diff --git a/recipes/default.rb b/recipes/default.rb
index d5624f5870d6828c8ce88f77ce3dbefba9557334..d2bb2b08c05a033a69d2a1fea881904000ed729a 100644
--- a/recipes/default.rb
+++ b/recipes/default.rb
@@ -238,19 +238,40 @@ end
 ### Setup Apache Environment ###
 ################################
 
-# copy ssl key data
-template '/etc/apache2/ssl/sslKey.key' do
-	source 'sslKey.key'
+# create ssl certificate
+# Instructions are from here: https://stackoverflow.com/questions/7580508/getting-chrome-to-accept-self-signed-localhost-certificate/43666288#43666288
+template '/etc/apache2/ssl/v3.ext' do
+	source 'v3.ext'
 	owner 'vagrant'
 	group data_bag['groupId']
 end
 
-template '/etc/apache2/ssl/sslKey.crt' do
-	source 'sslKey.crt'
+template '/etc/apache2/ssl/create_certificate_for_domain.sh' do
+	source 'create_certificate_for_domain.sh'
 	owner 'vagrant'
 	group data_bag['groupId']
 end
 
+# not needed (globally used, but maybe someone else needs this)
+# template 'create_root_cert_and_key.sh' do
+# 	source 'create_root_cert_and_key.sh'
+# 	owner 'vagrant'
+# 	group data_bag['groupId']
+# end
+
+bash 'Create Certificate' do
+	cwd '/etc/apache2/ssl/'
+
+	user 'vagrant'
+	group data_bag['groupId']
+
+	code <<-EOF
+		chmod 755 create_certificate_for_domain.sh
+		./create_certificate_for_domain.sh #{node['typo3_site']['hostname']}
+	EOF
+	action :run
+end
+
 # create vHost directory
 directory "#{node['typo3_site']['webroot']}/#{node['typo3_site']['hostname']}" do
 	owner 'vagrant'
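Review bot: The `bash 'Create Certificate'` resource interpolates `node['typo3_site']['hostname']` straight into the heredoc, so the attribute value becomes unquoted shell text. The resource also has no guard, so a new certificate is issued on every converge. Passing the value through the environment (`environment 'SITE_HOST' => node['typo3_site']['hostname']` with `./create_certificate_for_domain.sh "$SITE_HOST"`) and adding `creates "/etc/apache2/ssl/#{node['typo3_site']['hostname']}.crt"` would address both. The script signs with `rootCA.pem` and `rootCA.key` from this directory, and the only resource that would produce them is commented out here, so unless they are provisioned elsewhere the signing step presumably fails. Setting `mode '0755'` on the script's template resource would also replace the `chmod` inside the heredoc.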
diff --git a/templates/default/create_certificate_for_domain.sh b/templates/default/create_certificate_for_domain.sh
new file mode 100755
index 0000000000000000000000000000000000000000..4850b29b0e1a15e718da1665c86e56116ad7c91a
--- /dev/null
+++ b/templates/default/create_certificate_for_domain.sh
@@ -0,0 +1,38 @@
+if [ -z "$1" ]
+then
+  echo "Please supply a subdomain to create a certificate for";
+  echo "e.g. www.mysite.com"
+  exit;
+fi
+
+# Create a new private key if one doesnt exist, or use the xeisting one if it does
+if [ -f device.key ]; then
+  KEY_OPT="-key"
+else
+  KEY_OPT="-keyout"
+fi
+
+DOMAIN=$1
+COMMON_NAME=${2:-*.$1}
+SUBJECT="/C=CA/ST=None/L=NB/O=None/CN=$COMMON_NAME"
+NUM_OF_DAYS=999
+openssl req -new -newkey rsa:2048 -sha256 -nodes $KEY_OPT device.key -subj "$SUBJECT" -out device.csr
+cat v3.ext | sed s/%%DOMAIN%%/$COMMON_NAME/g > /tmp/__v3.ext
+openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.crt -days $NUM_OF_DAYS -sha256 -extfile /tmp/__v3.ext 
+
+# move output files to final filenames
+mv device.csr $DOMAIN.csr
+cp device.crt $DOMAIN.crt
+
+# remove temp file
+rm -f device.crt;
+
+echo 
+echo "###########################################################################"
+echo Done! 
+echo "###########################################################################"
+echo "To use these files on your server, simply copy both $DOMAIN.csr and"
+echo "device.key to your webserver, and use like so (if Apache, for example)"
+echo 
+echo "    SSLCertificateFile    /path_to_your_files/$DOMAIN.crt"
+echo "    SSLCertificateKeyFile /path_to_your_files/device.key"
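Review bot: Nothing in the script stops on failure: with no argument it leaves via `exit` with status 0, and if either `openssl` call fails (for example because `rootCA.pem`/`rootCA.key` are missing) the `mv`/`cp` lines still run, so the Chef resource that calls it can report success without a usable certificate. The extension file is also written to the fixed path `/tmp/__v3.ext` in a world-writable directory, where another local user can pre-create or symlink it, and `$DOMAIN`/`$COMMON_NAME` are expanded unquoted although the default common name contains `*`. The sketch below exits non-zero on errors, uses `mktemp`, and quotes the expansions. Separately, the closing message on line 34 of the new file tells the reader to copy `$DOMAIN.csr` where `$DOMAIN.crt` is meant.

```shell
set -eu

if [ -z "${1:-}" ]; then
  echo "Please supply a subdomain to create a certificate for" >&2
  exit 1
fi
# … unchanged: KEY_OPT selection, DOMAIN / COMMON_NAME / SUBJECT / NUM_OF_DAYS, openssl req …
EXT_FILE=$(mktemp)
trap 'rm -f "$EXT_FILE"' EXIT
sed "s/%%DOMAIN%%/$COMMON_NAME/g" v3.ext > "$EXT_FILE"
openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.crt -days "$NUM_OF_DAYS" -sha256 -extfile "$EXT_FILE"

mv device.csr "$DOMAIN.csr"
mv device.crt "$DOMAIN.crt"
# … unchanged: closing echo banner …
```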
diff --git a/templates/default/create_root_cert_and_key.sh b/templates/default/create_root_cert_and_key.sh
new file mode 100755
index 0000000000000000000000000000000000000000..e03da1638eca33af981c7034ec517b741bba8ac2
--- /dev/null
+++ b/templates/default/create_root_cert_and_key.sh
@@ -0,0 +1,2 @@
+openssl genrsa -out rootCA.key 2048
+openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
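Review bot: `openssl req -x509 -new` is called without `-subj`, so it prompts for the subject fields and cannot run unattended, and `rootCA.key` is written unencrypted with whatever mode the caller's umask gives it. Anyone who can read that key can issue certificates that every browser trusting `rootCA.pem` will accept, so the script should at least run `chmod 600 rootCA.key` after generating it, and the root should only be imported on development machines. A subject such as `-subj "/CN=Local Dev Root CA"` (example value) would make the call non-interactive.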
diff --git a/templates/default/sslKey.crt b/templates/default/sslKey.crt
deleted file mode 100644
index d39f5b6b4db579f629af6a8fb56e8904cafb83b4..0000000000000000000000000000000000000000
--- a/templates/default/sslKey.crt
+++ /dev/null
@@ -1,21 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDfzCCAmegAwIBAgIJAORC8MQ0C9DzMA0GCSqGSIb3DQEBCwUAMFYxCzAJBgNV
-BAYTAkRFMRAwDgYDVQQIDAdCYXZhcmlhMQ8wDQYDVQQHDAZNdW5pY2gxJDAiBgNV
-BAoMG3NnYWxpbnNraSBJbnRlcm5ldCBTZXJ2aWNlczAeFw0xNTA0MjExNzQzMTda
-Fw0xNjA0MjAxNzQzMTdaMFYxCzAJBgNVBAYTAkRFMRAwDgYDVQQIDAdCYXZhcmlh
-MQ8wDQYDVQQHDAZNdW5pY2gxJDAiBgNVBAoMG3NnYWxpbnNraSBJbnRlcm5ldCBT
-ZXJ2aWNlczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANSgEUitUshZ
-hpIcKxI5IBSaHx8UEelHuJLCqe2uOPS5LwGLfwftwwJkPYCmQgDRVN3EarZU7ssq
-kkeQ3LoAS6GzZ/R8XKVm2bs8qme9w7K13/Nntv2k3qhtNVfbbB9l3xDzilYRhNY/
-BZ1RxpjSMRKenzkv7KfdDLVQ2xX/YtLjS2qEGTE09oop7m75H7j2PpvnUMz9exnQ
-g1R91177iBhhWPa/HA0+QUirqQ0cica6YgHx4imGmJ8fXCUDpn5kRxqPIl5+Gwrw
-Y/+zUzFcwamz9XJJo2inWRZHz+uHQWHt00g8RPZdJMClPLvcf/a8hXM8Q0V0z+xk
-/RAU9knwS6kCAwEAAaNQME4wHQYDVR0OBBYEFOkJIQ36tTSNGCnwFI6baqxtDKXH
-MB8GA1UdIwQYMBaAFOkJIQ36tTSNGCnwFI6baqxtDKXHMAwGA1UdEwQFMAMBAf8w
-DQYJKoZIhvcNAQELBQADggEBAAhRxgilKKFKWg9jOSu+7qDmxVdnlK17rYNVnDoU
-L6emvKOEHR7eIpLVx/4wwPKfCe8SaKzTQ8EP/y0bAnuv2qrNOiQ/wv3kJa3Miu9x
-47E//+13AY22ADdB0lXDKS6RveJaL8YfgYtjV1aKa3kvnbBpeDD5Lh60n55tXod5
-DVU0WhOxH62d1EgllYP4DN7Pzl8QrSDEREHewj+5gSAfbYqOHr6e865iXZh3lpdi
-C+BYNsvTHWnMC7AxqeEDRpfxJ9paYhgjVU7mNyjhDuvict+bXQ/iqKS/h2tN24fw
-oSPkeMBC4ZxhmYkM+D06FAGBvjGVm9tr5m8sJ9FIkoCWQWY=
------END CERTIFICATE-----
\ No newline at end of file
diff --git a/templates/default/sslKey.key b/templates/default/sslKey.key
deleted file mode 100644
index fc717d389f722cfafdbf04f68234d7d97a6cc567..0000000000000000000000000000000000000000
--- a/templates/default/sslKey.key
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEA1KARSK1SyFmGkhwrEjkgFJofHxQR6Ue4ksKp7a449LkvAYt/
-B+3DAmQ9gKZCANFU3cRqtlTuyyqSR5DcugBLobNn9HxcpWbZuzyqZ73DsrXf82e2
-/aTeqG01V9tsH2XfEPOKVhGE1j8FnVHGmNIxEp6fOS/sp90MtVDbFf9i0uNLaoQZ
-MTT2iinubvkfuPY+m+dQzP17GdCDVH3XXvuIGGFY9r8cDT5BSKupDRyJxrpiAfHi
-KYaYnx9cJQOmfmRHGo8iXn4bCvBj/7NTMVzBqbP1ckmjaKdZFkfP64dBYe3TSDxE
-9l0kwKU8u9x/9ryFczxDRXTP7GT9EBT2SfBLqQIDAQABAoIBADL6gcpcDAoPNO2Z
-JVaELcXiwe1woW6+DGnblGRxLiS2tad4K6faALR1Fi3fLtoFVoSpUDCRIoPBnDre
-Z52M7pVBb341xvy9MRzsSar/24jghGZWipA71EqrjGuZJ05L3XSx/4vtPV0k1RLI
-BYakdrGRKHnMnMAOhrp+PVkD10zaVFuAbiKZKc5Qg5m+KD7785VMY5bBfqZwh66w
-igeqFw0ZU6MZtaVGKeJzxWJGZxW5vbvjJGb/doLxMHYqzn4tjpFopXc0peOk0GiO
-0A76zJVMWCOuQElui4amXC6EmD61GySub3fiBA1NEcptcIu6HVQqGi1dSb1aRbyV
-oeqvRZECgYEA7ADxtY/WqafJadeIVnUkPZFSoyx4Q9X0W4/B2p56e22phJfU2CMZ
-48/Fss79Q80nSKQNlRWmm8dMtQ5m+WqTVhL63OYtl0wb93/DGejEfqyt8oWboWmp
-xqfSnFNOdTzH1GX6qAv/fWhU5oJ9PQ8EZCAuUgockwhcqEk+VCoPu50CgYEA5qQI
-J8nZhzw9ZKu+oXXump/NR4FBEzpLItg7hw2x3Zyef9sfGuxxPuG2PpyvkV+RHsgm
-3dDNTvc042mmMkAdLVPnpAyBw7hmMI32X0fMfEUzBQ7zxY6X09/OB5Mw8s060c6A
-LDeEnAhygAnHWljTVlnj4u+YLubNUbdSeo/RcH0CgYEAyBU81xsteQRhRDSQyAvk
-P7ZXAzQOeiSIWKAWT8yQNtiQIXO/5cZMitF54NCP882YgoNjaIPEjsl3BQFC2C48
-33qT6HfVKzJBe6F7vRmUjXjEuJoBieVVJLDfY91U5Rw0pqQW0CXr41xyrkLu/rce
-l+yYmMEt3JH4TExcZWqLkBkCgYBvl3vurGYYXZgixkoU2veYTqtG5o3y3KiP8mlS
-3dhqLiYuHHn/T9k3IIRJ5Qu5XbDcYOEVP7qmc0teoLZt58F2NfuEzxxV8zlWUsma
-riWNFvopf2OI+YYSWF3aImhzgcLs0moHetEpoZisxI508zdFt3ZgTaanQrqix/0b
-GcyvDQKBgQC3R9KNQygh/a6Bw/SHRAVa06WLgxF5WP905XWhmwZeFKsjX4dbef5a
-3/hpnutUKdUxZ5Tvx9dQAxOQpfKlltbjy0VFDi5i61268Q63y9ON3UPUuduVb7Y3
-EZmYqUTDz8VWDrxp6U/r3gJXxvNCkYf3EmEUNk575QhVZeLiUJXgPA==
------END RSA PRIVATE KEY-----
\ No newline at end of file
diff --git a/templates/default/v3.ext b/templates/default/v3.ext
new file mode 100644
index 0000000000000000000000000000000000000000..7515c66d72d23a6bbbda54fb7de0a4a6b4ab57b5
--- /dev/null
+++ b/templates/default/v3.ext
@@ -0,0 +1,7 @@
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = %%DOMAIN%%
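Review bot: `[alt_names]` carries a single entry, and the recipe calls the script with one argument, so `%%DOMAIN%%` becomes `*.<hostname>`. A wildcard SAN does not match the bare hostname, so a vhost served at the hostname itself would still get a name-mismatch warning. A second entry such as `DNS.2 = %%BARE_DOMAIN%%`, filled in by a matching `sed` substitution in the script, would cover it. `keyUsage` is also broader than a TLS server certificate needs; `keyUsage = digitalSignature, keyEncipherment` plus `extendedKeyUsage = serverAuth` is the usual set.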
diff --git a/templates/default/vHost-xenial.conf.erb b/templates/default/vHost-xenial.conf.erb
index bd094d24844b9f0b72d93fc492a7c4739363e796..333c52c2e0cbd985c58a7b7b07aaf2645b99c255 100644
--- a/templates/default/vHost-xenial.conf.erb
+++ b/templates/default/vHost-xenial.conf.erb
@@ -40,8 +40,8 @@
   #   SSLCertificateFile directive is needed.
   #SSLCertificateFile	/etc/ssl/certs/ssl-cert-snakeoil.pem
   #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
-  SSLCertificateFile /etc/apache2/ssl/sslKey.crt
-  SSLCertificateKeyFile /etc/apache2/ssl/sslKey.key
+  SSLCertificateFile /etc/apache2/ssl/<%= @params[:server_name] %>.crt
+  SSLCertificateKeyFile /etc/apache2/ssl/device.key
 
   # HSTS (mod_headers is required) (15768000 seconds = 6 months)
   Header always set Strict-Transport-Security "max-age=15768000"
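Review bot: The certificate path is built from `@params[:server_name]`, while the script names its output after the argument it receives (`node['typo3_site']['hostname']` in the recipe). If the two values ever differ, `SSLCertificateFile` points at a file that does not exist and Apache will presumably refuse to start. `SSLCertificateKeyFile` now points at the shared `device.key`, which the script creates as the `vagrant` user without an explicit mode, so it is worth confirming the key is not group- or world-readable. The same two lines appear in the `vHost.conf.erb` hunk. A comment above them such as `# generated by create_certificate_for_domain.sh; file name must match the hostname passed to it` would document the coupling.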
diff --git a/templates/default/vHost.conf.erb b/templates/default/vHost.conf.erb
index abcbfa79a48105b077286b12785c59b4f54d9796..bf7b020b18d587e6e5e99b4639adfb4ed14562f6 100644
--- a/templates/default/vHost.conf.erb
+++ b/templates/default/vHost.conf.erb
@@ -37,8 +37,8 @@
   #   SSLCertificateFile directive is needed.
   #SSLCertificateFile	/etc/ssl/certs/ssl-cert-snakeoil.pem
   #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
-  SSLCertificateFile /etc/apache2/ssl/sslKey.crt
-  SSLCertificateKeyFile /etc/apache2/ssl/sslKey.key
+  SSLCertificateFile /etc/apache2/ssl/<%= @params[:server_name] %>.crt
+  SSLCertificateKeyFile /etc/apache2/ssl/device.key
 
   # HSTS (mod_headers is required) (15768000 seconds = 6 months)
   Header always set Strict-Transport-Security "max-age=15768000"