From ceba53f1c4b4b28279636639382085f707bc790b Mon Sep 17 00:00:00 2001
From: Joshua Tauberer
Date: Fri, 5 Dec 2014 14:25:14 -0500
Subject: [PATCH] explain how to install a multi-domain or wildcard ssl cert; if one is installed, the Replace Cert button in the admin for non-primary domains should not replace the cert on the primary domain
---
 management/status_checks.py | 2 +-
 management/templates/ssl.html | 2 ++
 management/web_update.py | 6 +++---
 3 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/management/status_checks.py b/management/status_checks.py
index 86f83d09..e12221fa 100755
--- a/management/status_checks.py
+++ b/management/status_checks.py
@@ -522,7 +522,7 @@ def check_certificate(domain, ssl_certificate, ssl_private_key):
 return ("SELF-SIGNED", None)
 elif retcode != 0:
 if "unable to get local issuer certificate" in verifyoutput:
- return ("The certificate is missing an intermediate chain or the intermediate chain is incorrect or incomplete.", None)
+ return ("The certificate is missing an intermediate chain or the intermediate chain is incorrect or incomplete. (%s)" % verifyoutput, None)
 # There is some unknown problem. Return the `openssl verify` raw output.
 return ("There is a problem with the SSL certificate.", verifyoutput.strip())
diff --git a/management/templates/ssl.html b/management/templates/ssl.html
index 0123fac7..46b4df0b 100644
--- a/management/templates/ssl.html
+++ b/management/templates/ssl.html
@@ -18,6 +18,8 @@ +
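Review bot: In `check_certificate` (management/status_checks.py), the added `% verifyoutput` puts raw `openssl verify` output into the first element of the returned tuple, which callers treat as the status string; `install_cert` in management/web_update.py compares it against "OK" and "SELF-SIGNED". The fall-through return two lines below already carries the same output, stripped, in the second element, so returning it the same way keeps the status text fixed and the details separate: `return ("The certificate is missing an intermediate chain or the intermediate chain is incorrect or incomplete.", verifyoutput.strip())`. That output typically includes the certificate file's path and subject fields taken from the uploaded certificate, so wherever it reaches the admin page it should be HTML-escaped; the rendering code is not visible in this diff. The body of `check_certificate` starts and ends outside the hunk.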

Advanced:
Install a multi-domain or wildcard certificate for the {{hostname}} domain to have it automatically applied to any domains it is valid for.

+

Install SSL Certificate

There are many places where you can get a free or cheap SSL certificate. We recommend Namecheap’s $9 certificate or StartSSL’s free express lane.

diff --git a/management/web_update.py b/management/web_update.py
index 90901b18..92e6041c 100644
--- a/management/web_update.py
+++ b/management/web_update.py
@@ -135,7 +135,7 @@ def get_web_root(domain, env, test_exists=True):
 if os.path.exists(root) or not test_exists: break
 return root
-def get_domain_ssl_files(domain, env):
+def get_domain_ssl_files(domain, env, allow_shared_cert=True):
 # What SSL private key will we use? Allow the user to override this, but
 # in many cases using the same private key for all domains would be fine.
 # Don't allow the user to override the key for PRIMARY_HOSTNAME because
@@ -159,7 +159,7 @@ def get_domain_ssl_files(domain, env):
 # But we can be smart and reuse the main SSL certificate if is has
 # a Subject Alternative Name matching this domain. Don't do this if
 # the user has uploaded a different private key for this domain.
- if not ssl_key_is_alt:
+ if not ssl_key_is_alt and allow_shared_cert:
 from status_checks import check_certificate
 if check_certificate(domain, ssl_certificate_primary, None)[0] == "OK":
 ssl_certificate = ssl_certificate_primary
@@ -225,7 +225,7 @@ def install_cert(domain, ssl_cert, ssl_chain, env):
 # Do validation on the certificate before installing it.
 from status_checks import check_certificate
- ssl_key, ssl_certificate, ssl_csr_path = get_domain_ssl_files(domain, env)
+ ssl_key, ssl_certificate, ssl_csr_path = get_domain_ssl_files(domain, env, allow_shared_cert=False)
 cert_status, cert_status_details = check_certificate(domain, fn, ssl_key)
 if cert_status != "OK":
 if cert_status == "SELF-SIGNED":
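Review bot: The new `allow_shared_cert` parameter on `get_domain_ssl_files` defaults to `True`, which is the unsafe value for any caller that writes to the returned certificate path, and nothing at the definition says so. With the default, the second hunk can hand back the primary domain's certificate path for a different domain, which is fine for callers that only read the certificate but lets a writer overwrite the primary certificate. `install_cert` in the third hunk is the only caller visibly updated, so any other writers outside this diff should be checked. I would add a comment under the signature such as `# allow_shared_cert: if True, may return the PRIMARY_HOSTNAME certificate path when that certificate is also valid for this domain; pass False when the returned path will be written to.` and a one-line comment at the `install_cert` call saying why it passes `False`. All three function bodies continue outside their hunks.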