diff --git a/inventory/group_vars/all b/inventory/group_vars/all
index f388c0de0d..8e473b5af7 100644
--- a/inventory/group_vars/all
+++ b/inventory/group_vars/all
@@ -1,4 +1,4 @@
----
+h-
 #######
 # BEGIN: Ansible roles_path variables
 #
@@ -260,10 +260,10 @@ virt_install_command_two_nic_unsafe: virt-install -n {{ inventory_hostname }} --
 vpn: False
 # This is the wildcard certname for our proxies. It has a different name for
 # the staging group and is used in the proxies.yml playbook.
-wildcard_cert_name: wildcard-2022.fedoraproject.org
-wildcard_crt_file: wildcard-2022.fedoraproject.org.cert
-wildcard_int_file: wildcard-2022.fedoraproject.org.intermediate.cert
-wildcard_key_file: wildcard-2022.fedoraproject.org.key
+wildcard_cert_name: wildcard-2023.fedoraproject.org
+wildcard_crt_file: wildcard-2023.fedoraproject.org.cert
+wildcard_int_file: wildcard-2023.fedoraproject.org.intermediate.cert
+wildcard_key_file: wildcard-2023.fedoraproject.org.key
 #
 # say if we want the apache role dependency for mod_wsgi or not
 # In some cases we want mod_wsgi and no apache (for python3 httpaio stuff)
diff --git a/playbooks/include/proxies-certificates.yml b/playbooks/include/proxies-certificates.yml
index 90a8b81e5b..caa4d26230 100644
--- a/playbooks/include/proxies-certificates.yml
+++ b/playbooks/include/proxies-certificates.yml
@@ -16,12 +16,12 @@
 - role: httpd/mod_ssl
 - role: httpd/certificate
- certname: wildcard-2022.fedoraproject.org
- SSLCertificateChainFile: wildcard-2022.fedoraproject.org.intermediate.cert
+ certname: wildcard-2023.fedoraproject.org
+ SSLCertificateChainFile: wildcard-2023.fedoraproject.org.intermediate.cert
 - role: httpd/certificate
- certname: wildcard-2022.fedoraproject.org
- SSLCertificateChainFile: wildcard-2022.fedoraproject.org.intermediate.cert
+ certname: wildcard-2023.fedoraproject.org
+ SSLCertificateChainFile: wildcard-2023.fedoraproject.org.intermediate.cert
 - role: httpd/certificate
 certname: wildcard-2022.id.fedoraproject.org
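Review bot: The first line of inventory/group_vars/all goes from the YAML document-start marker `---` to `h-`, and `h-` is not a valid replacement: a bare scalar ahead of the top-level mapping makes the file fail to load, and because this is the `all` group's vars every play that reads the inventory would break. Unless this is an artifact of how the diff was captured, the first line should be restored to `---`. The rest of this hunk is comment-only context.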
@@ -42,7 +42,7 @@
 SSLCertificateChainFile: wildcard-2023.apps.ocp.stg.fedoraproject.org.intermediate.cert
 when: env == "staging"
 tags:
- - apps.ocp.stg.fedoraproject.org
+ --- apps.ocp.stg.fedoraproject.org
 - role: httpd/certificate
 certname: wildcard-2022.apps.ocp.fedoraproject.org
diff --git a/playbooks/include/proxies-websites.yml b/playbooks/include/proxies-websites.yml
index 25ab35ec8b..4a9afda8b6 100644
--- a/playbooks/include/proxies-websites.yml
+++ b/playbooks/include/proxies-websites.yml
@@ -899,7 +899,7 @@
 - role: httpd/website
 site_name: nagios.fedoraproject.org
 server_aliases: [nagios.stg.fedoraproject.org]
- SSLCertificateChainFile: wildcard-2022.fedoraproject.org.intermediate.cert
+ SSLCertificateChainFile: wildcard-2023.fedoraproject.org.intermediate.cert
 sslonly: true
 cert_name: "{{wildcard_cert_name}}"
diff --git a/roles/download/tasks/main.yml b/roles/download/tasks/main.yml
index 1c3c4f2040..765bcaf812 100644
--- a/roles/download/tasks/main.yml
+++ b/roles/download/tasks/main.yml
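Review bot: The new `tags:` entry for the staging apps.ocp certificate reads `--- apps.ocp.stg.fedoraproject.org`, which is no longer a list item: an indented `---` is not a document marker, so `tags` turns into a plain scalar that begins with `---` and the role stops matching `--tags apps.ocp.stg.fedoraproject.org`. Restore the item as `- apps.ocp.stg.fedoraproject.org`. Unless this is a capture artifact of the diff, it looks unrelated to the 2022-to-2023 rename the rest of the commit performs, and the enclosing role entry starts before this hunk.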
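Review bot: `SSLCertificateChainFile` for the nagios site is hard-coded to the production 2023 intermediate while the leaf comes from `cert_name: "{{wildcard_cert_name}}"`, and the group_vars comment in this same commit says that variable carries a different name for the staging group, so on a staging proxy the served chain can belong to a different issuer than the leaf and clients will fail chain building. Taking the chain from the matching group var keeps the two in step: `SSLCertificateChainFile: "{{ wildcard_int_file }}"`. Whether nagios is deployed on staging proxies is not visible here; if it is not, this is a consistency point only.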
@@ -56,13 +56,13 @@
 - selinux
 - name: Copy wildcard cert from puppet private
- copy: src="{{private}}/files/httpd/wildcard-2022.fedoraproject.org.cert" dest=/etc/pki/tls/certs/wildcard-2022.fedoraproject.org.cert owner=root group=root mode=0644
+ copy: src="{{private}}/files/httpd/wildcard-2023.fedoraproject.org.cert" dest=/etc/pki/tls/certs/wildcard-2023.fedoraproject.org.cert owner=root group=root mode=0644
 - name: Copy wildcard key from puppet private
- copy: src="{{private}}/files/httpd/wildcard-2022.fedoraproject.org.key" dest=/etc/pki/tls/private/wildcard-2022.fedoraproject.org.key owner=root group=root mode=0600
+ copy: src="{{private}}/files/httpd/wildcard-2023.fedoraproject.org.key" dest=/etc/pki/tls/private/wildcard-2023.fedoraproject.org.key owner=root group=root mode=0600
 - name: Copy intermediate wildcard cert from puppet private
- copy: src="{{private}}/files/httpd/wildcard-2022.fedoraproject.org.intermediate.cert" dest=/etc/pki/tls/certs/wildcard-2022.fedoraproject.org.intermediate.cert owner=root group=root mode=0644
+ copy: src="{{private}}/files/httpd/wildcard-2023.fedoraproject.org.intermediate.cert" dest=/etc/pki/tls/certs/wildcard-2023.fedoraproject.org.intermediate.cert owner=root group=root mode=0644
 - name: Configure httpd dl main conf
 template: src=httpd/dl.fedoraproject.org.conf dest=/etc/httpd/conf.d/dl.fedoraproject.org.conf
diff --git a/roles/fedmsg/gateway/slave/tasks/main.yml b/roles/fedmsg/gateway/slave/tasks/main.yml
index e2aeb94f0e..0c5eedb979 100644
--- a/roles/fedmsg/gateway/slave/tasks/main.yml
+++ b/roles/fedmsg/gateway/slave/tasks/main.yml
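Review bot: The three copy tasks install the 2023 cert, key and intermediate under new file names but nothing removes the 2022 files, so the retired private key stays behind in `/etc/pki/tls/private/` on every download host; add a cleanup such as `file: path=/etc/pki/tls/private/wildcard-2022.fedoraproject.org.key state=absent` (and the same for the two 2022 certs) so the old key does not outlive the rotation. None of the three copies carries a `notify:` in this hunk, so httpd may keep serving the old certificate until it is restarted by some other path; if a handler is attached elsewhere in the role, ignore that part. The file names are also spelled out six times here even though `wildcard_crt_file`, `wildcard_key_file` and `wildcard_int_file` are defined in group_vars in this same commit, and using them would make the next rotation a one-place change.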
@@ -98,8 +98,8 @@
 - name: put our combined cert in place
 copy: >
- src={{private}}/files/httpd/wildcard-2022.fedoraproject.org.combined.cert
- dest=/etc/pki/tls/certs/wildcard-2022.fedoraproject.org.combined.cert
+ src={{private}}/files/httpd/wildcard-2023.fedoraproject.org.combined.cert
+ dest=/etc/pki/tls/certs/wildcard-2023.fedoraproject.org.combined.cert
 owner=root group=root mode=0644
 notify: restart stunnel
 tags:
diff --git a/roles/fedmsg/gateway/slave/templates/stunnel-conf.j2 b/roles/fedmsg/gateway/slave/templates/stunnel-conf.j2
index 1fa9cd5474..fe7a41a729 100644
--- a/roles/fedmsg/gateway/slave/templates/stunnel-conf.j2
+++ b/roles/fedmsg/gateway/slave/templates/stunnel-conf.j2
@@ -1,5 +1,5 @@
-cert = /etc/pki/tls/certs/wildcard-2022.fedoraproject.org.combined.cert
-key = /etc/pki/tls/private/wildcard-2022.fedoraproject.org.key
+cert = /etc/pki/tls/certs/wildcard-2023.fedoraproject.org.combined.cert
+key = /etc/pki/tls/private/wildcard-2023.fedoraproject.org.key
 pid = /var/run/stunnel.pid
 [{{ stunnel_service }}]
diff --git a/roles/httpd/website/defaults/main.yml b/roles/httpd/website/defaults/main.yml
index 1d74294387..cc2de22523 100644
--- a/roles/httpd/website/defaults/main.yml
+++ b/roles/httpd/website/defaults/main.yml
@@ -8,7 +8,7 @@ server_admin: webmaster@fedoraproject.org
 certbot: false
 ssl: true
 sslonly: false
-SSLCertificateChainFile: wildcard-2022.fedoraproject.org.intermediate.cert
+SSLCertificateChainFile: wildcard-2023.fedoraproject.org.intermediate.cert
 gzip: false
 stssubdomains: true
 # set to true to enable the proxy to redirect the http01 challenge
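Review bot: The template now points stunnel at `/etc/pki/tls/private/wildcard-2023.fedoraproject.org.key`, but the task hunk above it only installs the combined cert and then notifies `restart stunnel`; if no task in this role copies the 2023 key (mode 0600) before that restart fires, stunnel will fail to start on a missing key and the gateway stays down until someone intervenes. Please confirm the key copy exists elsewhere in the role and runs before the cert copy. Both paths could also be taken from the group vars (`wildcard_key_file`, and a combined-cert name alongside it) instead of being repeated here.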
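Review bot: The default `SSLCertificateChainFile` is a second copy of the intermediate file name that has to be edited in lock-step with `wildcard_int_file` in group_vars, and the two drifting apart is exactly the failure a yearly rotation invites; pointing the default at the variable removes the coupling: `SSLCertificateChainFile: "{{ wildcard_int_file }}"`. Ansible templates role defaults lazily, so this should still resolve per host, including any group-specific value of `wildcard_int_file`. Sites that pass their own chain file keep overriding the default as before.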