diff --git a/playbooks/include/proxies-certificates.yml b/playbooks/include/proxies-certificates.yml index e316c621d3..c63df9db4f 100644 --- a/playbooks/include/proxies-certificates.yml +++ b/playbooks/include/proxies-certificates.yml @@ -16,20 +16,20 @@ - role: httpd/mod_ssl - role: httpd/certificate - name: wildcard-2014.fedoraproject.org - SSLCertificateChainFile: wildcard-2014.fedoraproject.org.intermediate.cert + name: wildcard-2017.fedoraproject.org + SSLCertificateChainFile: wildcard-2017.fedoraproject.org.intermediate.cert - role: httpd/certificate name: wildcard-2014.fedorahosted.org SSLCertificateChainFile: wildcard-2014.fedorahosted.org.intermediate.cert - role: httpd/certificate - name: wildcard-2014.id.fedoraproject.org - SSLCertificateChainFile: wildcard-2014.id.fedoraproject.org.intermediate.cert + name: wildcard-2017.id.fedoraproject.org + SSLCertificateChainFile: wildcard-2017.id.fedoraproject.org.intermediate.cert - role: httpd/certificate - name: wildcard-2014.stg.fedoraproject.org - SSLCertificateChainFile: wildcard-2014.stg.fedoraproject.org.intermediate.cert + name: wildcard-2017.stg.fedoraproject.org + SSLCertificateChainFile: wildcard-2017.stg.fedoraproject.org.intermediate.cert - role: httpd/certificate name: fedoramagazine.org diff --git a/playbooks/include/proxies-websites.yml b/playbooks/include/proxies-websites.yml index e6036a58bb..d91dec6973 100644 --- a/playbooks/include/proxies-websites.yml +++ b/playbooks/include/proxies-websites.yml @@ -533,7 +533,7 @@ name: developer.fedoraproject.org server_aliases: [developer.stg.fedoraproject.org] # Set this explicitly to stg here.. as per the original puppet config. - SSLCertificateChainFile: wildcard-2014.stg.fedoraproject.org.intermediate.cert + SSLCertificateChainFile: wildcard-2017.stg.fedoraproject.org.intermediate.cert sslonly: true cert_name: "{{wildcard_cert_name}}" 
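Review bot: In the developer.fedoraproject.org entry (proxies-websites.yml, hunk at -533) the chain file is now pinned to `wildcard-2017.stg.fedoraproject.org.intermediate.cert`, while the leaf still comes from `cert_name: "{{wildcard_cert_name}}"`, whose definition is not part of this diff. If that variable still resolves to a 2014 name on any host, httpd would serve the old leaf with the new intermediate, and clients may fail chain validation. The same pairing appears in the taskotron, lists.stg, id.stg, beaker and nagios entries (hunks at -596, -606, -633, -685 and -731). Confirm the variable is updated in the same change, or derive the chain from it, e.g. `SSLCertificateChainFile: "{{wildcard_cert_name}}.intermediate.cert"`, assuming the intermediate files follow that naming. The entry itself starts above the hunk.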
@@ -596,7 +596,7 @@ name: taskotron.stg.fedoraproject.org server_aliases: [taskotron.stg.fedoraproject.org] # Set this explicitly to stg here.. as per the original puppet config. - SSLCertificateChainFile: wildcard-2014.stg.fedoraproject.org.intermediate.cert + SSLCertificateChainFile: wildcard-2017.stg.fedoraproject.org.intermediate.cert sslonly: true cert_name: "{{wildcard_cert_name}}" when: env == "staging" @@ -606,7 +606,7 @@ server_aliases: [lists.stg.fedoraproject.org] sslonly: true # Set this explicitly to stg here.. as per the original puppet config. - SSLCertificateChainFile: wildcard-2014.stg.fedoraproject.org.intermediate.cert + SSLCertificateChainFile: wildcard-2017.stg.fedoraproject.org.intermediate.cert cert_name: "{{wildcard_cert_name}}" - role: httpd/website @@ -614,7 +614,7 @@ server_aliases: [lists.stg.fedorahosted.org] sslonly: true # Set this explicitly to stg here.. as per the original puppet config. - SSLCertificateChainFile: wildcard-2014.fedorahosted.org.intermediate.cert + SSLCertificateChainFile: wildcard-2017.fedorahosted.org.intermediate.cert cert_name: wildcard-2014.fedorahosted.org - role: httpd/website @@ -623,8 +623,8 @@ - "*.id.fedoraproject.org" # Must not be sslonly, because example.id.fedoraproject.org must be reachable # via plain http for openid identity support - cert_name: wildcard-2014.id.fedoraproject.org - SSLCertificateChainFile: wildcard-2014.id.fedoraproject.org.intermediate.cert + cert_name: wildcard-2017.id.fedoraproject.org + SSLCertificateChainFile: wildcard-2017.id.fedoraproject.org.intermediate.cert - role: httpd/website name: id.stg.fedoraproject.org 
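Review bot: The lists.stg.fedorahosted.org entry (hunk at -614) now points `SSLCertificateChainFile` at `wildcard-2017.fedorahosted.org.intermediate.cert`, but its `cert_name` on the next line is still `wildcard-2014.fedorahosted.org`. This commit also leaves the httpd/certificate entry for fedorahosted.org in proxies-certificates.yml on the 2014 name. Unless a 2017 fedorahosted intermediate is installed elsewhere, the vhost would reference a chain file that is not deployed, or pair the 2014 leaf with an unrelated chain. If fedorahosted.org was not reissued, keep the line as `SSLCertificateChainFile: wildcard-2014.fedorahosted.org.intermediate.cert`; otherwise update `cert_name` and the certificate role entry in the same change.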
@@ -633,7 +633,7 @@ # Must not be sslonly, because example.id.fedoraproject.org must be reachable # via plain http for openid identity support cert_name: "{{wildcard_cert_name}}" - SSLCertificateChainFile: wildcard-2014.stg.fedoraproject.org.intermediate.cert + SSLCertificateChainFile: wildcard-2017.stg.fedoraproject.org.intermediate.cert when: env == "staging" - role: httpd/website @@ -685,7 +685,7 @@ name: beaker.stg.fedoraproject.org server_aliases: [beaker.stg.fedoraproject.org] # Set this explicitly to stg here.. as per the original puppet config. - SSLCertificateChainFile: wildcard-2014.stg.fedoraproject.org.intermediate.cert + SSLCertificateChainFile: wildcard-2017.stg.fedoraproject.org.intermediate.cert sslonly: true cert_name: "{{wildcard_cert_name}}" when: env == "staging" @@ -731,7 +731,7 @@ - role: httpd/website name: nagios.stg.fedoraproject.org server_aliases: [nagios.stg.fedoraproject.org] - SSLCertificateChainFile: wildcard-2014.stg.fedoraproject.org.intermediate.cert + SSLCertificateChainFile: wildcard-2017.stg.fedoraproject.org.intermediate.cert sslonly: true cert_name: "{{wildcard_cert_name}}" when: env == "staging" diff --git a/roles/download/tasks/main.yml b/roles/download/tasks/main.yml index ec91e36c79..c756c093bb 100644 --- a/roles/download/tasks/main.yml +++ b/roles/download/tasks/main.yml 
@@ -59,13 +59,13 @@ - selinux - name: Copy wildcard cert from puppet private - copy: src="{{private}}/files/httpd/wildcard-2014.fedoraproject.org.cert" dest=/etc/pki/tls/certs/wildcard-2014.fedoraproject.org.cert owner=root group=root mode=0644 + copy: src="{{private}}/files/httpd/wildcard-2017.fedoraproject.org.cert" dest=/etc/pki/tls/certs/wildcard-2017.fedoraproject.org.cert owner=root group=root mode=0644 - name: Copy wildcard key from puppet private - copy: src="{{private}}/files/httpd/wildcard-2014.fedoraproject.org.key" dest=/etc/pki/tls/private/wildcard-2014.fedoraproject.org.key owner=root group=root mode=0600 + copy: src="{{private}}/files/httpd/wildcard-2017.fedoraproject.org.key" dest=/etc/pki/tls/private/wildcard-2017.fedoraproject.org.key owner=root group=root mode=0600 - name: Copy intermediate wildcard cert from puppet private - copy: src="{{private}}/files/httpd/wildcard-2014.fedoraproject.org.intermediate.cert" dest=/etc/pki/tls/certs/wildcard-2014.fedoraproject.org.intermediate.cert owner=root group=root mode=0644 + copy: src="{{private}}/files/httpd/wildcard-2017.fedoraproject.org.intermediate.cert" dest=/etc/pki/tls/certs/wildcard-2017.fedoraproject.org.intermediate.cert owner=root group=root mode=0644 - name: Configure httpd dl main conf template: src=httpd/dl.fedoraproject.org.conf dest=/etc/httpd/conf.d/dl.fedoraproject.org.conf diff --git a/roles/download/templates/httpd/dl.fedoraproject.org.conf b/roles/download/templates/httpd/dl.fedoraproject.org.conf index 8043e46eda..02da8c2386 100644 --- a/roles/download/templates/httpd/dl.fedoraproject.org.conf +++ b/roles/download/templates/httpd/dl.fedoraproject.org.conf 
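Review bot: The three copy tasks in roles/download/tasks/main.yml write the 2017 cert, key and intermediate to new paths, so the 2014 files stay on the download hosts, including `/etc/pki/tls/private/wildcard-2014.fedoraproject.org.key`. Nothing in this hunk removes them. Once the rollover is verified, a cleanup task such as `file: path=/etc/pki/tls/private/wildcard-2014.fedoraproject.org.key state=absent` would keep retired key material off disk. No `notify` is visible on these tasks either, so confirm that a handler outside the hunk reloads httpd after the files change; the task list continues beyond the hunk.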
@@ -15,9 +15,9 @@ SSLEngine on - SSLCertificateFile /etc/pki/tls/certs/wildcard-2014.fedoraproject.org.cert - SSLCertificateKeyFile /etc/pki/tls/private/wildcard-2014.fedoraproject.org.key - SSLCertificateChainFile /etc/pki/tls/certs/wildcard-2014.fedoraproject.org.intermediate.cert + SSLCertificateFile /etc/pki/tls/certs/wildcard-2017.fedoraproject.org.cert + SSLCertificateKeyFile /etc/pki/tls/private/wildcard-2017.fedoraproject.org.key + SSLCertificateChainFile /etc/pki/tls/certs/wildcard-2017.fedoraproject.org.intermediate.cert SSLHonorCipherOrder On # https://fedorahosted.org/fedora-infrastructure/ticket/4101#comment:14 diff --git a/roles/httpd/website/defaults/main.yml b/roles/httpd/website/defaults/main.yml index 417600e8f7..99aa8b0794 100644 --- a/roles/httpd/website/defaults/main.yml +++ b/roles/httpd/website/defaults/main.yml @@ -6,5 +6,5 @@ server_aliases: [] server_admin: webmaster@fedoraproject.org ssl: true sslonly: false -SSLCertificateChainFile: wildcard-2014.fedoraproject.org.intermediate.cert +SSLCertificateChainFile: wildcard-2017.fedoraproject.org.intermediate.cert gzip: false