[MediaWiki-commits] [Gerrit] operations/puppet[production]: tendril: use Letsencrypt for SSL cert

2017-01-09 Thread Dzahn (Code Review)
Dzahn has submitted this change and it was merged. ( 
https://gerrit.wikimedia.org/r/330829 )

Change subject: tendril: use Letsencrypt for SSL cert
..


tendril: use Letsencrypt for SSL cert

I have done this for Icinga in Change-Id: I39abcfcc264619
and follow-ups, and tendril is on the same host
(for now; it will move eventually to "dbmonitor1001/2001").
So we can also do this here now.

- replace sslcert::certificate with letsencrypt::cert::integrated

- adjust path to cert, chain file, key in Apache config

- include the Apache config snippet that allows Letsencrypt
  to retrieve the challenge response file which proves we
  control this domain

- move ssl settings and cert part to module, and use $sitename
  instead of hardcoded name for cert subject

Bug: T133717
Change-Id: I4188411f611b6a24a5888507fcb70eb0f0a34c21
---
M modules/role/manifests/tendril.pp
M modules/tendril/manifests/init.pp
M modules/tendril/templates/apache/tendril.wikimedia.org.erb
3 files changed, 18 insertions(+), 8 deletions(-)

Approvals:
  jenkins-bot: Verified
  Dzahn: Looks good to me, approved



diff --git a/modules/role/manifests/tendril.pp 
b/modules/role/manifests/tendril.pp
index de587c0..ffebb3e 100644
--- a/modules/role/manifests/tendril.pp
+++ b/modules/role/manifests/tendril.pp
@@ -7,9 +7,6 @@
 
 system::role { 'role::tendril': description => 'tendril server' }
 
-sslcert::certificate { 'tendril.wikimedia.org': }
-$ssl_settings = ssl_ciphersuite('apache', 'mid', true)
-
 monitoring::service { 'https-tendril':
 description   => 'HTTPS-tendril',
 check_command => 'check_ssl_http!tendril.wikimedia.org',
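Review bot: with sslcert::certificate and $ssl_settings gone from the role, the https-tendril check below becomes the only thing that will notice a failed ACME renewal, since the certificate is now obtained and renewed by the letsencrypt define rather than installed by hand; confirm that the check_ssl_http command warns on approaching expiry well ahead of the certificate's lifetime rather than only checking that the TLS handshake succeeds.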
diff --git a/modules/tendril/manifests/init.pp 
b/modules/tendril/manifests/init.pp
index 4848210..36e1e11 100644
--- a/modules/tendril/manifests/init.pp
+++ b/modules/tendril/manifests/init.pp
@@ -16,6 +16,8 @@
 $tendril_user_web = $passwords::tendril::db_user_web
 $tendril_pass_web = $passwords::tendril::db_pass_web
 
+$ssl_settings = ssl_ciphersuite('apache', 'mid', true)
+
 include ::apache::mod::rewrite
 include ::apache::mod::headers
 include ::apache::mod::ssl
@@ -25,6 +27,14 @@
 apache::site { $site_name:
 content => template("tendril/apache/${site_name}.erb");
 }
+
+letsencrypt::cert::integrated { 'tendril':
+subjects   => $site_name,
+puppet_svc => 'apache2',
+system_svc => 'apache2',
+require=> Class['apache::mod::ssl']
+}
+
 require_package('php5-mysql')
 
 file { '/srv/tendril':
diff --git a/modules/tendril/templates/apache/tendril.wikimedia.org.erb 
b/modules/tendril/templates/apache/tendril.wikimedia.org.erb
index cfefaf4..baa4eb4 100644
--- a/modules/tendril/templates/apache/tendril.wikimedia.org.erb
+++ b/modules/tendril/templates/apache/tendril.wikimedia.org.erb
@@ -6,9 +6,9 @@
 # https://httpoxy.org/
 RequestHeader unset Proxy early
 SSLEngine On
-SSLCertificateFile /etc/ssl/localcerts/tendril.wikimedia.org.crt
-SSLCertificateChainFile /etc/ssl/localcerts/tendril.wikimedia.org.chain.crt
-SSLCertificateKeyFile /etc/ssl/private/tendril.wikimedia.org.key
+SSLCertificateFile /etc/acme/cert/tendril.crt
+SSLCertificateChainFile /etc/acme/cert/tendril.chain.crt
+SSLCertificateKeyFile /etc/acme/key/tendril.key
 <%= @ssl_settings.join("\n") %>
 DocumentRoot <%= @docroot %>
 php_admin_flag short_open_tag on
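Review bot: the private key moves from /etc/ssl/private/ to /etc/acme/key/tendril.key; verify that directory and file are root-owned and not group- or world-readable, since Apache reads the key as root at startup and nothing in this vhost needs it readable by the worker user. SSLCertificateChainFile is kept as before; note it is deprecated since Apache 2.4.8, where the intermediate can instead be appended to the file named in SSLCertificateFile, which removes the dependency on /etc/acme/cert/tendril.chain.crt being present.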
@@ -18,8 +18,8 @@
 Options +ExecCGI +FollowSymLinks
 DirectoryIndex index.php
 AllowOverride All
-   # This is only for pre 2.4 apache versions. In apache 2.4 IP based
-   # authorization is just another Require and is chained
+# This is only for pre 2.4 apache versions. In apache 2.4 IP based
+# authorization is just another Require and is chained
 
 Order Allow,Deny
 Allow From All
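Review bot: this hunk only changes the indentation of the two comment lines about pre-2.4 IP-based authorization and is unrelated to the certificate change; harmless, but it belongs in a separate whitespace cleanup or should at least be mentioned in the commit message.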
@@ -44,7 +44,10 @@
 ServerName <%= @site_name %>
 DocumentRoot <%= @docroot %>
 
+Include /etc/acme/challenge-apache.conf
+
 RewriteEngine on
 RewriteCond %{SERVER_PORT} !^443$
+RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
 RewriteRule ^/(.*)$ https://<%= @site_name %>/$1 [L,R=301]
 
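Review bot: the new RewriteCond on REQUEST_URI is correctly placed before the RewriteRule so it is ANDed with the port check, and the Include of /etc/acme/challenge-apache.conf sits in the port-80 vhost, which is where HTTP-01 validation arrives; both are needed, because the 301 to https:// would otherwise swallow the challenge request. Two things to confirm: that this :80 vhost is reachable from the public internet (validation requests come from Let's Encrypt's servers, not from this host), and that /etc/acme/challenge-apache.conf exists on every host the template is applied to, since a plain Include of a missing file fails the Apache config test; IncludeOptional would degrade gracefully on the dbmonitor hosts the commit message says tendril will move to.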

-- 
To view, visit https://gerrit.wikimedia.org/r/330829
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I4188411f611b6a24a5888507fcb70eb0f0a34c21
Gerrit-PatchSet: 8
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Dzahn 
Gerrit-Reviewer: Alexandros Kosiaris 
Gerrit-Reviewer: BBlack 
Gerrit-Reviewer: Dzahn 
Gerrit-Reviewer: Jcrespo 
Gerrit-Reviewer: RobH 
Gerrit-Reviewer: jenkins-bot <>

___
MediaWiki-commits mailing list
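
An added check that goes with the monitoring::service and the vhost changes in this patch, written for this page and not part of the Wikimedia puppet tree: it connects to the host with SNI and chain verification, confirms the served certificate's SAN covers the site name and is not near expiry (with short-lived ACME certificates a stuck renewal is the main failure mode), and separately probes the port-80 challenge path with redirects disabled to confirm the HTTP-to-HTTPS rewrite does not catch it. The default hostname, the 14-day threshold, the probe token and the sample certificate dictionary are assumptions; the evaluation logic lives in check_cert() and classify_http_probe() so it can be exercised offline against the constructed sample.

```python
#!/usr/bin/env python3
"""Post-deploy check for an ACME-issued Apache vhost (added example, not Wikimedia's code).

Two things the patch above relies on, verified from the outside:
  1. the certificate served on :443 covers the site name and is not near expiry;
  2. a request to /.well-known/acme-challenge/... on :80 is served, not redirected,
     so HTTP-01 validation can reach the challenge file.
Assumptions: the host is reachable on 80 and 443; the default name, the 14-day
warning threshold and the probe token below are illustrative choices.
"""
import http.client
import socket
import ssl
import sys
import time

WARN_DAYS = 14  # assumption: alert well inside a 90-day ACME certificate lifetime

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# not a real certificate, used only to exercise check_cert() offline.
SAMPLE_CERT = {
    "subject": ((("commonName", "tendril.wikimedia.org"),),),
    "subjectAltName": (("DNS", "tendril.wikimedia.org"),),
    "notAfter": "Apr 10 12:00:00 2017 GMT",
}
SAMPLE_NOT_AFTER = ssl.cert_time_to_seconds(SAMPLE_CERT["notAfter"])


def _name_matches(pattern, hostname):
    """Exact match, or a single leftmost wildcard label (*.example.org)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        return (hostname.endswith(pattern[1:])
                and hostname.count(".") == pattern.count("."))
    return False


def check_cert(cert, hostname, now=None, warn_days=WARN_DAYS):
    """Evaluate a getpeercert()-style dict. Returns (ok, days_left, problems)."""
    now = time.time() if now is None else now
    problems = []
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_name_matches(san, hostname) for san in sans):
        problems.append("no SAN matches %s (SANs: %s)" % (hostname, ", ".join(sans) or "none"))
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400.0
    if days_left <= 0:
        problems.append("certificate expired %.1f days ago" % -days_left)
    elif days_left < warn_days:
        problems.append("certificate expires in %.1f days (threshold %d)" % (days_left, warn_days))
    return (not problems, days_left, problems)


def classify_http_probe(status, location):
    """Interpret the :80 response for a path under /.well-known/acme-challenge/.

    200 (token served) or 404 (no live challenge) both mean the path reached the
    ACME handler; any 3xx means the HTTP->HTTPS rewrite swallowed it.
    """
    if 300 <= status < 400:
        return "challenge path redirected to %s; exempt it from the HTTPS rewrite" % location
    return None


def fetch_cert(hostname, port=443, timeout=10):
    """TLS connect with SNI and chain verification; return the leaf cert dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def probe_challenge_path(hostname, timeout=10):
    """Plain-HTTP GET of an assumed, nonexistent token; redirects are not followed."""
    conn = http.client.HTTPConnection(hostname, 80, timeout=timeout)
    try:
        conn.request("GET", "/.well-known/acme-challenge/probe-token", headers={"Host": hostname})
        resp = conn.getresponse()
        return classify_http_probe(resp.status, resp.getheader("Location"))
    finally:
        conn.close()


def main(argv):
    hostname = argv[1] if len(argv) > 1 else "tendril.wikimedia.org"  # assumption
    _ok, days_left, problems = check_cert(fetch_cert(hostname), hostname)
    redirect_problem = probe_challenge_path(hostname)
    if redirect_problem:
        problems.append(redirect_problem)
    print("%s: %s (%.1f days left)" % (hostname, "PROBLEM" if problems else "OK", days_left))
    for problem in problems:
        print("  - " + problem)
    return 2 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check_vhost.py tendril.wikimedia.org` after the puppet run; a non-zero exit is suitable for wiring into the same monitoring that runs check_ssl_http. The port-80 probe deliberately uses an unknown token: a 404 from the ACME handler is the expected answer, and only a redirect counts as a problem.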

[MediaWiki-commits] [Gerrit] operations/puppet[production]: tendril: use Letsencrypt for SSL cert

2017-01-05 Thread Dzahn (Code Review)
Dzahn has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/330829 )

Change subject: tendril: use Letsencrypt for SSL cert
..

tendril: use Letsencrypt for SSL cert

Since we are doing this for Icinga in Change-Id: I39abcfcc264619
and tendril is on the same host (for now; it will move
eventually to "dbmonitor1001/2001"), we should do both
at the same time, to avoid mixing both certificate
methods on the same host.

Bug: T133717
Change-Id: I4188411f611b6a24a5888507fcb70eb0f0a34c21
---
M modules/role/manifests/tendril.pp
M modules/tendril/manifests/init.pp
M modules/tendril/templates/apache/tendril.wikimedia.org.erb
3 files changed, 13 insertions(+), 5 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/29/330829/1

diff --git a/modules/role/manifests/tendril.pp 
b/modules/role/manifests/tendril.pp
index de587c0..839e135 100644
--- a/modules/role/manifests/tendril.pp
+++ b/modules/role/manifests/tendril.pp
@@ -7,9 +7,15 @@
 
 system::role { 'role::tendril': description => 'tendril server' }
 
-sslcert::certificate { 'tendril.wikimedia.org': }
 $ssl_settings = ssl_ciphersuite('apache', 'mid', true)
 
+letsencrypt::cert::integrated { 'tendril':
+subjects   => 'tendril.wikimedia.org',
+puppet_svc => 'apache2',
+system_svc => 'apache2',
+require=> Class['apache::mod::ssl']
+}
+
 monitoring::service { 'https-tendril':
 description   => 'HTTPS-tendril',
 check_command => 'check_ssl_http!tendril.wikimedia.org',
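Review bot: subjects => 'tendril.wikimedia.org' duplicates the $site_name the tendril module already uses for the vhost and its template, and the role now reaches across the module boundary with require => Class['apache::mod::ssl']; defining the cert resource inside the tendril class next to apache::site, with subjects => $site_name, keeps one source of truth for the name (the merged patchset 8 above does exactly that).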
diff --git a/modules/tendril/manifests/init.pp 
b/modules/tendril/manifests/init.pp
index 4848210..f14d79e 100644
--- a/modules/tendril/manifests/init.pp
+++ b/modules/tendril/manifests/init.pp
@@ -23,8 +23,10 @@
 include ::apache::mod::authnz_ldap
 
 apache::site { $site_name:
-content => template("tendril/apache/${site_name}.erb");
+content => template("tendril/apache/${site_name}.erb"),
+require => Letsencrypt::Cert::Integrated['tendril'],
 }
+
 require_package('php5-mysql')
 
 file { '/srv/tendril':
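Review bot: require => Letsencrypt::Cert::Integrated['tendril'] orders the vhost after the certificate, but the HTTP-01 challenge that produces the certificate has to be served by this very vhost on port 80, and the template in this patchset neither includes the ACME challenge config nor exempts /.well-known/acme-challenge/ from the HTTPS redirect; unless the define pre-seeds a placeholder certificate, a fresh host deadlocks, with Apache refusing the site until the cert files exist and the cert unobtainable until the site serves the challenge. Drop the require, rely on the define's puppet_svc/system_svc notification, and add the challenge Include plus the RewriteCond exemption to the :80 vhost, as patchset 8 does.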
diff --git a/modules/tendril/templates/apache/tendril.wikimedia.org.erb 
b/modules/tendril/templates/apache/tendril.wikimedia.org.erb
index 519f5c4..c93189a 100644
--- a/modules/tendril/templates/apache/tendril.wikimedia.org.erb
+++ b/modules/tendril/templates/apache/tendril.wikimedia.org.erb
@@ -6,9 +6,9 @@
 # https://httpoxy.org/
 RequestHeader unset Proxy early
 SSLEngine On
-SSLCertificateFile /etc/ssl/localcerts/tendril.wikimedia.org.crt
-SSLCertificateChainFile /etc/ssl/localcerts/tendril.wikimedia.org.chain.crt
-SSLCertificateKeyFile /etc/ssl/private/tendril.wikimedia.org.key
+SSLCertificateFile /etc/acme/cert/tendril.crt
+SSLCertificateChainFile /etc/acme/cert/tendril.chain.crt
+SSLCertificateKeyFile /etc/acme/key/tendril.key
 <%= @ssl_settings.join("\n") %>
 DocumentRoot <%= @docroot %>
 php_admin_flag short_open_tag on
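Review bot: the certificate paths change here, but nothing in this template yet lets Let's Encrypt reach the challenge file: the port-80 vhost (unchanged in this hunk, visible as context in patchset 8 above) answers every request with a 301 to https://, including /.well-known/acme-challenge/, so the Include /etc/acme/challenge-apache.conf and the RewriteCond exemption added in patchset 8 are required before HTTP-01 validation can succeed.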

-- 
To view, visit https://gerrit.wikimedia.org/r/330829
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I4188411f611b6a24a5888507fcb70eb0f0a34c21
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Dzahn 

___
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits