jenkins-bot has submitted this change and it was merged. (
https://gerrit.wikimedia.org/r/398703 )
Change subject: Puppetize certbot
......................................................................
Puppetize certbot
Bug: T181053
Change-Id: I02965dc636f28609c670c3e5bb6efd0c70626a15
---
M puppet/Puppetfile
M puppet/Puppetfile.lock
D puppet/modules/nginx/files/rapidssl.pem
D puppet/modules/nginx/files/ssl.conf
M puppet/modules/nginx/files/translatewiki.net
M puppet/modules/nginx/manifests/ssl.pp
6 files changed, 36 insertions(+), 79 deletions(-)
Approvals:
jenkins-bot: Verified
Nikerabbit: Looks good to me, approved
diff --git a/puppet/Puppetfile b/puppet/Puppetfile
index 017ca1b..413f02d 100644
--- a/puppet/Puppetfile
+++ b/puppet/Puppetfile
@@ -4,3 +4,4 @@
mod 'elastic-elasticsearch', '6.0.0'
mod 'thias-sysctl', '1.0.6'
mod 'puppetlabs-java', '2.3.0'
+mod 'puppet-letsencrypt', '2.1.0'
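Review bot: The new `mod 'puppet-letsencrypt', '2.1.0'` line pins the module by Forge version only, and the lockfile shows it pulling in puppetlabs-vcsrepo and stahnma-epel, which suggests the module can install certbot by cloning it from upstream git rather than from the distro package. Before relying on this for the production certificate, confirm in the `::letsencrypt` class declaration (in ssl.pp) that the install method resolves to the OS package, so the ACME client is not fetched from an unpinned git ref at each provisioning run. If the vcs path is what gets used, pin it explicitly with a `install_method`/`configure_epel`-style parameter and note the chosen revision in a comment, e.g. `# certbot from distro package; do not switch to vcs install without pinning a tag`. This is an inference from the dependency set, not from the module source, so verify against the 2.1.0 module defaults for this host's distro.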
diff --git a/puppet/Puppetfile.lock b/puppet/Puppetfile.lock
index f9c7986..b10f3f5 100644
--- a/puppet/Puppetfile.lock
+++ b/puppet/Puppetfile.lock
@@ -8,10 +8,16 @@
richardc-datacat (< 1.0.0, >= 0.6.2)
puppet-archive (2.2.0)
puppetlabs-stdlib (< 5.0.0, >= 4.13.1)
+ puppet-letsencrypt (2.1.0)
+ puppetlabs-inifile (< 2.0.0, >= 1.4.1)
+ puppetlabs-stdlib (< 5.0.0, >= 4.13.1)
+ puppetlabs-vcsrepo (< 2.0.0, >= 1.3.1)
+ stahnma-epel (< 2.0.0, >= 1.0.0)
puppet-staging (2.2.0)
puppet-tea (0.2.0)
puppetlabs-apt (4.4.1)
puppetlabs-stdlib (< 5.0.0, >= 4.16.0)
+ puppetlabs-inifile (1.6.0)
puppetlabs-java (2.3.0)
puppet-archive (< 3.0.0, >= 1.1.0)
puppetlabs-stdlib (< 5.0.0, >= 4.13.1)
@@ -21,11 +27,15 @@
puppetlabs-translate (< 2.0.0, >= 1.0.0)
puppetlabs-stdlib (4.24.0)
puppetlabs-translate (1.1.0)
+ puppetlabs-vcsrepo (1.5.0)
richardc-datacat (0.6.2)
+ stahnma-epel (1.3.0)
+ puppetlabs-stdlib (>= 3.0.0)
thias-sysctl (1.0.6)
DEPENDENCIES
elastic-elasticsearch (= 6.0.0)
+ puppet-letsencrypt (= 2.1.0)
puppetlabs-java (= 2.3.0)
puppetlabs-mysql (= 5.1.0)
thias-sysctl (= 1.0.6)
diff --git a/puppet/modules/nginx/files/rapidssl.pem
b/puppet/modules/nginx/files/rapidssl.pem
deleted file mode 100644
index 8149c78..0000000
--- a/puppet/modules/nginx/files/rapidssl.pem
+++ /dev/null
@@ -1,45 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDVDCCAjygAwIBAgIDAjRWMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
-MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
-YWwgQ0EwHhcNMDIwNTIxMDQwMDAwWhcNMjIwNTIxMDQwMDAwWjBCMQswCQYDVQQG
-EwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UEAxMSR2VvVHJ1c3Qg
-R2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2swYYzD9
-9BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9mOSm9BXiLnTjoBbdq
-fnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIuT8rxh0PBFpVXLVDv
-iS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6cJmTM386DGXHKTubU
-1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmRCw7+OC7RHQWa9k0+
-bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5aszPeE4uwc2hGKceeoW
-MPRfwCvocWvk+QIDAQABo1MwUTAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTA
-ephojYn7qwVkDBF9qn1luMrMTjAfBgNVHSMEGDAWgBTAephojYn7qwVkDBF9qn1l
-uMrMTjANBgkqhkiG9w0BAQUFAAOCAQEANeMpauUvXVSOKVCUn5kaFOSPeCpilKIn
-Z57QzxpeR+nBsqTP3UEaBU6bS+5Kb1VSsyShNwrrZHYqLizz/Tt1kL/6cdjHPTfS
-tQWVYrmm3ok9Nns4d0iXrKYgjy6myQzCsplFAMfOEVEiIuCl6rYVSAlk6l5PdPcF
-PseKUgzbFbS9bZvlxrFUaKnjaZC2mqUPuLk/IH2uSrW4nOQdtqvmlKXBx4Ot2/Un
-hw4EbNX/3aBd7YdStysVAq45pmp06drE57xNNB6pXE0zX5IJL4hmXXeXxx12E6nV
-5fEWCRE11azbJHFwLJhWC9kXtNHjUStedejV0NxPNO3CBWaAocvmMw==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIEJTCCAw2gAwIBAgIDAjp3MA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT
-MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
-YWwgQ0EwHhcNMTQwODI5MjEzOTMyWhcNMjIwNTIwMjEzOTMyWjBHMQswCQYDVQQG
-EwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEgMB4GA1UEAxMXUmFwaWRTU0wg
-U0hBMjU2IENBIC0gRzMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCv
-VJvZWF0eLFbG1eh/9H0WA//Qi1rkjqfdVC7UBMBdmJyNkA+8EGVf2prWRHzAn7Xp
-SowLBkMEu/SW4ib2YQGRZjEiwzQ0Xz8/kS9EX9zHFLYDn4ZLDqP/oIACg8PTH2lS
-1p1kD8mD5xvEcKyU58Okaiy9uJ5p2L4KjxZjWmhxgHsw3hUEv8zTvz5IBVV6s9cQ
-DAP8m/0Ip4yM26eO8R5j3LMBL3+vV8M8SKeDaCGnL+enP/C1DPz1hNFTvA5yT2AM
-QriYrRmIV9cE7Ie/fodOoyH5U/02mEiN1vi7SPIpyGTRzFRIU4uvt2UevykzKdkp
-YEj4/5G8V1jlNS67abZZAgMBAAGjggEdMIIBGTAfBgNVHSMEGDAWgBTAephojYn7
-qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUw5zz/NNGCDS7zkZ/oHxb8+IIy1kwEgYD
-VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwNQYDVR0fBC4wLDAqoCig
-JoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9iYWwuY3JsMC4GCCsGAQUF
-BwEBBCIwIDAeBggrBgEFBQcwAYYSaHR0cDovL2cuc3ltY2QuY29tMEwGA1UdIARF
-MEMwQQYKYIZIAYb4RQEHNjAzMDEGCCsGAQUFBwIBFiVodHRwOi8vd3d3Lmdlb3Ry
-dXN0LmNvbS9yZXNvdXJjZXMvY3BzMA0GCSqGSIb3DQEBCwUAA4IBAQCjWB7GQzKs
-rC+TeLfqrlRARy1+eI1Q9vhmrNZPc9ZE768LzFvB9E+aj0l+YK/CJ8cW8fuTgZCp
-fO9vfm5FlBaEvexJ8cQO9K8EWYOHDyw7l8NaEpt7BDV7o5UzCHuTcSJCs6nZb0+B
-kvwHtnm8hEqddwnxxYny8LScVKoSew26T++TGezvfU5ho452nFnPjJSxhJf3GrkH
-uLLGTxN5279PURt/aQ1RKsHWFf83UTRlUfQevjhq7A6rvz17OQV79PP7GqHQyH5O
-ZI3NjGFVkP46yl0lD/gdo0p0Vk8aVUBwdSWmMy66S6VdU5oNMOGNX2Esr8zvsJmh
-gP8L8mJMcCaY
------END CERTIFICATE-----
diff --git a/puppet/modules/nginx/files/ssl.conf
b/puppet/modules/nginx/files/ssl.conf
deleted file mode 100644
index fcfad38..0000000
--- a/puppet/modules/nginx/files/ssl.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# file managed by puppet
-
-# https://mozilla.github.io/server-side-tls/ssl-config-generator/
-# nginx 1.10.1 | intermediate profile | OpenSSL 1.0.1e
-ssl_certificate /etc/ssl/private/translatewiki.net.pem;
-ssl_certificate_key /etc/ssl/private/translatewiki.net.key;
-ssl_session_timeout 1d;
-ssl_session_cache shared:SSL:50m;
-ssl_session_tickets off;
-
-ssl_dhparam /etc/ssl/certs/dhparam.pem;
-
-ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-ssl_ciphers
'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
-ssl_prefer_server_ciphers on;
-
-add_header Strict-Transport-Security max-age=31536000;
-
-ssl_stapling on;
-ssl_stapling_verify on;
-ssl_trusted_certificate /etc/ssl/private/rapidssl.pem;
-resolver 8.8.8.8;
-
-ssl_buffer_size 4k;
-
diff --git a/puppet/modules/nginx/files/translatewiki.net
b/puppet/modules/nginx/files/translatewiki.net
index 3c63e15..9dd0804 100644
--- a/puppet/modules/nginx/files/translatewiki.net
+++ b/puppet/modules/nginx/files/translatewiki.net
@@ -11,7 +11,7 @@
listen 443 ssl default_server deferred http2;
listen [2a03:4000:6:b01e::1]:443 default_server deferred ssl http2;
- include includes/ssl.conf;
+ include includes/ssl-certbot.conf;
server_name translatewiki.net;
root /www/$host/docroot;
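Review bot: The replaced `include includes/ssl.conf;` carried the TLS hardening for this vhost (`ssl_protocols`, the cipher list, `ssl_session_tickets off`, `ssl_stapling`/`ssl_stapling_verify`, and `add_header Strict-Transport-Security`), and its replacement `includes/ssl-certbot.conf` is not part of this change, so none of those settings can be checked here. Please confirm that ssl-certbot.conf reproduces them, and in particular that `ssl_trusted_certificate` now points at the Let's Encrypt chain for the new cert rather than the deleted `/etc/ssl/private/rapidssl.pem`, otherwise `ssl_stapling_verify on` will fail silently and stapling is dropped. If HSTS is intentionally left out of the certbot include, that should be stated in a comment on this line, e.g. `# ssl-certbot.conf: cert paths + hardening; HSTS kept here on purpose`. The `server` block this line belongs to starts and ends outside the hunk.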
diff --git a/puppet/modules/nginx/manifests/ssl.pp
b/puppet/modules/nginx/manifests/ssl.pp
index 332321e..2a9a86c 100644
--- a/puppet/modules/nginx/manifests/ssl.pp
+++ b/puppet/modules/nginx/manifests/ssl.pp
@@ -5,10 +5,6 @@
class nginx::ssl {
include nginx
- file { '/etc/ssl/private/rapidssl.pem':
- source => 'puppet:///modules/nginx/rapidssl.pem',
- }
-
exec { 'dhparam':
command => '/usr/bin/openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048',
creates => '/etc/ssl/certs/dhparam.pem'
@@ -18,11 +14,31 @@
ensure => 'directory',
}
- file { '/etc/nginx/includes/ssl.conf':
- source => 'puppet:///modules/nginx/ssl.conf',
- }
-
file { '/etc/nginx/includes/ssl-certbot.conf':
source => 'puppet:///modules/nginx/ssl-certbot.conf',
}
+
+ class { '::letsencrypt':
+ email => '[email protected]',
+ }
+
+ letsencrypt::certonly { 'translatewiki.net':
+ plugin => 'webroot',
+ manage_cron => true,
+ cron_success_command => 'systemctl reload nginx.service',
+ domains => [
+ 'translatewiki.net',
+ 'translatewiki.org',
+ 'lists.translatewiki.net',
+ 'stats.translatewiki.net',
+ 'dev.translatewiki.net',
+ ],
+ webroot_paths => [
+ '/www/translatewiki.net/docroot',
+ '/www/translatewiki.net/docroot',
+ '/usr/lib/cgi-bin/mailman',
+ '/www/stats.translatewiki.net',
+ '/www/translatewiki.net/docroot',
+ ],
+ }
}
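Review bot: Removing the `file { '/etc/nginx/includes/ssl.conf': ... }` resource (and `/etc/ssl/private/rapidssl.pem` in the preceding hunk) stops Puppet from managing those files but does not delete them from hosts already provisioned, so the stale include with the old certificate paths stays on disk next to the new one; keep a tombstone for each, e.g. `file { '/etc/nginx/includes/ssl.conf': ensure => absent }` and `file { '/etc/ssl/private/rapidssl.pem': ensure => absent }`, until the fleet has converged. In the `letsencrypt::certonly` resource, `webroot_paths` pairs positionally with `domains`, and the entry for `lists.translatewiki.net` is `/usr/lib/cgi-bin/mailman`, which is a CGI directory; the HTTP-01 challenge only works if nginx serves `/.well-known/acme-challenge/` from that path as static files for that vhost, so confirm the lists server block has such a `location` before relying on the cron renewal. A short comment above the array, such as `# index i of webroot_paths is the webroot for domains[i]`, would make the pairing and the repeated `/www/translatewiki.net/docroot` entries clearer to the next reader. `cron_success_command => 'systemctl reload nginx.service'` runs as root from the module's cron; that is appropriate here but worth noting in a comment so it is not copied into a less privileged context.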
--
Gerrit-MessageType: merged
Gerrit-Change-Id: I02965dc636f28609c670c3e5bb6efd0c70626a15
Gerrit-PatchSet: 3
Gerrit-Project: translatewiki
Gerrit-Branch: master
Gerrit-Owner: Nikerabbit <[email protected]>
Gerrit-Reviewer: Nikerabbit <[email protected]>
Gerrit-Reviewer: jenkins-bot <>