Sorry this has taken so long - I've been fooling around trying to test locally. I believe I've followed Kevin's guidance. Without further ado;

- adding planet vars to people role;

diff --git a/playbooks/groups/people.yml b/playbooks/groups/people.yml
index e7661b4b4..1d00f77ca 100644
--- a/playbooks/groups/people.yml
+++ b/playbooks/groups/people.yml
@@ -68,7 +68,6 @@
   - cgit/clean_lock_cron
   - cgit/make_pkgs_list
   - clamav
-  - planet
   - fedmsg/base
   - git/server
 
@@ -79,6 +78,18 @@
     SSLCertificateChainFile: wildcard-2017.fedorapeople.org.intermediate.cert
 
   - people

+  - role: planet
+    certbot: true
+    certbot_addhost: fedoraplanet.org
+    site_name: fedoraplanet.org
+    cert_name: wildcard-2018.fedoraplanet.org
+    server_aliases: planet.fedoraproject.org
+    server_admin: webmaster@fedoraproject.org
+    ssl: true
+    sslonly: false
+    SSLCertificateChainFile: wildcard-2018.fedoraplanet.org.intermediate.cert
+    gzip: false
 
   tasks:
   - import_tasks: "{{ tasks_path }}/yumrepos.yml"

-------------------------------

And planet redirect https -> http patch;

diff --git a/roles/planet/templates/planet.conf b/roles/planet/templates/planet.conf
index 319923d2a..7e12b8f35 100644
--- a/roles/planet/templates/planet.conf
+++ b/roles/planet/templates/planet.conf
@@ -14,6 +14,11 @@
 
     ErrorLog logs/planet-error.log
     CustomLog logs/fedoraplanet.org-access.log common
+
+    # let certbot get an answer from certgetter01
+    RewriteEngine on
+    RewriteRule ^/\.well-known/(.*)/srv/web/acme-challenge/.well-known/$1 [L]
+    RewriteRule "^/?(.*)" "https://certgetter01/$1" [L,R=301,NE]
 
     UserDir disable
     AddCharset UTF-8 .xml
@@ -79,3 +84,32 @@
     RedirectMatch permanent /(.*) http://fedoraplanet.org/$1
 
 </VirtualHost>
+<VirtualHost {{public_ip}}:443 _default_:443>
+    ##
+    # Domain: fedoraplanet.org
+    # Owner: admin@fedoraplanet.org
+    #
+    ServerName fedoraplanet.org
+
+    SSLEngine on
+    SSLCertificateFile /etc/letsencrypt/live/fedoraplanet.org/cert.pem
+    SSLCertificateKeyFile /etc/letsencrypt/live/fedoraplanet.org/privkey.pem
+    SSLCertificateChainFile /etc/letsencrypt/live/fedoraplanet.org/fullchain.pem
+    SSLHonorCipherOrder On
+    SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL
+    SSLProtocol ALL -SSLv2
+
+    ServerAdmin admin@fedoraplanet.org
+    ServerName fedoraplanet.org
+
+    DocumentRoot "/srv/planet/site/"
+
+    ErrorLog logs/planet-error.log
+    CustomLog logs/planet.fedoraproject.org-access.log common
+
+    UserDir disable
+    AddCharset UTF-8 .xml
+
+    RedirectMatch permanent /(.*) http://fedoraplanet.org/$1
+
+</VirtualHost>


________________

Regards!

On 9/3/18 7:48 PM, Kevin Fenzi wrote:
On 08/29/2018 11:51 AM, Zach Villers wrote:

As discussed in infra meeting 16 aug around the 14:30 mark
<https://meetbot.fedoraproject.org/teams/infrastructure/infrastructure.2018-08-16-14.00.log.html>
regarding Issue #7158: Planet Fedora doesn't have a valid certificate
<https://pagure.io/fedora-infrastructure/issue/7158>.

I created two patches (attached) based on my reading/understanding of
the certbot role README. Text below. I think we are in Freeze right now
and I probably have _many_ things to fix.

Thanks to everyone that guided me (hopefully I'm on the right track :)

Sorry for taking so long to look this over. ;(

And thanks a bunch for working on it...




diff --git a/playbooks/include/proxies-websites.yml
b/playbooks/include/proxies-websites.yml
index 8013c539e..5cd82375c 100644
--- a/playbooks/include/proxies-websites.yml
+++ b/playbooks/include/proxies-websites.yml
@@ -932,3 +932,15 @@
     tags:
     - pkgs.fedoraproject.org
     when: env == "staging" and "phx2" in inventory_hostname
+# cert for https://fedoraplanet.org which redirects to
http://fedoraplanet.org
+
+  - role: httpd/website
+    site_name: fedoraplanet.org
+    server_aliases:
+    - www.fedoraplanet.org
+    ssl: true
+    sslonly: true
+    certbot: true
+    certbot_addhost: fedoraplanet.org
+    tags:
+    - fedoraplanet.org

So, this will work if we add this to our proxies, so we would need to
change DNS to point there (currently fedoraplanet.org is pointing only
to the people02 server, not the proxies), but that won't work as the
content is still on fedoapeople.org. ;( So I think we should drop this
part unless we just proxy everything from our proxies to people02, which
could be slow.

The problem is that our certbot/letsencrypt role is setup mostly for the
proxies and not for people02, but we can still do it with a but more
poking. :) So, look at roles/httpd/website/tasks/main.yml, and you will
see:

- name: Letsencrypt certificate stuff
  include_role: name=letsencrypt
  when: certbot == True

we can call this in our 'people' role at the end...
but we will also need to pass it all those variables that the
httpd/website role already uses, ie, site_name, certbot,
certbot_addhost, etc.


diff --git a/roles/planet/templates/planet.conf
b/roles/planet/templates/planet.conf
index 319923d2a..f4f1eb622 100644
--- a/roles/planet/templates/planet.conf
+++ b/roles/planet/templates/planet.conf
@@ -15,6 +15,10 @@
     ErrorLog logs/planet-error.log
     CustomLog logs/fedoraplanet.org-access.log common

+    RewriteEngine on
+    RewriteRule ^/\.well-known/(.*)
/srv/web/acme-challenge/.well-known/$1 [L]
+    RewriteRule "^/?(.*)" "https://%{HTTP_HOST}/$1" [L,R=301,NE]

Here, we need the rewrite to whatever machine is running the letsencrypt
role, so certgetter01, ie:

RewriteRule "^/?(.*)" "https://certgetter01/$1" [L,R=301,NE]


     UserDir disable
     AddCharset UTF-8 .xml

@@ -79,3 +83,32 @@
     RedirectMatch permanent /(.*) http://fedoraplanet.org/$1

 </VirtualHost>
+<VirtualHost {{public_ip}}:443 _default_:443>
+    ##
+    # Domain: fedoraplanet.org
+    # Owner: admin@fedoraplanet.org
+    #
+    ServerName fedoraplanet.org
+
+    SSLEngine on
+    SSLCertificateFile /etc/letsencrypt/live/fedoraplanet.org/cert.pem
+    SSLCertificateKeyFile
/etc/letsencrypt/live/fedoraplanet.org/privkey.pem
+    SSLCertificateChainFile
/etc/letsencrypt/live/fedoraplanet.org/fullchain.pem
+    SSLHonorCipherOrder On
+    SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL
+    SSLProtocol ALL -SSLv2
+
+    ServerAdmin admin@fedoraplanet.org
+    ServerName fedoraplanet.org
+
+    DocumentRoot "/srv/planet/site/"
+
+    ErrorLog logs/planet-error.log
+    CustomLog logs/planet.fedoraproject.org-access.log common
+
+    UserDir disable
+    AddCharset UTF-8 .xml
+
+    RedirectMatch permanent /(.*) http://fedoraplanet.org/$1
+
+</VirtualHost>

That looks good. ;)

So, if you could adjust it for the above we can look again. I think you
are close... and this is a complex one. ;)

Thanks again for working on it.

kevin





_______________________________________________
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org