Dzahn has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/330829 )
Change subject: tendril: use Letsencrypt for SSL cert ...................................................................... tendril: use Letsencrypt for SSL cert Since we are doing this for Icinga in Change-Id: I39abcfcc264619 and tendril is on the same host (for now, it will move eventually to "dbmonitor1001/2001), we should do both at the same time, to avoid mixing both certificate methods on the same host. Bug: T133717 Change-Id: I4188411f611b6a24a5888507fcb70eb0f0a34c21 --- M modules/role/manifests/tendril.pp M modules/tendril/manifests/init.pp M modules/tendril/templates/apache/tendril.wikimedia.org.erb 3 files changed, 13 insertions(+), 5 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/29/330829/1 diff --git a/modules/role/manifests/tendril.pp b/modules/role/manifests/tendril.pp index de587c0..839e135 100644 --- a/modules/role/manifests/tendril.pp +++ b/modules/role/manifests/tendril.pp @@ -7,9 +7,15 @@ system::role { 'role::tendril': description => 'tendril server' } - sslcert::certificate { 'tendril.wikimedia.org': } $ssl_settings = ssl_ciphersuite('apache', 'mid', true) + letsencrypt::cert::integrated { 'tendril': + subjects => 'tendril.wikimedia.org', + puppet_svc => 'apache2', + system_svc => 'apache2', + require => Class['apache::mod::ssl'] + } + monitoring::service { 'https-tendril': description => 'HTTPS-tendril', check_command => 'check_ssl_http!tendril.wikimedia.org', diff --git a/modules/tendril/manifests/init.pp b/modules/tendril/manifests/init.pp index 4848210..f14d79e 100644 --- a/modules/tendril/manifests/init.pp +++ b/modules/tendril/manifests/init.pp @@ -23,8 +23,10 @@ include ::apache::mod::authnz_ldap apache::site { $site_name: - content => template("tendril/apache/${site_name}.erb"); + content => template("tendril/apache/${site_name}.erb"), + require => Letsencrypt::Cert::Integrated['tendril'], } + require_package('php5-mysql') file { '/srv/tendril': 
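Review bot: Dropping `sslcert::certificate { 'tendril.wikimedia.org': }` in modules/role/manifests/tendril.pp only stops Puppet from managing the old certificate; nothing in this change removes the files, so the previous private key presumably stays on disk under /etc/ssl/private after the switch. If the define accepts it, an intermediate `ensure => absent` step (or a cleanup noted in the commit message) would retire that key deliberately. The `monitoring::service` check kept as context was written for the old certificate, so its expiry thresholds are worth confirming against the shorter lifetime of Let's Encrypt certificates. Style nit: `require => Class['apache::mod::ssl']` is the only attribute without a trailing comma; write `require => Class['apache::mod::ssl'],`. The enclosing class starts and ends outside the hunk.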
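Review bot: The added `require => Letsencrypt::Cert::Integrated['tendril'],` in modules/tendril/manifests/init.pp points at a resource that is declared only in the role manifest, so the tendril class would fail catalog compilation wherever that role resource is absent, and the title 'tendril' has to be kept in sync across two files. A comment above it such as `# certificate is declared in role::tendril; the vhost must not be enabled before its files exist` would make the dependency visible. If issuance needs Apache to serve the validation request, confirm that the request can be answered before this vhost is in place and without the LDAP authentication this module loads (`include ::apache::mod::authnz_ldap`). The class body continues outside the hunk.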
diff --git a/modules/tendril/templates/apache/tendril.wikimedia.org.erb b/modules/tendril/templates/apache/tendril.wikimedia.org.erb
index 519f5c4..c93189a 100644
--- a/modules/tendril/templates/apache/tendril.wikimedia.org.erb
+++ b/modules/tendril/templates/apache/tendril.wikimedia.org.erb
@@ -6,9 +6,9 @@
 # https://httpoxy.org/
 RequestHeader unset Proxy early
 SSLEngine On
- SSLCertificateFile /etc/ssl/localcerts/tendril.wikimedia.org.crt
- SSLCertificateChainFile /etc/ssl/localcerts/tendril.wikimedia.org.chain.crt
- SSLCertificateKeyFile /etc/ssl/private/tendril.wikimedia.org.key
+ SSLCertificateFile /etc/acme/cert/tendril.crt
+ SSLCertificateChainFile /etc/acme/cert/tendril.chain.crt
+ SSLCertificateKeyFile /etc/acme/key/tendril.key
 <%= @ssl_settings.join("\n") %>
 DocumentRoot <%= @docroot %>
 php_admin_flag short_open_tag on
-- To view, visit https://gerrit.wikimedia.org/r/330829 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I4188411f611b6a24a5888507fcb70eb0f0a34c21 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Dzahn <dz...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
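Review bot: The three new `SSLCertificate*` paths in tendril.wikimedia.org.erb hard-code both the on-disk layout used by the certificate module and the resource title 'tendril', so renaming the resource in the role manifest would leave Apache pointing at missing files and unable to bring up the TLS vhost. Passing the paths in as template variables, or at least a comment like `# paths follow letsencrypt::cert::integrated { 'tendril' } in role::tendril`, would keep them tied together. Separately, `SSLCertificateChainFile` is obsolete from Apache 2.4.8 onward, where `SSLCertificateFile` can carry the chain; if the host runs such a version, a combined file would be the cleaner form, assuming the module provides one. The enclosing vhost block starts and ends outside the hunk.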