From 1e712cdc30ae0b740d387e031999739925e2f872 Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Mon, 21 Feb 2022 10:19:17 -0800
Subject: [PATCH] Revert "Revert "wildcard-2022.fedoraproject.org cert""

This reverts commit 4430178b29f481dde2b69b115fec9d9452b1f8d0.

It's time to put this back before the cert expires and before we go into Beta freeze. Hopefully the odd issue with armv7 qemu guests having a time behind real time is not still happening.
---
 inventory/group_vars/all | 8 ++++----
 playbooks/include/proxies-certificates.yml | 4 ++++
 playbooks/include/proxies-websites.yml | 2 +-
 roles/download/tasks/main.yml | 6 +++---
 roles/fedmsg/gateway/slave/tasks/main.yml | 4 ++--
 roles/fedmsg/gateway/slave/templates/stunnel-conf.j2 | 4 ++--
 roles/httpd/website/defaults/main.yml | 2 +-
 7 files changed, 17 insertions(+), 13 deletions(-)

diff --git a/inventory/group_vars/all b/inventory/group_vars/all
index cc6fb7727e..7916588b92 100644
--- a/inventory/group_vars/all
+++ b/inventory/group_vars/all
@@ -254,10 +254,10 @@ virt_install_command_two_nic_unsafe: virt-install -n {{ inventory_hostname }} --
 vpn: False
 # This is the wildcard certname for our proxies. It has a different name for
 # the staging group and is used in the proxies.yml playbook.
-wildcard_cert_name: wildcard-2020.fedoraproject.org
-wildcard_crt_file: wildcard-2020.fedoraproject.org.cert
-wildcard_int_file: wildcard-2020.fedoraproject.org.intermediate.cert
-wildcard_key_file: wildcard-2020.fedoraproject.org.key
+wildcard_cert_name: wildcard-2022.fedoraproject.org
+wildcard_crt_file: wildcard-2022.fedoraproject.org.cert
+wildcard_int_file: wildcard-2022.fedoraproject.org.intermediate.cert
+wildcard_key_file: wildcard-2022.fedoraproject.org.key
 #
 # say if we want the apache role dependency for mod_wsgi or not
 # In some cases we want mod_wsgi and no apache (for python3 httpaio stuff)
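Review bot: The certificate name these four `wildcard_*` variables now carry is spelled out again as a literal in proxies-certificates.yml, proxies-websites.yml, roles/download/tasks/main.yml, the fedmsg gateway tasks, stunnel-conf.j2 and roles/httpd/website/defaults/main.yml, which is why this rotation touches seven files and why the next one can miss one. Those places could reference the inventory instead, e.g. `SSLCertificateChainFile: "{{ wildcard_int_file }}"` in the website defaults and `src="{{private}}/files/httpd/{{ wildcard_crt_file }}"` in the download role, so a rotation becomes a single change here; whether every affected host inherits group_vars/all should be confirmed before switching the roles over. The clock problem the commit message mentions is worth checking before rollout rather than hoping it is gone: a host whose clock is behind the new certificate's NotBefore rejects it as not yet valid, so verifying time sync on the proxies and gateways first avoids a confusing partial outage.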
diff --git a/playbooks/include/proxies-certificates.yml b/playbooks/include/proxies-certificates.yml
index 6f0ce7cd68..2a34e456dd 100644
--- a/playbooks/include/proxies-certificates.yml
+++ b/playbooks/include/proxies-certificates.yml
@@ -19,6 +19,10 @@
     certname: wildcard-2020.fedoraproject.org
     SSLCertificateChainFile: wildcard-2020.fedoraproject.org.intermediate.cert
 
+  - role: httpd/certificate
+    certname: wildcard-2022.fedoraproject.org
+    SSLCertificateChainFile: wildcard-2022.fedoraproject.org.intermediate.cert
+
   - role: httpd/certificate
     certname: wildcard-2020.id.fedoraproject.org
     SSLCertificateChainFile: wildcard-2020.id.fedoraproject.org.intermediate.cert
diff --git a/playbooks/include/proxies-websites.yml b/playbooks/include/proxies-websites.yml
index d447d310d8..3067cfd6c7 100644
--- a/playbooks/include/proxies-websites.yml
+++ b/playbooks/include/proxies-websites.yml
@@ -911,7 +911,7 @@
   - role: httpd/website
     site_name: nagios.fedoraproject.org
     server_aliases: [nagios.stg.fedoraproject.org]
-    SSLCertificateChainFile: wildcard-2020.fedoraproject.org.intermediate.cert
+    SSLCertificateChainFile: wildcard-2022.fedoraproject.org.intermediate.cert
     sslonly: true
     cert_name: "{{wildcard_cert_name}}"
 
diff --git a/roles/download/tasks/main.yml b/roles/download/tasks/main.yml
index fa3686906d..1c3c4f2040 100644
--- a/roles/download/tasks/main.yml
+++ b/roles/download/tasks/main.yml
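Review bot: The wildcard-2020 entry stays in the role list next to the new wildcard-2022 one, so both certificate and key pairs keep being deployed to every proxy. Keeping the old pair through the overlap is reasonable, but nothing records that it is temporary, and an expired private key left on hosts is material that has to be protected for no benefit; a comment on the old entry such as `# TODO: remove once wildcard-2022 is serving everywhere` would capture the follow-up. The role list this hunk belongs to starts above the hunk.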
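Review bot: The nagios site's `SSLCertificateChainFile` override now carries the same literal that roles/httpd/website/defaults/main.yml sets as the role default in this patch, while `cert_name` on the line after it already takes `{{wildcard_cert_name}}` from the inventory; the override is redundant today and is the kind of line that drifts at the next rotation. Dropping the `SSLCertificateChainFile:` line, or writing it as `SSLCertificateChainFile: "{{ wildcard_int_file }}"`, keeps this site in step with the inventory without a per-site literal. The enclosing list starts above the hunk.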
@@ -56,13 +56,13 @@
     - selinux
 
 - name: Copy wildcard cert from puppet private
-  copy: src="{{private}}/files/httpd/wildcard-2020.fedoraproject.org.cert" dest=/etc/pki/tls/certs/wildcard-2020.fedoraproject.org.cert owner=root group=root mode=0644
+  copy: src="{{private}}/files/httpd/wildcard-2022.fedoraproject.org.cert" dest=/etc/pki/tls/certs/wildcard-2022.fedoraproject.org.cert owner=root group=root mode=0644
 
 - name: Copy wildcard key from puppet private
-  copy: src="{{private}}/files/httpd/wildcard-2020.fedoraproject.org.key" dest=/etc/pki/tls/private/wildcard-2020.fedoraproject.org.key owner=root group=root mode=0600
+  copy: src="{{private}}/files/httpd/wildcard-2022.fedoraproject.org.key" dest=/etc/pki/tls/private/wildcard-2022.fedoraproject.org.key owner=root group=root mode=0600
 
 - name: Copy intermediate wildcard cert from puppet private
-  copy: src="{{private}}/files/httpd/wildcard-2020.fedoraproject.org.intermediate.cert" dest=/etc/pki/tls/certs/wildcard-2020.fedoraproject.org.intermediate.cert owner=root group=root mode=0644
+  copy: src="{{private}}/files/httpd/wildcard-2022.fedoraproject.org.intermediate.cert" dest=/etc/pki/tls/certs/wildcard-2022.fedoraproject.org.intermediate.cert owner=root group=root mode=0644
 
 - name: Configure httpd dl main conf
   template: src=httpd/dl.fedoraproject.org.conf dest=/etc/httpd/conf.d/dl.fedoraproject.org.conf
diff --git a/roles/fedmsg/gateway/slave/tasks/main.yml b/roles/fedmsg/gateway/slave/tasks/main.yml
index d50260d844..e2aeb94f0e 100644
--- a/roles/fedmsg/gateway/slave/tasks/main.yml
+++ b/roles/fedmsg/gateway/slave/tasks/main.yml
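Review bot: None of the three copy tasks carries a `notify:` in the hunk, so an httpd that is already running keeps serving the 2020 certificate after the files on disk are replaced, until something else restarts it; if the role restarts httpd from a later task that is fine, but it is not visible here and the fedmsg gateway task in this same patch does notify its service. Adding `notify: <the role's httpd restart handler>` to each copy task ties the reload to the file change. The key task keeps root ownership and `mode=0600`, which is right for private key material. As a point of style, the `key=value` module-argument form is legacy; native YAML arguments (`src:`, `dest:`, `mode: "0600"`) read and lint better, and quoting the mode avoids the octal-literal trap.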
@@ -98,8 +98,8 @@
 
 - name: put our combined cert in place
   copy: >
-    src={{private}}/files/httpd/wildcard-2020.fedoraproject.org.combined.cert
-    dest=/etc/pki/tls/certs/wildcard-2020.fedoraproject.org.combined.cert
+    src={{private}}/files/httpd/wildcard-2022.fedoraproject.org.combined.cert
+    dest=/etc/pki/tls/certs/wildcard-2022.fedoraproject.org.combined.cert
     owner=root group=root mode=0644
   notify: restart stunnel
   tags:
diff --git a/roles/fedmsg/gateway/slave/templates/stunnel-conf.j2 b/roles/fedmsg/gateway/slave/templates/stunnel-conf.j2
index 53f69497cc..1fa9cd5474 100644
--- a/roles/fedmsg/gateway/slave/templates/stunnel-conf.j2
+++ b/roles/fedmsg/gateway/slave/templates/stunnel-conf.j2
@@ -1,5 +1,5 @@
-cert = /etc/pki/tls/certs/wildcard-2020.fedoraproject.org.combined.cert
-key = /etc/pki/tls/private/wildcard-2020.fedoraproject.org.key
+cert = /etc/pki/tls/certs/wildcard-2022.fedoraproject.org.combined.cert
+key = /etc/pki/tls/private/wildcard-2022.fedoraproject.org.key
 pid = /var/run/stunnel.pid
 
 [{{ stunnel_service }}]
diff --git a/roles/httpd/website/defaults/main.yml b/roles/httpd/website/defaults/main.yml
index b7aa68040b..1d74294387 100644
--- a/roles/httpd/website/defaults/main.yml
+++ b/roles/httpd/website/defaults/main.yml
@@ -8,7 +8,7 @@ server_admin: webmaster@fedoraproject.org
 certbot: false
 ssl: true
 sslonly: false
-SSLCertificateChainFile: wildcard-2020.fedoraproject.org.intermediate.cert
+SSLCertificateChainFile: wildcard-2022.fedoraproject.org.intermediate.cert
 gzip: false
 stssubdomains: true
 # set to true to enable the proxy to redirect the http01 challenge
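Review bot: `key =` now points at `/etc/pki/tls/private/wildcard-2022.fedoraproject.org.key`, but the only task touched in roles/fedmsg/gateway/slave/tasks/main.yml places the combined cert, and the diffstat shows no other line of that file changed; if the private key for stunnel is copied by a task elsewhere in that role, it still delivers the 2020 key, and the `restart stunnel` handler fired by the cert copy would then bring stunnel up against a missing key file. Confirm where the 2022 key lands on the gateway hosts (another role using `wildcard_key_file` would cover it) before this is deployed, and consider rendering both paths from the inventory, `key = /etc/pki/tls/private/{{ wildcard_key_file }}`, so the template cannot disagree with the copy tasks. The `[{{ stunnel_service }}]` section below the hunk is unchanged.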