#8549 Move retrace.fedoraproject.org to letsencrypt
Closed: Fixed 4 years ago by smooge. Opened 4 years ago by smooge.

Describe what you would like us to do:

Current certs run out in 20 days. Need to move to letsencrypt or renew.


When do you need this to be done by? (YYYY/MM/DD)



Needs to be reviewed to see if certget can be used since it uses the proxies.

Metadata Update from @smooge:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: websites-general

4 years ago

@ekulik thanks for the patch; it needs a rewrite/proxy to certgetter for the challenge to work. You can look at how this is done for fedora-planet https://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/planet/templates/planet.conf#n20

Hope that helps :smile:

Your latest patch would still not work :(, because retrace does not go through our proxies, so the redirect needs to be done directly in the apache conf of retrace.

Right right right, then I misinterpreted the “since it uses the proxies” bit. I knew the staging bit looked suspect. Pardon me being dense here, I might need some guidance later.

No, it is ok. This is a complex problem of our own making :smile: . I would look at how a system like pagure.io is set up to use letsencrypt. It does not sit behind our proxies and has the rewrites in apache 'to do the right thing' when the letsencrypt servers check on things.
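The Apache-side change the two comments above describe, as an added example that is not from the ticket, the attached patch, or the Fedora infrastructure ansible repo: a port-80 vhost on a host that is not behind the proxies forwards only the ACME HTTP-01 challenge path to the certgetter host and sends everything else to HTTPS. The host names, and the assumption that certgetter answers on plain HTTP under the same challenge path, are placeholders.

```apache
# Added example, not the ticket's or the ansible repo's config.
# Requires mod_proxy, mod_proxy_http and mod_rewrite to be loaded.
<VirtualHost *:80>
    # Placeholder for the real host name.
    ServerName retrace.example.org

    # Forward only the HTTP-01 challenge path to certgetter, so the
    # letsencrypt validators reach the proof file even though this host
    # does not sit behind the proxies. Nothing else is proxied.
    ProxyPass        "/.well-known/acme-challenge/" "http://certgetter.example.org/.well-known/acme-challenge/"
    ProxyPassReverse "/.well-known/acme-challenge/" "http://certgetter.example.org/.well-known/acme-challenge/"

    # Every other plain-HTTP request is redirected to HTTPS; the challenge
    # path is excluded so the redirect never hides the proof from the validator.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]
</VirtualHost>
```

After reloading httpd, a quick check from outside the host is `curl -I http://retrace.example.org/.well-known/acme-challenge/test`: a response served by certgetter (a 404 from it is fine before a challenge is pending) rather than a 301 to HTTPS shows the exclusion is in place.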

The bigger issue here is that our deployment has diverged from the playbook and it’s kind of painful to try to redeploy it on some staging machine without having all the keys. I can try involving someone else for assistance.

So good news. I have a new retrace box in a rack and I was going to work with your team on getting it set up and running.

0001-playbooks-retrace-Run-httpd-website-role.patch
Another attempt. I’m trying my best to reuse what is available in the repo already.

Okay, so it proxies to certgetter, which I guess was the original problem (that it uses proxies), since it’s not accessible on port 80 from retrace.

In any case, I’ve set up LE on the machine, but I’ll be still looking into translating that into our playbook.

So I see that the COPR playbooks have a large set of rules on how to use certgetter in their environment. I am looking to see if we can copy that over.

Metadata Update from @smooge:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

4 years ago

The retrace team did the work to make letsencrypt work and the certificate says it is using letsencrypt.
