Re: FBR: Setup proxying and VPN for certgetter01

Thanks.

It looks like I need one more thing to make sure the challenge doesn't
get redirected to https (acme challenges are always over plain http).
Can I also get +1s for:

From fd0a29275ad4f37f42f6383e14a298adf1db0978 Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk <puiterwijk@xxxxxxxxxx>
Date: Sat, 9 Sep 2017 23:42:19 +0000
Subject: [PATCH] Do not httpd-redirect for acme challenges

Signed-off-by: Patrick Uiterwijk <puiterwijk@xxxxxxxxxx>
---
 roles/httpd/website/templates/website.conf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/roles/httpd/website/templates/website.conf
b/roles/httpd/website/templates/website.conf
index 8eed648..804942a 100644
--- a/roles/httpd/website/templates/website.conf
+++ b/roles/httpd/website/templates/website.conf
@@ -17,6 +17,7 @@
 {% if sslonly %}
   RewriteEngine On
   RewriteCond %{HTTPS} off
+  RewriteCond %{REQUEST_URI} !/.well-known/acme-challenge/.*
   RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [NE]
 {% else %}
   Include "conf.d/{{ name }}/*.conf"
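Review bot: the exemption on the added RewriteCond is unanchored, so `!/.well-known/acme-challenge/.*` also matches any URI that merely contains that path segment somewhere (for example `/foo/.well-known/acme-challenge/x`), and the dots are unescaped regex metacharacters. Anchoring and escaping it, as in `RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/`, limits the plain-http exception to the ACME path itself. A second point: this condition is emitted for every `sslonly` vhost, while the ProxyPass from PATCH 1/3 is only emitted when `certbot` is set, so an sslonly vhost without `certbot` will now serve anything under `/.well-known/acme-challenge/` locally over plain http instead of redirecting it; wrapping the new line in `{% if certbot %}` keeps the other sites' behaviour unchanged.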
-- 
1.8.3.1

On Sat, Sep 9, 2017 at 7:26 PM, Stephen John Smoogen <smooge@xxxxxxxxx> wrote:
> +1 from me
>
> On 9 September 2017 at 19:04, Patrick Uiterwijk <puiterwijk@xxxxxxxxxx> wrote:
>> Hi,
>>
>> Could I get +1s for these patches:
>>
>> From 596ccf8bc44bad969a2ee9395c2c0ae7ee994a43 Mon Sep 17 00:00:00 2001
>> From: Patrick Uiterwijk <puiterwijk@xxxxxxxxxx>
>> Date: Sat, 9 Sep 2017 22:25:08 +0000
>> Subject: [PATCH 1/3] Allow setting up a vhost for certgetter
>>
>> Signed-off-by: Patrick Uiterwijk <puiterwijk@xxxxxxxxxx>
>> ---
>>  roles/httpd/website/defaults/main.yml      | 1 +
>>  roles/httpd/website/templates/website.conf | 4 ++++
>>  2 files changed, 5 insertions(+)
>>
>> diff --git a/roles/httpd/website/defaults/main.yml
>> b/roles/httpd/website/defaults/main.yml
>> index 99aa8b0..8ad299d 100644
>> --- a/roles/httpd/website/defaults/main.yml
>> +++ b/roles/httpd/website/defaults/main.yml
>> @@ -4,6 +4,7 @@
>>
>>  server_aliases: []
>>  server_admin: webmaster@xxxxxxxxxxxxxxxxx
>> +certbot: false
>>  ssl: true
>>  sslonly: false
>>  SSLCertificateChainFile: wildcard-2017.fedoraproject.org.intermediate.cert
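Review bot: `certbot: false` is added to the role defaults without a comment saying what enabling it does (proxying `/.well-known/acme-challenge` on the vhost to certgetter01); a one-line comment above it, where the role's tunables are listed, would save the next person a trip into the template.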
>> diff --git a/roles/httpd/website/templates/website.conf
>> b/roles/httpd/website/templates/website.conf
>> index 6547452..8eed648 100644
>> --- a/roles/httpd/website/templates/website.conf
>> +++ b/roles/httpd/website/templates/website.conf
>> @@ -10,6 +10,10 @@
>>    SetOutputFilter DEFLATE
>>  {% endif %}
>>
>> +{% if certbot %}
>> +  ProxyPass "/.well-known/acme-challenge"
>> "http://certgetter01/.well-known/acme-challenge";
>> +{% endif %}
>> +
>>  {% if sslonly %}
>>    RewriteEngine On
>>    RewriteCond %{HTTPS} off
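Review bot: the ProxyPass is placed outside the `{% if sslonly %}` block, but on an sslonly vhost the rewrite that follows (`RewriteCond %{HTTPS} off` plus the redirect to https) still applies to every plain-http request, so whether an http-01 challenge request gets proxied or redirected depends on which of mod_proxy and mod_rewrite httpd applies first in this context; exempting the ACME path from the redirect, as the follow-up patch at the top of this thread does, removes that dependency and should land together with this one. Two smaller points on the directive as quoted: the target URL sits on a continuation line ending in `";` with a stray semicolon after the closing quote, which httpd will not parse if that is in the template rather than an artefact of mail wrapping, and the target is the bare name `certgetter01` over plain http, so the proxies must be able to resolve that name (nothing in this series adds it) and the challenge responses travel unauthenticated to the backend, which is acceptable for ACME tokens but worth stating.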
>> --
>> 1.8.3.1
>>
>> From 403f97fc772c4a1d9fc55aab981e6bf0293c19b1 Mon Sep 17 00:00:00 2001
>> From: Patrick Uiterwijk <puiterwijk@xxxxxxxxxx>
>> Date: Sat, 9 Sep 2017 22:26:40 +0000
>> Subject: [PATCH 2/3] Enable certbot for secondary kojis
>>
>> Signed-off-by: Patrick Uiterwijk <puiterwijk@xxxxxxxxxx>
>> ---
>>  playbooks/include/proxies-websites.yml | 3 +++
>>  1 file changed, 3 insertions(+)
>>
>> diff --git a/playbooks/include/proxies-websites.yml
>> b/playbooks/include/proxies-websites.yml
>> index 9735c89..6362509 100644
>> --- a/playbooks/include/proxies-websites.yml
>> +++ b/playbooks/include/proxies-websites.yml
>> @@ -499,6 +499,7 @@
>>    - role: httpd/website
>>      name: ppc.koji.fedoraproject.org
>>      sslonly: true
>> +    certbot: true
>>      server_aliases:
>>      - ppcpkgs.fedoraproject.org
>>      cert_name: secondary.koji.fedoraproject.org.letsencrypt
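Review bot: `certbot: true` is being turned on for a vhost that is also `sslonly: true`, and with PATCH 1/3 as posted the sslonly rewrite still redirects every plain-http request to https, so validation on this vhost relies on the ACME path being exempted from that redirect (the follow-up patch at the top of this thread does this); merging 2/3 before that exemption risks a failed http-01 validation for `ppc.koji.fedoraproject.org`, so the two should go in together.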
>> @@ -507,6 +508,7 @@
>>    - role: httpd/website
>>      name: s390.koji.fedoraproject.org
>>      sslonly: true
>> +    certbot: true
>>      server_aliases:
>>      - s390pkgs.fedoraproject.org
>>      cert_name: secondary.koji.fedoraproject.org.letsencrypt
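Review bot: all three vhosts changed in this file share `cert_name: secondary.koji.fedoraproject.org.letsencrypt`, so the certificate certgetter obtains has to carry each vhost name and each of the `server_aliases` (`ppcpkgs`, `s390pkgs`, `armpkgs`) as a SAN, six names in total, and the http-01 validation for each name will arrive on the corresponding vhost. Assuming the role turns `server_aliases` into ServerAlias entries of the same vhost, the per-vhost ProxyPass covers the aliases too, but the certgetter side must request one certificate for all six names, which this series does not show.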
>> @@ -515,6 +517,7 @@
>>    - role: httpd/website
>>      name: arm.koji.fedoraproject.org
>>      sslonly: true
>> +    certbot: true
>>      server_aliases:
>>      - armpkgs.fedoraproject.org
>>      cert_name: secondary.koji.fedoraproject.org.letsencrypt
>> --
>> 1.8.3.1
>>
>> From 49a05d85c2af5d3288e095c837ff7013d77f5756 Mon Sep 17 00:00:00 2001
>> From: Patrick Uiterwijk <puiterwijk@xxxxxxxxxx>
>> Date: Sat, 9 Sep 2017 23:02:21 +0000
>> Subject: [PATCH 3/3] Add certgetter01 ccd file
>>
>> Signed-off-by: Patrick Uiterwijk <puiterwijk@xxxxxxxxxx>
>> ---
>>  roles/openvpn/server/files/ccd/certgetter01.phx2.fedoraproject.org | 2 ++
>>  1 file changed, 2 insertions(+)
>>  create mode 100644
>> roles/openvpn/server/files/ccd/certgetter01.phx2.fedoraproject.org
>>
>> diff --git a/roles/openvpn/server/files/ccd/certgetter01.phx2.fedoraproject.org
>> b/roles/openvpn/server/files/ccd/certgetter01.phx2.fedoraproject.org
>> new file mode 100644
>> index 0000000..6b4c087
>> --- /dev/null
>> +++ b/roles/openvpn/server/files/ccd/certgetter01.phx2.fedoraproject.org
>> @@ -0,0 +1,2 @@
>> +# ifconfig-push actualIP PtPIP
>> +ifconfig-push 192.168.1.177 192.168.0.177
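Review bot: the file name `certgetter01.phx2.fedoraproject.org` has to match the client certificate's CN exactly for OpenVPN to apply this ccd entry, and `ifconfig-push 192.168.1.177 192.168.0.177` assumes the server's existing tunnel addressing (a client address in 192.168.1.0/24 paired with a peer endpoint in 192.168.0.0/24), so check the pair against the other files in `roles/openvpn/server/files/ccd/` and confirm .177 is not already pushed to another client, since OpenVPN does not detect duplicate addresses across ccd files. Separately, the ProxyPass in PATCH 1/3 targets the short name `certgetter01`; nothing in this series maps that name to 192.168.1.177 on the proxies, so that resolution must already exist or be added alongside this file.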
>> --
>> 1.8.3.1
>> _______________________________________________
>> infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
>> To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx
>
>
>
> --
> Stephen J Smoogen.