When you go the route of http://community.aegirproject.org/node/70 to add a Chain cert to your SSL site (if needed), it would more or less look like this

function drupalwiki_provision_apache_vhost_config($uri, $data) {
  switch($uri) {
    case 'somedomain':
      return _drupalwiki_add_ssl_chain($data);
    break;
  }
}

function _drupalwiki_add_ssl_chain($data) {
  // we expect the chain.crt to be in the same folder as the certs
  // get the basepath
  $path = dirname ( $data["ssl_cert"] );
  $command = "SSLCertificateChainFile $path/chain.crt";
  return $command;
}

This works perfectly, but the chain.crt is never rsynced to the remote server, so the server fails to start. Even more, if you create the chain.crt over there, it gets removed with the next verification. As it is suggested to work with chain crts according to the notes on http://community.aegirproject.org/node/29 .. i mark this as a bug rather then a feature request.

Using beta2

CommentFileSizeAuthor
#6 chaincrt.patch1.81 KBEugenMayer
#5 chaincrts.patch1.32 KBEugenMayer

Comments

EugenMayer’s picture

EugenMayer commented

Well i could not fined were the files are actually synced, its pretty much encapsulated again.

I guess that will be the highest level called from provision-save

/**
 * Sync the current Drupal platform and, if applicable, site. Call after
 * finishing operations that affect the filesystem.
 */
function provision_drupal_sync_site() {
  d()->service('http')->sync(d()->root, array('exclude-sites' => TRUE));
  if (d()->type === 'site') {
    d()->service('http')->sync(d()->site_path, array('no-delete' => TRUE));
  }
}

http/http.ssl.inc::config_date() is one of the methods generated the data, but iam still not sure who decides what to rsync of all this data or not. I expect this to be hardcoded, but could not find it anywhere. Can someone assist here?

EugenMayer’s picture

EugenMayer commented

There is another issue here, maybe we should cover them both here. When you use that hook to add the chain-cert you will end up having this line in the *:80 vhost also, which is pretty bad. I can`t see how to only set those extras for SSL / NON SSL only / both.

EugenMayer’s picture

EugenMayer commented
Status: Active » Closed (won't fix)

reopen if needed, solved for myself

anarcat’s picture

anarcat commented
Title: [SSL] not all files in ssl.d/$name/ are synced - no way to add chain certs » chained certificates support
Category: bug » feature
Status: Closed (won't fix) » Active
Issue tags: +ssl

Reopening this as a feature request.

EugenMayer’s picture

EugenMayer commented
Status: Active » Needs review
StatusFileSize
new chaincrts.patch1.32 KB

patch attached. Not deeply tested yet. Also the name is argueable "openssl_chain.crt". Any input here?

EugenMayer’s picture

EugenMayer commented
StatusFileSize
new chaincrt.patch1.81 KB

rerolled patch. Now added support in the template / chainged the hash name to something properly fitting.

acrollet’s picture

acrollet commented
Version: » 6.x-1.0

subscribe

steven jones’s picture

steven jones commented

It would be good to get this in.

steven jones’s picture

steven jones commented

Thanks for your patch Eugen, I've added it to a new branch and tidied it up a little in:

dev-ssl-chained-1062168

We'll review it from there, this doesn't look like too much of a big change, and I've basically implemented something similar in the last few days, so this approach can definitely work. I will test on my machine too, and we can merge into stable if appropriate.

anarcat’s picture

anarcat commented
Status: Needs review » Fixed

Looking good, i merged the branch in 2.x, let's let it sit there for a while...

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

nicksanta’s picture

nicksanta commented

I've just applied this patch and the chained certificates now reappear in the vhost file once the site is verified.

anarcat’s picture

anarcat commented
Status: Closed (fixed) » Patch (to be ported)

marking this for release.

anarcat’s picture

anarcat commented
Status: Patch (to be ported) » Fixed

merged in 1.x

Status: Fixed » Closed (fixed)
Issue tags: -ssl

Automatically closed -- issue fixed for 2 weeks with no activity.

Issue tags: +ssl

Restoring issue tags, see #2125755: System messages removed all issue tags during D7 upgrade.

  • Commit 93e0701 on dev-ssl-chained-1062168, dev-ssl-ip-allocation-refactor, dev-1205458-move_sites_out_of_platforms, 7.x-3.x, dev-subdir-multiserver, 6.x-2.x-backports, dev-helmo-3.x by Steven Jones: 
    Add patch from #1062168 comment 6.

By EugenMayer: Added chained...
  • Commit 89877cd on 6.x-1.x, dev-drupal-8, dev-ssl-ip-allocation-refactor, dev-1205458-move_sites_out_of_platforms, 7.x-3.x, dev-subdir-multiserver, 6.x-2.x-backports, dev-helmo-3.x authored by Steven Jones, committed by anarcat:
    Add patch from #1062168 comment 6.

By EugenMayer: Added chained...