Current certs run out in 20 days. need to move to letsencrypt or renew.
Needs to be reviewed to see if certget can be used since it uses the proxies.
Metadata Update from @smooge: - Issue priority set to: Waiting on Assignee (was: Needs Review) - Issue tagged with: websites-general
If it can be used, then I think this patch ought to do it:
Attachment: 0001-proxies-websites-Switch-retrace-to-LetsEncrypt.patch
But how does one check if certget would be usable?
@ekulik thanks for the patch; it needs a rewrite/proxy to certgetter for the challenge to work. You can look at how this is done for fedora-planet: https://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/planet/templates/planet.conf#n20
Hope that helps :smile:
Attachment: 0001-proxies-websites-Switch-retrace-to-LetsEncrypt.patch
I wonder if this would work?
Your latest patch would still not work :(, because retrace does not go through our proxies, so the redirect needs to be done directly in the apache conf of retrace.
Right right right, then I misinterpreted the “since it uses the proxies” bit. I knew the staging bit looked suspect. Pardon me being dense here, I might need some guidance later.
No, it is ok. This is a complex problem of our own making :smile: . I would look at how a system like pagure.io is set up to use letsencrypt. It does not sit behind our proxies and has the rewrites in apache 'to do the right thing' when the letsencrypt servers check on things.
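As an added illustration (not a patch from this ticket or the Fedora ansible repo) of the rewrite pattern described above, this is the shape of a port-80 Apache vhost on a host that does not sit behind the proxies: ACME HTTP-01 challenge requests are passed through to the certgetter host, everything else is sent to HTTPS. The hostnames are placeholders, and mod_proxy, mod_proxy_http and mod_rewrite are assumed to be loaded.

```apache
# Placeholder vhost for a host that is NOT behind the proxies (e.g. retrace).
# Hostnames below are assumptions, not values from the ticket.
<VirtualHost *:80>
    ServerName retrace.example.org

    # ACME HTTP-01 challenge: Let's Encrypt fetches
    # http://<host>/.well-known/acme-challenge/<token> over plain HTTP.
    # Hand those requests to the certgetter host, which answers the challenge.
    ProxyPreserveHost On
    ProxyPass        "/.well-known/acme-challenge/" "http://certgetter.example.org/.well-known/acme-challenge/"
    ProxyPassReverse "/.well-known/acme-challenge/" "http://certgetter.example.org/.well-known/acme-challenge/"

    # Everything that is not a challenge request is redirected to HTTPS.
    # The RewriteCond exclusion keeps the challenge path from being
    # redirected, which would make the validation fail.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^/(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
</VirtualHost>
```

A quick check that the passthrough works is to request an arbitrary path under /.well-known/acme-challenge/ over plain HTTP and confirm it is answered (or 404ed) by certgetter rather than redirected with a 301.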
Attachment: 0001-playbooks-retrace-Run-httpd-website-role.patch
Another attempt. I’m trying my best to reuse what is available in the repo already.
The bigger issue here is that our deployment has diverged from the playbook and it’s kind of painful to try to redeploy it on some staging machine without having all the keys. I can try involving someone else for assistance.
So good news. I have a new retrace box in a rack and I was going to work with your team on getting it set up and running.
Okay, so it proxies to certgetter, which I guess was the original problem (that it uses proxies), since it’s not accessible on port 80 from retrace.
In any case, I’ve set up LE on the machine, but I’ll be still looking into translating that into our playbook.
So I see that the COPR playbooks have a large set of rules on how to use certgetter in their environment. I am looking to see if we can copy that over.
Metadata Update from @smooge: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
The retrace team did the work to make letsencrypt work, and the certificate says it is using letsencrypt.