On 09/11/2018 09:12 AM, Zach Villers wrote: > Sorry this has taken so long - I've been fooling around trying to test > locally. I _believe_ I've followed Kevin's guidance. Without further ado; > > - adding planet vars to people role; > > diff --git a/playbooks/groups/people.yml b/playbooks/groups/people.yml > index e7661b4b4..1d00f77ca 100644 > --- a/playbooks/groups/people.yml > +++ b/playbooks/groups/people.yml > @@ -68,7 +68,6 @@ > - cgit/clean_lock_cron > - cgit/make_pkgs_list > - clamav > - - planet > - fedmsg/base > - git/server 
> > @@ -79,6 +78,18 @@ > SSLCertificateChainFile: > wildcard-2017.fedorapeople.org.intermediate.cert > > - people > + > + - role: planet > + certbot: true > + certbot_addhost: fedoraplanet.org > + site_name: fedoraplanet.org > + cert_name: wildcard-2018.fedoraplanet.org > + server_aliases: planet.fedoraproject.org > + server_admin: webmaster@xxxxxxxxxxxxxxxxx > + ssl: true > + sslonly: false > + SSLCertificateChainFile: > wildcard-2018.fedoraplanet.org.intermediate.cert > + gzip: false

So, very close, but we don't want to use the wildcard cert here, just let certbot handle it. Confusingly, we have a 'certbot' role, but that's old and we should nuke it. The new one is the 'letencrypt' role. It handles requesting a cert from letsencrypt for the site it's called with and putting certs on any other machines. So, keep the planet role as it is. Instead, add the letencrypt role to playbooks/groups/people.yml with the site_name as fedoraplanet.org. Take a look at the taskotron.yml playbook; I added this setup for taskotron-dev earlier today.

Then, when that playbook runs, it delegates to the 'certgetter01' host, which runs the certbot command to get a cert; as part of that it writes out a challenge file locally that it gets back from letsencrypt. Then, letsencrypt tries to get that file from fedorapeople.org, which redirects it to the proxies, which proxy it to certgetter01, and it's happy. ;)

> tasks: > - import_tasks: "{{ tasks_path }}/yumrepos.yml" > > ------------------------------- > > And planet redirect https -> http patch; > > diff --git a/roles/planet/templates/planet.conf > b/roles/planet/templates/planet.conf > index 319923d2a..7e12b8f35 100644 > --- a/roles/planet/templates/planet.conf > +++ b/roles/planet/templates/planet.conf
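Review bot: in the `- role: planet` block, `certbot: true` and `cert_name: wildcard-2018.fedoraplanet.org` together with `SSLCertificateChainFile: wildcard-2018.fedoraplanet.org.intermediate.cert` ask for two different certificate sources at once; pick one. If certbot is to issue the cert, drop the two wildcard lines so nobody later wires the template to a cert that was never deployed; if the wildcard is to be used, drop `certbot: true` and `certbot_addhost`. Also worth checking: `server_admin: webmaster@...` is set here, but the 443 vhost added to planet.conf in the second patch hard-codes `ServerAdmin admin@...`, so this variable has no effect on the new vhost.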
> @@ -14,6 +14,11 @@ > > ErrorLog logs/planet-error.log > CustomLog logs/fedoraplanet.org-access.log common > + > + # let certbot get an answer from certgetter01 > + RewriteEngine on > + RewriteRule > ^/\.well-known/(.*)/srv/web/acme-challenge/.well-known/$1 [L] > + RewriteRule "^/?(.*)" "https://certgetter01/$1" [L,R=301,NE]

Change 'certgetter01' here to 'fedoraproject.org'. That will hit our proxies and get proxied into certgetter.

> > UserDir disable > AddCharset UTF-8 .xml > @@ -79,3 +84,32 @@ > RedirectMatch permanent /(.*) http://fedoraplanet.org/$1 > > </VirtualHost> > +<VirtualHost {{public_ip}}:443 _default_:443> > + ## > + # Domain: fedoraplanet.org > + # Owner: admin@xxxxxxxxxxxxxxxx > + # > + ServerName fedoraplanet.org > + > + SSLEngine on > + SSLCertificateFile /etc/letsencrypt/live/fedoraplanet.org/cert.pem > + SSLCertificateKeyFile > /etc/letsencrypt/live/fedoraplanet.org/privkey.pem > + SSLCertificateChainFile > /etc/letsencrypt/live/fedoraplanet.org/fullchain.pem > + SSLHonorCipherOrder On > + SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL > + SSLProtocol ALL -SSLv2 > + > + ServerAdmin admin@xxxxxxxxxxxxxxxx > + ServerName fedoraplanet.org > + > + DocumentRoot "/srv/planet/site/" > + > + ErrorLog logs/planet-error.log > + CustomLog logs/planet.fedoraproject.org-access.log common > + > + UserDir disable > + AddCharset UTF-8 .xml > + > + RedirectMatch permanent /(.*) http://fedoraplanet.org/$1 > + > +</VirtualHost>

That looks perfect for the https->http redirect. :) Thanks again for poking at this, and I am sorry I have been so slow to provide feedback. ;(

kevin
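Review bot: the catch-all `RewriteRule "^/?(.*)" "https://certgetter01/$1" [L,R=301,NE]` matches every request, not just the ACME challenge path, so once this lands every plain-HTTP visit to fedoraplanet.org is 301'd off the site (to certgetter01, or to fedoraproject.org after the rename suggested in the reply above), and the preceding `^/\.well-known/(.*)` rule carries `[L]`, so the one path that should be redirected never reaches the redirect: it is rewritten to a local path under /srv/web/acme-challenge on this host, where certbot, which runs on certgetter01 per the thread, never wrote anything. Replace both rules with a single one anchored on the challenge prefix, e.g. `RewriteRule "^/\.well-known/acme-challenge/(.*)" "https://fedoraproject.org/.well-known/acme-challenge/$1" [L,R=301,NE]`, and leave all other paths alone. The first rule's pattern and substitution also appear run together in the paste (`(.*)/srv/web/...`); confirm the file has them as two arguments.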
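Review bot: the new 443 vhost's TLS settings are weaker than the certificate it deploys: `SSLCipherSuite RC4-SHA:AES128-SHA:ALL:...` with `SSLHonorCipherOrder On` makes RC4-SHA the server's first choice, and `SSLProtocol ALL -SSLv2` still permits SSLv3. Since this vhost only issues a 301 back to http, it needs nothing exotic; use `SSLProtocol all -SSLv2 -SSLv3` and a suite with `!RC4`, or better, whatever the other https vhosts in the repo already use so the policy lives in one place. Two smaller points: `SSLCertificateChainFile` points at `fullchain.pem`, which already contains the leaf given as `SSLCertificateFile cert.pem`; certbot writes `chain.pem` for exactly this directive (or, on Apache 2.4.8+, point `SSLCertificateFile` at `fullchain.pem` and drop the chain directive). `ServerName fedoraplanet.org` is listed twice, and the access log is named `planet.fedoraproject.org-access.log` while the port-80 vhost in the hunk above logs to `fedoraplanet.org-access.log`.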
Attachment:
signature.asc
Description: OpenPGP digital signature
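The redirect chain Kevin describes (Let's Encrypt fetches http://fedoraplanet.org/.well-known/acme-challenge/<token>, the port-80 vhost redirects to fedoraproject.org, the proxies hand the request to the host where certbot wrote the file) is easy to get subtly wrong, as the rewrite rules in the thread show. The following is an added example, not code from the thread or from the Fedora infrastructure repository: a small tracer that follows each hop by hand and checks both that the challenge path reaches the key authorization and that ordinary page requests are not redirected off the site. The host names are the thread's; `http_fetch`, `trace`, the fake topology, the token and the key authorization string are my own constructions.

```python
"""Trace an ACME HTTP-01 challenge through a redirect chain and check it.

Added example (not code from the thread or the Fedora infra repo). `fetch`
is injected, so the same checks run against a live server via urllib or
against the constructed in-memory topology at the bottom of the file.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin

ACME_PREFIX = "/.well-known/acme-challenge/"
SITE = "http://fedoraplanet.org"          # host name from the thread
PROXY = "https://fedoraproject.org"       # host name from the thread
REDIRECTS = {301, 302, 303, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib raise on 3xx instead of following it, so every hop is visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url):
    """One GET without following redirects: (status, Location or None, body)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, None, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location"), ""


def trace(url, fetch=http_fetch, max_hops=5):
    """Follow redirects by hand. Returns (final_status, final_body, hops).

    hops is a list of (url, status, location). final_status is None on a
    redirect loop (http -> https -> http ...) or when max_hops is exceeded."""
    hops, seen, current = [], set(), url
    while len(hops) < max_hops:
        if current in seen:
            return None, "", hops
        seen.add(current)
        status, location, body = fetch(current)
        hops.append((current, status, location))
        if status in REDIRECTS and location:
            current = urljoin(current, location)
            continue
        return status, body, hops
    return None, "", hops


def challenge_reachable(token, key_auth, fetch=http_fetch):
    """True iff GET SITE/.well-known/acme-challenge/<token> ends in a 200
    whose body is the key authorization certbot wrote (token.thumbprint)."""
    status, body, _ = trace(SITE + ACME_PREFIX + token, fetch)
    return bool(status == 200 and body.strip() == key_auth)


def site_stays_local(fetch=http_fetch):
    """True iff the front page is served directly, i.e. not 301'd elsewhere."""
    status, _, hops = trace(SITE + "/", fetch)
    return bool(status == 200 and len(hops) == 1)


# ---- constructed in-memory topology standing in for the real hosts ----------
TOKEN = "x7Fq-constructed-token"                        # constructed sample
KEY_AUTH = TOKEN + ".constructed-account-key-thumbprint"  # constructed sample


def fake_fetch(catch_all):
    """Model the port-80 vhost two ways.

    catch_all=False: only the ACME path is redirected to the proxies (the
    intended rule). catch_all=True: the rules as posted, where the first rule
    serves /.well-known from a local path (the file lives on certgetter01,
    not here, so 404) and the second rule redirects everything else."""
    def fetch(url):
        if url.startswith(SITE + "/"):
            path = url[len(SITE):]
            if path.startswith(ACME_PREFIX):
                return (404, None, "") if catch_all else (301, PROXY + path, "")
            if catch_all:
                return 301, PROXY + path, ""
            return 200, None, "<html>planet front page</html>"
        if url.startswith(PROXY + "/"):
            path = url[len(PROXY):]
            if path == ACME_PREFIX + TOKEN:     # proxied through to certgetter01
                return 200, None, KEY_AUTH + "\n"
            return 200, None, "<html>fedoraproject.org</html>"
        return 502, None, ""
    return fetch


if __name__ == "__main__":
    for mode in (False, True):
        f = fake_fetch(catch_all=mode)
        print("catch-all rule:", mode,
              "| challenge reachable:", challenge_reachable(TOKEN, KEY_AUTH, f),
              "| site stays local:", site_stays_local(f))
```

Against a real deployment, call `challenge_reachable(token, key_auth)` with the token and key authorization from a certbot dry run (the default `fetch` uses urllib and shows every hop), and run `site_stays_local()` alongside it: a rule set that passes the first check but fails the second has hijacked the site to make the challenge work.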
_______________________________________________ infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@xxxxxxxxxxxxxxxxxxxxxxx