put in patches to use wildcard2020

2020-02-27 21:19:54 +00:00 · 2020-02-27 21:19:54 +00:00 · 37915eaf25
commit 37915eaf25
parent 190439f2b8
9 changed files with 19 additions and 19 deletions
--- a/files/httpd/website_id_fp_o_zanata.conf
+++ b/files/httpd/website_id_fp_o_zanata.conf
@ -14,9 +14,9 @@ Listen 44342 https

  SSLEngine on
  SSLUseStapling on
-  SSLCertificateFile /etc/pki/tls/certs/wildcard-2017.fedoraproject.org.cert
-  SSLCertificateKeyFile /etc/pki/tls/private/wildcard-2017.fedoraproject.org.key
-  SSLCertificateChainFile /etc/pki/tls/certs/wildcard-2017.fedoraproject.org.intermediate.cert
+  SSLCertificateFile /etc/pki/tls/certs/wildcard-2020.fedoraproject.org.cert
+  SSLCertificateKeyFile /etc/pki/tls/private/wildcard-2020.fedoraproject.org.key
+  SSLCertificateChainFile /etc/pki/tls/certs/wildcard-2020.fedoraproject.org.intermediate.cert

  SSLHonorCipherOrder On

--- a/inventory/group_vars/all
+++ b/inventory/group_vars/all
@ -235,10 +235,10 @@ max_cpu: "{{ num_cpus * 5 }}"

 # This is the wildcard certname for our proxies.  It has a different name for
 # the staging group and is used in the proxies.yml playbook.
-wildcard_cert_name: wildcard-2017.fedoraproject.org
-wildcard_crt_file: wildcard-2017.fedoraproject.org.cert
-wildcard_key_file: wildcard-2017.fedoraproject.org.key
-wildcard_int_file: wildcard-2017.fedoraproject.org.intermediate.cert
+wildcard_cert_name: wildcard-2020.fedoraproject.org
+wildcard_crt_file: wildcard-2020.fedoraproject.org.cert
+wildcard_key_file: wildcard-2020.fedoraproject.org.key
+wildcard_int_file: wildcard-2020.fedoraproject.org.intermediate.cert

 # This is the openshift wildcard cert. Until it exists set it equal to wildcard
 os_wildcard_cert_name: wildcard-2017.app.os.fedoraproject.org
--- a/playbooks/include/proxies-certificates.yml
+++ b/playbooks/include/proxies-certificates.yml
@ -16,8 +16,8 @@
  - role: httpd/mod_ssl

  - role: httpd/certificate
-    certname: wildcard-2017.fedoraproject.org
-    SSLCertificateChainFile: wildcard-2017.fedoraproject.org.intermediate.cert
+    certname: wildcard-2020.fedoraproject.org
+    SSLCertificateChainFile: wildcard-2020.fedoraproject.org.intermediate.cert

  # - role: httpd/certificate
  #   certname: wildcard-2017.fedorahosted.org
--- a/playbooks/include/proxies-websites.yml
+++ b/playbooks/include/proxies-websites.yml
@ -903,7 +903,7 @@
  - role: httpd/website
    site_name: nagios.fedoraproject.org
    server_aliases: [nagios.stg.fedoraproject.org]
-    SSLCertificateChainFile: wildcard-2017.fedoraproject.org.intermediate.cert
+    SSLCertificateChainFile: wildcard-2020.fedoraproject.org.intermediate.cert
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"

--- a/roles/download/tasks/main.yml
+++ b/roles/download/tasks/main.yml
@ -62,13 +62,13 @@
  - selinux

 - name: Copy wildcard cert from puppet private
-  copy: src="{{private}}/files/httpd/wildcard-2017.fedoraproject.org.cert" dest=/etc/pki/tls/certs/wildcard-2017.fedoraproject.org.cert owner=root group=root mode=0644
+  copy: src="{{private}}/files/httpd/wildcard-2020.fedoraproject.org.cert" dest=/etc/pki/tls/certs/wildcard-2020.fedoraproject.org.cert owner=root group=root mode=0644

 - name: Copy wildcard key from puppet private
-  copy: src="{{private}}/files/httpd/wildcard-2017.fedoraproject.org.key" dest=/etc/pki/tls/private/wildcard-2017.fedoraproject.org.key owner=root group=root mode=0600
+  copy: src="{{private}}/files/httpd/wildcard-2020.fedoraproject.org.key" dest=/etc/pki/tls/private/wildcard-2020.fedoraproject.org.key owner=root group=root mode=0600

 - name: Copy intermediate wildcard cert from puppet private
-  copy: src="{{private}}/files/httpd/wildcard-2017.fedoraproject.org.intermediate.cert" dest=/etc/pki/tls/certs/wildcard-2017.fedoraproject.org.intermediate.cert owner=root group=root mode=0644
+  copy: src="{{private}}/files/httpd/wildcard-2020.fedoraproject.org.intermediate.cert" dest=/etc/pki/tls/certs/wildcard-2020.fedoraproject.org.intermediate.cert owner=root group=root mode=0644

 - name: Configure httpd dl main conf
  template: src=httpd/dl.fedoraproject.org.conf dest=/etc/httpd/conf.d/dl.fedoraproject.org.conf
--- a/roles/fedmsg/gateway/slave/tasks/main.yml
+++ b/roles/fedmsg/gateway/slave/tasks/main.yml
@ -98,8 +98,8 @@

 - name: put our combined cert in place
  copy: >
-    src={{private}}/files/httpd/wildcard-2017.fedoraproject.org.combined.cert
-    dest=/etc/pki/tls/certs/wildcard-2017.fedoraproject.org.combined.cert
+    src={{private}}/files/httpd/wildcard-2020.fedoraproject.org.combined.cert
+    dest=/etc/pki/tls/certs/wildcard-2020.fedoraproject.org.combined.cert
    owner=root group=root mode=0644
  notify: restart stunnel
  tags:
--- a/roles/fedmsg/gateway/slave/templates/stunnel-conf.j2
+++ b/roles/fedmsg/gateway/slave/templates/stunnel-conf.j2
@ -1,5 +1,5 @@
-cert = /etc/pki/tls/certs/wildcard-2017.fedoraproject.org.combined.cert
-key = /etc/pki/tls/private/wildcard-2017.fedoraproject.org.key
+cert = /etc/pki/tls/certs/wildcard-2020.fedoraproject.org.combined.cert
+key = /etc/pki/tls/private/wildcard-2020.fedoraproject.org.key
 pid = /var/run/stunnel.pid

 [{{ stunnel_service }}]
--- a/roles/httpd/website/defaults/main.yml
+++ b/roles/httpd/website/defaults/main.yml
@ -8,7 +8,7 @@ server_admin: webmaster@fedoraproject.org
 certbot: false
 ssl: true
 sslonly: false
-SSLCertificateChainFile: wildcard-2017.fedoraproject.org.intermediate.cert
+SSLCertificateChainFile: wildcard-2020.fedoraproject.org.intermediate.cert
 gzip: false
 stssubdomains: true
 # set to true to enable the proxy to redirect the http01 challenge
--- a/roles/kojipkgs/files/squid.conf
+++ b/roles/kojipkgs/files/squid.conf
@ -1,5 +1,5 @@
 http_port 80 accel defaultsite=kojipkgs.fedoraproject.org
-https_port 443 accel defaultsite=kojipkgs.fedoraproject.org cert=/etc/pki/tls/certs/wildcard-2017.squid.cert key=/etc/pki/tls/private/wildcard-2017.fedoraproject.org.key cipher=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA options=NO_SSLv2,NO_SSLv3
+https_port 443 accel defaultsite=kojipkgs.fedoraproject.org cert=/etc/pki/tls/certs/wildcard-2020.fedoraproject.org.combined.cert key=/etc/pki/tls/private/wildcard-2020.fedoraproject.org.key cipher=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA options=NO_SSLv2,NO_SSLv3

 cache_peer 127.0.0.1 parent 8080 0 no-query originserver name=kojipkgs