Kevin - Thanks so much for the review! This is great feedback. I really wasn't super clear on what was happening with the proxies or not. I will work on this more and re-submit.

Cheers!
Zach

On 9/3/18 7:48 PM, Kevin Fenzi wrote:
On 08/29/2018 11:51 AM, Zach Villers wrote:As discussed in infra meeting 16 aug around the 14:30 mark <https://meetbot.fedoraproject.org/teams/infrastructure/infrastructure.2018-08-16-14.00.log.html> regarding Issue #7158: Planet Fedora doesn't have a valid certificate <https://pagure.io/fedora-infrastructure/issue/7158>. I created two patches (attached) based on my reading/understanding of the certbot role README. Text below. I think we are in Freeze right now and I probably have _many_ things to fix. Thanks to everyone that guided me (hopefully I'm on the right track :)Sorry for taking so long to look this over. ;( And thanks a bunch for working on it...diff --git a/playbooks/include/proxies-websites.yml b/playbooks/include/proxies-websites.yml index 8013c539e..5cd82375c 100644 --- a/playbooks/include/proxies-websites.yml +++ b/playbooks/include/proxies-websites.yml 
@@ -932,3 +932,15 @@ tags: - pkgs.fedoraproject.org when: env == "staging" and "phx2" in inventory_hostname +# cert for https://fedoraplanet.org which redirects to http://fedoraplanet.org + + - role: httpd/website + site_name: fedoraplanet.org + server_aliases: + - www.fedoraplanet.org + ssl: true + sslonly: true + certbot: true + certbot_addhost: fedoraplanet.org + tags: + - fedoraplanet.orgSo, this will work if we add this to our proxies, so we would need to change DNS to point there (currently fedoraplanet.org is pointing only to the people02 server, not the proxies), but that won't work as the content is still on fedoapeople.org. ;( So I think we should drop this part unless we just proxy everything from our proxies to people02, which could be slow. The problem is that our certbot/letsencrypt role is setup mostly for the proxies and not for people02, but we can still do it with a but more poking. :) So, look at roles/httpd/website/tasks/main.yml, and you will see: - name: Letsencrypt certificate stuff include_role: name=letsencrypt when: certbot == True we can call this in our 'people' role at the end... but we will also need to pass it all those variables that the httpd/website role already uses, ie, site_name, certbot, certbot_addhost, etc.diff --git a/roles/planet/templates/planet.conf b/roles/planet/templates/planet.conf index 319923d2a..f4f1eb622 100644 --- a/roles/planet/templates/planet.conf +++ b/roles/planet/templates/planet.conf @@ -15,6 +15,10 @@ ErrorLog logs/planet-error.log CustomLog logs/fedoraplanet.org-access.log common + RewriteEngine on + RewriteRule ^/\.well-known/(.*) /srv/web/acme-challenge/.well-known/$1 [L] + RewriteRule "^/?(.*)" "https://%{HTTP_HOST}/$1" [L,R=301,NE]Here, we need the rewrite to whatever machine is running the letsencrypt role, so certgetter01, ie: RewriteRule "^/?(.*)" "https://certgetter01/$1" [L,R=301,NE]UserDir disable AddCharset UTF-8 .xml 
@@ -79,3 +83,32 @@ RedirectMatch permanent /(.*) http://fedoraplanet.org/$1 </VirtualHost> +<VirtualHost {{public_ip}}:443 _default_:443> + ## + # Domain: fedoraplanet.org + # Owner: admin@xxxxxxxxxxxxxxxx + # + ServerName fedoraplanet.org + + SSLEngine on + SSLCertificateFile /etc/letsencrypt/live/fedoraplanet.org/cert.pem + SSLCertificateKeyFile /etc/letsencrypt/live/fedoraplanet.org/privkey.pem + SSLCertificateChainFile /etc/letsencrypt/live/fedoraplanet.org/fullchain.pem + SSLHonorCipherOrder On + SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL + SSLProtocol ALL -SSLv2 + + ServerAdmin admin@xxxxxxxxxxxxxxxx + ServerName fedoraplanet.org + + DocumentRoot "/srv/planet/site/" + + ErrorLog logs/planet-error.log + CustomLog logs/planet.fedoraproject.org-access.log common + + UserDir disable + AddCharset UTF-8 .xml + + RedirectMatch permanent /(.*) http://fedoraplanet.org/$1 + +</VirtualHost>That looks good. ;) So, if you could adjust it for the above we can look again. I think you are close... and this is a complex one. ;) Thanks again for working on it. kevin |
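Review bot: in the proxies-websites.yml hunk, the comment `# cert for https://fedoraplanet.org which redirects to http://fedoraplanet.org` says the opposite of what `sslonly: true` does (the role redirects plain http to https, not https to http); reword it to describe the actual behaviour. Separately, `server_aliases: - www.fedoraplanet.org` makes the site answer for the www name while `certbot_addhost: fedoraplanet.org` requests a certificate for the bare name only, so https://www.fedoraplanet.org would present a name mismatch; either include www.fedoraplanet.org in the certificate request or drop the alias.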
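Review bot: in the first planet.conf hunk, the catch-all `RewriteRule "^/?(.*)" "https://%{HTTP_HOST}/$1" [L,R=301,NE]` builds the redirect target from the client-supplied Host header; this vhost has a fixed ServerName, so redirect to a literal `https://fedoraplanet.org/$1` and an attacker-chosen Host header cannot steer the 301 elsewhere. The ACME rule `RewriteRule ^/\.well-known/(.*) /srv/web/acme-challenge/.well-known/$1 [L]` points at a filesystem path outside DocumentRoot, and nothing in the hunk grants access to /srv/web/acme-challenge, so with httpd's default `Require all denied` on / the HTTP-01 challenge would be refused; an `Alias /.well-known/ /srv/web/acme-challenge/.well-known/` plus a `<Directory>` block with `Require all granted` is the usual way to expose it, and it avoids relying on mod_rewrite's file-path heuristics.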
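Review bot: in the new :443 vhost, `RedirectMatch permanent /(.*) http://fedoraplanet.org/$1` sends every https request back to http while the :80 vhost in the first hunk sends every http request to https, so browsers will bounce between the two until they give up; the https vhost has to serve the content itself, so drop that RedirectMatch. `SSLCertificateChainFile` is pointed at fullchain.pem, which already contains the leaf given in cert.pem; use chain.pem there, or on httpd 2.4.8+ set `SSLCertificateFile .../fullchain.pem` and omit the chain directive. `SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL` puts RC4 first in the preference order and `SSLProtocol ALL -SSLv2` leaves SSLv3, TLS 1.0 and TLS 1.1 enabled; RC4 is prohibited in TLS by RFC 7465, so use `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` with a modern ECDHE/AES-GCM cipher list. Minor: `ServerName fedoraplanet.org` appears twice, and the access log is named planet.fedoraproject.org-access.log while the :80 vhost logs to fedoraplanet.org-access.log.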
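The planet.conf patch above pairs a 301 to https in the :80 vhost with a `RedirectMatch ... http://fedoraplanet.org/$1` inside the new :443 vhost, lists RC4-SHA first in SSLCipherSuite and disables only SSLv2. The linter below is an added example, not code from this thread or from Fedora infrastructure: it parses an httpd vhost config and reports exactly those three classes of problem. The WEAK and HARDENED configs inside it are constructed samples (planet.example.org and the /etc/letsencrypt paths are placeholders) that mirror the reviewed patch and a corrected form of it.

```python
"""Lint an Apache vhost config for what a TLS / Let's Encrypt review looks for: an
http<->https redirect loop, RC4 or legacy protocol versions left enabled, and
SSLCertificateChainFile pointing at fullchain.pem.  Added example for this thread,
not Fedora infrastructure code; WEAK and HARDENED are constructed samples."""
import re

CATCHALL = {"/(.*)", "^/(.*)", "^/?(.*)", "^/?(.*)$", "^(.*)$", "(.*)"}  # patterns matching every path
ALL_PROTOS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
LEGACY = ("SSLv3", "TLSv1", "TLSv1.1")

def parse_vhosts(text):
    """[(address, [(directive, value), ...])] per <VirtualHost>; nested sections are not handled."""
    vhosts = []
    for addr, body in re.findall(r"<VirtualHost\s+(.+?)>(.*?)</VirtualHost>", text, re.S | re.I):
        rows = [l.strip().split(None, 1) for l in body.splitlines() if l.strip() and not l.strip().startswith("#")]
        vhosts.append((addr, [(r[0], r[1] if len(r) > 1 else "") for r in rows]))
    return vhosts

def get(directives, name):
    return [v for n, v in directives if n.lower() == name.lower()]

def catchall_redirect_schemes(directives):
    """Schemes every request is redirected to (RewriteRule ... [R] or RedirectMatch on a catch-all pattern)."""
    schemes = set()
    for name, value in directives:
        toks = [t.strip('"') for t in value.split()]
        if name.lower() == "rewriterule" and len(toks) >= 3:
            if toks[0] in CATCHALL and re.search(r"\bR(=\d+)?\b", toks[2]):
                schemes.add(toks[1].split("://", 1)[0])
        elif name.lower() == "redirectmatch" and len(toks) == 3 and toks[1] in CATCHALL:
            schemes.add(toks[2].split("://", 1)[0])
    return schemes

def enabled_protocols(value):
    """Evaluate SSLProtocol ('ALL -SSLv2', '+TLSv1.2', 'TLSv1.2 TLSv1.3'); 'all' is taken to include SSLv3."""
    enabled = set()
    for tok in value.split():
        name = tok.lstrip("+-")
        names = set(ALL_PROTOS) if name.lower() == "all" else {name} & set(ALL_PROTOS)
        enabled = enabled - names if tok.startswith("-") else enabled | names
    return enabled

def lint(text):
    """Return [(code, message)] findings for the config text."""
    findings, vhosts, sides = [], parse_vhosts(text), {}
    # Loop: the plaintext vhost sends everything to https while the TLS vhost with the same ServerName sends it back.
    for addr, d in vhosts:
        name = (get(d, "ServerName") or [addr])[0]
        tls = ":443" in addr or any(v.lower() == "on" for v in get(d, "SSLEngine"))
        sides.setdefault(name, {})[tls] = catchall_redirect_schemes(d)
    for name, by_tls in sides.items():
        if "https" in by_tls.get(False, ()) and "http" in by_tls.get(True, ()):
            findings.append(("REDIRECT_LOOP", f"{name}: :80 -> https and :443 -> http"))
    for addr, d in vhosts:
        for suite in get(d, "SSLCipherSuite"):  # RC4 named without '!', or a bare ALL that never excludes it
            if re.search(r"(?<!!)\bRC4", suite) or (re.search(r"\bALL\b", suite) and "!RC4" not in suite):
                findings.append(("RC4", f"{addr}: SSLCipherSuite offers RC4 (prohibited by RFC 7465)"))
        for proto in get(d, "SSLProtocol"):
            old = [p for p in LEGACY if p in enabled_protocols(proto)]
            if old:
                findings.append(("LEGACY_PROTO", f"{addr}: SSLProtocol leaves {', '.join(old)} enabled"))
        for chain in get(d, "SSLCertificateChainFile"):
            if chain.endswith("fullchain.pem"):
                findings.append(("CHAIN_IS_FULLCHAIN", f"{addr}: use chain.pem here, or SSLCertificateFile fullchain.pem"))
    return findings

WEAK = r"""<VirtualHost *:80>
    ServerName planet.example.org
    RewriteEngine on
    RewriteRule ^/\.well-known/(.*) /srv/web/acme-challenge/.well-known/$1 [L]
    RewriteRule "^/?(.*)" "https://%{HTTP_HOST}/$1" [L,R=301,NE]
</VirtualHost>
<VirtualHost *:443>
    ServerName planet.example.org
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/planet.example.org/cert.pem
    SSLCertificateChainFile /etc/letsencrypt/live/planet.example.org/fullchain.pem
    SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL
    SSLProtocol ALL -SSLv2
    RedirectMatch permanent /(.*) http://planet.example.org/$1
</VirtualHost>"""
HARDENED = r"""<VirtualHost *:80>
    ServerName planet.example.org
    RewriteEngine on
    RewriteRule ^/\.well-known/(.*) /srv/web/acme-challenge/.well-known/$1 [L]
    RewriteRule "^/?(.*)" "https://planet.example.org/$1" [L,R=301,NE]
</VirtualHost>
<VirtualHost *:443>
    ServerName planet.example.org
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/planet.example.org/fullchain.pem
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384
</VirtualHost>"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, lint(cfg) or "no findings")
```

`lint()` returns the findings as (code, message) pairs so it can gate a playbook run on a rendered template before the certificate change goes live. The parser is deliberately minimal: it does not handle nested `<Directory>` or `<If>` sections, only looks at catch-all redirect patterns, and treats `all` in SSLProtocol as including SSLv3, which is what mod_ssl documents for OpenSSL builds without no-ssl3.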
_______________________________________________
infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@xxxxxxxxxxxxxxxxxxxxxxx