Revert "Revert "wildcard-2022.fedoraproject.org cert""

This reverts commit 4430178b29.

It's time to put this back before the cert expires and before we go into
Beta freeze. Hopefully the odd issue with armv7 qemu guests having a
clock that runs behind real time is no longer happening.
Kevin Fenzi 2022-02-21 10:19:17 -08:00
parent c98410fd08
commit 1e712cdc30
7 changed files with 17 additions and 13 deletions


@ -254,10 +254,10 @@ virt_install_command_two_nic_unsafe: virt-install -n {{ inventory_hostname }} --
vpn: False vpn: False
# This is the wildcard certname for our proxies. It has a different name for # This is the wildcard certname for our proxies. It has a different name for
# the staging group and is used in the proxies.yml playbook. # the staging group and is used in the proxies.yml playbook.
wildcard_cert_name: wildcard-2020.fedoraproject.org wildcard_cert_name: wildcard-2022.fedoraproject.org
wildcard_crt_file: wildcard-2020.fedoraproject.org.cert wildcard_crt_file: wildcard-2022.fedoraproject.org.cert
wildcard_int_file: wildcard-2020.fedoraproject.org.intermediate.cert wildcard_int_file: wildcard-2022.fedoraproject.org.intermediate.cert
wildcard_key_file: wildcard-2020.fedoraproject.org.key wildcard_key_file: wildcard-2022.fedoraproject.org.key
# #
# say if we want the apache role dependency for mod_wsgi or not # say if we want the apache role dependency for mod_wsgi or not
# In some cases we want mod_wsgi and no apache (for python3 httpaio stuff) # In some cases we want mod_wsgi and no apache (for python3 httpaio stuff)


@ -19,6 +19,10 @@
certname: wildcard-2020.fedoraproject.org certname: wildcard-2020.fedoraproject.org
SSLCertificateChainFile: wildcard-2020.fedoraproject.org.intermediate.cert SSLCertificateChainFile: wildcard-2020.fedoraproject.org.intermediate.cert
- role: httpd/certificate
certname: wildcard-2022.fedoraproject.org
SSLCertificateChainFile: wildcard-2022.fedoraproject.org.intermediate.cert
- role: httpd/certificate - role: httpd/certificate
certname: wildcard-2020.id.fedoraproject.org certname: wildcard-2020.id.fedoraproject.org
SSLCertificateChainFile: wildcard-2020.id.fedoraproject.org.intermediate.cert SSLCertificateChainFile: wildcard-2020.id.fedoraproject.org.intermediate.cert
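Review bot: The new `httpd/certificate` entry for wildcard-2022 is added next to the wildcard-2020 entry rather than replacing it, so both certificates (and presumably their private keys) keep being deployed to these hosts. If the overlap is only meant to cover the transition, say so in the file, for example `# wildcard-2020 stays until every vhost references wildcard-2022; remove it after the cutover`. Whether any vhost still needs the 2020 cert cannot be seen from this hunk, and the role list continues outside it.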


@ -911,7 +911,7 @@
- role: httpd/website - role: httpd/website
site_name: nagios.fedoraproject.org site_name: nagios.fedoraproject.org
server_aliases: [nagios.stg.fedoraproject.org] server_aliases: [nagios.stg.fedoraproject.org]
SSLCertificateChainFile: wildcard-2020.fedoraproject.org.intermediate.cert SSLCertificateChainFile: wildcard-2022.fedoraproject.org.intermediate.cert
sslonly: true sslonly: true
cert_name: "{{wildcard_cert_name}}" cert_name: "{{wildcard_cert_name}}"
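Review bot: `SSLCertificateChainFile` for nagios.fedoraproject.org is a hard-coded wildcard-2022 filename, while `cert_name` two lines below comes from `{{wildcard_cert_name}}`, so the leaf certificate and its chain can drift apart. The group_vars comment earlier in this commit says the staging group uses a different wildcard cert name, and this site also carries a nagios.stg alias, so a staging proxy may end up pairing its own cert with the production 2022 intermediate. Using the existing variable keeps the two together, assuming staging overrides it as well: `SSLCertificateChainFile: "{{wildcard_int_file}}"`. The role default changed in the last file of this commit hard-codes the same filename and could be handled the same way.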


@ -56,13 +56,13 @@
- selinux - selinux
- name: Copy wildcard cert from puppet private - name: Copy wildcard cert from puppet private
copy: src="{{private}}/files/httpd/wildcard-2020.fedoraproject.org.cert" dest=/etc/pki/tls/certs/wildcard-2020.fedoraproject.org.cert owner=root group=root mode=0644 copy: src="{{private}}/files/httpd/wildcard-2022.fedoraproject.org.cert" dest=/etc/pki/tls/certs/wildcard-2022.fedoraproject.org.cert owner=root group=root mode=0644
- name: Copy wildcard key from puppet private - name: Copy wildcard key from puppet private
copy: src="{{private}}/files/httpd/wildcard-2020.fedoraproject.org.key" dest=/etc/pki/tls/private/wildcard-2020.fedoraproject.org.key owner=root group=root mode=0600 copy: src="{{private}}/files/httpd/wildcard-2022.fedoraproject.org.key" dest=/etc/pki/tls/private/wildcard-2022.fedoraproject.org.key owner=root group=root mode=0600
- name: Copy intermediate wildcard cert from puppet private - name: Copy intermediate wildcard cert from puppet private
copy: src="{{private}}/files/httpd/wildcard-2020.fedoraproject.org.intermediate.cert" dest=/etc/pki/tls/certs/wildcard-2020.fedoraproject.org.intermediate.cert owner=root group=root mode=0644 copy: src="{{private}}/files/httpd/wildcard-2022.fedoraproject.org.intermediate.cert" dest=/etc/pki/tls/certs/wildcard-2022.fedoraproject.org.intermediate.cert owner=root group=root mode=0644
- name: Configure httpd dl main conf - name: Configure httpd dl main conf
template: src=httpd/dl.fedoraproject.org.conf dest=/etc/httpd/conf.d/dl.fedoraproject.org.conf template: src=httpd/dl.fedoraproject.org.conf dest=/etc/httpd/conf.d/dl.fedoraproject.org.conf
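Review bot: The three copy tasks now write to wildcard-2022 paths, and nothing in the hunk removes the files previously installed under the wildcard-2020 names, so the old private key stays in /etc/pki/tls/private on hosts that already ran this play. A cleanup task would cover that, e.g. `- name: Remove superseded wildcard key` with `file: path=/etc/pki/tls/private/wildcard-2020.fedoraproject.org.key state=absent`, added once nothing on the host still references the 2020 files. The same applies to the combined cert in the stunnel task later in this commit. The task list starts and ends outside the hunk, so an existing cleanup step elsewhere cannot be ruled out.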


@ -98,8 +98,8 @@
- name: put our combined cert in place - name: put our combined cert in place
copy: > copy: >
src={{private}}/files/httpd/wildcard-2020.fedoraproject.org.combined.cert src={{private}}/files/httpd/wildcard-2022.fedoraproject.org.combined.cert
dest=/etc/pki/tls/certs/wildcard-2020.fedoraproject.org.combined.cert dest=/etc/pki/tls/certs/wildcard-2022.fedoraproject.org.combined.cert
owner=root group=root mode=0644 owner=root group=root mode=0644
notify: restart stunnel notify: restart stunnel
tags: tags:


@ -1,5 +1,5 @@
cert = /etc/pki/tls/certs/wildcard-2020.fedoraproject.org.combined.cert cert = /etc/pki/tls/certs/wildcard-2022.fedoraproject.org.combined.cert
key = /etc/pki/tls/private/wildcard-2020.fedoraproject.org.key key = /etc/pki/tls/private/wildcard-2022.fedoraproject.org.key
pid = /var/run/stunnel.pid pid = /var/run/stunnel.pid
[{{ stunnel_service }}] [{{ stunnel_service }}]


@ -8,7 +8,7 @@ server_admin: webmaster@fedoraproject.org
certbot: false certbot: false
ssl: true ssl: true
sslonly: false sslonly: false
SSLCertificateChainFile: wildcard-2020.fedoraproject.org.intermediate.cert SSLCertificateChainFile: wildcard-2022.fedoraproject.org.intermediate.cert
gzip: false gzip: false
stssubdomains: true stssubdomains: true
# set to true to enable the proxy to redirect the http01 challenge # set to true to enable the proxy to redirect the http01 challenge