Use LE cert on review.open*.org

We previously had two manually issued certs (one each for opendev.org and openstack.org) but now have a single cert with all the appropriate names in it automatically issued by LE. Use this new cert before the old one expires. Change-Id: I635d2bfd820fe138ee951833dd66f157b2b7c097
2020-02-28 08:10:24 -08:00 · 2020-02-28 08:10:24 -08:00 · 61caec5b77
parent d75d70b333
commit 61caec5b77
3 changed files with 10 additions and 36 deletions
--- a/manifests/site.pp
+++ b/manifests/site.pp
@ -46,9 +46,13 @@ node /^review\d*\.open.*\.org$/ {
    gerritbot_password                   => hiera('gerrit_gerritbot_password'),
    gerritbot_ssh_rsa_key_contents       => hiera('gerritbot_ssh_rsa_key_contents'),
    gerritbot_ssh_rsa_pubkey_contents    => hiera('gerritbot_ssh_rsa_pubkey_contents'),
-    ssl_cert_file_contents               => hiera('review_opendev_cert_file_contents'),
-    ssl_key_file_contents                => hiera('review_opendev_key_file_contents'),
-    ssl_chain_file_contents              => hiera('review_opendev_chain_file_contents'),
+    # Empty contents forces Puppet to not write the file.
+    ssl_cert_file_contents               => '',
+    ssl_key_file_contents                => '',
+    ssl_chain_file_contents              => '',
+    ssl_cert_file                        => '/etc/letsencrypt-certs/review.opendev.org/review.opendev.org.cer',
+    ssl_key_file                         => '/etc/letsencrypt-certs/review.opendev.org/review.opendev.org.key',
+    ssl_chain_file                       => '/etc/letsencrypt-certs/review.opendev.org/ca.cer',
    ssh_dsa_key_contents                 => hiera('gerrit_ssh_dsa_key_contents'),
    ssh_dsa_pubkey_contents              => hiera('gerrit_ssh_dsa_pubkey_contents'),
    ssh_rsa_key_contents                 => hiera('gerrit_ssh_rsa_key_contents'),
@ -65,11 +69,6 @@ node /^review\d*\.open.*\.org$/ {
    swift_username                       => hiera('swift_store_user', 'username'),
    swift_password                       => hiera('swift_store_key'),
    storyboard_password                  => hiera('gerrit_storyboard_token'),
-    # Compatibility layer vars for the old domain name below here.
-    # TODO rename the hiera keys to reduce confusion
-    review_openstack_cert_file_contents  => hiera('gerrit_ssl_cert_file_contents'),
-    review_openstack_key_file_contents   => hiera('gerrit_ssl_key_file_contents'),
-    review_openstack_chain_file_contents => hiera('gerrit_ssl_chain_file_contents'),
  }
 }

--- a/modules/openstack_project/manifests/review.pp
+++ b/modules/openstack_project/manifests/review.pp
@ -81,10 +81,6 @@ class openstack_project::review (
  $project_config_repo = '',
  $projects_config = 'openstack_project/review.projects.ini.erb',
  $gerrit_configure = true,
-  # Compatibility for old domain name vars below here.
-  $review_openstack_cert_file_contents = '',
-  $review_openstack_key_file_contents = '',
-  $review_openstack_chain_file_contents = '',
 ) {

  class { 'project_config':
@ -394,27 +390,6 @@ class openstack_project::review (
    }
  }

-  file { '/etc/ssl/certs/review-redirect.openstack.org.pem':
-    ensure  => present,
-    owner   => 'root',
-    group   => 'root',
-    mode    => '0644',
-    content => $review_openstack_cert_file_contents,
-  }
-  file { '/etc/ssl/private/review-redirect.openstack.org.key':
-    ensure  => present,
-    owner   => 'root',
-    group   => 'root',
-    mode    => '0600',
-    content => $review_openstack_key_file_contents,
-  }
-  file { '/etc/ssl/certs/review-redirect.openstack.org_intermediate.pem':
-    ensure  => present,
-    owner   => 'root',
-    group   => 'root',
-    mode    => '0644',
-    content => $review_openstack_chain_file_contents,
-  }
  ::httpd::vhost { 'review.openstack.org':
    port     => 443, # Is required despite not being used.
    docroot  => 'MEANINGLESS_ARGUMENT',
--- a/modules/openstack_project/templates/review-openstack-redirect.vhost.erb
+++ b/modules/openstack_project/templates/review-openstack-redirect.vhost.erb
@ -24,9 +24,9 @@
  # only is guarenteed.
  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
  SSLHonorCipherOrder on
-  SSLCertificateFile /etc/ssl/certs/review-redirect.openstack.org.pem
-  SSLCertificateKeyFile /etc/ssl/private/review-redirect.openstack.org.key
-  SSLCertificateChainFile /etc/ssl/certs/review-redirect.openstack.org_intermediate.pem
+  SSLCertificateFile /etc/letsencrypt-certs/review.opendev.org/review.opendev.org.cer
+  SSLCertificateKeyFile /etc/letsencrypt-certs/review.opendev.org/review.opendev.org.key
+  SSLCertificateChainFile /etc/letsencrypt-certs/review.opendev.org/ca.cer

  LogLevel warn
  ErrorLog /var/log/apache2/<%= @srvname %>_error.log