copr: letsencrypt configuration for copr-fe production instance

inventory/group_vars/copr_front_aws

@@ -13,6 +13,16 @@ csi_relationship: |
   - This host provides the frontend part of copr only.
   - It's the point of contact between end users and the copr build system (backend, package singer)
 
+# consumed by roles/copr/certbot
+letsencrypt:
+  predefined_deploy_script: httpd
+  certificates:
+    copr.fedorainfracloud.org:
+      domains:
+      - copr.fedorainfracloud.org
+      challenge_dir: /var/www/html
+      mail: copr-devel@lists.fedorahosted.org
+
 copr_pagure_events:
   io.pagure.prod.pagure: "https://pagure.io/"
   org.fedoraproject.prod.pagure: "https://src.fedoraproject.org/"

roles/copr/frontend-cloud/tasks/main.yml

@@ -89,17 +89,8 @@
   register: alembic_result
   changed_when: alembic_result.stdout is search("Running upgrade")
 
-# TODO: move production to lets-encrypt as well
-- name: install ssl certificates for production
-  import_tasks: "install_certs.yml"
-  when: not devel
-  tags:
-  - config
-
-# development servers use Let's Encrypt
 - name: install letsencrypt ssl certificates for dev
   include_role: name=copr/certbot
-  when: devel|bool
   tags:
   - config
 

roles/copr/frontend-cloud/templates/httpd/coprs.conf

@@ -54,15 +54,9 @@ WSGIApplicationGroup %{GLOBAL}
     SSLHonorCipherOrder on
     Header always add Strict-Transport-Security "max-age=31536000; preload"
 
-{% if not devel %}
-    SSLCertificateFile      /etc/pki/tls/certs/copr.fedorainfracloud.org.crt
-    SSLCertificateKeyFile   /etc/pki/tls/private/copr.fedorainfracloud.org.key
-    SSLCertificateChainFile /etc/pki/tls/certs/copr.fedorainfracloud.org.intermediate.crt
-{% else %}
     SSLCertificateFile      /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/cert.pem
     SSLCertificateKeyFile   /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/privkey.pem
     SSLCertificateChainFile /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/fullchain.pem
-{% endif %}
 
     WSGIPassAuthorization On