Dzahn has submitted this change and it was merged. ( 
https://gerrit.wikimedia.org/r/330633 )

Change subject: icinga: use Letsencrypt for SSL cert, spend less donor money on 
prime numbers
......................................................................


icinga: use Letsencrypt for SSL cert, spend less donor money on prime numbers

On 2017-02-06 the icinga.wikimedia.org cert will expire.

Instead of renewing and paying for a new icinga SSL cert
as we did in the past, start using Letsencrypt for Icinga.

We have been using Letsencrypt for Gerrit and RT for a while
now and haven't had any complaints or problems.

This saves money and having to deal with the cert renewal at all.

Also see general tracking task to make all the things use LE.

Bug: T133717
Change-Id: I39abcfcc26461933e9afeb93bd229ce1f25d1266
---
M modules/icinga/manifests/web.pp
M modules/icinga/templates/icinga.wikimedia.org.erb
2 files changed, 11 insertions(+), 4 deletions(-)

Approvals:
  jenkins-bot: Verified
  Dzahn: Looks good to me, approved



diff --git a/modules/icinga/manifests/web.pp b/modules/icinga/manifests/web.pp
index 9e09932..b6f90a1 100644
--- a/modules/icinga/manifests/web.pp
+++ b/modules/icinga/manifests/web.pp
@@ -41,10 +41,17 @@
     include ::apache::mod::authnz_ldap
 
     $ssl_settings = ssl_ciphersuite('apache', 'mid', true)
-    sslcert::certificate { 'icinga.wikimedia.org': }
+
+    letsencrypt::cert::integrated { 'icinga':
+        subjects   => 'icinga.wikimedia.org',
+        puppet_svc => 'apache2',
+        system_svc => 'apache2',
+        require    => Class['apache::mod::ssl']
+    }
 
     apache::site { 'icinga.wikimedia.org':
         content => template('icinga/icinga.wikimedia.org.erb'),
+        require => Letsencrypt::Cert::Integrated['icinga'],
     }
 
     # remove icinga default config
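Review bot: the last attribute of the new letsencrypt::cert::integrated resource, `require    => Class['apache::mod::ssl']`, has no trailing comma, while the `require` line added to apache::site in the same hunk does. Adding the comma keeps later attribute additions to one-line diffs. It would also help to add a short comment explaining why puppet_svc and system_svc are both set to 'apache2', since the resource gives no hint of what distinguishes the two parameters.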
diff --git a/modules/icinga/templates/icinga.wikimedia.org.erb 
b/modules/icinga/templates/icinga.wikimedia.org.erb
index 0d054c2..fe8829b 100644
--- a/modules/icinga/templates/icinga.wikimedia.org.erb
+++ b/modules/icinga/templates/icinga.wikimedia.org.erb
@@ -20,9 +20,9 @@
     # https://httpoxy.org/
     RequestHeader unset Proxy early
     SSLEngine On
-    SSLCertificateFile /etc/ssl/localcerts/icinga.wikimedia.org.crt
-    SSLCertificateChainFile /etc/ssl/localcerts/icinga.wikimedia.org.chain.crt
-    SSLCertificateKeyFile /etc/ssl/private/icinga.wikimedia.org.key
+    SSLCertificateFile /etc/acme/cert/icinga.crt
+    SSLCertificateChainFile /etc/acme/cert/icinga.chain.crt
+    SSLCertificateKeyFile /etc/acme/key/icinga.key
     <%= @ssl_settings.join("\n") %>
 
     DocumentRoot /usr/share/icinga/htdocs
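Review bot: the three new paths under /etc/acme/ hard-code the name "icinga", which only matches because the resource in web.pp is titled 'icinga'. Renaming that resource would leave this vhost pointing at files that no longer exist. Consider passing the cert name into the template as a variable, or at least adding a comment next to the SSLCertificate* lines naming the resource they depend on. Separately, nothing in this change removes the old key at /etc/ssl/private/icinga.wikimedia.org.key, so it stays on disk unmanaged after the switch; a follow-up cleanup would be worth tracking.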

-- 
To view, visit https://gerrit.wikimedia.org/r/330633

Gerrit-MessageType: merged
Gerrit-Change-Id: I39abcfcc26461933e9afeb93bd229ce1f25d1266
Gerrit-PatchSet: 9
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Dzahn <dz...@wikimedia.org>
Gerrit-Reviewer: Alex Monk <kren...@gmail.com>
Gerrit-Reviewer: Alexandros Kosiaris <akosia...@wikimedia.org>
Gerrit-Reviewer: BBlack <bbl...@wikimedia.org>
Gerrit-Reviewer: Dzahn <dz...@wikimedia.org>
Gerrit-Reviewer: Faidon Liambotis <fai...@wikimedia.org>
Gerrit-Reviewer: Filippo Giunchedi <fgiunch...@wikimedia.org>
Gerrit-Reviewer: Muehlenhoff <mmuhlenh...@wikimedia.org>
Gerrit-Reviewer: RobH <r...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>
