Happy Monday all.

Here's an updated set of patches for issue 7158, with some of Kevin's comments on my previous attempt for context;

On 9/18/18 5:44 PM, Kevin Fenzi wrote:
>
> Confusingly, we have a 'certbot' rule, but that's old and we should nuke
> it. The new one is the 'letencrypt' role. It handles requesting a cert
> from letsencrypt for the site it's called with and putting certs on any
> other machines.
>
> So, keep the planet role as it is.
>
> Instead add to the playbooks/groups/people.yml the letencrypt role with
> the site_name as fedoraplanet.org. Take a look at the taskotron.yml
> playbook, I added this setup for taskotron-dev earlier today.
>

New people.yml patch adding certgetter role - tried to follow the taskotron-dev example;

diff --git a/playbooks/groups/people.yml b/playbooks/groups/people.yml index e7661b4b4..77b34cb23 100644 --- a/playbooks/groups/people.yml +++ b/playbooks/groups/people.yml @@ -69,6 +69,7 @@ - cgit/make_pkgs_list - clamav - planet + - { role: letsencrypt, site_name: 'fedoraplanet.org' } - fedmsg/base - git/server

>> ^/\.well-known/(.*)/srv/web/acme-challenge/.well-known/$1 [L]
>> + RewriteRule "^/?(.*)" "https://certgetter01/$1" [L,R=301,NE]
>
> Change 'certgetter01' here to 'fedoraproject.org'. That will hit our
> proxies and get proxied into certgetter.
>>
>
> kevin
>

New planet.conf patch with above change;

diff --git a/roles/planet/templates/planet.conf b/roles/planet/templates/planet.conf index 319923d2a..0875e7aa4 100644 --- a/roles/planet/templates/planet.conf +++ b/roles/planet/templates/planet.conf @@ -14,6 +14,11 @@ ErrorLog logs/planet-error.log CustomLog logs/fedoraplanet.org-access.log common + + # let certbot get an answer from certgetter01 + RewriteEngine on + RewriteRule ^/\.well-known/(.*)/srv/web/acme-challenge/.well-known/$1 [L] + RewriteRule "^/?(.*)" "https://fedoraproject.org/$1" [L,R=301,NE] UserDir disable + AddCharset UTF-8 .xml 
@@ -79,3 +84,32 @@ RedirectMatch permanent /(.*) http://fedoraplanet.org/$1 </VirtualHost> +<VirtualHost {{public_ip}}:443 _default_:443> + ## + # Domain: fedoraplanet.org + # Owner: admin@xxxxxxxxxxxxxxxx + # + ServerName fedoraplanet.org + + SSLEngine on + SSLCertificateFile /etc/letsencrypt/live/fedoraplanet.org/cert.pem + SSLCertificateKeyFile /etc/letsencrypt/live/fedoraplanet.org/privkey.pem + SSLCertificateChainFile /etc/letsencrypt/live/fedoraplanet.org/fullchain.pem + SSLHonorCipherOrder On + SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL + SSLProtocol ALL -SSLv2 + + ServerAdmin admin@xxxxxxxxxxxxxxxx + ServerName fedoraplanet.org + + DocumentRoot "/srv/planet/site/" + + ErrorLog logs/planet-error.log + CustomLog logs/planet.fedoraproject.org-access.log common + + UserDir disable + AddCharset UTF-8 .xml + + RedirectMatch permanent /(.*) http://fedoraplanet.org/$1 + +</VirtualHost>

Thanks!
Zach
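Review bot: in the people.yml hunk the letsencrypt role is listed after `- planet`, but the planet.conf hunk in this same series templates a :443 vhost that points at /etc/letsencrypt/live/fedoraplanet.org/*.pem, so on a fresh host httpd is reloaded with cert paths that do not exist yet and the reload fails before the cert is ever requested; either move `- { role: letsencrypt, site_name: 'fedoraplanet.org' }` above `- planet`, or make the :443 vhost in the template conditional on the cert being present, and check how the taskotron-dev playbook orders the two. Also confirm the role directory is really `letsencrypt`: the quoted instructions call it `letencrypt`, and the cover text says "certgetter role", so three names are in play for one role.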
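Review bot: the second RewriteRule in the planet.conf :80 hunk, `"^/?(.*)" "https://fedoraproject.org/$1" [L,R=301,NE]`, matches every request, so all plain-HTTP traffic for fedoraplanet.org that is not under /.well-known/ is 301'd to fedoraproject.org instead of to the new https://fedoraplanet.org vhost; if the intent (per the comment and Kevin's note) is only to let certgetter answer the challenge through the proxies, restrict that redirect to `^/\.well-known/acme-challenge/(.*)` and send the rest to `https://fedoraplanet.org/$1`. As written the first rule also serves /.well-known/ locally from /srv/web/acme-challenge and stops with [L], so the certgetter redirect can never fire for the ACME path; keep one of the two mechanisms, not both. Separately, the first rule shows no whitespace between the pattern `^/\.well-known/(.*)` and the substitution `/srv/web/acme-challenge/.well-known/$1`; if that is the file content and not mail wrapping, httpd reads it as a two-argument rule with `[L]` as the substitution string.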
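Review bot: the trailing `RedirectMatch permanent /(.*) http://fedoraplanet.org/$1` in the new :443 vhost sends every HTTPS request straight back to plain HTTP, so the TLS vhost never serves a page; it was carried over from the preceding vhost and should be dropped here. The TLS settings also need tightening: `SSLProtocol ALL -SSLv2` still allows SSLv3 (use at least `all -SSLv2 -SSLv3`), and `SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL` with `SSLHonorCipherOrder On` makes RC4 the server's first preference while `ALL` admits every suite not explicitly excluded. `SSLCertificateChainFile` should reference chain.pem rather than fullchain.pem (fullchain already contains the leaf, so the leaf is sent twice); on httpd 2.4.8 or newer, set `SSLCertificateFile` to fullchain.pem and drop the chain directive. Minor: `ServerName fedoraplanet.org` appears twice in the vhost, and the access log name `planet.fedoraproject.org-access.log` differs from the :80 vhost's `fedoraplanet.org-access.log`.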
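The following is an added example, not Zach's patch and not code from the Fedora ansible repository: one way the two planet vhosts could look with the redirect narrowed and the TLS settings tightened. It follows Kevin's description that a redirect to fedoraproject.org is proxied into certgetter, so only the ACME HTTP-01 path is sent there and everything else on port 80 is moved to https://fedoraplanet.org; the :443 vhost serves the site directly. The `{{public_ip}}:80 _default_:80` vhost header, the `SSLProtocol` and `SSLCipherSuite` values, and the requirement of httpd 2.4.8 or newer (so fullchain.pem can be given as `SSLCertificateFile`) are assumptions of this example, not Fedora infrastructure conventions; mod_rewrite and mod_ssl are assumed loaded.

```apache
# Added example; not from the patch or the Fedora ansible repo.
# Assumes httpd >= 2.4.8 and that mod_rewrite and mod_ssl are loaded.
<VirtualHost {{public_ip}}:80 _default_:80>
  ServerName fedoraplanet.org
  ServerAdmin admin@xxxxxxxxxxxxxxxx

  RewriteEngine on
  # Only the ACME HTTP-01 path is sent to fedoraproject.org, whose proxies
  # hand it to certgetter (per Kevin's note). Let's Encrypt follows the 301.
  RewriteRule ^/\.well-known/acme-challenge/(.*) https://fedoraproject.org/.well-known/acme-challenge/$1 [L,R=301,NE]
  # Everything else goes to the TLS vhost of this same site, not elsewhere.
  RewriteRule ^/?(.*) https://fedoraplanet.org/$1 [L,R=301,NE]

  ErrorLog logs/planet-error.log
  CustomLog logs/fedoraplanet.org-access.log common
</VirtualHost>

<VirtualHost {{public_ip}}:443 _default_:443>
  ServerName fedoraplanet.org
  ServerAdmin admin@xxxxxxxxxxxxxxxx
  DocumentRoot "/srv/planet/site/"

  SSLEngine on
  # fullchain.pem holds leaf + intermediates; no SSLCertificateChainFile needed
  # on httpd 2.4.8+, and the leaf is no longer sent twice.
  SSLCertificateFile    /etc/letsencrypt/live/fedoraplanet.org/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/fedoraplanet.org/privkey.pem
  # SSLv2 and SSLv3 off; TLS 1.0/1.1 off as well unless old clients must be kept.
  SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
  SSLHonorCipherOrder on
  # Forward-secret AEAD suites only; RC4 and the catch-all ALL are gone.
  SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305

  # No RedirectMatch back to http:// here: this vhost is the one that serves
  # the site, otherwise every HTTPS hit bounces straight back to port 80.
  UserDir disable
  AddCharset UTF-8 .xml

  ErrorLog logs/planet-error.log
  CustomLog logs/fedoraplanet.org-access.log common
</VirtualHost>
```

Before reloading, run `apachectl configtest` (or `httpd -t`) so a missing space in a RewriteRule or an absent cert file is caught as a config error rather than taking the site down; after the cert is issued, `openssl s_client -connect fedoraplanet.org:443 -ssl3` should fail to negotiate and `-cipher RC4-SHA` should be refused.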
_______________________________________________
infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@xxxxxxxxxxxxxxxxxxxxxxx