diff --git a/playbooks/hosts/upstreamfirst.fedorainfracloud.org.yml b/playbooks/hosts/upstreamfirst.fedorainfracloud.org.yml
index b09d0fa24b..5b92522d44 100644
--- a/playbooks/hosts/upstreamfirst.fedorainfracloud.org.yml
+++ b/playbooks/hosts/upstreamfirst.fedorainfracloud.org.yml
@@ -30,6 +30,7 @@
- sudo
- collectd/base
- postgresql_server
+ - certbot
tasks:
- include: "{{ tasks_path }}/yumrepos.yml"
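Review bot: The `- certbot` role is added without anything in this hunk showing its ordering relative to the role that installs `0_pagure.conf`, whose TLS vhosts now reference `/etc/letsencrypt/live/{{ external_hostname }}/cert.pem`; if that frontend role runs before certbot has issued the certificate, httpd's config check presumably fails on the missing files. The rest of the `roles:` list is outside this hunk, so the order should be confirmed there, along with the certbot role's webroot variable matching the `/srv/web/acme-challenge` path hard-coded in the RewriteRule of `0_pagure.conf` and its domain list covering the `docs.` and `releases.` names that vhost file serves. A short comment on the new line would document the dependency, e.g. `- certbot  # issues the Let's Encrypt cert that the frontend vhosts read from /etc/letsencrypt/live/`.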
diff --git a/roles/pagure/upstreamfirst-frontend/tasks/main.yml b/roles/pagure/upstreamfirst-frontend/tasks/main.yml
index ba1441dfcc..513c254ed4 100644
--- a/roles/pagure/upstreamfirst-frontend/tasks/main.yml
+++ b/roles/pagure/upstreamfirst-frontend/tasks/main.yml
@@ -235,23 +235,6 @@
- web
- pagure
-- name: Install the SSL cert so that we can use https
- copy: >
- src={{ private}}/files/httpd/{{ item }} dest=/etc/pki/tls/certs/{{ item }}
- owner=root group=root mode=0600
- notify: restart stunnel
- with_items:
- - pagure.io.cert
- - pagure.io.key
- - pagure.io.intermediate.cert
- - docs.pagure.org.crt
- - docs.pagure.org.intermediate.crt
- - docs.pagure.org.key
- tags:
- - config
- - pagure
- - httpd/certificate
-
- name: Install the configuration file to activate https
template: src={{ item }} dest=/etc/httpd/conf.d/{{ item }}
owner=root group=root mode=0644
diff --git a/roles/pagure/upstreamfirst-frontend/templates/0_pagure.conf b/roles/pagure/upstreamfirst-frontend/templates/0_pagure.conf
index dfc53adbf3..83c32fc643 100644
--- a/roles/pagure/upstreamfirst-frontend/templates/0_pagure.conf
+++ b/roles/pagure/upstreamfirst-frontend/templates/0_pagure.conf
@@ -9,16 +9,22 @@ WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-na
## Redirects http -> https
+ RewriteEngine on
+ RewriteRule ^/\.well-known/(.*) /srv/web/acme-challenge/.well-known/$1 [L]
ServerName {{ external_hostname }}
Redirect permanent / https://{{ external_hostname }}/
+ RewriteEngine on
+ RewriteRule ^/\.well-known/(.*) /srv/web/acme-challenge/.well-known/$1 [L]
ServerName docs.{{ external_hostname }}
Redirect permanent / https://docs.{{ external_hostname }}/
+ RewriteEngine on
+ RewriteRule ^/\.well-known/(.*) /srv/web/acme-challenge/.well-known/$1 [L]
ServerName releases.{{ external_hostname }}
Redirect permanent / https://releases.{{ external_hostname }}/
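Review bot: The RewriteRule pasted into each of the three http→https redirect hosts serves everything under `/.well-known/` from the filesystem, not only the ACME challenge directory, because the pattern is `^/\.well-known/(.*)`; narrowing it to `RewriteRule ^/\.well-known/acme-challenge/(.*) /srv/web/acme-challenge/.well-known/acme-challenge/$1 [L]` limits exposure to the path certbot actually needs. Nothing in this hunk grants access to `/srv/web/acme-challenge` — under httpd 2.4's default deny, a `<Directory /srv/web/acme-challenge>` block with `Require all granted` is needed or the challenge answers 403, unless that block already exists elsewhere in the template outside this hunk. mod_rewrite's translate hook runs ahead of mod_alias, so the `[L]` rule should take precedence over the `Redirect permanent /` that follows it, but that is inferred rather than shown here and is worth verifying with a request to the challenge path after deployment. The surrounding `<VirtualHost>` lines appear to have been dropped from this rendering, so the placement of `RewriteEngine on` inside each host cannot be confirmed from the visible lines.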
@@ -52,9 +58,12 @@ WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-na
# Use secure TLSv1.1 and TLSv1.2 ciphers
Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
- SSLCertificateFile /etc/pki/tls/certs/pagure.io.cert
- SSLCertificateChainFile /etc/pki/tls/certs/pagure.io.intermediate.cert
- SSLCertificateKeyFile /etc/pki/tls/certs/pagure.io.key
+ SSLCertificateFile /etc/letsencrypt/live/{{ external_hostname }}/cert.pem
+ SSLCertificateKeyFile /etc/letsencrypt/live/{{ external_hostname }}/privkey.pem
+ SSLCertificateChainFile /etc/letsencrypt/live/{{ external_hostname }}/fullchain.pem
+ SSLHonorCipherOrder On
+ SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL
+ SSLProtocol ALL -SSLv2
Alias /static /usr/lib/python2.7/site-packages/pagure/static/
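Review bot: `SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL` together with `SSLHonorCipherOrder On` makes RC4-SHA the server's first preference and `ALL` then admits every cipher not explicitly excluded, while `SSLProtocol ALL -SSLv2` still leaves SSLv3 and TLSv1.0 enabled — contradicting the `# Use secure TLSv1.1 and TLSv1.2 ciphers` comment kept just above. RC4 is prohibited for TLS by RFC 7465 and SSLv3 is broken by POODLE, so the minimal change is `SSLProtocol all -SSLv2 -SSLv3` and a cipher string that does not lead with RC4, e.g. `SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES`. Separately, `SSLCertificateChainFile` points at `fullchain.pem`, which already contains the leaf in `cert.pem`, so the leaf is sent twice; certbot's layout pairs `cert.pem` with `chain.pem`, or on httpd ≥ 2.4.8 (where `SSLCertificateChainFile` is deprecated) `fullchain.pem` alone as `SSLCertificateFile`. Both TLS blocks read the same `/etc/letsencrypt/live/{{ external_hostname }}/` lineage, so that certificate must carry the second block's hostname as a SAN — worth confirming against the certbot role's domain list, which is outside this diff. The same six lines are repeated in the hunk at `@@ -100,9 +109,13 @@`; the fix applies there too, and the block could become a shared include so the two stay in sync.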
@@ -100,9 +109,13 @@ WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-na
# Use secure TLSv1.1 and TLSv1.2 ciphers
Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
- SSLCertificateFile /etc/pki/tls/certs/pagure.io.cert
- SSLCertificateChainFile /etc/pki/tls/certs/pagure.io.intermediate.cert
- SSLCertificateKeyFile /etc/pki/tls/certs/pagure.io.key
+
+ SSLCertificateFile /etc/letsencrypt/live/{{ external_hostname }}/cert.pem
+ SSLCertificateKeyFile /etc/letsencrypt/live/{{ external_hostname }}/privkey.pem
+ SSLCertificateChainFile /etc/letsencrypt/live/{{ external_hostname }}/fullchain.pem
+ SSLHonorCipherOrder On
+ SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL
+ SSLProtocol ALL -SSLv2
Alias /static /usr/lib/python2.7/site-packages/pagure/static/