opendev/system-config
Code Issues Proposed changes

Use LE cert on review.open*.org

Browse Source 
We previously had two manually issued certs (one each for opendev.org
and openstack.org) but now have a single cert with all the appropriate
names in it automatically issued by LE. Use this new cert before the old
one expires.

Change-Id: I635d2bfd820fe138ee951833dd66f157b2b7c097
This commit is contained in:
Clark Boylan 2020-02-28 08:10:24 -08:00
parent d75d70b333
commit 61caec5b77
3 changed files with 10 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
manifests/site.pp
View File

@ -46,9 +46,13 @@ node /^review\d*\.open.*\.org$/ {
gerritbot_password => hiera('gerrit_gerritbot_password'), gerritbot_password => hiera('gerrit_gerritbot_password'),
gerritbot_ssh_rsa_key_contents => hiera('gerritbot_ssh_rsa_key_contents'), gerritbot_ssh_rsa_key_contents => hiera('gerritbot_ssh_rsa_key_contents'),
gerritbot_ssh_rsa_pubkey_contents => hiera('gerritbot_ssh_rsa_pubkey_contents'), gerritbot_ssh_rsa_pubkey_contents => hiera('gerritbot_ssh_rsa_pubkey_contents'),
ssl_cert_file_contents => hiera('review_opendev_cert_file_contents'), # Empty contents forces Puppet to not write the file.
ssl_key_file_contents => hiera('review_opendev_key_file_contents'), ssl_cert_file_contents => '',
ssl_chain_file_contents => hiera('review_opendev_chain_file_contents'), ssl_key_file_contents => '',
ssl_chain_file_contents => '',
ssl_cert_file => '/etc/letsencrypt-certs/review.opendev.org/review.opendev.org.cer',
ssl_key_file => '/etc/letsencrypt-certs/review.opendev.org/review.opendev.org.key',
ssl_chain_file => '/etc/letsencrypt-certs/review.opendev.org/ca.cer',
ssh_dsa_key_contents => hiera('gerrit_ssh_dsa_key_contents'), ssh_dsa_key_contents => hiera('gerrit_ssh_dsa_key_contents'),
ssh_dsa_pubkey_contents => hiera('gerrit_ssh_dsa_pubkey_contents'), ssh_dsa_pubkey_contents => hiera('gerrit_ssh_dsa_pubkey_contents'),
ssh_rsa_key_contents => hiera('gerrit_ssh_rsa_key_contents'), ssh_rsa_key_contents => hiera('gerrit_ssh_rsa_key_contents'),
@ -65,11 +69,6 @@ node /^review\d*\.open.*\.org$/ {
swift_username => hiera('swift_store_user', 'username'), swift_username => hiera('swift_store_user', 'username'),
swift_password => hiera('swift_store_key'), swift_password => hiera('swift_store_key'),
storyboard_password => hiera('gerrit_storyboard_token'), storyboard_password => hiera('gerrit_storyboard_token'),
# Compatibility layer vars for the old domain name below here.
# TODO rename the hiera keys to reduce confusion
review_openstack_cert_file_contents => hiera('gerrit_ssl_cert_file_contents'),
review_openstack_key_file_contents => hiera('gerrit_ssl_key_file_contents'),
review_openstack_chain_file_contents => hiera('gerrit_ssl_chain_file_contents'),
} }
} }

25
modules/openstack_project/manifests/review.pp
View File

@ -81,10 +81,6 @@ class openstack_project::review (
$project_config_repo = '', $project_config_repo = '',
$projects_config = 'openstack_project/review.projects.ini.erb', $projects_config = 'openstack_project/review.projects.ini.erb',
$gerrit_configure = true, $gerrit_configure = true,
# Compatibility for old domain name vars below here.
$review_openstack_cert_file_contents = '',
$review_openstack_key_file_contents = '',
$review_openstack_chain_file_contents = '',
) { ) {
class { 'project_config': class { 'project_config':
@ -394,27 +390,6 @@ class openstack_project::review (
} }
} }
file { '/etc/ssl/certs/review-redirect.openstack.org.pem':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => $review_openstack_cert_file_contents,
}
file { '/etc/ssl/private/review-redirect.openstack.org.key':
ensure => present,
owner => 'root',
group => 'root',
mode => '0600',
content => $review_openstack_key_file_contents,
}
file { '/etc/ssl/certs/review-redirect.openstack.org_intermediate.pem':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => $review_openstack_chain_file_contents,
}
::httpd::vhost { 'review.openstack.org': ::httpd::vhost { 'review.openstack.org':
port => 443, # Is required despite not being used. port => 443, # Is required despite not being used.
docroot => 'MEANINGLESS_ARGUMENT', docroot => 'MEANINGLESS_ARGUMENT',

6
modules/openstack_project/templates/review-openstack-redirect.vhost.erb
View File

@ -24,9 +24,9 @@
# only is guarenteed. # only is guarenteed.
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
SSLHonorCipherOrder on SSLHonorCipherOrder on
SSLCertificateFile /etc/ssl/certs/review-redirect.openstack.org.pem SSLCertificateFile /etc/letsencrypt-certs/review.opendev.org/review.opendev.org.cer
SSLCertificateKeyFile /etc/ssl/private/review-redirect.openstack.org.key SSLCertificateKeyFile /etc/letsencrypt-certs/review.opendev.org/review.opendev.org.key
SSLCertificateChainFile /etc/ssl/certs/review-redirect.openstack.org_intermediate.pem SSLCertificateChainFile /etc/letsencrypt-certs/review.opendev.org/ca.cer
LogLevel warn LogLevel warn
ErrorLog /var/log/apache2/<%= @srvname %>_error.log ErrorLog /var/log/apache2/<%= @srvname %>_error.log