removing pagure.io certs, enabling letsencrypt

2017-05-18 16:18:55 +00:00 · 2017-05-18 16:18:55 +00:00 · e3ab9901ae
commit e3ab9901ae
parent 17a44d5b2f
3 changed files with 20 additions and 23 deletions
--- a/playbooks/hosts/upstreamfirst.fedorainfracloud.org.yml
+++ b/playbooks/hosts/upstreamfirst.fedorainfracloud.org.yml
@ -30,6 +30,7 @@
  - sudo
  - collectd/base
  - postgresql_server
  - certbot
  tasks:
  - include: "{{ tasks_path }}/yumrepos.yml"
--- a/roles/pagure/upstreamfirst-frontend/tasks/main.yml
+++ b/roles/pagure/upstreamfirst-frontend/tasks/main.yml
@ -235,23 +235,6 @@
  - web
  - pagure
 - name: Install the SSL cert so that we can use https
  copy: >
      src={{ private}}/files/httpd/{{ item }} dest=/etc/pki/tls/certs/{{ item }}
      owner=root group=root mode=0600
  notify: restart stunnel
  with_items:
  - pagure.io.cert
  - pagure.io.key
  - pagure.io.intermediate.cert
  - docs.pagure.org.crt
  - docs.pagure.org.intermediate.crt
  - docs.pagure.org.key
  tags:
  - config
  - pagure
  - httpd/certificate
 - name: Install the configuration file to activate https
  template: src={{ item }} dest=/etc/httpd/conf.d/{{ item }}
            owner=root group=root mode=0644
--- a/roles/pagure/upstreamfirst-frontend/templates/0_pagure.conf
+++ b/roles/pagure/upstreamfirst-frontend/templates/0_pagure.conf
@ -9,16 +9,22 @@ WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-na
 ## Redirects http -> https
 <VirtualHost *:80>
  RewriteEngine on
  RewriteRule ^/\.well-known/(.*) /srv/web/acme-challenge/.well-known/$1 [L]
  ServerName {{ external_hostname }}
  Redirect permanent / https://{{ external_hostname }}/
 </VirtualHost>
 <VirtualHost *:80>
  RewriteEngine on
  RewriteRule ^/\.well-known/(.*) /srv/web/acme-challenge/.well-known/$1 [L]
  ServerName docs.{{ external_hostname }}
  Redirect permanent / https://docs.{{ external_hostname }}/
 </VirtualHost>
 <VirtualHost *:80>
  RewriteEngine on
  RewriteRule ^/\.well-known/(.*) /srv/web/acme-challenge/.well-known/$1 [L]
  ServerName releases.{{ external_hostname }}
  Redirect permanent / https://releases.{{ external_hostname }}/
@ -52,9 +58,12 @@ WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-na
  # Use secure TLSv1.1 and TLSv1.2 ciphers
  Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
-  SSLCertificateFile /etc/pki/tls/certs/pagure.io.cert
+  SSLCertificateFile    /etc/letsencrypt/live/{{ external_hostname }}/cert.pem
-  SSLCertificateChainFile /etc/pki/tls/certs/pagure.io.intermediate.cert
+  SSLCertificateKeyFile /etc/letsencrypt/live/{{ external_hostname }}/privkey.pem
-  SSLCertificateKeyFile /etc/pki/tls/certs/pagure.io.key
+  SSLCertificateChainFile /etc/letsencrypt/live/{{ external_hostname }}/fullchain.pem
  SSLHonorCipherOrder On
  SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL
  SSLProtocol ALL -SSLv2
  Alias /static /usr/lib/python2.7/site-packages/pagure/static/
@ -100,9 +109,13 @@ WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-na
  # Use secure TLSv1.1 and TLSv1.2 ciphers
  Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
-  SSLCertificateFile /etc/pki/tls/certs/pagure.io.cert
+
-  SSLCertificateChainFile /etc/pki/tls/certs/pagure.io.intermediate.cert
+  SSLCertificateFile    /etc/letsencrypt/live/{{ external_hostname }}/cert.pem
-  SSLCertificateKeyFile /etc/pki/tls/certs/pagure.io.key
+  SSLCertificateKeyFile /etc/letsencrypt/live/{{ external_hostname }}/privkey.pem
  SSLCertificateChainFile /etc/letsencrypt/live/{{ external_hostname }}/fullchain.pem
  SSLHonorCipherOrder On
  SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL
  SSLProtocol ALL -SSLv2
  Alias /static /usr/lib/python2.7/site-packages/pagure/static/