software/galene: use new insecure option

Since Galene is behind our frontend, no need to take care of the HTTPS certificates.

software/galene/buildout.hash.cfg

@@ -15,4 +15,4 @@
 
 [instance-cfg]
 filename = instance.cfg.in
-md5sum = 270b39f448ec553fa9e203c5fbb49856
+md5sum = cc1f28b6906f00b9fab2da7728fcdcb7

software/galene/instance.cfg.in

@@ -36,14 +36,6 @@ data       = $${:srv}/data
 groups     = $${:srv}/groups
 recordings = $${:srv}/recordings
 
-[galene-ssl]
-recipe = plone.recipe.command
-cert-file = $${directory:data}/cert.pem
-key-file = $${directory:data}/key.pem
-command = ${openssl:location}/bin/openssl req -newkey rsa:2048 -batch -new -x509  -days 3650 -nodes -keyout "$${:key-file}" -out "$${:cert-file}"
-update-command =
-stop-on-error = true
-
 [admin-password]
 recipe = slapos.cookbook:generate.password
 storage-path = $${directory:data}/.passwd
@@ -77,9 +69,9 @@ command-line =
     -groups $${directory:groups}
     -data $${directory:data}
     -http [$${:ip}]:$${:port}
+    -insecure
 wrapper-path = $${directory:services}/galene
 depends =
   $${ice-servers.json:recipe}
   $${groups-json:recipe}
-  $${galene-ssl:recipe}
 

[Jérome Perrin]

it's still a bit better to use https anyway, we can not trust the link between frontend and backend

[Jérome Perrin]

( but I'm not sure how much https with a non verified self signed certificate is better than plain http )

[Kirill Smelkov]

@tomo, I just wanted to say here what @jerome said: is it a good idea? With plain HTTP in between frontend-backend anyone can intercept that traffic...

[Romain Courteaud]

I agree with @jerome and @kirr.

What is the problem using ssl @tomo ? Or, do you expect galene to be hosted only on the CDN servers?

[Thomas Gambier]

you're right. I just reverted the commit.

I just took into account the simplicity of the slapos recipe but not the security.