Dzahn has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/330633 )
Change subject: icinga: use Letsencrypt for SSL cert, spend less donor money on prime numbers ...................................................................... icinga: use Letsencrypt for SSL cert, spend less donor money on prime numbers On 2017-02-06 the icinga.wikimedia.org cert will expire. Instead of renewing and paying for a new icinga SSL cert as we did in the past, start using Letsencrypt for Icinga. We have been using Letsencrypt for Gerrit and RT for a while now and haven't had any complaints or problems. This saves money and having to deal with the cert renewal at all. Also see general tracking task to make all the things use LE. Bug: T133717 Change-Id: I39abcfcc26461933e9afeb93bd229ce1f25d1266 --- M modules/icinga/manifests/web.pp M modules/icinga/templates/icinga.wikimedia.org.erb 2 files changed, 11 insertions(+), 4 deletions(-) Approvals: jenkins-bot: Verified Dzahn: Looks good to me, approved diff --git a/modules/icinga/manifests/web.pp b/modules/icinga/manifests/web.pp index 9e09932..b6f90a1 100644 --- a/modules/icinga/manifests/web.pp +++ b/modules/icinga/manifests/web.pp @@ -41,10 +41,17 @@ include ::apache::mod::authnz_ldap $ssl_settings = ssl_ciphersuite('apache', 'mid', true) - sslcert::certificate { 'icinga.wikimedia.org': } + + letsencrypt::cert::integrated { 'icinga': + subjects => 'icinga.wikimedia.org', + puppet_svc => 'apache2', + system_svc => 'apache2', + require => Class['apache::mod::ssl'] + } apache::site { 'icinga.wikimedia.org': content => template('icinga/icinga.wikimedia.org.erb'), + require => Letsencrypt::Cert::Integrated['icinga'], } # remove icinga default config diff --git a/modules/icinga/templates/icinga.wikimedia.org.erb b/modules/icinga/templates/icinga.wikimedia.org.erb index 0d054c2..fe8829b 100644 --- a/modules/icinga/templates/icinga.wikimedia.org.erb +++ b/modules/icinga/templates/icinga.wikimedia.org.erb 
@@ -20,9 +20,9 @@ # https://httpoxy.org/ RequestHeader unset Proxy early SSLEngine On - SSLCertificateFile /etc/ssl/localcerts/icinga.wikimedia.org.crt - SSLCertificateChainFile /etc/ssl/localcerts/icinga.wikimedia.org.chain.crt - SSLCertificateKeyFile /etc/ssl/private/icinga.wikimedia.org.key + SSLCertificateFile /etc/acme/cert/icinga.crt + SSLCertificateChainFile /etc/acme/cert/icinga.chain.crt + SSLCertificateKeyFile /etc/acme/key/icinga.key <%= @ssl_settings.join("\n") %> DocumentRoot /usr/share/icinga/htdocs -- To view, visit https://gerrit.wikimedia.org/r/330633 Gerrit-MessageType: merged Gerrit-Change-Id: I39abcfcc26461933e9afeb93bd229ce1f25d1266 Gerrit-PatchSet: 9 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Dzahn <dz...@wikimedia.org> Gerrit-Reviewer: Alex Monk <kren...@gmail.com> Gerrit-Reviewer: Alexandros Kosiaris <akosia...@wikimedia.org> Gerrit-Reviewer: BBlack <bbl...@wikimedia.org> Gerrit-Reviewer: Dzahn <dz...@wikimedia.org> Gerrit-Reviewer: Faidon Liambotis <fai...@wikimedia.org> Gerrit-Reviewer: Filippo Giunchedi <fgiunch...@wikimedia.org> Gerrit-Reviewer: Muehlenhoff <mmuhlenh...@wikimedia.org> Gerrit-Reviewer: RobH <r...@wikimedia.org> Gerrit-Reviewer: jenkins-bot <>
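Review bot: in modules/icinga/manifests/web.pp (hunk @@ -41,10 +41,17 @@), removing `sslcert::certificate { 'icinga.wikimedia.org': }` only drops the resource from the catalog. Puppet does not delete files when a declaration disappears, so the certificate and private key the old resource managed stay on the host after the switch to Let's Encrypt. Consider a follow-up change that removes that key material explicitly once the new cert is serving. Minor style point in the same hunk: `require => Class['apache::mod::ssl']` lacks the trailing comma that the added `require => Letsencrypt::Cert::Integrated['icinga'],` line carries.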
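Review bot: in modules/icinga/templates/icinga.wikimedia.org.erb (hunk @@ -20,9 +20,9 @@), the three new SSLCertificate* paths hard-code the name "icinga", which only matches because the letsencrypt::cert::integrated resource in web.pp is titled 'icinga'. If that title is ever changed, the vhost will point at files that do not exist and Apache will fail on them. Consider passing the cert name into the template as a variable, as is already done with @ssl_settings, so manifest and template cannot drift apart, or at least add a comment beside the paths naming the resource they depend on.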