Freeze Break Request: update wildcard cert to new one


 




This patch should make the changes to the appropriate files so that the various playbooks will use the newer wildcard-2020 certificate.

--
Stephen J Smoogen.

From 40a3b08e2120f7e43bd5352b16f8717da64a828f Mon Sep 17 00:00:00 2001
From: Stephen Smoogen <smooge@xxxxxxxxxx>
Date: Thu, 27 Feb 2020 21:19:54 +0000
Subject: [PATCH] put in patches to use wildcard2020

---
 files/httpd/website_id_fp_o_zanata.conf              | 6 +++---
 inventory/group_vars/all                             | 8 ++++----
 playbooks/include/proxies-certificates.yml           | 4 ++--
 playbooks/include/proxies-websites.yml               | 2 +-
 roles/download/tasks/main.yml                        | 6 +++---
 roles/fedmsg/gateway/slave/tasks/main.yml            | 4 ++--
 roles/fedmsg/gateway/slave/templates/stunnel-conf.j2 | 4 ++--
 roles/httpd/website/defaults/main.yml                | 2 +-
 roles/kojipkgs/files/squid.conf                      | 2 +-
 9 files changed, 19 insertions(+), 19 deletions(-)

diff --git a/files/httpd/website_id_fp_o_zanata.conf b/files/httpd/website_id_fp_o_zanata.conf
index f2c9322..871be0e 100644
--- a/files/httpd/website_id_fp_o_zanata.conf
+++ b/files/httpd/website_id_fp_o_zanata.conf
@@ -14,9 +14,9 @@ Listen 44342 https
 
   SSLEngine on
   SSLUseStapling on
-  SSLCertificateFile /etc/pki/tls/certs/wildcard-2017.fedoraproject.org.cert
-  SSLCertificateKeyFile /etc/pki/tls/private/wildcard-2017.fedoraproject.org.key
-  SSLCertificateChainFile /etc/pki/tls/certs/wildcard-2017.fedoraproject.org.intermediate.cert
+  SSLCertificateFile /etc/pki/tls/certs/wildcard-2020.fedoraproject.org.cert
+  SSLCertificateKeyFile /etc/pki/tls/private/wildcard-2020.fedoraproject.org.key
+  SSLCertificateChainFile /etc/pki/tls/certs/wildcard-2020.fedoraproject.org.intermediate.cert
 
   SSLHonorCipherOrder On
 
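Review bot: The intermediate file named on the new `SSLCertificateChainFile` line must be the 2020 certificate's own issuing chain, not the 2017 file renamed; with `SSLUseStapling on` two lines above, a chain that does not contain the issuer makes mod_ssl log a stapling init error for this vhost even though httpd still starts, so check the new intermediate against the new leaf before deploying. This file is a static copy under files/ and so hard-codes three names that inventory/group_vars/all already carries as `wildcard_crt_file`, `wildcard_key_file` and `wildcard_int_file`; converting it to a template that references those would keep it in step with the next rotation. `SSLCertificateChainFile` has been deprecated since httpd 2.4.8 in favour of appending the chain to the `SSLCertificateFile` PEM — fine to keep for now, but worth a comment here so the next rotation can consolidate. The enclosing VirtualHost starts and ends outside the hunk.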
diff --git a/inventory/group_vars/all b/inventory/group_vars/all
index f862897..ef0057e 100644
--- a/inventory/group_vars/all
+++ b/inventory/group_vars/all
@@ -235,10 +235,10 @@ max_cpu: "{{ num_cpus * 5 }}"
 
 # This is the wildcard certname for our proxies.  It has a different name for
 # the staging group and is used in the proxies.yml playbook.
-wildcard_cert_name: wildcard-2017.fedoraproject.org
-wildcard_crt_file: wildcard-2017.fedoraproject.org.cert
-wildcard_key_file: wildcard-2017.fedoraproject.org.key
-wildcard_int_file: wildcard-2017.fedoraproject.org.intermediate.cert
+wildcard_cert_name: wildcard-2020.fedoraproject.org
+wildcard_crt_file: wildcard-2020.fedoraproject.org.cert
+wildcard_key_file: wildcard-2020.fedoraproject.org.key
+wildcard_int_file: wildcard-2020.fedoraproject.org.intermediate.cert
 
 # This is the openshift wildcard cert. Until it exists set it equal to wildcard
 os_wildcard_cert_name: wildcard-2017.app.os.fedoraproject.org
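Review bot: The three file-name variables on the new lines restate `wildcard_cert_name` plus a suffix, so every rotation edits four lines and a missed one drifts silently; deriving them leaves a single point of change: `wildcard_crt_file: "{{ wildcard_cert_name }}.cert"`, `wildcard_key_file: "{{ wildcard_cert_name }}.key"`, `wildcard_int_file: "{{ wildcard_cert_name }}.intermediate.cert"`. Ansible evaluates vars lazily, so the self-reference within one group_vars file resolves fine. The context line below (`os_wildcard_cert_name`) still names the 2017 issuance and its comment says it was set "equal to wildcard" until a real one existed; if it is still the proxy wildcard in disguise it expires on the 2017 schedule and should move with this patch, so confirm whether it is an independent certificate.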
diff --git a/playbooks/include/proxies-certificates.yml b/playbooks/include/proxies-certificates.yml
index 1225570..4d494fe 100644
--- a/playbooks/include/proxies-certificates.yml
+++ b/playbooks/include/proxies-certificates.yml
@@ -16,8 +16,8 @@
   - role: httpd/mod_ssl
 
   - role: httpd/certificate
-    certname: wildcard-2017.fedoraproject.org
-    SSLCertificateChainFile: wildcard-2017.fedoraproject.org.intermediate.cert
+    certname: wildcard-2020.fedoraproject.org
+    SSLCertificateChainFile: wildcard-2020.fedoraproject.org.intermediate.cert
 
   # - role: httpd/certificate
   #   certname: wildcard-2017.fedorahosted.org
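Review bot: `certname` and `SSLCertificateChainFile` on the new lines hard-code the value that `wildcard_cert_name` and `wildcard_int_file` in inventory/group_vars/all already carry, and the same hard-coding recurs in the proxies-websites.yml, roles/httpd/website/defaults/main.yml, roles/download/tasks/main.yml, stunnel-conf.j2 and squid.conf hunks of this patch; each is a place the next rotation can miss. Where the file is Ansible-evaluated, `certname: "{{ wildcard_cert_name }}"` and `SSLCertificateChainFile: "{{ wildcard_int_file }}"` would do. The group_vars comment says staging uses a different name, so before switching confirm this role is not deliberately pinning the production certificate on staging proxies. The commented block below still references wildcard-2017.fedorahosted.org; if it is dead, delete it rather than carry a stale name. The roles list continues outside the hunk.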
diff --git a/playbooks/include/proxies-websites.yml b/playbooks/include/proxies-websites.yml
index 0dee3e7..9c8beb2 100644
--- a/playbooks/include/proxies-websites.yml
+++ b/playbooks/include/proxies-websites.yml
@@ -903,7 +903,7 @@
   - role: httpd/website
     site_name: nagios.fedoraproject.org
     server_aliases: [nagios.stg.fedoraproject.org]
-    SSLCertificateChainFile: wildcard-2017.fedoraproject.org.intermediate.cert
+    SSLCertificateChainFile: wildcard-2020.fedoraproject.org.intermediate.cert
     sslonly: true
     cert_name: "{{wildcard_cert_name}}"
 
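Review bot: `cert_name` on the context line already reads `{{wildcard_cert_name}}` while the new `SSLCertificateChainFile` line hard-codes the 2020 name, so the two halves of the same site stanza can diverge on the next rotation; `SSLCertificateChainFile: "{{ wildcard_int_file }}"` keeps them together. The role default in roles/httpd/website/defaults/main.yml is changed to exactly this value elsewhere in the patch, so the per-site override looks redundant and could be dropped, unless some intermediate scope overrides the default. The play continues outside the hunk.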
diff --git a/roles/download/tasks/main.yml b/roles/download/tasks/main.yml
index d9c6146..914f30b 100644
--- a/roles/download/tasks/main.yml
+++ b/roles/download/tasks/main.yml
@@ -62,13 +62,13 @@
   - selinux
 
 - name: Copy wildcard cert from puppet private
-  copy: src="{{private}}/files/httpd/wildcard-2017.fedoraproject.org.cert" dest=/etc/pki/tls/certs/wildcard-2017.fedoraproject.org.cert owner=root group=root mode=0644
+  copy: src="{{private}}/files/httpd/wildcard-2020.fedoraproject.org.cert" dest=/etc/pki/tls/certs/wildcard-2020.fedoraproject.org.cert owner=root group=root mode=0644
 
 - name: Copy wildcard key from puppet private
-  copy: src="{{private}}/files/httpd/wildcard-2017.fedoraproject.org.key" dest=/etc/pki/tls/private/wildcard-2017.fedoraproject.org.key owner=root group=root mode=0600
+  copy: src="{{private}}/files/httpd/wildcard-2020.fedoraproject.org.key" dest=/etc/pki/tls/private/wildcard-2020.fedoraproject.org.key owner=root group=root mode=0600
 
 - name: Copy intermediate wildcard cert from puppet private
-  copy: src="{{private}}/files/httpd/wildcard-2017.fedoraproject.org.intermediate.cert" dest=/etc/pki/tls/certs/wildcard-2017.fedoraproject.org.intermediate.cert owner=root group=root mode=0644
+  copy: src="{{private}}/files/httpd/wildcard-2020.fedoraproject.org.intermediate.cert" dest=/etc/pki/tls/certs/wildcard-2020.fedoraproject.org.intermediate.cert owner=root group=root mode=0644
 
 - name: Configure httpd dl main conf
   template: src=httpd/dl.fedoraproject.org.conf dest=/etc/httpd/conf.d/dl.fedoraproject.org.conf
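Review bot: The three copy tasks on the new lines carry no `notify`, so after the 2020 cert and key land httpd keeps serving the 2017 certificate until something else reloads it; unless a later task in this role forces a reload, each should notify the role's httpd handler (the fedmsg role in this patch uses the `notify: restart stunnel` form). The old `wildcard-2017.fedoraproject.org.key` remains in /etc/pki/tls/private after this runs; a follow-up task with `state=absent` on the old cert and key paths, run once the cutover is confirmed, removes unused private key material from the host. `mode=0600` on the key and `0644` on the certificates are correct as written.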
diff --git a/roles/fedmsg/gateway/slave/tasks/main.yml b/roles/fedmsg/gateway/slave/tasks/main.yml
index 7c77da1..d50260d 100644
--- a/roles/fedmsg/gateway/slave/tasks/main.yml
+++ b/roles/fedmsg/gateway/slave/tasks/main.yml
@@ -98,8 +98,8 @@
 
 - name: put our combined cert in place
   copy: >
-    src={{private}}/files/httpd/wildcard-2017.fedoraproject.org.combined.cert
-    dest=/etc/pki/tls/certs/wildcard-2017.fedoraproject.org.combined.cert
+    src={{private}}/files/httpd/wildcard-2020.fedoraproject.org.combined.cert
+    dest=/etc/pki/tls/certs/wildcard-2020.fedoraproject.org.combined.cert
     owner=root group=root mode=0644
   notify: restart stunnel
   tags:
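Review bot: The new `src` line expects `wildcard-2020.fedoraproject.org.combined.cert` to already exist in the private repo, and `copy` fails the play when its src is missing; the combined file is a derived artifact (leaf plus the 2020 intermediate concatenated), so confirm it was regenerated from the new chain rather than assumed alongside the other 2020 files. The `notify: restart stunnel` on the context line is right, since stunnel reads the certificate only at start. As a style point, the folded `copy: >` with `key=value` pairs would read better as native block args (`src:`, `dest:`, `owner:`, `mode: "0644"`), which is also what ansible-lint asks for. The task's `tags` list continues outside the hunk.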
diff --git a/roles/fedmsg/gateway/slave/templates/stunnel-conf.j2 b/roles/fedmsg/gateway/slave/templates/stunnel-conf.j2
index 77d11c3..53f6949 100644
--- a/roles/fedmsg/gateway/slave/templates/stunnel-conf.j2
+++ b/roles/fedmsg/gateway/slave/templates/stunnel-conf.j2
@@ -1,5 +1,5 @@
-cert = /etc/pki/tls/certs/wildcard-2017.fedoraproject.org.combined.cert
-key = /etc/pki/tls/private/wildcard-2017.fedoraproject.org.key
+cert = /etc/pki/tls/certs/wildcard-2020.fedoraproject.org.combined.cert
+key = /etc/pki/tls/private/wildcard-2020.fedoraproject.org.key
 pid = /var/run/stunnel.pid
 
 [{{ stunnel_service }}]
diff --git a/roles/httpd/website/defaults/main.yml b/roles/httpd/website/defaults/main.yml
index 3fed4bd..b7aa680 100644
--- a/roles/httpd/website/defaults/main.yml
+++ b/roles/httpd/website/defaults/main.yml
@@ -8,7 +8,7 @@ server_admin: webmaster@xxxxxxxxxxxxxxxxx
 certbot: false
 ssl: true
 sslonly: false
-SSLCertificateChainFile: wildcard-2017.fedoraproject.org.intermediate.cert
+SSLCertificateChainFile: wildcard-2020.fedoraproject.org.intermediate.cert
 gzip: false
 stssubdomains: true
 # set to true to enable the proxy to redirect the http01 challenge
diff --git a/roles/kojipkgs/files/squid.conf b/roles/kojipkgs/files/squid.conf
index 3cf8f77..b9c86c9 100644
--- a/roles/kojipkgs/files/squid.conf
+++ b/roles/kojipkgs/files/squid.conf
@@ -1,5 +1,5 @@
 http_port 80 accel defaultsite=kojipkgs.fedoraproject.org
-https_port 443 accel defaultsite=kojipkgs.fedoraproject.org cert=/etc/pki/tls/certs/wildcard-2017.squid.cert key=/etc/pki/tls/private/wildcard-2017.fedoraproject.org.key cipher=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA options=NO_SSLv2,NO_SSLv3
+https_port 443 accel defaultsite=kojipkgs.fedoraproject.org cert=/etc/pki/tls/certs/wildcard-2020.fedoraproject.org.combined.cert key=/etc/pki/tls/private/wildcard-2020.fedoraproject.org.key cipher=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA options=NO_SSLv2,NO_SSLv3
 
 cache_peer 127.0.0.1 parent 8080 0 no-query originserver name=kojipkgs
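Review bot: The old line pointed squid at a dedicated `wildcard-2017.squid.cert`, while the new line points at `wildcard-2020.fedoraproject.org.combined.cert`; the only task in this patch that deploys a combined cert is the fedmsg gateway slave role, so unless the kojipkgs role (not in the diff) copies that file onto the squid hosts, squid will fail to bind 443 after this lands. Worth confirming the kojipkgs tasks, and, if the squid-specific file was dropped on purpose, noting that in the commit message. The cipher string and `options=NO_SSLv2,NO_SSLv3` are unchanged here; it still advertises CBC and SHA-1 suites and does not disable TLS 1.0/1.1, which is out of scope for a certificate swap but a reasonable follow-up.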
 
-- 
1.8.3.1

