As discussed in infra meeting 16 aug around the 14:30 mark https://meetbot.fedoraproject.org/teams/infrastructure/infrastructure.2018-08-16-14.00.log.html regarding Issue #7158: Planet Fedora doesn't have a valid certificate https://pagure.io/fedora-infrastructure/issue/7158.
I created two patches (attached) based on my reading/understanding of the certbot role README. Text below. I think we are in Freeze right now and I probably have _many_ things to fix.
Thanks to everyone that guided me (hopefully I'm on the right track :)
diff --git a/playbooks/include/proxies-websites.yml b/playbooks/include/proxies-websites.yml index 8013c539e..5cd82375c 100644 --- a/playbooks/include/proxies-websites.yml +++ b/playbooks/include/proxies-websites.yml @@ -932,3 +932,15 @@ tags: - pkgs.fedoraproject.org when: env == "staging" and "phx2" in inventory_hostname +# cert for https://fedoraplanet.org which redirects to http://fedoraplanet.org + + - role: httpd/website + site_name: fedoraplanet.org + server_aliases: + - www.fedoraplanet.org + ssl: true + sslonly: true + certbot: true + certbot_addhost: fedoraplanet.org + tags: + - fedoraplanet.org
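Review bot: `sslonly: true` contradicts the comment directly above it, which says https://fedoraplanet.org should redirect to http://fedoraplanet.org; the name of that flag suggests it forces https-only on the proxies, i.e. the opposite direction, so either drop `sslonly: true` or rewrite the comment to say which direction is intended. The `# cert for ...` comment also sits at column 0 inside the indented role list; indent it with the `- role:` entry it describes.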
---------------------------------------
diff --git a/roles/planet/templates/planet.conf b/roles/planet/templates/planet.conf index 319923d2a..f4f1eb622 100644 --- a/roles/planet/templates/planet.conf +++ b/roles/planet/templates/planet.conf @@ -15,6 +15,10 @@ ErrorLog logs/planet-error.log CustomLog logs/fedoraplanet.org-access.log common
+ RewriteEngine on + RewriteRule ^/.well-known/(.*) /srv/web/acme-challenge/.well-known/$1 [L] + RewriteRule "^/?(.*)" "https://%%7BHTTP_HOST%7D/$1" [L,R=301,NE] + UserDir disable AddCharset UTF-8 .xml
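Review bot: the redirect target `https://%%7BHTTP_HOST%7D/$1` is a URL-encoded `%{HTTP_HOST}` (%7B and %7D are the braces), so as written clients would be sent to a literal host named `%%7BHTTP_HOST%7D`; it should read `https://%{HTTP_HOST}/$1`. More importantly, the two rules look inverted relative to the comment in the companion patch ("let certbot get an answer from certgetter01"): `^/.well-known/(.*)` is the only path kept local (under /srv/web/acme-challenge), while `"^/?(.*)"` with `[L,R=301]` redirects every other request away from the :80 vhost that serves the planet. If the challenge file lives elsewhere, it is the `.well-known` path that needs redirecting and the rest should stay local. Minor: escape the dot in `^/\.well-known/`.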
@@ -79,3 +83,32 @@ RedirectMatch permanent /(.*) http://fedoraplanet.org/$1
</VirtualHost> +<VirtualHost {{public_ip}}:443 _default_:443> + ## + # Domain: fedoraplanet.org + # Owner: admin@fedoraplanet.org + # + ServerName fedoraplanet.org + + SSLEngine on + SSLCertificateFile /etc/letsencrypt/live/fedoraplanet.org/cert.pem + SSLCertificateKeyFile /etc/letsencrypt/live/fedoraplanet.org/privkey.pem + SSLCertificateChainFile /etc/letsencrypt/live/fedoraplanet.org/fullchain.pem + SSLHonorCipherOrder On + SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL + SSLProtocol ALL -SSLv2 + + ServerAdmin admin@fedoraplanet.org + ServerName fedoraplanet.org + + DocumentRoot "/srv/planet/site/" + + ErrorLog logs/planet-error.log + CustomLog logs/planet.fedoraproject.org-access.log common + + UserDir disable + AddCharset UTF-8 .xml + + RedirectMatch permanent /(.*) http://fedoraplanet.org/$1 + +</VirtualHost>
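Review bot: `SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL` puts RC4 first and `SSLProtocol ALL -SSLv2` still permits SSLv3; neither should be copied into a new vhost. At minimum use `SSLProtocol ALL -SSLv2 -SSLv3` and a suite list without RC4 (for example `HIGH:!aNULL:!MD5:!RC4`). Also: `SSLCertificateChainFile` points at fullchain.pem, which already contains the leaf in cert.pem, while chain.pem is the intermediate-only file certbot writes; `ServerName fedoraplanet.org` is set twice in the vhost; and the closing `RedirectMatch permanent /(.*) http://fedoraplanet.org/$1`, combined with the catch-all https redirect added to the :80 vhost in the first hunk, bounces browsers http -> https -> http in a loop unless that :80 rule is narrowed.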
On 08/29/2018 11:51 AM, Zach Villers wrote:
As discussed in infra meeting 16 aug around the 14:30 mark https://meetbot.fedoraproject.org/teams/infrastructure/infrastructure.2018-08-16-14.00.log.html regarding Issue #7158: Planet Fedora doesn't have a valid certificate https://pagure.io/fedora-infrastructure/issue/7158.
I created two patches (attached) based on my reading/understanding of the certbot role README. Text below. I think we are in Freeze right now and I probably have _many_ things to fix.
Thanks to everyone that guided me (hopefully I'm on the right track :)
Sorry for taking so long to look this over. ;(
And thanks a bunch for working on it...
diff --git a/playbooks/include/proxies-websites.yml b/playbooks/include/proxies-websites.yml index 8013c539e..5cd82375c 100644 --- a/playbooks/include/proxies-websites.yml +++ b/playbooks/include/proxies-websites.yml @@ -932,3 +932,15 @@ tags: - pkgs.fedoraproject.org when: env == "staging" and "phx2" in inventory_hostname +# cert for https://fedoraplanet.org which redirects to http://fedoraplanet.org
+ - role: httpd/website + site_name: fedoraplanet.org + server_aliases: + - www.fedoraplanet.org + ssl: true + sslonly: true + certbot: true + certbot_addhost: fedoraplanet.org + tags: + - fedoraplanet.org
So, this will work if we add this to our proxies, so we would need to change DNS to point there (currently fedoraplanet.org is pointing only to the people02 server, not the proxies), but that won't work as the content is still on fedorapeople.org. ;( So I think we should drop this part unless we just proxy everything from our proxies to people02, which could be slow.
The problem is that our certbot/letsencrypt role is set up mostly for the proxies and not for people02, but we can still do it with a bit more poking. :) So, look at roles/httpd/website/tasks/main.yml, and you will see:
- name: Letsencrypt certificate stuff
  include_role: name=letsencrypt
  when: certbot == True
We can call this in our 'people' role at the end... but we will also need to pass it all those variables that the httpd/website role already uses, i.e., site_name, certbot, certbot_addhost, etc.
diff --git a/roles/planet/templates/planet.conf b/roles/planet/templates/planet.conf index 319923d2a..f4f1eb622 100644 --- a/roles/planet/templates/planet.conf +++ b/roles/planet/templates/planet.conf @@ -15,6 +15,10 @@ ErrorLog logs/planet-error.log CustomLog logs/fedoraplanet.org-access.log common
+ RewriteEngine on + RewriteRule ^/.well-known/(.*) /srv/web/acme-challenge/.well-known/$1 [L] + RewriteRule "^/?(.*)" "https://%%7BHTTP_HOST%7D/$1" [L,R=301,NE]
Here, we need the rewrite to whatever machine is running the letsencrypt role, so certgetter01, i.e.:
RewriteRule "^/?(.*)" "https://certgetter01/$1" [L,R=301,NE]
UserDir disable AddCharset UTF-8 .xml
@@ -79,3 +83,32 @@ RedirectMatch permanent /(.*) http://fedoraplanet.org/$1
</VirtualHost> +<VirtualHost {{public_ip}}:443 _default_:443> + ## + # Domain: fedoraplanet.org + # Owner: admin@fedoraplanet.org + # + ServerName fedoraplanet.org
+ SSLEngine on + SSLCertificateFile /etc/letsencrypt/live/fedoraplanet.org/cert.pem + SSLCertificateKeyFile /etc/letsencrypt/live/fedoraplanet.org/privkey.pem + SSLCertificateChainFile /etc/letsencrypt/live/fedoraplanet.org/fullchain.pem + SSLHonorCipherOrder On + SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL + SSLProtocol ALL -SSLv2
+ ServerAdmin admin@fedoraplanet.org + ServerName fedoraplanet.org
+ DocumentRoot "/srv/planet/site/"
+ ErrorLog logs/planet-error.log + CustomLog logs/planet.fedoraproject.org-access.log common
+ UserDir disable + AddCharset UTF-8 .xml
+ RedirectMatch permanent /(.*) http://fedoraplanet.org/$1
+</VirtualHost>
That looks good. ;)
So, if you could adjust it for the above we can look again. I think you are close... and this is a complex one. ;)
Thanks again for working on it.
kevin
Kevin - Thanks so much for the review! This is great feedback. I really wasn't super clear on what was happening with the proxies or not. I will work on this more and re-submit.
Cheers!
Zach
On 9/3/18 7:48 PM, Kevin Fenzi wrote:
infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-leave@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedorapro...
Sorry this has taken so long - I've been fooling around trying to test locally. I _believe_ I've followed Kevin's guidance. Without further ado:
- adding planet vars to people role:
diff --git a/playbooks/groups/people.yml b/playbooks/groups/people.yml index e7661b4b4..1d00f77ca 100644 --- a/playbooks/groups/people.yml +++ b/playbooks/groups/people.yml @@ -68,7 +68,6 @@ - cgit/clean_lock_cron - cgit/make_pkgs_list - clamav - - planet - fedmsg/base - git/server @@ -79,6 +78,18 @@ SSLCertificateChainFile: wildcard-2017.fedorapeople.org.intermediate.cert - people + + - role: planet + certbot: true + certbot_addhost: fedoraplanet.org + site_name: fedoraplanet.org + cert_name: wildcard-2018.fedoraplanet.org + server_aliases: planet.fedoraproject.org + server_admin: webmaster@fedoraproject.org + ssl: true + sslonly: false + SSLCertificateChainFile: wildcard-2018.fedoraplanet.org.intermediate.cert + gzip: false tasks: - import_tasks: "{{ tasks_path }}/yumrepos.yml"
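Review bot: `cert_name: wildcard-2018.fedoraplanet.org` and `SSLCertificateChainFile: wildcard-2018.fedoraplanet.org.intermediate.cert` point the planet role at a wildcard certificate, while the planet.conf template in the companion patch loads `/etc/letsencrypt/live/fedoraplanet.org/` files; with `certbot: true` on the same entry, one of the two certificate sources is dead configuration. Keep a single source of truth and drop the other set of variables. Also, `server_aliases: planet.fedoraproject.org` is a bare string here whereas the earlier httpd/website entry passes a list; check which form the template iterates over. `sslonly: false` is consistent with the https->http RedirectMatch in planet.conf, but a one-line comment saying so would help, since the two live in different files.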
-------------------------------
And planet redirect https -> http patch:
diff --git a/roles/planet/templates/planet.conf b/roles/planet/templates/planet.conf index 319923d2a..7e12b8f35 100644 --- a/roles/planet/templates/planet.conf +++ b/roles/planet/templates/planet.conf @@ -14,6 +14,11 @@ ErrorLog logs/planet-error.log CustomLog logs/fedoraplanet.org-access.log common + + # let certbot get an answer from certgetter01 + RewriteEngine on + RewriteRule ^/.well-known/(.*)/srv/web/acme-challenge/.well-known/$1 [L] + RewriteRule "^/?(.*)" "https://certgetter01/$1" [L,R=301,NE] UserDir disable AddCharset UTF-8 .xml @@ -79,3 +84,32 @@ RedirectMatch permanent /(.*) http://fedoraplanet.org/$1 </VirtualHost> +<VirtualHost {{public_ip}}:443 _default_:443> + ## + # Domain: fedoraplanet.org + # Owner: admin@fedoraplanet.org + # + ServerName fedoraplanet.org + + SSLEngine on + SSLCertificateFile /etc/letsencrypt/live/fedoraplanet.org/cert.pem + SSLCertificateKeyFile /etc/letsencrypt/live/fedoraplanet.org/privkey.pem + SSLCertificateChainFile /etc/letsencrypt/live/fedoraplanet.org/fullchain.pem + SSLHonorCipherOrder On + SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL + SSLProtocol ALL -SSLv2 + + ServerAdmin admin@fedoraplanet.org + ServerName fedoraplanet.org + + DocumentRoot "/srv/planet/site/" + + ErrorLog logs/planet-error.log + CustomLog logs/planet.fedoraproject.org-access.log common + + UserDir disable + AddCharset UTF-8 .xml + + RedirectMatch permanent /(.*) http://fedoraplanet.org/$1 + +</VirtualHost>
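Review bot: `RewriteRule ^/.well-known/(.*)/srv/web/acme-challenge/.well-known/$1 [L]` is missing the space between the pattern and the substitution, so the whole string up to `$1` is read as the regex and `[L]` becomes the substitution; no ACME request will ever match it and every request falls through to the catch-all redirect. Restore the space: `RewriteRule ^/\.well-known/(.*) /srv/web/acme-challenge/.well-known/$1 [L]`. The second rule, `"^/?(.*)" "https://certgetter01/$1" [L,R=301,NE]`, still matches every non-ACME request, so ordinary visitors to the planet on port 80 would be redirected to certgetter01 instead of served; scope it to the `.well-known` path if the goal is only to hand the challenge to certgetter01. The :443 vhost is unchanged from the first submission, so the RC4/SSLv3, chain file and duplicate ServerName comments on that hunk still apply.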
________________
Regards!
On 09/11/2018 09:12 AM, Zach Villers wrote:
Sorry this has taken so long - I've been fooling around trying to test locally. I _believe_ I've followed Kevin's guidance. Without further ado;
- adding planet vars to people role;
diff --git a/playbooks/groups/people.yml b/playbooks/groups/people.yml index e7661b4b4..1d00f77ca 100644 --- a/playbooks/groups/people.yml +++ b/playbooks/groups/people.yml @@ -68,7 +68,6 @@ - cgit/clean_lock_cron - cgit/make_pkgs_list - clamav - - planet - fedmsg/base - git/server @@ -79,6 +78,18 @@ SSLCertificateChainFile: wildcard-2017.fedorapeople.org.intermediate.cert - people + + - role: planet + certbot: true + certbot_addhost: fedoraplanet.org + site_name: fedoraplanet.org + cert_name: wildcard-2018.fedoraplanet.org + server_aliases: planet.fedoraproject.org + server_admin: webmaster@fedoraproject.org + ssl: true + sslonly: false + SSLCertificateChainFile: wildcard-2018.fedoraplanet.org.intermediate.cert + gzip: false
So, very close, but we don't want to use the wildcard cert here, just let certbot handle it.
Confusingly, we have a 'certbot' role, but that's old and we should nuke it. The new one is the 'letsencrypt' role. It handles requesting a cert from letsencrypt for the site it's called with and putting certs on any other machines.
So, keep the planet role as it is.
Instead add to the playbooks/groups/people.yml the letsencrypt role with the site_name as fedoraplanet.org. Take a look at the taskotron.yml playbook, I added this setup for taskotron-dev earlier today.
Then, when that playbook runs it delegates to the 'certgetter01' host, which runs the certbot command to get a cert; as part of that it writes out a challenge file locally that it gets back from letsencrypt. Then, letsencrypt tries to get that file from fedorapeople.org, which redirects it to the proxies, which proxy it to certgetter01, and it's happy. ;)
tasks: - import_tasks: "{{ tasks_path }}/yumrepos.yml"
And planet redirect https -> http patch;
diff --git a/roles/planet/templates/planet.conf b/roles/planet/templates/planet.conf index 319923d2a..7e12b8f35 100644 --- a/roles/planet/templates/planet.conf +++ b/roles/planet/templates/planet.conf @@ -14,6 +14,11 @@ ErrorLog logs/planet-error.log CustomLog logs/fedoraplanet.org-access.log common
+ # let certbot get an answer from certgetter01 + RewriteEngine on + RewriteRule ^/.well-known/(.*)/srv/web/acme-challenge/.well-known/$1 [L] + RewriteRule "^/?(.*)" "https://certgetter01/$1" [L,R=301,NE]
Change 'certgetter01' here to 'fedoraproject.org'. That will hit our proxies and get proxied into certgetter.
UserDir disable AddCharset UTF-8 .xml @@ -79,3 +84,32 @@ RedirectMatch permanent /(.*) http://fedoraplanet.org/$1 </VirtualHost> +<VirtualHost {{public_ip}}:443 _default_:443> + ## + # Domain: fedoraplanet.org + # Owner: admin@fedoraplanet.org + # + ServerName fedoraplanet.org
+ SSLEngine on + SSLCertificateFile /etc/letsencrypt/live/fedoraplanet.org/cert.pem + SSLCertificateKeyFile /etc/letsencrypt/live/fedoraplanet.org/privkey.pem + SSLCertificateChainFile /etc/letsencrypt/live/fedoraplanet.org/fullchain.pem + SSLHonorCipherOrder On + SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL + SSLProtocol ALL -SSLv2
+ ServerAdmin admin@fedoraplanet.org + ServerName fedoraplanet.org
+ DocumentRoot "/srv/planet/site/"
+ ErrorLog logs/planet-error.log + CustomLog logs/planet.fedoraproject.org-access.log common
+ UserDir disable + AddCharset UTF-8 .xml
+ RedirectMatch permanent /(.*) http://fedoraplanet.org/$1
+</VirtualHost>
That looks perfect for the https->http redirect. :)
Thanks again for poking at this and I am sorry I have been so slow to provide feedback. ;(
kevin
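An added example, not code from this thread or from the Fedora infrastructure repository, for checking the RewriteRule lines discussed above: a small Python evaluator that splits each directive into fields the way Apache's config parser does and runs the rules over sample request paths, so the missing space in the 11 Sep patch and the URL-encoded %{HTTP_HOST} in the 29 Aug patch show up as wrong results instead of being found in production. Assumed: the web host has /srv/web/acme-challenge, and a bare R flag means Apache's default 302.

```python
import re

# Added example, not code from the thread or the Fedora infrastructure repo:
# a small evaluator for the RewriteRule lines in the planet.conf patches, so
# they can be tried on sample request paths before a playbook run. It models
# only what those rules use: the regex, $N back-references, %{HTTP_HOST} and
# the L / R=NNN flags. A substitution under ACME_DIR is reported as a local
# file (assumption: that directory exists on the web host, as the patch assumes).
ACME_DIR = "/srv/web/acme-challenge"

def parse_rule(line):
    """Split 'RewriteRule pattern substitution [flags]' into its fields.
    Fields are whitespace-separated and may be double-quoted, as Apache's
    config parser reads them; with only two fields there are no flags."""
    tokens = [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', line)]
    if len(tokens) < 3 or tokens[0] != "RewriteRule":
        raise ValueError("not a RewriteRule: %r" % line)
    flags = {}
    if len(tokens) > 3:
        m = re.fullmatch(r"\[(.*)\]", tokens[3])
        if not m:
            raise ValueError("bad flag delimiters: %r" % tokens[3])
        for flag in m.group(1).split(","):
            name, _, value = flag.partition("=")
            flags[name] = value or True
    return tokens[1], tokens[2], flags

def apply_rules(rules, path, host):
    """Run parsed rules in order for a request path and Host header; return
    ("file", fs_path), ("redirect", code, url) or ("pass", path)."""
    for pattern, subst, flags in rules:
        m = re.search(pattern, path)
        if not m:
            continue
        out = subst.replace("%{HTTP_HOST}", host)
        for i, group in enumerate(m.groups(), start=1):
            out = out.replace("$%d" % i, group or "")
        if "R" in flags:  # external redirect; Apache's default code is 302
            return ("redirect", 302 if flags["R"] is True else int(flags["R"]), out)
        if out.startswith(ACME_DIR):
            return ("file", out)
        path = out  # internal rewrite; later rules see the new path
        if "L" in flags:
            break
    return ("pass", path)

# Rules as requested in the thread: serve the ACME challenge path locally and
# send everything else to fedoraproject.org (proxied on to certgetter01).
RULES_THREAD = [parse_rule(l) for l in (
    r'RewriteRule ^/.well-known/(.*) /srv/web/acme-challenge/.well-known/$1 [L]',
    r'RewriteRule "^/?(.*)" "https://fedoraproject.org/$1" [L,R=301,NE]')]
# The 11 Sep submission, where the space before /srv is missing in rule one.
RULES_TYPO = [parse_rule(l) for l in (
    r'RewriteRule ^/.well-known/(.*)/srv/web/acme-challenge/.well-known/$1 [L]',
    r'RewriteRule "^/?(.*)" "https://certgetter01/$1" [L,R=301,NE]')]
# The 29 Aug submission, where %{HTTP_HOST} arrived URL-encoded.
RULES_AUG29 = [parse_rule(
    r'RewriteRule "^/?(.*)" "https://%%7BHTTP_HOST%7D/$1" [L,R=301,NE]')]

if __name__ == "__main__":
    for name, rules in ("thread", RULES_THREAD), ("typo", RULES_TYPO), ("aug29", RULES_AUG29):
        for path in ("/.well-known/acme-challenge/tok123", "/rss20.xml"):
            print(name, path, "->", apply_rules(rules, path, "fedoraplanet.org"))
```

Run it and the "typo" set shows the ACME path being redirected to certgetter01 rather than served, and the "aug29" set shows a redirect to a literal `%%7BHTTP_HOST%7D` host.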