From b31730d841794be42868a6e94a5ea558de5175ca Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Jan 04 2021 19:52:09 +0000
Subject: pagure / staging: combine certs to 1, clean up logic

There's no reason to not just use one letsencrypt cert for stg.pagure. Also clean up logic in the web config and make sure all the servernames are handled correctly. Once this works, will roll this to production.

Signed-off-by: Kevin Fenzi
---
diff --git a/roles/pagure/tasks/main.yml b/roles/pagure/tasks/main.yml
index 781b6bd..9b15a97 100644
--- a/roles/pagure/tasks/main.yml
+++ b/roles/pagure/tasks/main.yml
@@ -463,47 +463,12 @@
   - pagure
   - logrotate
 
-- name: Letsencrypt for releases.stg.pagure.org
-  include_role: name=letsencrypt
-  vars:
-    site_name: releases.stg.pagure.org
-  when: env == 'pagure-staging'
-  tags:
-  - pagure
-  - letsencrypt
-
-- name: Letsencrypt for docs.stg.pagure.org
-  include_role: name=letsencrypt
-  vars:
-    site_name: docs.stg.pagure.org
-  when: env == 'pagure-staging'
-  tags:
-  - pagure
-  - letsencrypt
-
-- name: Letsencrypt for stg.pagure.org
-  include_role: name=letsencrypt
-  vars:
-    site_name: stg.pagure.org
-  when: env == 'pagure-staging'
-  tags:
-  - pagure
-  - letsencrypt
-
 - name: Letsencrypt for stg.pagure.io
   include_role: name=letsencrypt
   vars:
     site_name: stg.pagure.io
+    server_aliases: [www.stg.pagure.io lists.stg.pagure.io releases.stg.pagure.org docs.stg.pagure.org stg.pagure.org]
   when: env == 'pagure-staging'
   tags:
   - pagure
   - letsencrypt
-
-- name: Letsencrypt for pagure.org
-  include_role: name=letsencrypt
-  vars:
-    site_name: pagure.org
-  when: env != 'pagure-staging'
-  tags:
-  - pagure
-  - letsencrypt
diff --git a/roles/pagure/templates/0_pagure.conf b/roles/pagure/templates/0_pagure.conf
index c32ef13..ff2fd29 100644
--- a/roles/pagure/templates/0_pagure.conf
+++ b/roles/pagure/templates/0_pagure.conf
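Review bot: The added `server_aliases` value is a flow sequence written without commas, so YAML parses `[www.stg.pagure.io lists.stg.pagure.io … stg.pagure.org]` as a one-element list whose only item is the whole space-separated string, not five hostnames. Unless the letsencrypt role happens to re-split that string on whitespace, the request will carry one malformed name and none of the vhosts that now load stg.pagure.io.cert (the 0_pagure.conf hunks at old lines 136, 168 and 203) will have a matching SAN; write it as `server_aliases: [www.stg.pagure.io, lists.stg.pagure.io, releases.stg.pagure.org, docs.stg.pagure.org, stg.pagure.org]` (or a block list). Separately, the hunk also deletes the `Letsencrypt for pagure.org` task, which is gated on `env != 'pagure-staging'` and therefore only ever ran in production, while the production `{% else %}` branch in the 0_pagure.conf hunk at old line 136 still loads `/etc/pki/tls/certs/pagure.org.cert`; if nothing else requests that certificate, its renewal stops with this commit even though the message says production is to follow later.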
@@ -15,6 +15,7 @@ WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-na
     Redirect permanent / https://stg.pagure.io/
 {% else %}
     ServerName pagure.io
+    ProxyPass "/.well-known/acme-challenge" "http://certgetter01/.well-known/acme-challenge"
     Redirect permanent / https://pagure.io/
 {% endif %}
@@ -25,6 +26,7 @@ WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-na
     ProxyPass "/.well-known/acme-challenge" "http://certgetter01/.well-known/acme-challenge"
     Redirect permanent / https://docs.stg.pagure.org/
 {% else %}
+    ProxyPass "/.well-known/acme-challenge" "http://certgetter01/.well-known/acme-challenge"
     ServerName docs.pagure.org
     Redirect permanent / https://docs.pagure.org/
 {% endif %}
@@ -36,6 +38,7 @@ WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-na
     ProxyPass "/.well-known/acme-challenge" "http://certgetter01/.well-known/acme-challenge"
     Redirect permanent / https://releases.stg.pagure.org/
 {% else %}
+    ProxyPass "/.well-known/acme-challenge" "http://certgetter01/.well-known/acme-challenge"
     ServerName releases.pagure.org
     Redirect permanent / https://releases.pagure.org/
 {% endif %}
@@ -87,9 +90,15 @@ WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-na
     # Use secure TLSv1.1 and TLSv1.2 ciphers
     Header always add Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+{% if env == 'pagure-staging' %}
+    SSLCertificateFile /etc/pki/tls/certs/stg.pagure.io.cert
+    SSLCertificateChainFile /etc/pki/tls/certs/stg.pagure.io.intermediate.cert
+    SSLCertificateKeyFile /etc/pki/tls/certs/stg.pagure.io.key
+{% else %}
     SSLCertificateFile /etc/pki/tls/certs/pagure.io.cert
     SSLCertificateChainFile /etc/pki/tls/certs/pagure.io.intermediate.cert
     SSLCertificateKeyFile /etc/pki/tls/certs/pagure.io.key
+{% endif %}
     SetEnv GIT_PROJECT_ROOT /srv/git/repositories
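Review bot: In the `{% else %}` branches of the docs.pagure.org and releases.pagure.org port-80 vhosts (hunks at old lines 25 and 36), the added `ProxyPass "/.well-known/acme-challenge" …` line is placed before `ServerName`, whereas the staging branches directly above and the pagure.io hunk put it after `ServerName`. Apache does not care about directive order inside a VirtualHost, but keeping both branches in the same order makes the two variants read and diff cleanly; move the `ProxyPass` line below `ServerName docs.pagure.org` and `ServerName releases.pagure.org`. The enclosing VirtualHost blocks start and end outside these hunks.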
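Review bot: The new staging branch in the hunk at old line 87 points `SSLCertificateKeyFile` at `/etc/pki/tls/certs/stg.pagure.io.key`, while the other vhosts converted in this commit (hunks at old lines 136, 168 and 203) reference the same key as `/etc/pki/tls/private/stg.pagure.io.key`. Unless the letsencrypt role deploys a copy of the key into both directories, one of those paths does not exist and the vhost naming it will stop httpd from starting with a missing-key error; the production side has the same split, since the existing `SSLCertificateKeyFile /etc/pki/tls/certs/pagure.io.key` here sits beside the `/etc/pki/tls/private/pagure.io.key` added in the releases vhost. Pick the directory the role actually writes to (`private/` is where a key with restrictive permissions normally lives) and use it in every branch, e.g. `SSLCertificateKeyFile /etc/pki/tls/private/stg.pagure.io.key`. The enclosing VirtualHost starts and ends outside the hunk.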
@@ -107,7 +116,11 @@ WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-na
+{% if env == 'pagure-staging' %}
+    Redirect "/releases" https://releases.stg.pagure.org
+{% else %}
     Redirect "/releases" https://releases.pagure.org
+{% endif %}
@@ -136,9 +149,9 @@ WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-na
     Header always add Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
 {% if env == 'pagure-staging' %}
-    SSLCertificateFile /etc/pki/tls/certs/stg.pagure.org.cert
-    SSLCertificateChainFile /etc/pki/tls/certs/stg.pagure.org.intermediate.cert
-    SSLCertificateKeyFile /etc/pki/tls/private/stg.pagure.org.key
+    SSLCertificateFile /etc/pki/tls/certs/stg.pagure.io.cert
+    SSLCertificateChainFile /etc/pki/tls/certs/stg.pagure.io.intermediate.cert
+    SSLCertificateKeyFile /etc/pki/tls/private/stg.pagure.io.key
 {% else %}
     SSLCertificateFile /etc/pki/tls/certs/pagure.org.cert
     SSLCertificateChainFile /etc/pki/tls/certs/pagure.org.intermediate.cert
@@ -168,9 +181,9 @@ WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-na
     Header always add Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
 {% if env == 'pagure-staging' %}
-    SSLCertificateFile /etc/pki/tls/certs/docs.stg.pagure.org.cert
-    SSLCertificateChainFile /etc/pki/tls/certs/docs.stg.pagure.org.intermediate.cert
-    SSLCertificateKeyFile /etc/pki/tls/private/docs.stg.pagure.org.key
+    SSLCertificateFile /etc/pki/tls/certs/stg.pagure.io.cert
+    SSLCertificateChainFile /etc/pki/tls/certs/stg.pagure.io.intermediate.cert
+    SSLCertificateKeyFile /etc/pki/tls/private/stg.pagure.io.key
 {% else %}
     SSLCertificateFile /etc/pki/tls/certs/pagure.io.cert
     SSLCertificateChainFile /etc/pki/tls/certs/pagure.io.intermediate.cert
@@ -203,14 +216,21 @@ WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-na
 {% if env == 'pagure-staging' %}
     ServerName releases.stg.pagure.org
     SSLEngine on
-    SSLCertificateFile /etc/pki/tls/certs/releases.stg.pagure.org.cert
-    SSLCertificateKeyFile /etc/pki/tls/private/releases.stg.pagure.org.key
-    SSLCertificateChainFile /etc/pki/tls/certs/releases.stg.pagure.org.intermediate.cert
+    SSLCertificateFile /etc/pki/tls/certs/stg.pagure.io.cert
+    SSLCertificateKeyFile /etc/pki/tls/private/stg.pagure.io.key
+    SSLCertificateChainFile /etc/pki/tls/certs/stg.pagure.io.intermediate.cert
     SSLHonorCipherOrder On
     SSLProtocol {{ ssl_protocols }}
     SSLCipherSuite {{ ssl_ciphers }}
 {% else %}
     ServerName releases.pagure.org
+    SSLEngine on
+    SSLCertificateFile /etc/pki/tls/certs/pagure.io.cert
+    SSLCertificateKeyFile /etc/pki/tls/private/pagure.io.key
+    SSLCertificateChainFile /etc/pki/tls/certs/pagure.io.intermediate.cert
+    SSLHonorCipherOrder On
+    SSLProtocol {{ ssl_protocols }}
+    SSLCipherSuite {{ ssl_ciphers }}
 {% endif %}
     AddType application/octet-stream msi
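Review bot: The production `{% else %}` branch of the releases.pagure.org vhost now gains `SSLEngine on` and serves `/etc/pki/tls/certs/pagure.io.cert`, even though the commit message says production is to be rolled later and the tasks hunk adds aliases only to the staging certificate, not `releases.pagure.org` to whatever task requests the production pagure.io certificate. As soon as this template is rendered for production, clients connecting to releases.pagure.org are presented the pagure.io certificate and, unless that certificate already carries releases.pagure.org as a SAN, get a name-mismatch error instead of the pre-change behaviour. Either leave the production branch untouched until the matching `server_aliases` entry exists for the production certificate, or add that alias in the same commit so the two changes land together. The enclosing VirtualHost begins and ends outside the hunk.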