As discussed in the infra meeting on 16 Aug, around the 14:30 mark
<https://meetbot.fedoraproject.org/teams/infrastructure/infrastructure.201...>,
regarding Issue #7158: Planet Fedora doesn't have a valid certificate
<https://pagure.io/fedora-infrastructure/issue/7158>.
I created two patches (attached) based on my reading/understanding of
the certbot role README. Text below. I think we are in Freeze right now
and I probably have _many_ things to fix.
Thanks to everyone that guided me (hopefully I'm on the right track :)
diff --git a/playbooks/include/proxies-websites.yml
b/playbooks/include/proxies-websites.yml
index 8013c539e..5cd82375c 100644
--- a/playbooks/include/proxies-websites.yml
+++ b/playbooks/include/proxies-websites.yml
@@ -932,3 +932,15 @@
tags:
-
pkgs.fedoraproject.org
when: env == "staging" and "phx2" in inventory_hostname
+# cert for
https://fedoraplanet.org which redirects to
http://fedoraplanet.org
+
+ - role: httpd/website
+ site_name:
fedoraplanet.org
+ server_aliases:
+ -
www.fedoraplanet.org
+ ssl: true
+ sslonly: true
+ certbot: true
+ certbot_addhost:
fedoraplanet.org
+ tags:
+ -
fedoraplanet.org
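Review bot: The comment above the new role entry says https://fedoraplanet.org redirects to http://fedoraplanet.org, which contradicts `sslonly: true` on the entry itself and would send visitors from the encrypted site back to plain HTTP. If the intent is to serve the planet over TLS, reword the comment to something like `# TLS certificate (certbot) for fedoraplanet.org` and make sure the backend does not bounce HTTPS requests back to HTTP. It is also worth confirming that `certbot_addhost` is meant to carry the primary name rather than the alias `www.fedoraplanet.org`; the role's README is not visible here, so this is a question rather than a finding.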
---------------------------------------
diff --git a/roles/planet/templates/planet.conf
b/roles/planet/templates/planet.conf
index 319923d2a..f4f1eb622 100644
--- a/roles/planet/templates/planet.conf
+++ b/roles/planet/templates/planet.conf
@@ -15,6 +15,10 @@
ErrorLog logs/planet-error.log
CustomLog logs/fedoraplanet.org-access.log common
+ RewriteEngine on
+ RewriteRule ^/\.well-known/(.*)
/srv/web/acme-challenge/.well-known/$1 [L]
+ RewriteRule "^/?(.*)" "https://%{HTTP_HOST}/$1" [L,R=301,NE]
+
UserDir disable
AddCharset UTF-8 .xml
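Review bot: The catch-all `RewriteRule "^/?(.*)" "https://%{HTTP_HOST}/$1"` sends every request to HTTPS, while the 443 virtual host added in the last hunk of this file ends with `RedirectMatch permanent /(.*) http://fedoraplanet.org/$1`, so a client would be bounced between the two until it gives up. This assumes the block is the port-80 vhost for fedoraplanet.org, whose opening lines are outside the hunk. One of the two redirects has to go; if HTTPS is the goal, drop the RedirectMatch from the 443 vhost. The redirect target is also built from the client-supplied Host header; a fixed name, `RewriteRule "^/?(.*)" "https://fedoraplanet.org/$1" [L,R=301,NE]`, avoids reflecting arbitrary hosts into the Location header. The first rule exposes everything under `/.well-known/`, where `^/\.well-known/acme-challenge/(.*)` would be enough for certbot.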
@@ -79,3 +83,32 @@
RedirectMatch permanent /(.*)
http://fedoraplanet.org/$1
</VirtualHost>
+<VirtualHost {{public_ip}}:443 _default_:443>
+ ##
+ # Domain:
fedoraplanet.org
+ # Owner: admin(a)fedoraplanet.org
+ #
+ ServerName
fedoraplanet.org
+
+ SSLEngine on
+ SSLCertificateFile /etc/letsencrypt/live/fedoraplanet.org/cert.pem
+ SSLCertificateKeyFile
/etc/letsencrypt/live/fedoraplanet.org/privkey.pem
+ SSLCertificateChainFile
/etc/letsencrypt/live/fedoraplanet.org/fullchain.pem
+ SSLHonorCipherOrder On
+ SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL
+ SSLProtocol ALL -SSLv2
+
+ ServerAdmin admin(a)fedoraplanet.org
+ ServerName
fedoraplanet.org
+
+ DocumentRoot "/srv/planet/site/"
+
+ ErrorLog logs/planet-error.log
+ CustomLog logs/planet.fedoraproject.org-access.log common
+
+ UserDir disable
+ AddCharset UTF-8 .xml
+
+ RedirectMatch permanent /(.*)
http://fedoraplanet.org/$1
+
+</VirtualHost>
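Review bot: The TLS settings in the new 443 vhost prefer RC4 and leave SSLv3 enabled: `SSLCipherSuite` starts with `RC4-SHA` under `SSLHonorCipherOrder On`, and `SSLProtocol ALL -SSLv2` only excludes SSLv2. Both are broken (RC4 keystream biases, POODLE against SSLv3), so at minimum use `SSLProtocol all -SSLv3` and remove `RC4-SHA` and the `ALL` catch-all from the cipher string, or better, reuse whatever protocol and cipher policy the other vhosts in this infrastructure already apply. `SSLCertificateChainFile` points at `fullchain.pem`, which already contains the leaf certificate; certbot's `chain.pem` is the file intended for that directive. `ServerName` appears twice and the access log is named `planet.fedoraproject.org-access.log` although the vhost is fedoraplanet.org, which looks like a copy-paste leftover.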