From c739c770f7bf50eae859c1988b4be9afec32e79b Mon Sep 17 00:00:00 2001
From: Michael Hobbs
Date: Thu, 31 Mar 2016 07:52:19 -0700
Subject: [PATCH] remove references to global TLS certs. closes #2057
---
 docs/deployment/ssl-configuration.md | 28 ----------------------------
 plugins/checks/check-deploy | 4 ++--
 plugins/nginx-vhosts/install | 2 --
 tests/unit/30_core_1.bats | 2 +-
 tests/unit/40_core_2.bats | 2 +-
 5 files changed, 4 insertions(+), 34 deletions(-)
diff --git a/docs/deployment/ssl-configuration.md b/docs/deployment/ssl-configuration.md
index 96df89a44..0837b9a57 100644
--- a/docs/deployment/ssl-configuration.md
+++ b/docs/deployment/ssl-configuration.md
@@ -64,34 +64,6 @@ root@dokku:~/dokku# dokku certs:info node-js-app
 The `certs:remove` command only works on app-specific certificates. It will `rm` the app-specific tls directory, rebuild the nginx configuration, and reload nginx.
-## Global Certification
-
-Global certificate management is a manual process. To enable TLS connections for all your applications at once you will need a wildcard TLS certificate.
-
-To enable TLS across all apps, you can run the following commands:
-
-```shell
-mkdir -p /home/dokku/tls
-cp server.crt /home/dokku/tls/server.crt
-cp server.key /home/dokku/tls/server.key
-```
-
-Next, you will want to enable the certificates by editing `/etc/nginx/conf.d/dokku.conf` and uncommenting these two lines (remove the `#`):
-
-```
-ssl_certificate /home/dokku/tls/server.crt;
-ssl_certificate_key /home/dokku/tls/server.key;
-```
-
-The settings will take affect at the next deploy. If you would like to propagate the change to all apps immediately, you can also run the following command:
-
-```shell
-dokku ps:restartall
-```
-
-Once TLS is enabled, the application will be accessible by `https://` (redirection from `http://` is applied as well).
-
-> Note: TLS will not be enabled unless the application's VHOST matches the certificate's name. (i.e. if you have a cert for `*.example.com` TLS won't be enabled for `something.example.org` or `example.net`)
 ## HSTS Header
diff --git a/plugins/checks/check-deploy b/plugins/checks/check-deploy
index 8f2b20d64..e2a15477e 100755
--- a/plugins/checks/check-deploy
+++ b/plugins/checks/check-deploy
@@ -156,8 +156,8 @@ checks_check_deploy() {
 local CURL_OPTIONS="-q --compressed --fail --location --max-time $TIMEOUT"
 # Set X-Forwarded-Proto header if TLS is enabled.
- local SSL="$DOKKU_ROOT/$APP/tls"; local WILDCARD_SSL="$DOKKU_ROOT/tls"
- if [[ -e "$SSL/server.crt" && -e "$SSL/server.key" ]] || [[ -e "$WILDCARD_SSL/server.crt" && -e "$WILDCARD_SSL/server.key" ]]; then
+ local SSL="$DOKKU_ROOT/$APP/tls"
+ if [[ -e "$SSL/server.crt" && -e "$SSL/server.key" ]]; then
 local CURL_OPTIONS+=" -H X-Forwarded-Proto:https"
 fi
diff --git a/plugins/nginx-vhosts/install b/plugins/nginx-vhosts/install
index 2fd42fd83..2c5dfea9e 100755
--- a/plugins/nginx-vhosts/install
+++ b/plugins/nginx-vhosts/install
@@ -33,8 +33,6 @@ ssl_session_timeout 10m;
 ssl_ciphers EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
-# ssl_certificate $DOKKU_ROOT/tls/server.crt;
-# ssl_certificate_key $DOKKU_ROOT/tls/server.key;
 EOF
 fi
diff --git a/tests/unit/30_core_1.bats b/tests/unit/30_core_1.bats
index 42f6e0122..e5b007afb 100644
--- a/tests/unit/30_core_1.bats
+++ b/tests/unit/30_core_1.bats
@@ -8,7 +8,7 @@ setup() {
 }
 teardown() {
- rm -rf /home/dokku/$TEST_APP/tls /home/dokku/tls
+ rm -rf /home/dokku/$TEST_APP/tls
 destroy_app
 dokku config:unset --global DOKKU_RM_CONTAINER
 rm -f "$DOCKERFILE"
diff --git a/tests/unit/40_core_2.bats b/tests/unit/40_core_2.bats
index 5a6f0f88d..e8cc44671 100644
--- a/tests/unit/40_core_2.bats
+++ b/tests/unit/40_core_2.bats
@@ -7,7 +7,7 @@ setup() {
 }
 teardown() {
- rm -rf /home/dokku/$TEST_APP/tls /home/dokku/tls
+ rm -rf /home/dokku/$TEST_APP/tls
 destroy_app
 }
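Review bot: The test in `checks_check_deploy` now consults only `$DOKKU_ROOT/$APP/tls`, but nothing in this commit handles hosts that already have a wildcard pair in `$DOKKU_ROOT/tls`: there nginx may still terminate TLS from an operator-edited `dokku.conf` while the checks stop sending `X-Forwarded-Proto:https`, and the wildcard private key stays on disk unused. The `plugins/nginx-vhosts/install` hunk sits inside a block closed by `fi` whose condition is not visible, so it presumably changes only a freshly written `dokku.conf`. I would add an upgrade note telling operators to move the pair to per-app certificates and delete the old `server.key`, and a comment above the test such as `# Only app-specific certs are checked; a legacy $DOKKU_ROOT/tls pair is ignored.` The function body starts and ends outside the hunk.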
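Review bot: The teardown line `rm -rf /home/dokku/$TEST_APP/tls` in `tests/unit/30_core_1.bats` leaves `$TEST_APP` unquoted and unguarded, so an empty or unset value collapses the path to `/home/dokku//tls` and a value containing whitespace splits into several arguments to `rm -rf`. Where `TEST_APP` is assigned is not visible in the hunk, so I would make the line fail loudly instead: `rm -rf -- "/home/dokku/${TEST_APP:?}/tls"`. The same line appears in the `tests/unit/40_core_2.bats` hunk.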