pagure: handle stunnel bundled cert in letsencrypt renews

This commit removes the old tasks to try and create a cert/intermediate bundle file for stunnel in favor of just doing it when we renew/get the cert. It also fixes stunnel to use the correct bundled cert. Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2023-01-20 11:55:13 -08:00 · 2023-01-20 11:55:13 -08:00 · d44bc3991c
commit d44bc3991c
parent ff51231e77
4 changed files with 18 additions and 25 deletions
--- a/playbooks/groups/pagure.yml
+++ b/playbooks/groups/pagure.yml
@ -47,6 +47,7 @@
  #
  - role: letsencrypt
    site_name: "stg.pagure.io"
+    certbot_bundlehost: pagure02.fedoraproject.org
    server_aliases:
    - stg.pagure.io
    - docs.stg.pagure.org
@ -58,6 +59,7 @@

  - role: letsencrypt
    site_name: "pagure.io"
+    certbot_bundlehost: pagure-stg01.fedoraproject.org
    server_aliases:
    - docs.pagure.org
    - lists.pagure.io
--- a/roles/letsencrypt/tasks/main.yml
+++ b/roles/letsencrypt/tasks/main.yml
@ -135,3 +135,17 @@
  - letsencrypt
  delegate_to: "{{ certbot_addhost }}"
  when: certbot_addhost is defined
+
+- name: Install certificate bundle
+  copy: >
+    dest=/etc/pki/tls/certs/{{site_name}}.bundle.cert
+    content="{{certbot_chain.stdout}} {{certbot_certificate.stdout}}"
+    owner=root
+    group=root
+    mode=0644
+  notify:
+  - reload stunnel
+  tags:
+  - letsencrypt
+  delegate_to: "{{ certbot_bundlehost }}"
+  when: certbot_bundlehost is defined
--- a/roles/pagure/tasks/main.yml
+++ b/roles/pagure/tasks/main.yml
@ -214,29 +214,6 @@
  - pagure
  - stunnel

- name: ensure old stunnel init file is gone
-  file: dest=/etc/init.d/stunnel/stunnel.init state=absent
-  tags:
-  - pagure
-  - stunnel
-  - config
-
- name: make a bundle file of the cert and intermediate for stunnel
-  shell: cat /etc/pki/tls/certs/pagure.io.cert /etc/pki/tls/certs/pagure.io.intermediate.cert > /etc/pki/tls/certs/pagure.io.bundle.cert creates=/etc/pki/tls/certs/pagure.io.bundle.cert
-  tags:
-  - pagure
-  - stunnel
-  - config
-  when: env != 'pagure-staging'
-
- name: make a bundle file of the cert and intermediate for stunnel (stg)
-  shell: cat /etc/pki/tls/certs/stg.pagure.io.cert /etc/pki/tls/certs/stg.pagure.io.intermediate.cert > /etc/pki/tls/certs/stg.pagure.io.bundle.cert creates=/etc/pki/tls/certs/stg.pagure.io.bundle.cert
-  tags:
-  - pagure
-  - stunnel
-  - config
-  when: env == 'pagure-staging'
-
 - name: install stunnel.conf
  template: src={{ item.file }}
            dest={{ item.dest }}
--- a/roles/pagure/templates/stunnel-conf.j2
+++ b/roles/pagure/templates/stunnel-conf.j2
@ -1,8 +1,8 @@
 {% if env == 'pagure-staging' %}
-cert = /etc/pki/tls/certs/stg.pagure.io.cert
+cert = /etc/pki/tls/certs/stg.pagure.io.bundle.cert
 key = /etc/pki/tls/private/stg.pagure.io.key
 {% else %}
-cert = /etc/pki/tls/certs/pagure.io.cert
+cert = /etc/pki/tls/certs/pagure.io.bundle.cert
 key = /etc/pki/tls/private/pagure.io.key
 {% endif %}
 pid = /var/run/stunnel.pid