From 1a12aa01b4bdade8cd4751474fcaaf5891083eef Mon Sep 17 00:00:00 2001 From: Noah Swartz Date: Tue, 26 Jan 2016 10:17:34 -0800 Subject: [PATCH 1/2] make different options ssl conf for centos --- .../centos-options-ssl-apache.conf | 21 +++++++++++++++++++ .../letsencrypt_apache/constants.py | 17 ++++++++------- 2 files changed, 30 insertions(+), 8 deletions(-) create mode 100644 letsencrypt-apache/letsencrypt_apache/centos-options-ssl-apache.conf diff --git a/letsencrypt-apache/letsencrypt_apache/centos-options-ssl-apache.conf b/letsencrypt-apache/letsencrypt_apache/centos-options-ssl-apache.conf new file mode 100644 index 000000000..fbe8da0f2 --- /dev/null +++ b/letsencrypt-apache/letsencrypt_apache/centos-options-ssl-apache.conf @@ -0,0 +1,21 @@ +# Baseline setting to Include for SSL sites + +SSLEngine on + +# Intermediate configuration, tweak to your needs +SSLProtocol all -SSLv2 -SSLv3 +SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA +SSLHonorCipherOrder on + +SSLOptions +StrictRequire + +# Add vhost name to log entries: +LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined +LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common + +#CustomLog /var/log/apache2/access.log vhost_combined +#LogLevel warn +#ErrorLog /var/log/apache2/error.log + +# Always ensure Cookies have "Secure" set (JAH 2012/1) +#Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4" diff --git a/letsencrypt-apache/letsencrypt_apache/constants.py b/letsencrypt-apache/letsencrypt_apache/constants.py index fe5ef3335..72ff384f7 100644 --- a/letsencrypt-apache/letsencrypt_apache/constants.py +++ b/letsencrypt-apache/letsencrypt_apache/constants.py @@ -16,7 +16,9 @@ CLI_DEFAULTS_DEBIAN = dict( le_vhost_ext="-le-ssl.conf", handle_mods=True, handle_sites=True, - challenge_location="/etc/apache2" + challenge_location="/etc/apache2", + MOD_SSL_CONF_SRC = pkg_resources.resource_filename( + "letsencrypt_apache", "options-ssl-apache.conf") ) CLI_DEFAULTS_CENTOS = dict( server_root="/etc/httpd", @@ -31,7 +33,9 @@ CLI_DEFAULTS_CENTOS = dict( le_vhost_ext="-le-ssl.conf", handle_mods=False, handle_sites=False, - challenge_location="/etc/httpd/conf.d" + challenge_location="/etc/httpd/conf.d", + MOD_SSL_CONF_SRC = pkg_resources.resource_filename( + "letsencrypt_apache", "centos-options-ssl-apache.conf") ) CLI_DEFAULTS_GENTOO = dict( server_root="/etc/apache2", @@ -46,7 +50,9 @@ CLI_DEFAULTS_GENTOO = dict( le_vhost_ext="-le-ssl.conf", handle_mods=False, handle_sites=False, - challenge_location="/etc/apache2/vhosts.d" + challenge_location="/etc/apache2/vhosts.d", + MOD_SSL_CONF_SRC = pkg_resources.resource_filename( + "letsencrypt_apache", "options-ssl-apache.conf") ) CLI_DEFAULTS = { "debian": CLI_DEFAULTS_DEBIAN, @@ -62,11 +68,6 @@ CLI_DEFAULTS = { MOD_SSL_CONF_DEST = "options-ssl-apache.conf" """Name of the mod_ssl config file as saved in `IConfig.config_dir`.""" -MOD_SSL_CONF_SRC = pkg_resources.resource_filename( - "letsencrypt_apache", "options-ssl-apache.conf") -"""Path to the Apache mod_ssl config file found in the Let's Encrypt -distribution.""" - AUGEAS_LENS_DIR = pkg_resources.resource_filename( "letsencrypt_apache", "augeas_lens") """Path to the Augeas lens directory""" From 1a14b4c8d5ec67115f41deec71fd15c4cd350be5 Mon Sep 17 00:00:00 2001 From: Noah Swartz Date: Tue, 26 Jan 2016 10:39:54 -0800 Subject: [PATCH 2/2] fix mapping issue --- letsencrypt-apache/letsencrypt_apache/configurator.py | 2 +- letsencrypt-apache/letsencrypt_apache/constants.py | 6 +++--- letsencrypt-apache/letsencrypt_apache/tests/util.py | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/letsencrypt-apache/letsencrypt_apache/configurator.py b/letsencrypt-apache/letsencrypt_apache/configurator.py index 8818923f4..8cd26e32b 100644 --- a/letsencrypt-apache/letsencrypt_apache/configurator.py +++ b/letsencrypt-apache/letsencrypt_apache/configurator.py @@ -1587,4 +1587,4 @@ def install_ssl_options_conf(options_ssl): # Check to make sure options-ssl.conf is installed if not os.path.isfile(options_ssl): - shutil.copyfile(constants.MOD_SSL_CONF_SRC, options_ssl) + shutil.copyfile(constants.os_constant("MOD_SSL_CONF_SRC"), options_ssl) diff --git a/letsencrypt-apache/letsencrypt_apache/constants.py b/letsencrypt-apache/letsencrypt_apache/constants.py index 72ff384f7..50156444b 100644 --- a/letsencrypt-apache/letsencrypt_apache/constants.py +++ b/letsencrypt-apache/letsencrypt_apache/constants.py @@ -17,7 +17,7 @@ CLI_DEFAULTS_DEBIAN = dict( handle_mods=True, handle_sites=True, challenge_location="/etc/apache2", - MOD_SSL_CONF_SRC = pkg_resources.resource_filename( + MOD_SSL_CONF_SRC=pkg_resources.resource_filename( "letsencrypt_apache", "options-ssl-apache.conf") ) CLI_DEFAULTS_CENTOS = dict( @@ -34,7 +34,7 @@ CLI_DEFAULTS_CENTOS = dict( handle_mods=False, handle_sites=False, challenge_location="/etc/httpd/conf.d", - MOD_SSL_CONF_SRC = pkg_resources.resource_filename( + MOD_SSL_CONF_SRC=pkg_resources.resource_filename( "letsencrypt_apache", "centos-options-ssl-apache.conf") ) CLI_DEFAULTS_GENTOO = dict( @@ -51,7 +51,7 @@ CLI_DEFAULTS_GENTOO = dict( handle_mods=False, handle_sites=False, challenge_location="/etc/apache2/vhosts.d", - MOD_SSL_CONF_SRC = pkg_resources.resource_filename( + MOD_SSL_CONF_SRC=pkg_resources.resource_filename( "letsencrypt_apache", "options-ssl-apache.conf") ) CLI_DEFAULTS = { diff --git a/letsencrypt-apache/letsencrypt_apache/tests/util.py b/letsencrypt-apache/letsencrypt_apache/tests/util.py index fb86d2320..ff60c05e3 100644 --- a/letsencrypt-apache/letsencrypt_apache/tests/util.py +++ b/letsencrypt-apache/letsencrypt_apache/tests/util.py @@ -33,7 +33,7 @@ class ApacheTest(unittest.TestCase): # pylint: disable=too-few-public-methods pkg="letsencrypt_apache.tests") self.ssl_options = common.setup_ssl_options( - self.config_dir, constants.MOD_SSL_CONF_SRC, + self.config_dir, constants.os_constant("MOD_SSL_CONF_SRC"), constants.MOD_SSL_CONF_DEST) self.config_path = os.path.join(self.temp_dir, config_root)