Dzahn has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/330829 )

Change subject: tendril: use Letsencrypt for SSL cert
......................................................................

tendril: use Letsencrypt for SSL cert

Since we are doing this for Icinga in Change-Id: I39abcfcc264619
and tendril is on the same host (for now, it will move
eventually to "dbmonitor1001/2001"), we should do both
at the same time, to avoid mixing both certificate
methods on the same host.

Bug: T133717
Change-Id: I4188411f611b6a24a5888507fcb70eb0f0a34c21
---
M modules/role/manifests/tendril.pp
M modules/tendril/manifests/init.pp
M modules/tendril/templates/apache/tendril.wikimedia.org.erb
3 files changed, 13 insertions(+), 5 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/29/330829/1

diff --git a/modules/role/manifests/tendril.pp 
b/modules/role/manifests/tendril.pp
index de587c0..839e135 100644
--- a/modules/role/manifests/tendril.pp
+++ b/modules/role/manifests/tendril.pp
@@ -7,9 +7,15 @@
 
     system::role { 'role::tendril': description => 'tendril server' }
 
-    sslcert::certificate { 'tendril.wikimedia.org': }
     $ssl_settings = ssl_ciphersuite('apache', 'mid', true)
 
+    letsencrypt::cert::integrated { 'tendril':
+        subjects   => 'tendril.wikimedia.org',
+        puppet_svc => 'apache2',
+        system_svc => 'apache2',
+        require    => Class['apache::mod::ssl']
+    }
+
     monitoring::service { 'https-tendril':
         description   => 'HTTPS-tendril',
         check_command => 'check_ssl_http!tendril.wikimedia.org',
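Review bot: Removing `sslcert::certificate { 'tendril.wikimedia.org': }` stops Puppet from managing the old certificate, but it does not remove the files already deployed under /etc/ssl/localcerts and /etc/ssl/private on the host, so the "avoid mixing both certificate methods on the same host" goal in the commit message is only half met until those are cleaned up (an explicit `ensure => absent` for the old key and cert, or a one-off cleanup, would close that). Two smaller points in the same hunk: `require => Class['apache::mod::ssl']` assumes that class is declared somewhere in this catalog (it is not visible in these hunks; compilation fails if it is not), and the last attribute is missing the trailing comma that the init.pp hunk below does add, so the two hunks are inconsistent in style. The existing `check_ssl_http!tendril.wikimedia.org` monitoring check will exercise the new chain after the switch, which is a useful first verification that the Let's Encrypt chain file is being served correctly.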
diff --git a/modules/tendril/manifests/init.pp 
b/modules/tendril/manifests/init.pp
index 4848210..f14d79e 100644
--- a/modules/tendril/manifests/init.pp
+++ b/modules/tendril/manifests/init.pp
@@ -23,8 +23,10 @@
     include ::apache::mod::authnz_ldap
 
     apache::site { $site_name:
-        content => template("tendril/apache/${site_name}.erb");
+        content => template("tendril/apache/${site_name}.erb"),
+        require => Letsencrypt::Cert::Integrated['tendril'],
     }
+
     require_package('php5-mysql')
 
     file { '/srv/tendril':
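Review bot: `require => Letsencrypt::Cert::Integrated['tendril']` inside `class tendril` introduces a hard dependency from the tendril module on a resource that is declared in `role::tendril` (first hunk), not in this module; any catalog that includes `tendril` without `role::tendril` will now fail with a missing-dependency error. Either declare the `letsencrypt::cert::integrated` resource in this module, or keep the dependency in the role (for example by ordering `Letsencrypt::Cert::Integrated['tendril'] -> Apache::Site[$site_name]` there) so the module stays usable on its own.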
diff --git a/modules/tendril/templates/apache/tendril.wikimedia.org.erb 
b/modules/tendril/templates/apache/tendril.wikimedia.org.erb
index 519f5c4..c93189a 100644
--- a/modules/tendril/templates/apache/tendril.wikimedia.org.erb
+++ b/modules/tendril/templates/apache/tendril.wikimedia.org.erb
@@ -6,9 +6,9 @@
     # https://httpoxy.org/
     RequestHeader unset Proxy early
     SSLEngine On
-    SSLCertificateFile /etc/ssl/localcerts/tendril.wikimedia.org.crt
-    SSLCertificateChainFile /etc/ssl/localcerts/tendril.wikimedia.org.chain.crt
-    SSLCertificateKeyFile /etc/ssl/private/tendril.wikimedia.org.key
+    SSLCertificateFile /etc/acme/cert/tendril.crt
+    SSLCertificateChainFile /etc/acme/cert/tendril.chain.crt
+    SSLCertificateKeyFile /etc/acme/key/tendril.key
     <%= @ssl_settings.join("\n") %>
     DocumentRoot <%= @docroot %>
     php_admin_flag short_open_tag on
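Review bot: The three new paths (`/etc/acme/cert/tendril.crt`, `/etc/acme/cert/tendril.chain.crt`, `/etc/acme/key/tendril.key`) are hardcoded to the resource title `'tendril'` chosen in the role; if that title is ever renamed, Apache will refuse to start at the next restart with no hint in Puppet, so a short comment in the template naming the resource they depend on, or passing the paths in as template variables, would make the coupling visible. Since the vhost is now ordered after the certificate resource (init.pp hunk), Apache should never load this config before the key exists; worth confirming on the first run that /etc/acme/key/tendril.key is readable by root only, as Apache reads the key before dropping privileges.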

-- 
To view, visit https://gerrit.wikimedia.org/r/330829
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I4188411f611b6a24a5888507fcb70eb0f0a34c21
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Dzahn <dz...@wikimedia.org>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits