Use LE certs for Apache

We're getting LE certs for the hosts now, use them in the apache config. Also add the redirects. Change-Id: I67d33b4c542182a2474ac0d2416357541b1c3a47
2020-02-04 08:17:22 -06:00 · 2020-02-04 08:17:22 -06:00 · bbe8086726
parent 23b0667c45
commit bbe8086726
7 changed files with 52 additions and 11 deletions
--- a/playbooks/host_vars/review-dev01.opendev.org.yaml
+++ b/playbooks/host_vars/review-dev01.opendev.org.yaml
@ -9,5 +9,4 @@ letsencrypt_certs:
 letsencrypt_gid: 3001
 gerrit_storyboard_url: https://storyboard-dev.openstack.org
 gerrit_vhost_name: review-dev.opendev.org
-gerrit_ssl_cert_file: /etc/letsencrypt-certs/review-dev.opendev.org/review-dev.opendev.org.cer
-gerrit_ssl_key_file: /etc/letsencrypt-certs/review-dev.opendev.org/review-dev.opendev.org.key
+gerrit_redirect_vhost: review-dev.openstack.org
--- a/playbooks/host_vars/review01.opendev.org.yaml
+++ b/playbooks/host_vars/review01.opendev.org.yaml
@ -72,6 +72,7 @@ gerrit_replication:
    mirror: true
 gerrit_storyboard_url: https://storyboard.openstack.org
 gerrit_vhost_name: review.opendev.org
+gerrit_redirect_vhost: review.openstack.org
 letsencrypt_certs:
  review01-opendev-org-main:
    - review.opendev.org
--- a/playbooks/roles/gerrit/tasks/main.yaml
+++ b/playbooks/roles/gerrit/tasks/main.yaml
@ -256,6 +256,16 @@
    mode: 0644
  notify: gerrit Reload apache2

+- name: Copy redirect config
+  template:
+    src: redirect.vhost.j2
+    dest: "/etc/apache2/sites-enabled/010-{{ gerrit_redirect_vhost }}.conf"
+    owner: root
+    group: root
+    mode: 0644
+  when: gerrit_redirect_vhost is defined
+  notify: gerrit Reload apache2
+
 - name: Install podman-compose
  pip:
    name: podman-compose
--- a/playbooks/roles/gerrit/templates/gerrit.vhost.j2
+++ b/playbooks/roles/gerrit/templates/gerrit.vhost.j2
@ -31,11 +31,9 @@
  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
  SSLHonorCipherOrder on

-  SSLCertificateFile      {{ gerrit_ssl_cert_file }}
-  SSLCertificateKeyFile   {{ gerrit_ssl_key_file }}
-{% if gerrit_ssl_chain_file is defined %}
-  SSLCertificateChainFile {{ gerrit_ssl_chain_file }}
-{% endif %}
+  SSLCertificateFile /etc/letsencrypt-certs/{{ gerrit_vhost_name }}/{{ gerrit_vhost_name }}.cer
+  SSLCertificateKeyFile /etc/letsencrypt-certs/{{ gerrit_vhost_name }}/{{ gerrit_vhost_name }}.key
+  SSLCertificateChainFile /etc/letsencrypt-certs/{{ gerrit_vhost_name }}/ca.cer

  <FilesMatch "\.(cgi|shtml|phtml|php)$">
      SSLOptions +StdEnvVars
--- a/playbooks/roles/gerrit/templates/redirect.vhost.j2
+++ b/playbooks/roles/gerrit/templates/redirect.vhost.j2
@ -0,0 +1,37 @@
+# ************************************
+# Managed by Ansible
+# ************************************
+
+<VirtualHost *:80>
+  ServerName {{ gerrit_redirect_vhost }}
+
+  LogLevel warn
+  ErrorLog /var/log/apache2/{{ gerrit_redirect_vhost }}_error.log
+  CustomLog /var/log/apache2/{{ gerrit_redirect_vhost }}_access.log combined
+  ServerSignature Off
+
+  Redirect / https://{{ gerrit_vhost_name }}/
+</VirtualHost>
+
+<IfModule mod_ssl.c>
+<VirtualHost *:443>
+  ServerName {{ gerrit_redirect_vhost }}
+
+  SSLEngine on
+  SSLProtocol All -SSLv2 -SSLv3
+  # Note: this list should ensure ciphers that provide forward secrecy
+  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
+  SSLHonorCipherOrder on
+
+  SSLCertificateFile /etc/letsencrypt-certs/{{ gerrit_vhost_name }}/{{ gerrit_vhost_name }}.cer
+  SSLCertificateKeyFile /etc/letsencrypt-certs/{{ gerrit_vhost_name }}/{{ gerrit_vhost_name }}.key
+  SSLCertificateChainFile /etc/letsencrypt-certs/{{ gerrit_vhost_name }}/ca.cer
+
+  LogLevel warn
+  ErrorLog /var/log/apache2/{{ gerrit_redirect_vhost }}_error.log
+  CustomLog /var/log/apache2/{{ gerrit_redirect_vhost }}_access.log combined
+  ServerSignature Off
+
+  Redirect / https://{{ gerrit_vhost_name }}/
+</VirtualHost>
+</IfModule>
--- a/playbooks/zuul/run-base.yaml
+++ b/playbooks/zuul/run-base.yaml
@ -92,7 +92,6 @@
        - host_vars/mirror-update01.opendev.org.yaml
        - host_vars/backup-test01.opendev.org.yaml
        - host_vars/backup-test02.opendev.org.yaml
-        - host_vars/review01.opendev.org.yaml
    - name: Display group membership
      command: ansible localhost -m debug -a 'var=groups'
    - name: Run base.yaml
--- a/playbooks/zuul/templates/host_vars/review01.opendev.org.yaml.j2
+++ b/playbooks/zuul/templates/host_vars/review01.opendev.org.yaml.j2
@ -1,3 +0,0 @@
-# TODO(mordred) Replace this with LE certs
-gerrit_ssl_cert_file: '/etc/ssl/certs/ssl-cert-snakeoil.pem'
-gerrit_ssl_key_file: '/etc/ssl/private/ssl-cert-snakeoil.key'