add in openshift staging wildcard cert, keep prod pointing to fpo until we deploy there

inventory/group_vars/all

@@ -138,6 +138,12 @@ wildcard_crt_file: wildcard-2017.fedoraproject.org.cert
 wildcard_key_file: wildcard-2017.fedoraproject.org.key
 wildcard_int_file: wildcard-2017.fedoraproject.org.intermediate.cert
 
+# This is the openshift wildcard cert. Until it exists set it equal to wildcard
+os_wildcard_cert_name: wildcard-2017.fedoraproject.org
+os_wildcard_crt_file: wildcard-2017.fedoraproject.org.cert
+os_wildcard_key_file: wildcard-2017.fedoraproject.org.key
+os_wildcard_int_file: wildcard-2017.fedoraproject.org.intermediate.cert
+
 # Everywhere, always, we should sign messages and validate signatures.
 # However, we allow individual hosts and groups to override this.  Use this very
 # carefully.. and never in production (good for testing stuff in staging).

inventory/group_vars/staging

@@ -10,6 +10,11 @@ wildcard_cert_file: wildcard-2017.stg.fedoraproject.org.cert
 wildcard_key_file: wildcard-2017.stg.fedoraproject.org.key
 wildcard_int_file: wildcard-2017.stg.fedoraproject.org.intermediate.cert
 
+# This is the openshift wildcard cert for stg
+os_wildcard_cert_name: wildcard-2017.app.os.stg.fedoraproject.org
+os_wildcard_cert_file: wildcard-2017.app.os.stg.fedoraproject.org.cert
+os_wildcard_key_file: wildcard-2017.app.os.stg.fedoraproject.org.key
+os_wildcard_int_file: wildcard-2017.stg.fedoraproject.org.intermediate.cert
 
 # This only does anything if the host is not RHEL6
 collectd_graphite: True

playbooks/include/proxies-websites.yml

@@ -566,7 +566,8 @@
     name: app.os.fedoraproject.org
     server_aliases: ["*.app.os.fedoraproject.org", "*.app.os.stg.fedoraproject.org"]
     sslonly: true
-    cert_name: "{{wildcard_cert_name}}"
+    cert_name: "{{os_wildcard_cert_name}}"
+    SSLCertificateChainFile: wildcard-2017.app.os.stg.fedoraproject.org.intermediate.cert
 
   - role: httpd/website
     name: registry.fedoraproject.org