suggested patch for review - issue 7158

As discussed in the infra meeting on 16 Aug around the 14:30 mark regarding Issue #7158: Planet Fedora doesn't have a valid certificate.

I created two patches (attached) based on my reading/understanding of the certbot role README. Text below. I think we are in Freeze right now and I probably have many things to fix.

Thanks to everyone that guided me (hopefully I'm on the right track :)




diff --git a/playbooks/include/proxies-websites.yml b/playbooks/include/proxies-websites.yml
index 8013c539e..5cd82375c 100644
--- a/playbooks/include/proxies-websites.yml
+++ b/playbooks/include/proxies-websites.yml
@@ -932,3 +932,15 @@
     tags:
     - pkgs.fedoraproject.org
     when: env == "staging" and "phx2" in inventory_hostname
+# cert for https://fedoraplanet.org which redirects to http://fedoraplanet.org
+
+  - role: httpd/website
+    site_name: fedoraplanet.org
+    server_aliases:
+    - www.fedoraplanet.org
+    ssl: true
+    sslonly: true
+    certbot: true
+    certbot_addhost: fedoraplanet.org
+    tags:
+    - fedoraplanet.org
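
Review bot: The comment on the first added line says https://fedoraplanet.org redirects to http://fedoraplanet.org, but the entry under it sets `ssl: true` and `sslonly: true`, which reads as an HTTPS-only site. Decide which direction the redirect goes and make the comment and the flags agree. If the goal is only to get a valid certificate so the HTTPS-to-HTTP redirect stops producing certificate errors, say that in the comment, and check what `sslonly` does in the httpd/website role before relying on it.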


---------------------------------------


diff --git a/roles/planet/templates/planet.conf b/roles/planet/templates/planet.conf
index 319923d2a..f4f1eb622 100644
--- a/roles/planet/templates/planet.conf
+++ b/roles/planet/templates/planet.conf
@@ -15,6 +15,10 @@
     ErrorLog logs/planet-error.log
     CustomLog logs/fedoraplanet.org-access.log common
 
+    RewriteEngine on
+    RewriteRule ^/\.well-known/(.*) /srv/web/acme-challenge/.well-known/$1 [L]
+    RewriteRule "^/?(.*)" "https://%{HTTP_HOST}/$1" [L,R=301,NE]
+
     UserDir disable
     AddCharset UTF-8 .xml
 
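
Review bot: The third added RewriteRule redirects every request to `https://%{HTTP_HOST}/$1` with R=301, while the :443 vhost added later in this same patch ends with `RedirectMatch permanent /(.*) http://fedoraplanet.org/$1`, so, assuming this block sits in the port 80 vhost, a client requesting fedoraplanet.org would bounce between the two with permanent redirects. Pick one direction. If HTTP is meant to be upgraded, prefer a fixed host name in the target over `%{HTTP_HOST}`, which is taken from the request's Host header, and confirm that `/srv/web/acme-challenge` in the second rule is covered by a Directory block that grants access.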
@@ -79,3 +83,32 @@
     RedirectMatch permanent /(.*) http://fedoraplanet.org/$1
 
 </VirtualHost>
+<VirtualHost {{public_ip}}:443 _default_:443>
+    ##
+    # Domain: fedoraplanet.org
+    # Owner: admin@xxxxxxxxxxxxxxxx
+    #
+    ServerName fedoraplanet.org
+
+    SSLEngine on
+    SSLCertificateFile    /etc/letsencrypt/live/fedoraplanet.org/cert.pem
+    SSLCertificateKeyFile /etc/letsencrypt/live/fedoraplanet.org/privkey.pem
+    SSLCertificateChainFile /etc/letsencrypt/live/fedoraplanet.org/fullchain.pem
+    SSLHonorCipherOrder On
+    SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL
+    SSLProtocol ALL -SSLv2
+   
+    ServerAdmin admin@xxxxxxxxxxxxxxxx
+    ServerName fedoraplanet.org
+
+    DocumentRoot "/srv/planet/site/"
+
+    ErrorLog logs/planet-error.log
+    CustomLog logs/planet.fedoraproject.org-access.log common
+
+    UserDir disable
+    AddCharset UTF-8 .xml
+
+    RedirectMatch permanent /(.*) http://fedoraplanet.org/$1
+
+</VirtualHost>
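
Review bot: The TLS settings in the new :443 vhost are weak. `SSLCipherSuite RC4-SHA:AES128-SHA:ALL:...` combined with `SSLHonorCipherOrder On` makes RC4-SHA the server's first choice, and `SSLProtocol ALL -SSLv2` leaves every protocol version other than SSLv2 enabled, SSLv3 included where the build supports it. Replace these three lines with the cipher and protocol settings the project's other sites use, or drop them so the server-wide defaults apply.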

diff --git a/roles/planet/templates/planet.conf b/roles/planet/templates/planet.conf
index 319923d2a..f4f1eb622 100644
--- a/roles/planet/templates/planet.conf
+++ b/roles/planet/templates/planet.conf
@@ -15,6 +15,10 @@
     ErrorLog logs/planet-error.log
     CustomLog logs/fedoraplanet.org-access.log common
 
+    RewriteEngine on
+    RewriteRule ^/\.well-known/(.*) /srv/web/acme-challenge/.well-known/$1 [L]
+    RewriteRule "^/?(.*)" "https://%{HTTP_HOST}/$1"; [L,R=301,NE]
+
     UserDir disable
     AddCharset UTF-8 .xml
 
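
Review bot: In this attached copy the redirect rule reads `RewriteRule "^/?(.*)" "https://%{HTTP_HOST}/$1"; [L,R=301,NE]`, with a `;` after the closing quote that the inline copy of the same hunk does not have. Apache directives take no terminator, so remove the `;` before applying. The two copies carry the same index line (319923d2a..f4f1eb622) and should be identical, so it is worth checking whether the attachment was altered in transit.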
@@ -79,3 +83,32 @@
     RedirectMatch permanent /(.*) http://fedoraplanet.org/$1
 
 </VirtualHost>
+<VirtualHost {{public_ip}}:443 _default_:443>
+    ##
+    # Domain: fedoraplanet.org
+    # Owner: admin@xxxxxxxxxxxxxxxx
+    #
+    ServerName fedoraplanet.org
+
+    SSLEngine on
+    SSLCertificateFile    /etc/letsencrypt/live/fedoraplanet.org/cert.pem
+    SSLCertificateKeyFile /etc/letsencrypt/live/fedoraplanet.org/privkey.pem
+    SSLCertificateChainFile /etc/letsencrypt/live/fedoraplanet.org/fullchain.pem
+    SSLHonorCipherOrder On
+    SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL
+    SSLProtocol ALL -SSLv2
+    
+    ServerAdmin admin@xxxxxxxxxxxxxxxx
+    ServerName fedoraplanet.org
+
+    DocumentRoot "/srv/planet/site/"
+
+    ErrorLog logs/planet-error.log
+    CustomLog logs/planet.fedoraproject.org-access.log common
+
+    UserDir disable
+    AddCharset UTF-8 .xml
+
+    RedirectMatch permanent /(.*) http://fedoraplanet.org/$1
+
+</VirtualHost>
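
Review bot: `SSLCertificateChainFile` points at fullchain.pem, which already contains the leaf certificate that `SSLCertificateFile` loads from cert.pem. Use certbot's chain.pem for the chain directive, or on httpd 2.4.8 and later drop the chain directive and point `SSLCertificateFile` at fullchain.pem. Also, `ServerName fedoraplanet.org` appears twice in the block, and `CustomLog` writes to logs/planet.fedoraproject.org-access.log while the context at the top of this patch logs to logs/fedoraplanet.org-access.log; a single ServerName and a consistent log name would be cleaner.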
diff --git a/playbooks/include/proxies-websites.yml b/playbooks/include/proxies-websites.yml
index 8013c539e..5cd82375c 100644
--- a/playbooks/include/proxies-websites.yml
+++ b/playbooks/include/proxies-websites.yml
@@ -932,3 +932,15 @@
     tags:
     - pkgs.fedoraproject.org
     when: env == "staging" and "phx2" in inventory_hostname
+# cert for https://fedoraplanet.org which redirects to http://fedoraplanet.org
+
+  - role: httpd/website
+    site_name: fedoraplanet.org
+    server_aliases:
+    - www.fedoraplanet.org
+    ssl: true
+    sslonly: true
+    certbot: true
+    certbot_addhost: fedoraplanet.org
+    tags:
+    - fedoraplanet.org
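
Review bot: `certbot_addhost` is set to fedoraplanet.org, the same value as `site_name`, while www.fedoraplanet.org appears only under `server_aliases`. Check against the certbot role README whether the issued certificate will cover the www alias; if `certbot_addhost` is how extra names get onto the certificate, it probably wants www.fedoraplanet.org here. The column-0 comment followed by a blank line also breaks up the role list; indent it to sit with the entry it describes.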