From 4430178b29f481dde2b69b115fec9d9452b1f8d0 Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Mon, 31 Jan 2022 12:39:49 -0800
Subject: [PATCH] Revert "wildcard-2022.fedoraproject.org cert"

This reverts commit 57f0d4fdb676b4df8a14ddb38a841175eef8b1e1.

For an anoying reason, armv7 image builds come up with the time as 10 days ago, which makes this cert invalid. So, move back to the old cert for a week or so and then switch to the new one again. ;(
---
 inventory/group_vars/all                             | 8 ++++----
 playbooks/include/proxies-certificates.yml           | 4 ----
 playbooks/include/proxies-websites.yml               | 2 +-
 roles/download/tasks/main.yml                        | 6 +++---
 roles/fedmsg/gateway/slave/tasks/main.yml            | 4 ++--
 roles/fedmsg/gateway/slave/templates/stunnel-conf.j2 | 4 ++--
 roles/httpd/website/defaults/main.yml                | 2 +-
 7 files changed, 13 insertions(+), 17 deletions(-)

diff --git a/inventory/group_vars/all b/inventory/group_vars/all
index a55ce1e7fd..c647757097 100644
--- a/inventory/group_vars/all
+++ b/inventory/group_vars/all
@@ -254,10 +254,10 @@ virt_install_command_two_nic_unsafe: virt-install -n {{ inventory_hostname }} --
 vpn: False
 # This is the wildcard certname for our proxies. It has a different name for
 # the staging group and is used in the proxies.yml playbook.
-wildcard_cert_name: wildcard-2022.fedoraproject.org
-wildcard_crt_file: wildcard-2022.fedoraproject.org.cert
-wildcard_int_file: wildcard-2022.fedoraproject.org.intermediate.cert
-wildcard_key_file: wildcard-2022.fedoraproject.org.key
+wildcard_cert_name: wildcard-2020.fedoraproject.org
+wildcard_crt_file: wildcard-2020.fedoraproject.org.cert
+wildcard_int_file: wildcard-2020.fedoraproject.org.intermediate.cert
+wildcard_key_file: wildcard-2020.fedoraproject.org.key
 #
 # say if we want the apache role dependency for mod_wsgi or not
 # In some cases we want mod_wsgi and no apache (for python3 httpaio stuff)
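Review bot: The new `wildcard_cert_name` … `wildcard_key_file` values carry no hint that this is a temporary fallback, so a reader of `group_vars/all` cannot tell that the 2022 cert is waiting to go back in, nor that the 2020 cert has its own notAfter that the switch-back must beat. Since the commit message gives "a week or so", record it in the comment block above the variables: `# TEMPORARY (revert of 57f0d4fd): armv7 image builds boot with a clock ~10 days behind, so the 2022 cert is not yet valid for them.` / `# Switch back to wildcard-2022 once that is fixed, and before wildcard-2020 expires (openssl x509 -noout -enddate -in wildcard-2020.fedoraproject.org.cert).` Serving the older cert to every client is the workaround with the widest blast radius; if the builders' clock can be corrected at image build time instead, that would be worth noting here too.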
diff --git a/playbooks/include/proxies-certificates.yml b/playbooks/include/proxies-certificates.yml
index 7a6dc26267..2ba6a8921a 100644
--- a/playbooks/include/proxies-certificates.yml
+++ b/playbooks/include/proxies-certificates.yml
@@ -19,10 +19,6 @@
     certname: wildcard-2020.fedoraproject.org
     SSLCertificateChainFile: wildcard-2020.fedoraproject.org.intermediate.cert
 
-  - role: httpd/certificate
-    certname: wildcard-2022.fedoraproject.org
-    SSLCertificateChainFile: wildcard-2022.fedoraproject.org.intermediate.cert
-
   - role: httpd/certificate
     certname: wildcard-2020.id.fedoraproject.org
     SSLCertificateChainFile: wildcard-2020.id.fedoraproject.org.intermediate.cert
diff --git a/playbooks/include/proxies-websites.yml b/playbooks/include/proxies-websites.yml
index fed6c518c9..a17c2af85a 100644
--- a/playbooks/include/proxies-websites.yml
+++ b/playbooks/include/proxies-websites.yml
@@ -918,7 +918,7 @@
   - role: httpd/website
     site_name: nagios.fedoraproject.org
     server_aliases: [nagios.stg.fedoraproject.org]
-    SSLCertificateChainFile: wildcard-2022.fedoraproject.org.intermediate.cert
+    SSLCertificateChainFile: wildcard-2020.fedoraproject.org.intermediate.cert
     sslonly: true
     cert_name: "{{wildcard_cert_name}}"
 
diff --git a/roles/download/tasks/main.yml b/roles/download/tasks/main.yml
index 1c3c4f2040..fa3686906d 100644
--- a/roles/download/tasks/main.yml
+++ b/roles/download/tasks/main.yml
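Review bot: Removing the whole `httpd/certificate` entry for `wildcard-2022.fedoraproject.org` means the 2022 cert and key are no longer installed on the proxies at all, so the switch-back the commit message promises for next week becomes another multi-file change instead of flipping `wildcard_cert_name` in `group_vars/all`. Keeping both role entries in the list costs nothing if, as the `certname`/`SSLCertificateChainFile` parameters suggest, this role only places the files and the served certificate is chosen per site via `cert_name` — then the re-cutover is a one-variable change. Whether the role also removes files for entries that disappear cannot be seen here, so presumably the already-deployed 2022 files stay on disk either way. The enclosing roles list starts and ends outside the hunk.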
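Review bot: For nagios.fedoraproject.org the `SSLCertificateChainFile` is hard-coded to the 2020 intermediate while `cert_name` two lines below is templated from `wildcard_cert_name`, so the leaf and the chain can silently diverge the next time the variable changes, and a leaf served with a non-matching intermediate fails validation on clients that do not chase AIA. Drive both from the same source: `SSLCertificateChainFile: "{{ wildcard_int_file }}"`, which `group_vars/all` defines next to `wildcard_cert_name` and which this commit already flips in step. That would also have made this revert a no-op for this file.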
@@ -56,13 +56,13 @@
     - selinux
 
 - name: Copy wildcard cert from puppet private
-  copy: src="{{private}}/files/httpd/wildcard-2022.fedoraproject.org.cert" dest=/etc/pki/tls/certs/wildcard-2022.fedoraproject.org.cert owner=root group=root mode=0644
+  copy: src="{{private}}/files/httpd/wildcard-2020.fedoraproject.org.cert" dest=/etc/pki/tls/certs/wildcard-2020.fedoraproject.org.cert owner=root group=root mode=0644
 
 - name: Copy wildcard key from puppet private
-  copy: src="{{private}}/files/httpd/wildcard-2022.fedoraproject.org.key" dest=/etc/pki/tls/private/wildcard-2022.fedoraproject.org.key owner=root group=root mode=0600
+  copy: src="{{private}}/files/httpd/wildcard-2020.fedoraproject.org.key" dest=/etc/pki/tls/private/wildcard-2020.fedoraproject.org.key owner=root group=root mode=0600
 
 - name: Copy intermediate wildcard cert from puppet private
-  copy: src="{{private}}/files/httpd/wildcard-2022.fedoraproject.org.intermediate.cert" dest=/etc/pki/tls/certs/wildcard-2022.fedoraproject.org.intermediate.cert owner=root group=root mode=0644
+  copy: src="{{private}}/files/httpd/wildcard-2020.fedoraproject.org.intermediate.cert" dest=/etc/pki/tls/certs/wildcard-2020.fedoraproject.org.intermediate.cert owner=root group=root mode=0644
 
 - name: Configure httpd dl main conf
   template: src=httpd/dl.fedoraproject.org.conf dest=/etc/httpd/conf.d/dl.fedoraproject.org.conf
diff --git a/roles/fedmsg/gateway/slave/tasks/main.yml b/roles/fedmsg/gateway/slave/tasks/main.yml
index e2aeb94f0e..d50260d844 100644
--- a/roles/fedmsg/gateway/slave/tasks/main.yml
+++ b/roles/fedmsg/gateway/slave/tasks/main.yml
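Review bot: The three `copy:` tasks hard-code `wildcard-2020.fedoraproject.org` in both `src` and `dest` instead of using `wildcard_crt_file` / `wildcard_key_file` / `wildcard_int_file` from `group_vars/all`, which is why this revert has to edit six paths by hand; e.g. `copy: src="{{private}}/files/httpd/{{ wildcard_key_file }}" dest=/etc/pki/tls/private/{{ wildcard_key_file }} owner=root group=root mode=0600`. None of the three copies carries a `notify:`, so unless a task after the hunk's last line restarts or reloads httpd (the `template:` task closes the hunk, so I cannot tell), the swapped files land on disk but httpd keeps serving the certificate it already loaded — in this case the 2022 one the armv7 builders cannot validate. Key ownership root and `mode=0600` are right; writing these as native YAML module args rather than `key=value` strings would make that easier to review.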
@@ -98,8 +98,8 @@
 
 - name: put our combined cert in place
   copy: >
-    src={{private}}/files/httpd/wildcard-2022.fedoraproject.org.combined.cert
-    dest=/etc/pki/tls/certs/wildcard-2022.fedoraproject.org.combined.cert
+    src={{private}}/files/httpd/wildcard-2020.fedoraproject.org.combined.cert
+    dest=/etc/pki/tls/certs/wildcard-2020.fedoraproject.org.combined.cert
     owner=root group=root mode=0644
   notify: restart stunnel
   tags:
diff --git a/roles/fedmsg/gateway/slave/templates/stunnel-conf.j2 b/roles/fedmsg/gateway/slave/templates/stunnel-conf.j2
index 1fa9cd5474..53f69497cc 100644
--- a/roles/fedmsg/gateway/slave/templates/stunnel-conf.j2
+++ b/roles/fedmsg/gateway/slave/templates/stunnel-conf.j2
@@ -1,5 +1,5 @@
-cert = /etc/pki/tls/certs/wildcard-2022.fedoraproject.org.combined.cert
-key = /etc/pki/tls/private/wildcard-2022.fedoraproject.org.key
+cert = /etc/pki/tls/certs/wildcard-2020.fedoraproject.org.combined.cert
+key = /etc/pki/tls/private/wildcard-2020.fedoraproject.org.key
 pid = /var/run/stunnel.pid
 
 [{{ stunnel_service }}]
diff --git a/roles/httpd/website/defaults/main.yml b/roles/httpd/website/defaults/main.yml
index 1d74294387..b7aa68040b 100644
--- a/roles/httpd/website/defaults/main.yml
+++ b/roles/httpd/website/defaults/main.yml
@@ -8,7 +8,7 @@ server_admin: webmaster@fedoraproject.org
 certbot: false
 ssl: true
 sslonly: false
-SSLCertificateChainFile: wildcard-2022.fedoraproject.org.intermediate.cert
+SSLCertificateChainFile: wildcard-2020.fedoraproject.org.intermediate.cert
 gzip: false
 stssubdomains: true
 # set to true to enable the proxy to redirect the http01 challenge
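Review bot: This task installs the 2020 combined cert and notifies `restart stunnel`, but the private key that the stunnel template now reads from `/etc/pki/tls/private/wildcard-2020.fedoraproject.org.key` is not deployed anywhere in this hunk; if that key copy lives elsewhere in the role and was not flipped back as well, the handler restarts stunnel against a missing or mismatched key and the gateway stays down. Before applying, confirm the 2020 key is still present on the gateway slaves and pairs with the combined cert (`openssl x509 -noout -modulus` on the cert and `openssl rsa -noout -modulus` on the key should agree). As in the other roles, `{{ wildcard_key_file }}` in the template and a variable for the combined cert here would stop the two paths from drifting apart on the next rotation.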
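Review bot: The role default `SSLCertificateChainFile` is a fixed filename, while the certificate a site actually serves comes from `cert_name` (`"{{wildcard_cert_name}}"` in proxies-websites.yml), so every wildcard rotation has to edit this default in lock-step or sites send a leaf with a non-matching intermediate. `SSLCertificateChainFile: "{{ wildcard_int_file }}"` would follow the inventory variable automatically — role defaults are resolved lazily, so the `group_vars/all` value is available when the site template renders — provided every host that uses this role has `wildcard_int_file` defined (the comment in `group_vars/all` says staging carries a different name, which this default would then pick up correctly instead of the production chain).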