From e3e3317a3df05ace45a81edacf7eaeaf27a6fe0a Mon Sep 17 00:00:00 2001 From: Stephen Smoogen Date: Thu, 2 Feb 2017 17:16:11 +0000 Subject: [PATCH] lets break all the things --- inventory/group_vars/all | 3 +++ inventory/group_vars/staging | 4 ++++ playbooks/groups/batcave.yml | 2 +- playbooks/groups/mirrorlist2.yml | 14 +++++++------- playbooks/groups/people.yml | 4 ++-- playbooks/groups/secondary.yml | 4 ++-- playbooks/groups/torrent.yml | 4 ++-- .../infrastructure.fedoraproject.org.conf.j2 | 6 +++--- .../templates/httpd/dl.fedoraproject.org.conf | 6 +++--- roles/fedmsg/gateway/slave/tasks/main.yml | 4 ++-- .../fedmsg/gateway/slave/templates/stunnel-conf.j2 | 4 ++-- roles/people/templates/people.conf | 6 +++--- 12 files changed, 34 insertions(+), 27 deletions(-) diff --git a/inventory/group_vars/all b/inventory/group_vars/all index 35e5ff749e..163a649c97 100644 --- a/inventory/group_vars/all +++ b/inventory/group_vars/all @@ -124,6 +124,9 @@ max_cpu: "{{ num_cpus * 5 }}" # This is the wildcard certname for our proxies. It has a different name for # the staging group and is used in the proxies.yml playbook. wildcard_cert_name: wildcard-2017.fedoraproject.org +wildcard_crt_file: wildcard-2017.fedoraproject.org.cert +wildcard_key_file: wildcard-2017.fedoraproject.org.key +wildcard_int_file: wildcard-2017.fedoraproject.org.intermediate.cert # Everywhere, always, we should sign messages and validate signatures. # However, we allow individual hosts and groups to override this. Use this very diff --git a/inventory/group_vars/staging b/inventory/group_vars/staging index 3707c659ed..df0edaab7b 100644 --- a/inventory/group_vars/staging +++ b/inventory/group_vars/staging 
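Review bot: The three new file-name variables repeat the certificate name that `wildcard_cert_name` already carries on the line above, so a group that overrides the name (staging does, later in this same patch) has to keep four spellings in step, and this patch itself already shows them drifting. Deriving them keeps one source of truth: `wildcard_crt_file: "{{ wildcard_cert_name }}.cert"`, `wildcard_key_file: "{{ wildcard_cert_name }}.key"`, `wildcard_int_file: "{{ wildcard_cert_name }}.intermediate.cert"`. Ansible resolves group_vars lazily, so the reference to a sibling variable is fine here; the comment above should then say that only `wildcard_cert_name` needs overriding per group.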
@@ -6,6 +6,10 @@ host_group: staging # This is the wildcard certname for our stg proxies. wildcard_cert_name: wildcard-2017.stg.fedoraproject.org +wildcard_cert_file: wildcard-2017.stg.fedoraproject.org.cert +wildcard_key_file: wildcard-2017.stg.fedoraproject.org.key +wildcard_int_file: wildcard-2017.stg.fedoraproject.org.intermediate.cert + # This only does anything if the host is not RHEL6 collectd_graphite: True diff --git a/playbooks/groups/batcave.yml b/playbooks/groups/batcave.yml index 847bea6757..b7ba11dd1b 100644 --- a/playbooks/groups/batcave.yml +++ b/playbooks/groups/batcave.yml @@ -26,7 +26,7 @@ - rsyncd - apache - httpd/mod_ssl - - { role: httpd/certificate, name: wildcard-2014.fedoraproject.org, SSLCertificateChainFile: wildcard-2014.fedoraproject.org.intermediate.cert } + - { role: httpd/certificate, name: "{{wildcard_cert_name}}", SSLCertificateChainFile: "{{wildcard_int_file}}}" } - openvpn/client - batcave diff --git a/playbooks/groups/mirrorlist2.yml b/playbooks/groups/mirrorlist2.yml index dd32f8775d..b1d9a1fbdd 100644 --- a/playbooks/groups/mirrorlist2.yml +++ b/playbooks/groups/mirrorlist2.yml 
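Review bot: The staging override is named `wildcard_cert_file`, but `group_vars/all` in this same patch defines `wildcard_crt_file`, and the httpd templates changed below read `{{ wildcard_crt_file }}`. On staging hosts that key therefore falls through to the production value, so the rendered vhost pairs `wildcard-2017.fedoraproject.org.cert` with the staging key from `wildcard_key_file`; mod_ssl refuses to start on a certificate/key mismatch. Rename the line to `wildcard_crt_file: wildcard-2017.stg.fedoraproject.org.cert` (or derive all three from `wildcard_cert_name`) so staging and production use the same variable name.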
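Review bot: The new batcave role entry has an extra closing brace in `"{{wildcard_int_file}}}"`, so Jinja renders the chain file name as `wildcard-2017.fedoraproject.org.intermediate.cert}` and the role will point mod_ssl at a file that does not exist. The line should read `- { role: httpd/certificate, name: "{{ wildcard_cert_name }}", SSLCertificateChainFile: "{{ wildcard_int_file }}" }`. The surrounding `roles:` list starts before this hunk.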
@@ -59,24 +59,24 @@ - httpd/mod_ssl - role: httpd/certificate - name: wildcard-2014.stg.fedoraproject.org - SSLCertificateChainFile: wildcard-2014.stg.fedoraproject.org.intermediate.cert + name: wildcard-2017.stg.fedoraproject.org + SSLCertificateChainFile: wildcard-2017.stg.fedoraproject.org.intermediate.cert when: env == "staging" - role: httpd/website name: mirrorlist-phx2.stg.phx2.fedoraproject.org - cert_name: wildcard-2014.stg.fedoraproject.org - SSLCertificateChainFile: wildcard-2014.stg.fedoraproject.org.intermediate.cert + cert_name: wildcard-2017.stg.fedoraproject.org + SSLCertificateChainFile: wildcard-2017.stg.fedoraproject.org.intermediate.cert when: env == "staging" - role: httpd/certificate - name: wildcard-2014.fedoraproject.org - SSLCertificateChainFile: wildcard-2014.fedoraproject.org.intermediate.cert + name: wildcard-2017.fedoraproject.org + SSLCertificateChainFile: wildcard-2017.fedoraproject.org.intermediate.cert when: env != "staging" - role: httpd/website name: mirrorlist-phx2.fedoraproject.org - cert_name: wildcard-2014.fedoraproject.org + cert_name: wildcard-2017.fedoraproject.org server_aliases: - mirrorlist-dedicatedsolutions.fedoraproject.org - mirrorlist-host1plus.fedoraproject.org diff --git a/playbooks/groups/people.yml b/playbooks/groups/people.yml index e583bd9c90..edcb05e311 100644 --- a/playbooks/groups/people.yml +++ b/playbooks/groups/people.yml @@ -75,8 +75,8 @@ - role: apache - role: httpd/certificate - name: wildcard-2014.fedorapeople.org - SSLCertificateChainFile: wildcard-2014.fedorapeople.org.intermediate.cert + name: "{{wildcard_cert_name}}" + SSLCertificateChainFile: "{{wildcard_int_file}}" - people diff --git a/playbooks/groups/secondary.yml b/playbooks/groups/secondary.yml index 1e72e56103..9b15f557b0 100644 --- a/playbooks/groups/secondary.yml +++ b/playbooks/groups/secondary.yml 
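Review bot: This playbook hard-codes `wildcard-2017.stg.fedoraproject.org` and `wildcard-2017.fedoraproject.org` in seven places while the rest of the patch switches to `wildcard_cert_name`/`wildcard_int_file`, so the next rotation has to touch this file again and it can silently disagree with the inventory. Since the staging group_vars in this patch set the same variables, each pair of `when: env == "staging"` / `when: env != "staging"` role entries can collapse to one entry using `name: "{{ wildcard_cert_name }}"` and `SSLCertificateChainFile: "{{ wildcard_int_file }}"`, with `cert_name: "{{ wildcard_cert_name }}"` on the `httpd/website` roles. The `roles:` list continues past the end of this hunk.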
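Review bot: The people group previously installed `wildcard-2014.fedorapeople.org`, but `wildcard_cert_name` as defined in `group_vars/all` in this patch is `wildcard-2017.fedoraproject.org`, a different domain. Unless a people group or host vars file not in this diff overrides `wildcard_cert_name` and `wildcard_int_file`, these hosts will serve a `*.fedoraproject.org` certificate for fedorapeople.org names and clients will see a hostname mismatch. Either add those overrides for the people group or keep an explicit `name: wildcard-2017.fedorapeople.org` here; the enclosing `roles:` list starts before this hunk.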
@@ -37,8 +37,8 @@ - role: httpd/mod_ssl - role: httpd/certificate - name: wildcard-2014.fedoraproject.org - SSLCertificateChainFile: wildcard-2014.fedoraproject.org.intermediate.cert + name: "{{wildcard_cert_name}}" + SSLCertificateChainFile: "{{wildcard_int_file}}" - role: httpd/website name: secondary.fedoraproject.org diff --git a/playbooks/groups/torrent.yml b/playbooks/groups/torrent.yml index 92f62db959..89bb79785b 100644 --- a/playbooks/groups/torrent.yml +++ b/playbooks/groups/torrent.yml @@ -26,8 +26,8 @@ - role: httpd/mod_ssl - role: httpd/certificate - name: wildcard-2014.fedoraproject.org - SSLCertificateChainFile: wildcard-2014.fedoraproject.org.intermediate.cert + name: "{{wildcard_cert_name}}" + SSLCertificateChainFile: "{{wildcard_int_name}}" - role: httpd/website name: torrent.fedoraproject.org diff --git a/roles/batcave/templates/infrastructure.fedoraproject.org.conf.j2 b/roles/batcave/templates/infrastructure.fedoraproject.org.conf.j2 index a266c05f62..72b5c6b9ec 100644 --- a/roles/batcave/templates/infrastructure.fedoraproject.org.conf.j2 +++ b/roles/batcave/templates/infrastructure.fedoraproject.org.conf.j2 @@ -110,9 +110,9 @@ ScriptAlias /cgi-bin/ "/var/www/cgi-bin/" /usr/libexec/git-core/git-http-backend/$1 SSLEngine on - SSLCertificateFile /etc/pki/tls/certs/wildcard-2014.fedoraproject.org.cert - SSLCertificateKeyFile /etc/pki/tls/private/wildcard-2014.fedoraproject.org.key - SSLCertificateChainFile /etc/pki/tls/certs/wildcard-2014.fedoraproject.org.intermediate.cert + SSLCertificateFile /etc/pki/tls/certs/{{ wildcard_crt_file }} + SSLCertificateKeyFile /etc/pki/tls/private/{{ wildcard_key_file }} + SSLCertificateChainFile /etc/pki/tls/certs/{{ wildcard_int_file }} Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" diff --git a/roles/download/templates/httpd/dl.fedoraproject.org.conf b/roles/download/templates/httpd/dl.fedoraproject.org.conf index 02da8c2386..1ca42bc409 100644 
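Review bot: The torrent role entry references `wildcard_int_name`, which no file in this patch defines; `group_vars/all` and staging define `wildcard_int_file`. Ansible will abort the torrent play with an undefined-variable error when it evaluates the `httpd/certificate` role. Change the line to `SSLCertificateChainFile: "{{ wildcard_int_file }}"` to match the secondary and people playbooks. The enclosing `roles:` list continues beyond this hunk.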
--- a/roles/download/templates/httpd/dl.fedoraproject.org.conf +++ b/roles/download/templates/httpd/dl.fedoraproject.org.conf @@ -15,9 +15,9 @@ SSLEngine on - SSLCertificateFile /etc/pki/tls/certs/wildcard-2017.fedoraproject.org.cert - SSLCertificateKeyFile /etc/pki/tls/private/wildcard-2017.fedoraproject.org.key - SSLCertificateChainFile /etc/pki/tls/certs/wildcard-2017.fedoraproject.org.intermediate.cert + SSLCertificateFile {{ wildcard_crt_file }} + SSLCertificateKeyFile {{ wildcard_key_file }} + SSLCertificateChainFile {{ wildcard_int_file }} SSLHonorCipherOrder On # https://fedorahosted.org/fedora-infrastructure/ticket/4101#comment:14 diff --git a/roles/fedmsg/gateway/slave/tasks/main.yml b/roles/fedmsg/gateway/slave/tasks/main.yml index b4febedeab..fb01e2f89c 100644 --- a/roles/fedmsg/gateway/slave/tasks/main.yml +++ b/roles/fedmsg/gateway/slave/tasks/main.yml @@ -82,8 +82,8 @@ - name: put our combined cert in place copy: > - src={{private}}/files/httpd/wildcard-2014.fedoraproject.org.combined.cert - dest=/etc/pki/tls/certs/wildcard-2014.fedoraproject.org.combined.cert + src={{private}}/files/httpd/wildcard-2017.fedoraproject.org.combined.cert + dest=/etc/pki/tls/certs/wildcard-2017.fedoraproject.org.combined.cert owner=root group=root mode=0644 notify: restart stunnel tags: diff --git a/roles/fedmsg/gateway/slave/templates/stunnel-conf.j2 b/roles/fedmsg/gateway/slave/templates/stunnel-conf.j2 index 1b590939c7..77d11c33e2 100644 --- a/roles/fedmsg/gateway/slave/templates/stunnel-conf.j2 +++ b/roles/fedmsg/gateway/slave/templates/stunnel-conf.j2 @@ -1,5 +1,5 @@ -cert = /etc/pki/tls/certs/wildcard-2014.fedoraproject.org.combined.cert -key = /etc/pki/tls/private/wildcard-2014.fedoraproject.org.key +cert = /etc/pki/tls/certs/wildcard-2017.fedoraproject.org.combined.cert +key = /etc/pki/tls/private/wildcard-2017.fedoraproject.org.key pid = /var/run/stunnel.pid [{{ stunnel_service }}] 
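Review bot: The three rewritten `SSLCertificate*` directives dropped the `/etc/pki/tls/certs/` and `/etc/pki/tls/private/` prefixes, leaving bare file names; httpd resolves relative paths against ServerRoot, so it will look for the certificate under `/etc/httpd/` and fail to start. Restore the directories as the batcave and people templates in this same patch do: `SSLCertificateFile /etc/pki/tls/certs/{{ wildcard_crt_file }}`, `SSLCertificateKeyFile /etc/pki/tls/private/{{ wildcard_key_file }}`, `SSLCertificateChainFile /etc/pki/tls/certs/{{ wildcard_int_file }}`. The enclosing VirtualHost block starts before and ends after this hunk.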
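Review bot: This task only copies the combined certificate, yet the stunnel template changed in the same patch also points at `/etc/pki/tls/private/wildcard-2017.fedoraproject.org.key`; nothing in the diff installs a key under that name, so whichever task does should be checked for the matching rename before stunnel is restarted. The new names are also hard-coded where the rest of the patch uses variables; `src={{private}}/files/httpd/{{ wildcard_cert_name }}.combined.cert` and `dest=/etc/pki/tls/certs/{{ wildcard_cert_name }}.combined.cert` (and the same in stunnel-conf.j2) would keep this role aligned with the inventory. Note this task uses the `key=value` string form for `copy`; native YAML module args would be the Ansible convention.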
diff --git a/roles/people/templates/people.conf b/roles/people/templates/people.conf index b7652b5639..337ce03d92 100644 --- a/roles/people/templates/people.conf +++ b/roles/people/templates/people.conf @@ -27,9 +27,9 @@ NameVirtualHost *:80 DocumentRoot /srv/people/site SSLEngine on - SSLCertificateFile /etc/pki/tls/certs/wildcard-2014.fedorapeople.org.cert - SSLCertificateKeyFile /etc/pki/tls/private/wildcard-2014.fedorapeople.org.key - SSLCertificateChainFile /etc/pki/tls/certs/wildcard-2014.fedorapeople.org.intermediate.cert + SSLCertificateFile /etc/pki/tls/certs/{{ wildcard_crt_file }} + SSLCertificateKeyFile /etc/pki/tls/private/{{ wildcard_key_file }} + SSLCertificateChainFile /etc/pki/tls/certs/{{ wildcard_int_file }} SSLHonorCipherOrder On SSLCipherSuite {{ ssl_ciphers }} SSLProtocol {{ ssl_protocols }}
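Review bot: This vhost previously used the `wildcard-2014.fedorapeople.org` certificate, but `wildcard_crt_file`, `wildcard_key_file` and `wildcard_int_file` as set in `group_vars/all` in this patch name `wildcard-2017.fedoraproject.org` files, a different domain. Unless a people-specific vars file outside this diff overrides them, the fedorapeople.org site will present a certificate for `*.fedoraproject.org` and browsers will reject it; a comment above the block such as `# wildcard_* are overridden for the people group in group_vars/people` would make the dependency explicit once that override exists. The new lines also rely on `wildcard_crt_file` being the spelling used everywhere, which the staging vars in this patch do not follow. The VirtualHost block starts before and ends after this hunk.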