Happy Monday all. Here's an updated set of patches for issue 7158, with some of Kevin's comments on my previous attempt for context:
On 9/18/18 5:44 PM, Kevin Fenzi wrote:
Confusingly, we have a 'certbot' role, but that's old and we should nuke it. The new one is the 'letsencrypt' role. It handles requesting a cert from letsencrypt for the site it's called with and putting certs on any other machines.
So, keep the planet role as it is.
Instead add to the playbooks/groups/people.yml the letsencrypt role with the site_name as fedoraplanet.org. Take a look at the taskotron.yml playbook, I added this setup for taskotron-dev earlier today.
New people.yml patch adding certgetter role - tried to follow the taskotron-dev example:
diff --git a/playbooks/groups/people.yml b/playbooks/groups/people.yml
index e7661b4b4..77b34cb23 100644
--- a/playbooks/groups/people.yml
+++ b/playbooks/groups/people.yml
@@ -69,6 +69,7 @@
- cgit/make_pkgs_list
- clamav
- planet
+ - { role: letsencrypt, site_name: 'fedoraplanet.org' }
- fedmsg/base
- git/server
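Review bot: the ordering of `- planet` before the new `- { role: letsencrypt, site_name: 'fedoraplanet.org' }` entry deserves a check before merge: the planet role renders the planet.conf template in the second patch, whose :443 vhost points SSLCertificateFile at /etc/letsencrypt/live/fedoraplanet.org/cert.pem, a file that only exists once the letsencrypt role has obtained the certificate, so a first run on a fresh host may reload httpd against a missing certificate and fail its config check. Either guard the :443 vhost on the certificate files being present or confirm the letsencrypt role can safely run first. Also, the message above describes this as adding the "certgetter role" while the hunk adds `letsencrypt`; align the description with the role name.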
> ^/\.well-known/(.*)/srv/web/acme-challenge/.well-known/$1 [L]
> + RewriteRule "^/?(.*)" "https://certgetter01/$1"
[L,R=301,NE]
Change 'certgetter01' here to 'fedoraproject.org'. That will hit our
proxies and get proxied into certgetter.
>
kevin
New planet.conf patch with above change:
diff --git a/roles/planet/templates/planet.conf
b/roles/planet/templates/planet.conf
index 319923d2a..0875e7aa4 100644
--- a/roles/planet/templates/planet.conf
+++ b/roles/planet/templates/planet.conf
@@ -14,6 +14,11 @@
ErrorLog logs/planet-error.log
CustomLog logs/fedoraplanet.org-access.log common
+
+ # let certbot get an answer from certgetter01
+ RewriteEngine on
+ RewriteRule
^/\.well-known/(.*)/srv/web/acme-challenge/.well-known/$1 [L]
+ RewriteRule "^/?(.*)" "https://fedoraproject.org/$1" [L,R=301,NE]
UserDir disable
AddCharset UTF-8 .xml
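Review bot: the second rewrite in this hunk, `RewriteRule "^/?(.*)" "https://fedoraproject.org/$1" [L,R=301,NE]`, matches every request, so once this lands all plain-HTTP traffic for fedoraplanet.org, not only the ACME challenge, is 301'd to the corresponding path on fedoraproject.org. The preceding `.well-known` rule also carries [L] and maps those requests into the local /srv/web/acme-challenge directory, so challenge requests never reach the second rule at all, which sits oddly with the comment "let certbot get an answer from certgetter01". If the intent is only to hand the challenge off through the proxies, anchor the redirect to `^/?\.well-known/acme-challenge/(.*)` and reconsider the local-directory rule in front of it; if the intent is to force planet onto HTTPS, the target should be https://fedoraplanet.org/$1, the site's own name, rather than fedoraproject.org.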
@@ -79,3 +84,32 @@
RedirectMatch permanent /(.*)
http://fedoraplanet.org/$1
</VirtualHost>
+<VirtualHost {{public_ip}}:443 _default_:443>
+ ##
+ # Domain:
fedoraplanet.org
+ # Owner: admin(a)fedoraplanet.org
+ #
+ ServerName
fedoraplanet.org
+
+ SSLEngine on
+ SSLCertificateFile /etc/letsencrypt/live/fedoraplanet.org/cert.pem
+ SSLCertificateKeyFile
/etc/letsencrypt/live/fedoraplanet.org/privkey.pem
+ SSLCertificateChainFile
/etc/letsencrypt/live/fedoraplanet.org/fullchain.pem
+ SSLHonorCipherOrder On
+ SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL
+ SSLProtocol ALL -SSLv2
+
+ ServerAdmin admin(a)fedoraplanet.org
+ ServerName
fedoraplanet.org
+
+ DocumentRoot "/srv/planet/site/"
+
+ ErrorLog logs/planet-error.log
+ CustomLog logs/planet.fedoraproject.org-access.log common
+
+ UserDir disable
+ AddCharset UTF-8 .xml
+
+ RedirectMatch permanent /(.*)
http://fedoraplanet.org/$1
+
+</VirtualHost>
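Review bot: the `RedirectMatch permanent /(.*) http://fedoraplanet.org/$1` copied into the new :443 vhost sends every HTTPS request straight back to plain HTTP, so the TLS vhost never serves a page; it is identical to the line closing the :80 block at the top of this hunk and should be dropped here. Three further points on the TLS settings: SSLCertificateChainFile points at fullchain.pem, which already contains the leaf certificate, so the handshake would carry cert.pem twice; use chain.pem there, or (httpd 2.4.8 and later) drop the directive and point SSLCertificateFile at fullchain.pem. `SSLCipherSuite RC4-SHA:AES128-SHA:ALL:...` together with `SSLHonorCipherOrder On` makes RC4 the server's first preference, and `SSLProtocol ALL -SSLv2` still permits SSLv3; prefer `SSLProtocol all -SSLv2 -SSLv3` and a suite that excludes RC4. Minor: ServerName fedoraplanet.org is declared twice in the block, and the access log name `planet.fedoraproject.org-access.log` differs from the `fedoraplanet.org-access.log` used by the :80 vhost above.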
Thanks!
Zach