wildcard-2023.fedoraproject.org: new wildcard ssl cert

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2023-01-11 08:48:15 -08:00 · 2023-01-11 08:48:15 -08:00 · 47cf07184e
commit 47cf07184e
parent 6987b8bc1e
7 changed files with 19 additions and 19 deletions
--- a/inventory/group_vars/all
+++ b/inventory/group_vars/all
@ -1,4 +1,4 @@
---
+h-
 #######
 # BEGIN: Ansible roles_path variables
 #
@ -260,10 +260,10 @@ virt_install_command_two_nic_unsafe: virt-install -n {{ inventory_hostname }} --
 vpn: False
 # This is the wildcard certname for our proxies.  It has a different name for
 # the staging group and is used in the proxies.yml playbook.
-wildcard_cert_name: wildcard-2022.fedoraproject.org
-wildcard_crt_file: wildcard-2022.fedoraproject.org.cert
-wildcard_int_file: wildcard-2022.fedoraproject.org.intermediate.cert
-wildcard_key_file: wildcard-2022.fedoraproject.org.key
+wildcard_cert_name: wildcard-2023.fedoraproject.org
+wildcard_crt_file: wildcard-2023.fedoraproject.org.cert
+wildcard_int_file: wildcard-2023.fedoraproject.org.intermediate.cert
+wildcard_key_file: wildcard-2023.fedoraproject.org.key
 #
 # say if we want the apache role dependency for mod_wsgi or not
 # In some cases we want mod_wsgi and no apache (for python3 httpaio stuff)
--- a/playbooks/include/proxies-certificates.yml
+++ b/playbooks/include/proxies-certificates.yml
@ -16,12 +16,12 @@
  - role: httpd/mod_ssl

  - role: httpd/certificate
-    certname: wildcard-2022.fedoraproject.org
-    SSLCertificateChainFile: wildcard-2022.fedoraproject.org.intermediate.cert
+    certname: wildcard-2023.fedoraproject.org
+    SSLCertificateChainFile: wildcard-2023.fedoraproject.org.intermediate.cert

  - role: httpd/certificate
-    certname: wildcard-2022.fedoraproject.org
-    SSLCertificateChainFile: wildcard-2022.fedoraproject.org.intermediate.cert
+    certname: wildcard-2023.fedoraproject.org
+    SSLCertificateChainFile: wildcard-2023.fedoraproject.org.intermediate.cert

  - role: httpd/certificate
    certname: wildcard-2022.id.fedoraproject.org
@ -42,7 +42,7 @@
    SSLCertificateChainFile: wildcard-2023.apps.ocp.stg.fedoraproject.org.intermediate.cert
    when: env == "staging"
    tags:
-    - apps.ocp.stg.fedoraproject.org
+ --- apps.ocp.stg.fedoraproject.org

  - role: httpd/certificate
    certname: wildcard-2022.apps.ocp.fedoraproject.org
--- a/playbooks/include/proxies-websites.yml
+++ b/playbooks/include/proxies-websites.yml
@ -899,7 +899,7 @@
  - role: httpd/website
    site_name: nagios.fedoraproject.org
    server_aliases: [nagios.stg.fedoraproject.org]
-    SSLCertificateChainFile: wildcard-2022.fedoraproject.org.intermediate.cert
+    SSLCertificateChainFile: wildcard-2023.fedoraproject.org.intermediate.cert
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"

--- a/roles/download/tasks/main.yml
+++ b/roles/download/tasks/main.yml
@ -56,13 +56,13 @@
  - selinux

 - name: Copy wildcard cert from puppet private
-  copy: src="{{private}}/files/httpd/wildcard-2022.fedoraproject.org.cert" dest=/etc/pki/tls/certs/wildcard-2022.fedoraproject.org.cert owner=root group=root mode=0644
+  copy: src="{{private}}/files/httpd/wildcard-2023.fedoraproject.org.cert" dest=/etc/pki/tls/certs/wildcard-2023.fedoraproject.org.cert owner=root group=root mode=0644

 - name: Copy wildcard key from puppet private
-  copy: src="{{private}}/files/httpd/wildcard-2022.fedoraproject.org.key" dest=/etc/pki/tls/private/wildcard-2022.fedoraproject.org.key owner=root group=root mode=0600
+  copy: src="{{private}}/files/httpd/wildcard-2023.fedoraproject.org.key" dest=/etc/pki/tls/private/wildcard-2023.fedoraproject.org.key owner=root group=root mode=0600

 - name: Copy intermediate wildcard cert from puppet private
-  copy: src="{{private}}/files/httpd/wildcard-2022.fedoraproject.org.intermediate.cert" dest=/etc/pki/tls/certs/wildcard-2022.fedoraproject.org.intermediate.cert owner=root group=root mode=0644
+  copy: src="{{private}}/files/httpd/wildcard-2023.fedoraproject.org.intermediate.cert" dest=/etc/pki/tls/certs/wildcard-2023.fedoraproject.org.intermediate.cert owner=root group=root mode=0644

 - name: Configure httpd dl main conf
  template: src=httpd/dl.fedoraproject.org.conf dest=/etc/httpd/conf.d/dl.fedoraproject.org.conf
--- a/roles/fedmsg/gateway/slave/tasks/main.yml
+++ b/roles/fedmsg/gateway/slave/tasks/main.yml
@ -98,8 +98,8 @@

 - name: put our combined cert in place
  copy: >
-    src={{private}}/files/httpd/wildcard-2022.fedoraproject.org.combined.cert
-    dest=/etc/pki/tls/certs/wildcard-2022.fedoraproject.org.combined.cert
+    src={{private}}/files/httpd/wildcard-2023.fedoraproject.org.combined.cert
+    dest=/etc/pki/tls/certs/wildcard-2023.fedoraproject.org.combined.cert
    owner=root group=root mode=0644
  notify: restart stunnel
  tags:
--- a/roles/fedmsg/gateway/slave/templates/stunnel-conf.j2
+++ b/roles/fedmsg/gateway/slave/templates/stunnel-conf.j2
@ -1,5 +1,5 @@
-cert = /etc/pki/tls/certs/wildcard-2022.fedoraproject.org.combined.cert
-key = /etc/pki/tls/private/wildcard-2022.fedoraproject.org.key
+cert = /etc/pki/tls/certs/wildcard-2023.fedoraproject.org.combined.cert
+key = /etc/pki/tls/private/wildcard-2023.fedoraproject.org.key
 pid = /var/run/stunnel.pid

 [{{ stunnel_service }}]
--- a/roles/httpd/website/defaults/main.yml
+++ b/roles/httpd/website/defaults/main.yml
@ -8,7 +8,7 @@ server_admin: webmaster@fedoraproject.org
 certbot: false
 ssl: true
 sslonly: false
-SSLCertificateChainFile: wildcard-2022.fedoraproject.org.intermediate.cert
+SSLCertificateChainFile: wildcard-2023.fedoraproject.org.intermediate.cert
 gzip: false
 stssubdomains: true
 # set to true to enable the proxy to redirect the http01 challenge