Dzahn has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/330829 )
Change subject: tendril: use Letsencrypt for SSL cert
..
tendril: use Letsencrypt for SSL cert
I have done this for Icinga in Change-Id: I39abcfcc264619
and follow-ups and tendril is on the same host.
(for now, it will move eventually to "dbmonitor1001/2001").
So we can also do this here now.
- replace sslcert::certificate with letsencrypt::cert::integrated
- adjust path to cert, chain file, key in Apache config
- include the Apache config snippet that allows Letsencrypt
to retrieve the challenge response file which proves we
control this domain
- move ssl settings and cert part to module, and use $sitename
instead of hardcoded name for cert subject
Bug: T133717
Change-Id: I4188411f611b6a24a5888507fcb70eb0f0a34c21
---
M modules/role/manifests/tendril.pp
M modules/tendril/manifests/init.pp
M modules/tendril/templates/apache/tendril.wikimedia.org.erb
3 files changed, 18 insertions(+), 8 deletions(-)
Approvals:
jenkins-bot: Verified
Dzahn: Looks good to me, approved
diff --git a/modules/role/manifests/tendril.pp
b/modules/role/manifests/tendril.pp
index de587c0..ffebb3e 100644
--- a/modules/role/manifests/tendril.pp
+++ b/modules/role/manifests/tendril.pp
@@ -7,9 +7,6 @@
system::role { 'role::tendril': description => 'tendril server' }
-sslcert::certificate { 'tendril.wikimedia.org': }
-$ssl_settings = ssl_ciphersuite('apache', 'mid', true)
-
monitoring::service { 'https-tendril':
description => 'HTTPS-tendril',
check_command => 'check_ssl_http!tendril.wikimedia.org',
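Review bot: dropping `sslcert::certificate { 'tendril.wikimedia.org': }` stops Puppet from managing the old certificate, but it does not remove the files that resource installed under /etc/ssl/localcerts and /etc/ssl/private (the paths the old template pointed at); consider a follow-up that ensures them absent so an orphaned key does not linger on the host after the cutover. Also confirm nothing else in the role still references `$ssl_settings` now that the variable moves into the tendril module.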
diff --git a/modules/tendril/manifests/init.pp
b/modules/tendril/manifests/init.pp
index 4848210..36e1e11 100644
--- a/modules/tendril/manifests/init.pp
+++ b/modules/tendril/manifests/init.pp
@@ -16,6 +16,8 @@
$tendril_user_web = $passwords::tendril::db_user_web
$tendril_pass_web = $passwords::tendril::db_pass_web
+$ssl_settings = ssl_ciphersuite('apache', 'mid', true)
+
include ::apache::mod::rewrite
include ::apache::mod::headers
include ::apache::mod::ssl
@@ -25,6 +27,14 @@
apache::site { $site_name:
content => template("tendril/apache/${site_name}.erb");
}
+
+letsencrypt::cert::integrated { 'tendril':
+subjects => $site_name,
+puppet_svc => 'apache2',
+system_svc => 'apache2',
+require=> Class['apache::mod::ssl']
+}
+
require_package('php5-mysql')
file { '/srv/tendril':
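Review bot: style: `require=> Class['apache::mod::ssl']` lacks the space before the arrow and the arrows are not aligned as they are for `subjects`, `puppet_svc` and `system_svc`; write `require    => Class['apache::mod::ssl'],` with a trailing comma, matching the `apache::site` resource above. Note that the title 'tendril' appears to be what the Apache template's /etc/acme/cert/tendril.crt and /etc/acme/key/tendril.key paths are derived from, so a rename here has to be mirrored in the template.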
diff --git a/modules/tendril/templates/apache/tendril.wikimedia.org.erb
b/modules/tendril/templates/apache/tendril.wikimedia.org.erb
index cfefaf4..baa4eb4 100644
--- a/modules/tendril/templates/apache/tendril.wikimedia.org.erb
+++ b/modules/tendril/templates/apache/tendril.wikimedia.org.erb
@@ -6,9 +6,9 @@
# https://httpoxy.org/
RequestHeader unset Proxy early
SSLEngine On
-SSLCertificateFile /etc/ssl/localcerts/tendril.wikimedia.org.crt
-SSLCertificateChainFile /etc/ssl/localcerts/tendril.wikimedia.org.chain.crt
-SSLCertificateKeyFile /etc/ssl/private/tendril.wikimedia.org.key
+SSLCertificateFile /etc/acme/cert/tendril.crt
+SSLCertificateChainFile /etc/acme/cert/tendril.chain.crt
+SSLCertificateKeyFile /etc/acme/key/tendril.key
<%= @ssl_settings.join("\n") %>
DocumentRoot <%= @docroot %>
php_admin_flag short_open_tag on
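Review bot: the new certificate paths hardcode the name `tendril` in a template that otherwise uses `<%= @site_name %>`; the name must stay in sync with the `letsencrypt::cert::integrated` title in init.pp, so either pass it in as a template variable or add a comment pointing at that resource. Also verify on a fresh host that Apache does not try to start before the first certificate has been issued, since `SSLCertificateFile` pointing at a missing file will fail the config check.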
@@ -18,8 +18,8 @@
Options +ExecCGI +FollowSymLinks
DirectoryIndex index.php
AllowOverride All
- # This is only for pre 2.4 apache versions. In apache 2.4 IP based
- # authorization is just another Require and is chained
+# This is only for pre 2.4 apache versions. In apache 2.4 IP based
+# authorization is just another Require and is chained
Order Allow,Deny
Allow From All
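Review bot: this hunk is a whitespace-only re-indentation of a comment that is unrelated to the Let's Encrypt change and not mentioned in the commit message; keeping such cleanups in a separate change makes the functional diff easier to review and to bisect later.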
@@ -44,7 +44,10 @@
ServerName <%= @site_name %>
DocumentRoot <%= @docroot %>
+Include /etc/acme/challenge-apache.conf
+
RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
+RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
RewriteRule ^/(.*)$ https://<%= @site_name %>/$1 [L,R=301]
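Review bot: the new `RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/` deserves a one-line comment saying it exempts the ACME HTTP-01 challenge path from the HTTPS redirect, otherwise a future reader may tidy it away and silently break renewals. Because the exemption means requests under /.well-known/acme-challenge/ are answered over plain HTTP, confirm that the included /etc/acme/challenge-apache.conf (not part of this diff) maps that path to the challenge directory only, so nothing else under `<%= @docroot %>` becomes reachable without TLS.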
--
To view, visit https://gerrit.wikimedia.org/r/330829
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: I4188411f611b6a24a5888507fcb70eb0f0a34c21
Gerrit-PatchSet: 8
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Dzahn
Gerrit-Reviewer: Alexandros Kosiaris
Gerrit-Reviewer: BBlack
Gerrit-Reviewer: Dzahn
Gerrit-Reviewer: Jcrespo
Gerrit-Reviewer: RobH
Gerrit-Reviewer: jenkins-bot <>
___
MediaWiki-commits mailing list