As discussed in the infra meeting on 16 Aug, around the 14:30 mark
<https://meetbot.fedoraproject.org/teams/infrastructure/infrastructure.2018-08-16-14.00.log.html>
regarding Issue #7158: Planet Fedora doesn't have a valid certificate
<https://pagure.io/fedora-infrastructure/issue/7158>.

I created two patches (attached) based on my reading/understanding of
the certbot role README. Text below. I think we are in Freeze right now
and I probably have _many_ things to fix.

Thanks to everyone who guided me (hopefully I'm on the right track :)

diff --git a/playbooks/include/proxies-websites.yml
b/playbooks/include/proxies-websites.yml
index 8013c539e..5cd82375c 100644
--- a/playbooks/include/proxies-websites.yml
+++ b/playbooks/include/proxies-websites.yml
@@ -932,3 +932,15 @@
tags:
- pkgs.fedoraproject.org
when: env == "staging" and "phx2" in inventory_hostname
+# cert for https://fedoraplanet.org which redirects to
http://fedoraplanet.org
+
+ - role: httpd/website
+ site_name: fedoraplanet.org
+ server_aliases:
+ - www.fedoraplanet.org
+ ssl: true
+ sslonly: true
+ certbot: true
+ certbot_addhost: fedoraplanet.org
+ tags:
+ - fedoraplanet.org
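
Review bot: The comment added above the `- role: httpd/website` entry says https://fedoraplanet.org redirects to http://fedoraplanet.org, but the entry itself sets `sslonly: true`, which reads as the opposite intent. Decide which scheme is canonical and reword the comment to match; if HTTPS is meant to be canonical, the planet.conf change in this series must not send HTTPS clients back to HTTP.
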
---------------------------------------
diff --git a/roles/planet/templates/planet.conf
b/roles/planet/templates/planet.conf
index 319923d2a..f4f1eb622 100644
--- a/roles/planet/templates/planet.conf
+++ b/roles/planet/templates/planet.conf
@@ -15,6 +15,10 @@
ErrorLog logs/planet-error.log
CustomLog logs/fedoraplanet.org-access.log common
+ RewriteEngine on
+ RewriteRule ^/\.well-known/(.*)
/srv/web/acme-challenge/.well-known/$1 [L]
+ RewriteRule "^/?(.*)" "https://%{HTTP_HOST}/$1" [L,R=301,NE]
+
UserDir disable
AddCharset UTF-8 .xml
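
Review bot: The catch-all rule `RewriteRule "^/?(.*)" "https://%{HTTP_HOST}/$1" [L,R=301,NE]` builds the redirect target from the client-supplied Host header, so whatever hostname reaches this vhost is echoed back in the 301 Location. Use the fixed name instead, for example `"https://fedoraplanet.org/$1"`, which also keeps the redirect on a name the certificate is issued for.
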
@@ -79,3 +83,32 @@
RedirectMatch permanent /(.*) http://fedoraplanet.org/$1
</VirtualHost>
+<VirtualHost {{public_ip}}:443 _default_:443>
+ ##
+ # Domain: fedoraplanet.org
+ # Owner: ad...@fedoraplanet.org
+ #
+ ServerName fedoraplanet.org
+
+ SSLEngine on
+ SSLCertificateFile /etc/letsencrypt/live/fedoraplanet.org/cert.pem
+ SSLCertificateKeyFile
/etc/letsencrypt/live/fedoraplanet.org/privkey.pem
+ SSLCertificateChainFile
/etc/letsencrypt/live/fedoraplanet.org/fullchain.pem
+ SSLHonorCipherOrder On
+ SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL
+ SSLProtocol ALL -SSLv2
+
+ ServerAdmin ad...@fedoraplanet.org
+ ServerName fedoraplanet.org
+
+ DocumentRoot "/srv/planet/site/"
+
+ ErrorLog logs/planet-error.log
+ CustomLog logs/planet.fedoraproject.org-access.log common
+
+ UserDir disable
+ AddCharset UTF-8 .xml
+
+ RedirectMatch permanent /(.*) http://fedoraplanet.org/$1
+
+</VirtualHost>
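
Review bot: `RedirectMatch permanent /(.*) http://fedoraplanet.org/$1` at the end of the new :443 vhost sends every HTTPS request back to HTTP, while the first hunk of this file makes the port 80 side issue a 301 to https:// for everything except /.well-known/, so as written the two permanent redirects appear to loop for fedoraplanet.org. Drop the RedirectMatch from this block and let it serve from DocumentRoot, or restrict it to non-canonical hostnames and point it at https://. `ServerName fedoraplanet.org` is also set twice in the block, and CustomLog writes to planet.fedoraproject.org-access.log while the port 80 vhost logs to fedoraplanet.org-access.log.
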
diff --git a/roles/planet/templates/planet.conf b/roles/planet/templates/planet.conf
index 319923d2a..f4f1eb622 100644
--- a/roles/planet/templates/planet.conf
+++ b/roles/planet/templates/planet.conf
@@ -15,6 +15,10 @@
ErrorLog logs/planet-error.log
CustomLog logs/fedoraplanet.org-access.log common
+ RewriteEngine on
+ RewriteRule ^/\.well-known/(.*) /srv/web/acme-challenge/.well-known/$1 [L]
+ RewriteRule "^/?(.*)" "https://%{HTTP_HOST}/$1" [L,R=301,NE]
+
UserDir disable
AddCharset UTF-8 .xml
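
Review bot: The first added rule, `RewriteRule ^/\.well-known/(.*) /srv/web/acme-challenge/.well-known/$1 [L]`, maps everything under /.well-known/ onto the filesystem, not only the ACME challenge path. Narrow the pattern to `^/\.well-known/acme-challenge/(.*)` and confirm that a <Directory> block elsewhere grants access to /srv/web/acme-challenge, since nothing in this hunk does.
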
@@ -79,3 +83,32 @@
RedirectMatch permanent /(.*) http://fedoraplanet.org/$1
</VirtualHost>
+<VirtualHost {{public_ip}}:443 _default_:443>
+ ##
+ # Domain: fedoraplanet.org
+ # Owner: ad...@fedoraplanet.org
+ #
+ ServerName fedoraplanet.org
+
+ SSLEngine on
+ SSLCertificateFile /etc/letsencrypt/live/fedoraplanet.org/cert.pem
+ SSLCertificateKeyFile /etc/letsencrypt/live/fedoraplanet.org/privkey.pem
+ SSLCertificateChainFile /etc/letsencrypt/live/fedoraplanet.org/fullchain.pem
+ SSLHonorCipherOrder On
+ SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL
+ SSLProtocol ALL -SSLv2
+
+ ServerAdmin ad...@fedoraplanet.org
+ ServerName fedoraplanet.org
+
+ DocumentRoot "/srv/planet/site/"
+
+ ErrorLog logs/planet-error.log
+ CustomLog logs/planet.fedoraproject.org-access.log common
+
+ UserDir disable
+ AddCharset UTF-8 .xml
+
+ RedirectMatch permanent /(.*) http://fedoraplanet.org/$1
+
+</VirtualHost>
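
Review bot: The TLS settings in the new :443 vhost are weak: `SSLCipherSuite` lists RC4-SHA first and includes ALL, so with `SSLHonorCipherOrder On` the server prefers RC4 whenever it is available, and `SSLProtocol ALL -SSLv2` leaves SSLv3 enabled. Remove RC4, replace ALL with an explicit list of current suites, and add -SSLv3 at minimum. `SSLCertificateChainFile` also points at fullchain.pem, which already contains the leaf certificate that `SSLCertificateFile` loads from cert.pem; point it at chain.pem, or load fullchain.pem through SSLCertificateFile alone.
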
diff --git a/playbooks/include/proxies-websites.yml b/playbooks/include/proxies-websites.yml
index 8013c539e..5cd82375c 100644
--- a/playbooks/include/proxies-websites.yml
+++ b/playbooks/include/proxies-websites.yml
@@ -932,3 +932,15 @@
tags:
- pkgs.fedoraproject.org
when: env == "staging" and "phx2" in inventory_hostname
+# cert for https://fedoraplanet.org which redirects to http://fedoraplanet.org
+
+ - role: httpd/website
+ site_name: fedoraplanet.org
+ server_aliases:
+ - www.fedoraplanet.org
+ ssl: true
+ sslonly: true
+ certbot: true
+ certbot_addhost: fedoraplanet.org
+ tags:
+ - fedoraplanet.org
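
Review bot: The new `- role: httpd/website` entry has no `when:` condition, unlike the pkgs.fedoraproject.org entry just above it (`when: env == "staging" and "phx2" in inventory_hostname`), so it applies wherever this include runs. State whether that is intended for staging as well as production. `server_aliases` also lists www.fedoraplanet.org while `certbot_addhost` names only fedoraplanet.org; check that the issued certificate will cover the www alias.
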
_______________________________________________
infrastructure mailing list -- infrastructure@lists.fedoraproject.org