pagure: handle stunnel bundled cert in letsencrypt renews
This commit removes the old tasks to try and create a cert/intermediate bundle file for stunnel in favor of just doing it when we renew/get the cert. It also fixes stunnel to use the correct bundled cert. Signed-off-by: Kevin Fenzi <kevin@scrye.com>
This commit is contained in:
parent
ff51231e77
commit
d44bc3991c
4 changed files with 18 additions and 25 deletions
|
@ -47,6 +47,7 @@
|
||||||
#
|
#
|
||||||
- role: letsencrypt
|
- role: letsencrypt
|
||||||
site_name: "stg.pagure.io"
|
site_name: "stg.pagure.io"
|
||||||
|
certbot_bundlehost: pagure02.fedoraproject.org
|
||||||
server_aliases:
|
server_aliases:
|
||||||
- stg.pagure.io
|
- stg.pagure.io
|
||||||
- docs.stg.pagure.org
|
- docs.stg.pagure.org
|
||||||
|
@ -58,6 +59,7 @@
|
||||||
|
|
||||||
- role: letsencrypt
|
- role: letsencrypt
|
||||||
site_name: "pagure.io"
|
site_name: "pagure.io"
|
||||||
|
certbot_bundlehost: pagure-stg01.fedoraproject.org
|
||||||
server_aliases:
|
server_aliases:
|
||||||
- docs.pagure.org
|
- docs.pagure.org
|
||||||
- lists.pagure.io
|
- lists.pagure.io
|
||||||
|
|
|
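Review bot: The two new certbot_bundlehost values look swapped: the `site_name: "stg.pagure.io"` entry gets `certbot_bundlehost: pagure02.fedoraproject.org` while the `site_name: "pagure.io"` entry gets `certbot_bundlehost: pagure-stg01.fedoraproject.org`. If those host names mean what they appear to, the production bundle is delegated to the staging host and vice versa, and since the stunnel.conf template in this same commit selects `pagure.io.bundle.cert` or `stg.pagure.io.bundle.cert` by env, each host would then reference a bundle that is never written to it. The same swap applies to both hunks of this file (-47 and -58). I would expect `certbot_bundlehost: pagure-stg01.fedoraproject.org` under stg.pagure.io and `certbot_bundlehost: pagure02.fedoraproject.org` under pagure.io; the role entries themselves continue outside the hunks.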
@ -135,3 +135,17 @@
|
||||||
- letsencrypt
|
- letsencrypt
|
||||||
delegate_to: "{{ certbot_addhost }}"
|
delegate_to: "{{ certbot_addhost }}"
|
||||||
when: certbot_addhost is defined
|
when: certbot_addhost is defined
|
||||||
|
|
||||||
|
- name: Install certificate bundle
|
||||||
|
copy: >
|
||||||
|
dest=/etc/pki/tls/certs/{{site_name}}.bundle.cert
|
||||||
|
content="{{certbot_chain.stdout}} {{certbot_certificate.stdout}}"
|
||||||
|
owner=root
|
||||||
|
group=root
|
||||||
|
mode=0644
|
||||||
|
notify:
|
||||||
|
- reload stunnel
|
||||||
|
tags:
|
||||||
|
- letsencrypt
|
||||||
|
delegate_to: "{{ certbot_bundlehost }}"
|
||||||
|
when: certbot_bundlehost is defined
|
||||||
|
|
|
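Review bot: The bundle written by the new "Install certificate bundle" task puts the chain before the leaf and joins the two PEM blobs with a single space (`content="{{certbot_chain.stdout}} {{certbot_certificate.stdout}}"` inside a folded `copy: >` scalar), whereas the `cat` tasks this commit deletes concatenated the leaf certificate first and then the intermediate. OpenSSL-based servers such as stunnel take the first certificate in the file as the server certificate and need each PEM block on its own lines, so as written the file is likely to load only the intermediate or to fail to parse at the space-joined boundary. I would move the module arguments to block form and write `content: "{{ certbot_certificate.stdout }}\n{{ certbot_chain.stdout }}\n"` so order and separators match what the removed tasks produced. The task also notifies `reload stunnel`, which has to be a handler reachable from the letsencrypt role on every host that sets certbot_bundlehost; the handlers are not visible here. What certbot_chain and certbot_certificate hold is registered outside this hunk, so the ordering point assumes they are the chain and the leaf certificate respectively.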
@ -214,29 +214,6 @@
|
||||||
- pagure
|
- pagure
|
||||||
- stunnel
|
- stunnel
|
||||||
|
|
||||||
- name: ensure old stunnel init file is gone
|
|
||||||
file: dest=/etc/init.d/stunnel/stunnel.init state=absent
|
|
||||||
tags:
|
|
||||||
- pagure
|
|
||||||
- stunnel
|
|
||||||
- config
|
|
||||||
|
|
||||||
- name: make a bundle file of the cert and intermediate for stunnel
|
|
||||||
shell: cat /etc/pki/tls/certs/pagure.io.cert /etc/pki/tls/certs/pagure.io.intermediate.cert > /etc/pki/tls/certs/pagure.io.bundle.cert creates=/etc/pki/tls/certs/pagure.io.bundle.cert
|
|
||||||
tags:
|
|
||||||
- pagure
|
|
||||||
- stunnel
|
|
||||||
- config
|
|
||||||
when: env != 'pagure-staging'
|
|
||||||
|
|
||||||
- name: make a bundle file of the cert and intermediate for stunnel (stg)
|
|
||||||
shell: cat /etc/pki/tls/certs/stg.pagure.io.cert /etc/pki/tls/certs/stg.pagure.io.intermediate.cert > /etc/pki/tls/certs/stg.pagure.io.bundle.cert creates=/etc/pki/tls/certs/stg.pagure.io.bundle.cert
|
|
||||||
tags:
|
|
||||||
- pagure
|
|
||||||
- stunnel
|
|
||||||
- config
|
|
||||||
when: env == 'pagure-staging'
|
|
||||||
|
|
||||||
- name: install stunnel.conf
|
- name: install stunnel.conf
|
||||||
template: src={{ item.file }}
|
template: src={{ item.file }}
|
||||||
dest={{ item.dest }}
|
dest={{ item.dest }}
|
||||||
|
|
|
@ -1,8 +1,8 @@
|
||||||
{% if env == 'pagure-staging' %}
|
{% if env == 'pagure-staging' %}
|
||||||
cert = /etc/pki/tls/certs/stg.pagure.io.cert
|
cert = /etc/pki/tls/certs/stg.pagure.io.bundle.cert
|
||||||
key = /etc/pki/tls/private/stg.pagure.io.key
|
key = /etc/pki/tls/private/stg.pagure.io.key
|
||||||
{% else %}
|
{% else %}
|
||||||
cert = /etc/pki/tls/certs/pagure.io.cert
|
cert = /etc/pki/tls/certs/pagure.io.bundle.cert
|
||||||
key = /etc/pki/tls/private/pagure.io.key
|
key = /etc/pki/tls/private/pagure.io.key
|
||||||
{% endif %}
|
{% endif %}
|
||||||
pid = /var/run/stunnel.pid
|
pid = /var/run/stunnel.pid
|
||||||
|
|
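Review bot: With the `creates=`-guarded `cat` tasks removed in the pagure role, the file that `cert = /etc/pki/tls/certs/stg.pagure.io.bundle.cert` and `cert = /etc/pki/tls/certs/pagure.io.bundle.cert` now point at exists only after the letsencrypt role's "Install certificate bundle" task has run on the host where stunnel runs, so on a freshly provisioned host, or before certbot has issued the certificate, stunnel would reference a missing file and fail to start. If that ordering is intended, I would record it in the template with a comment such as `; the .bundle.cert (leaf + intermediates) is written by the letsencrypt role on certbot_bundlehost`; otherwise the stunnel service task should be conditioned on the bundle existing on that host.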