RobH has submitted this change and it was merged.

Change subject: ishmael.wikimedia.org to use its own cert, not wildcard
ishmael.wikimedia.org to use its own cert, not wildcard Setting ishmael.wikimedia.org to install and use its own cert, rather than the wildcard Change-Id: Id5f19522f1927a28e5099579d3494fa67c5fb02f RT: 6732 --- A files/ssl/ishmael.wikimedia.org.pem M manifests/role/ishmael.pp M modules/ishmael/templates/apache/ishmael.wikimedia.org.erb 3 files changed, 34 insertions(+), 2 deletions(-) Approvals: RobH: Looks good to me, approved jenkins-bot: Verified diff --git a/files/ssl/ishmael.wikimedia.org.pem b/files/ssl/ishmael.wikimedia.org.pem new file mode 100644 index 0000000..5ee85c6 --- /dev/null +++ b/files/ssl/ishmael.wikimedia.org.pem 
@@ -0,0 +1,30 @@ +-----BEGIN CERTIFICATE----- +MIIFMDCCBBigAwIBAgIDEOLnMA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT +MRcwFQYDVQQKEw5HZW9UcnVzdCwgSW5jLjEUMBIGA1UEAxMLUmFwaWRTU0wgQ0Ew +HhcNMTQwMjIyMjMxNTAzWhcNMTUwMjI2MTkyMzQ2WjCBxDEpMCcGA1UEBRMgMEhj +U0RDZlBaMFRuZTl4TEN4VDZ2RzhjR2M2VUxvb2kxEzARBgNVBAsTCkdUMTgyODQz +MTUxMTAvBgNVBAsTKFNlZSB3d3cucmFwaWRzc2wuY29tL3Jlc291cmNlcy9jcHMg +KGMpMTQxLzAtBgNVBAsTJkRvbWFpbiBDb250cm9sIFZhbGlkYXRlZCAtIFJhcGlk +U1NMKFIpMR4wHAYDVQQDExVpc2htYWVsLndpa2ltZWRpYS5vcmcwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC144qrhl0YcppwjdiZw4jkmqoA0TSx4eh/ +lxM4tCGmlkamk97EpoerziwpRR3k+QnltCIfvKNdX/uwR4PvmVXnpe0o6zmTAuhe +48d/l82xQc1/aHePKtWJdBpwPH8an32toUO6f8JJS1B7Ell3FJ3tEmHW834Z68w5 +b0bUZShMSds40yvHahGgMkgD69dHAJ9c1TP3m2Y6u4358iaV6ihpIc/KeqM/ACOK +p/aLzePGEZdDshsNPHUai6V5DASNWqBjcJqUSVv5xruCJomhqDyTxKUkYzr+E72D +Jtu8se8u22yQl7uRDw/7Df1siMtN89KFT73UPyZ7vLV/7NTmHw2PAgMBAAGjggGw +MIIBrDAfBgNVHSMEGDAWgBRraT1qGEJK3Y8CZTn9NSSGeJEWMDAOBgNVHQ8BAf8E +BAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMCAGA1UdEQQZMBeC +FWlzaG1hZWwud2lraW1lZGlhLm9yZzBDBgNVHR8EPDA6MDigNqA0hjJodHRwOi8v +cmFwaWRzc2wtY3JsLmdlb3RydXN0LmNvbS9jcmxzL3JhcGlkc3NsLmNybDAdBgNV +HQ4EFgQU4sKeuAKRUzv1KuM5zLwEoEUaE6UwDAYDVR0TAQH/BAIwADB4BggrBgEF +BQcBAQRsMGowLQYIKwYBBQUHMAGGIWh0dHA6Ly9yYXBpZHNzbC1vY3NwLmdlb3Ry +dXN0LmNvbTA5BggrBgEFBQcwAoYtaHR0cDovL3JhcGlkc3NsLWFpYS5nZW90cnVz +dC5jb20vcmFwaWRzc2wuY3J0MEwGA1UdIARFMEMwQQYKYIZIAYb4RQEHNjAzMDEG +CCsGAQUFBwIBFiVodHRwOi8vd3d3Lmdlb3RydXN0LmNvbS9yZXNvdXJjZXMvY3Bz +MA0GCSqGSIb3DQEBBQUAA4IBAQA2AKUcWFC3YlcjD1/Es7YgPwgbZrQ345MAuI3k +wS+uNCGP64FZZsIwYKl48iuhc9J199ZLmiAOqZ+qX9C3JpPko34Hlhh+E9+ER81a +K9IFXCKLwAUlJjRmxwG7bbKauhNtogmgN7Vf6UQVsX0J2462VOvh78aqvmcFl1uE ++VX5vlQfuh2ojN69Qxb9CN5YIF8l5ZQyNpwvwUQkwHrzzeBpzinHiUEYVD8qNjdY +KL9A/AzEdQFzov6VHd7ikO28X1zqspIUsBQ5+222Ep1ws8bapQUUwLQT0dW/shGn +61LLOtu56IfaC7ekNDrn7HU1vM4trV+MJp6UhQj9vKM87HpS +-----END CERTIFICATE----- 
diff --git a/manifests/role/ishmael.pp b/manifests/role/ishmael.pp index 8a5a4cd..ba5f09e 100644 --- a/manifests/role/ishmael.pp +++ b/manifests/role/ishmael.pp @@ -4,6 +4,8 @@ system::role { 'role::ishmael': description => 'ishmael server' } + install_certificate{ 'ishmael.wikimedia.org': ca => 'RapidSSL_CA.pem' } + class { '::ishmael': site_name => 'ishmael.wikimedia.org', config_main => '/srv/ishmael/conf.php', diff --git a/modules/ishmael/templates/apache/ishmael.wikimedia.org.erb b/modules/ishmael/templates/apache/ishmael.wikimedia.org.erb index 795736a..3bf43ef 100644 --- a/modules/ishmael/templates/apache/ishmael.wikimedia.org.erb +++ b/modules/ishmael/templates/apache/ishmael.wikimedia.org.erb @@ -10,8 +10,8 @@ SSLProtocol -ALL +SSLv3 +TLSv1 SSLCipherSuite AES128-GCM-SHA256:RC4-SHA:RC4-MD5:DES-CBC3-SHA:AES128-SHA:AES256-SHA SSLHonorCipherOrder on - SSLCertificateFile /etc/ssl/private/star.wikimedia.org.pem - SSLCertificateKeyFile /etc/ssl/private/star.wikimedia.org.key + SSLCertificateFile /etc/ssl/private/ishmael.wikimedia.org.pem + SSLCertificateKeyFile /etc/ssl/private/ishmael.wikimedia.org.key SSLCACertificateFile /etc/ssl/certs/RapidSSL_CA.pem DocumentRoot <%= @docroot %> -- To view, visit https://gerrit.wikimedia.org/r/115318 Gerrit-MessageType: merged Gerrit-Change-Id: Id5f19522f1927a28e5099579d3494fa67c5fb02f Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: RobH <r...@wikimedia.org> Gerrit-Reviewer: RobH <r...@wikimedia.org> Gerrit-Reviewer: jenkins-bot <>
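Review bot: the new files/ssl/ishmael.wikimedia.org.pem arrives as an opaque PEM block, and neither the commit message nor the hunk records anything a reviewer can check it against. Suggest putting the certificate's subject, validity dates and SHA-256 fingerprint in the commit message, so the committed file can be verified against the certificate that was actually issued and its renewal date is visible without decoding the file.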
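Review bot: in manifests/role/ishmael.pp, nothing in the added line `install_certificate{ 'ishmael.wikimedia.org': ca => 'RapidSSL_CA.pem' }` orders it ahead of `class { '::ishmael':`, whose Apache template now points at the files this resource is expected to install. Unless install_certificate already guarantees that ordering, declare it explicitly so Apache is never configured or restarted before the certificate is in place. Style point on the same line: add a space before the opening brace, to match `system::role {` and `class {` in the surrounding context.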
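Review bot: in the ishmael.wikimedia.org.erb hunk, the new `SSLCertificateKeyFile /etc/ssl/private/ishmael.wikimedia.org.key` relies on a key file that this change does not add. Keeping the private key out of the repository is right, but the commit message should say how the key reaches /etc/ssl/private, since Apache will not start the vhost if the key is missing or does not match the new certificate. Separately, the unchanged context lines in this hunk still enable `+SSLv3` and offer `RC4-SHA`, `RC4-MD5` and `DES-CBC3-SHA`; that is outside the scope of this change but worth a follow-up now that the vhost has its own certificate.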