X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/e44092b29d6fbf3798c7f2b37164abd8f6f4e088..2ddb3a386c8ef91ef2bb041c5ef0bc385debd737:/tools/arvbox/lib/arvbox/docker/service/nginx/run

diff --git a/tools/arvbox/lib/arvbox/docker/service/nginx/run b/tools/arvbox/lib/arvbox/docker/service/nginx/run
index 2353e949f7..18c56ce9dd 100755
--- a/tools/arvbox/lib/arvbox/docker/service/nginx/run
+++ b/tools/arvbox/lib/arvbox/docker/service/nginx/run
@@ -8,6 +8,8 @@ set -ex -o pipefail
 
 . /usr/local/lib/arvbox/common.sh
 
+openssl verify -CAfile $root_cert $server_cert
+
 cat <<EOF >/var/lib/arvados/nginx.conf
 worker_processes auto;
 pid /var/lib/arvados/nginx.pid;
@@ -46,8 +48,8 @@ http {
   server {
     listen *:${services[controller-ssl]} ssl default_server;
     server_name controller;
-    ssl_certificate "/var/lib/arvados/server-cert-${localip}.pem";
-    ssl_certificate_key "/var/lib/arvados/server-cert-${localip}.key";
+    ssl_certificate "${server_cert}";
+    ssl_certificate_key "${server_cert_key}";
     location  / {
       proxy_pass http://controller;
       proxy_set_header Host \$http_host;
@@ -68,8 +70,8 @@ server {
   proxy_read_timeout    300s;
 
   ssl                   on;
-  ssl_certificate "/var/lib/arvados/server-cert-${localip}.pem";
-  ssl_certificate_key "/var/lib/arvados/server-cert-${localip}.key";
+  ssl_certificate "${server_cert}";
+  ssl_certificate_key "${server_cert_key}";
 
   location / {
     proxy_pass          http://arvados-ws;
@@ -86,8 +88,8 @@ server {
   server {
     listen *:${services[workbench2-ssl]} ssl default_server;
     server_name workbench2;
-    ssl_certificate "/var/lib/arvados/server-cert-${localip}.pem";
-    ssl_certificate_key "/var/lib/arvados/server-cert-${localip}.key";
+    ssl_certificate "${server_cert}";
+    ssl_certificate_key "${server_cert_key}";
     location  / {
       proxy_pass http://workbench2;
       proxy_set_header Host \$http_host;
@@ -110,8 +112,8 @@ server {
   server {
     listen *:${services[keep-web-ssl]} ssl default_server;
     server_name keep-web;
-    ssl_certificate "/var/lib/arvados/server-cert-${localip}.pem";
-    ssl_certificate_key "/var/lib/arvados/server-cert-${localip}.key";
+    ssl_certificate "${server_cert}";
+    ssl_certificate_key "${server_cert_key}";
     location  / {
       proxy_pass http://keep-web;
       proxy_set_header Host \$http_host;