Added separate RHcloud aliases for www.mathdown.{net,com}.

Otherwise RHcloud didn't know the mathdown.{net,com} certs also cover www.mathdown.{net,com} and didn't present them, resulting in mismatched cert errors: > This server could not prove that it is www.mathdown.com; its security certificate is from *.rhcloud.com. (#6)
cben · Feb 20, 2015 · e98f0e5 · e98f0e5
1 parent e9a2cdc
commit e98f0e5
Show file tree

Hide file tree

Showing 4 changed files with 52 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -88,6 +88,8 @@ This app *mostly* works as static pages, and I intend to keep it this way.
 
         (For other branches/commits, there is no trivial solution - rawgit.com doesn't currently support submodules.)
 
+        The easiest way to run (and share) uncommitted modifications is probably Cloud 9.  TODO: test, details.
+
 As a dynamic app (`server.coffee`):
 
     npm install  # once

diff --git a/deployment/README.md b/deployment/README.md
@@ -99,6 +99,8 @@ Note: Both RHcloud and Heroku can only support custom-domain certs with SNI (cli
 [Eric Mill's tutorial]: https://konklone.com/post/switch-to-https-now-for-free
 [StartCom]: https://StartSSL.com
 
+Configuring the domains and certs on RHcloud can be repeated with `tls-certs-startcom/rhc-set-certs.sh` script.
+
 ## DNS
 
 DNS is served by Cloudflare.  They support [CNAME at the apex][] in their free plan, and they do it in a way that supposedly "doesn't  break the internet" .

diff --git a/deployment/tls-certs-startcom/.gitignore b/deployment/tls-certs-startcom/.gitignore
@@ -0,0 +1 @@
+GENERATED-*
diff --git a/deployment/tls-certs-startcom/rhc-set-certs.sh b/deployment/tls-certs-startcom/rhc-set-certs.sh
@@ -0,0 +1,47 @@
+#!/bin/bash
+if [ $# -lt 2 -o $# -gt 3 ]; then
+    echo "Usage: $0 APP KEYFILE [PASSPHRASE]"
+    echo "Examples:"
+    echo "  $0 mathdown ~/StartSSL/my-private-decrypted.key"
+    echo "kludge: disambiguate multiple openshift \"domains\":"
+    echo "  $0 'mathdown -n cben' ~/StartSSL/my-private-decrypted.key"
+    echo "use encrypted keyfile (unsecure on multi-user systems):"
+    echo "  read -s -p 'Passphrase: ' passphrase"
+    echo "  $0 mathdown ~/StartSSL/my-private-encrypted.key \"$passphrase\""
+    echo
+    echo "I believe this script is idempotent (up to \"Certificate Added\" date)."
+    echo "Not sure if it's zero downtime but it's pretty fast."
+    exit 2
+fi
+set -x
+
+cd "$(dirname "$0")"
+
+appopts=($1)  # this splits $1 into words
+if [ -z "$3" ]; then
+  keyopts=(--private-key="$2")
+else
+  keyopts=(--private-key="$2" --passphrase="$3")
+fi
+
+cat mathdown.com-until-2016-02-12.pem StartCom-chain-sub.class1.server.ca.pem > GENERATED-CHAINED-mathdown.com.pem
+cat mathdown.net-until-2016-02-15.pem StartCom-chain-sub.class1.server.ca.pem > GENERATED-CHAINED-mathdown.net.pem
+
+# <rant>In fish $X does the right thing, in bash I need "${X[@]}" and it only comes close.</rant>
+
+echo '== before: =='
+rhc alias list "${appopts[@]}"
+
+rhc alias add "${appopts[@]}" mathdown.net
+rhc alias add "${appopts[@]}" www.mathdown.net
+rhc alias add "${appopts[@]}" mathdown.com
+rhc alias add "${appopts[@]}" www.mathdown.com
+
+rhc alias update-cert "${appopts[@]}" mathdown.net --certificate GENERATED-CHAINED-mathdown.net.pem "${keyopts[@]}"
+rhc alias update-cert "${appopts[@]}" www.mathdown.net --certificate GENERATED-CHAINED-mathdown.net.pem "${keyopts[@]}"
+rhc alias update-cert "${appopts[@]}" mathdown.com --certificate GENERATED-CHAINED-mathdown.com.pem "${keyopts[@]}"
+rhc alias update-cert "${appopts[@]}" www.mathdown.com --certificate GENERATED-CHAINED-mathdown.com.pem "${keyopts[@]}"
+
+echo '== after: =='
+rhc alias list "${appopts[@]}"
+