Browse Source
This autogenerates the list of ssl domains for the ssl-cert-check tool directly from the letsencrypt list. The first step is the install-certcheck role that replaces the puppet-ssl_cert_check module that does the same. The reason for this is so that during gate testing we can test this on the test bridge.openstack.org server, and avoid adding another node as a requirement for this test. letsencrypt-request-certs is updated to set a fact letsencrypt_certcheck_domains for each host that is generating a certificate. As described in the comments, this defaults to the first host specified for the certificate and the listening port can be indicated (if set, this new port value is stripped when generating certs as is not necessary for certificate generation). The new letsencrypt-config-certcheck role runs and iterates all letsencrypt hosts to build the final list of domains that should be checked. This is then extended with the letsencrypt_certcheck_additional_domains value that covers any hosts using certificates not provisioned by letsencrypt using this mechanism. These additional domains are pre-populated from the openstack.org domains in the extant check file, minus those openstack.org domain certificates we are generating via letsencrypt (see letsencrypt-create-certs/handlers/main.yaml). Additionally, we update some of the certificate variables in host_vars that are listening on port !443. As mentioned, bridge.openstack.org is placed in the new certcheck group for gate testing, so the tool and config file will be deployed to it. For production, cacti is added to the group, which is where the tool currently runs. The extant puppet installation is disabled, pending removal in a follow-on change. Change-Id: Idbe084f13f3684021e8efd9ac69b63fe31484606changes/43/728743/19
28 changed files with 212 additions and 21 deletions
@ -0,0 +1,17 @@
|
||||
letsencrypt_certcheck_additional_domains: |
||||
- ask.openstack.org 443 |
||||
- ethercalc.openstack.org 443 |
||||
- etherpad.openstack.org 443 |
||||
- firehose.openstack.org 8883 |
||||
- git.openstack.org 443 |
||||
- openstackid-dev.openstack.org 443 |
||||
- openstackid.org 443 |
||||
- refstack.openstack.org 443 |
||||
- review.openstack.org 443 |
||||
- storyboard.openstack.org 443 |
||||
- survey.openstack.org 443 |
||||
- static.openstack.org 443 |
||||
- translate.openstack.org 443 |
||||
- wiki.openstack.org 443 |
||||
- www.openstack.org 443 |
||||
- zuul.openstack.org 443 |
@ -1,4 +1,4 @@
|
||||
letsencrypt_certs: |
||||
gitea01-main: |
||||
- gitea01.opendev.org |
||||
- gitea01.opendev.org:3000 |
||||
- opendev.org |
||||
|
@ -1,4 +1,4 @@
|
||||
letsencrypt_certs: |
||||
gitea02-main: |
||||
- gitea02.opendev.org |
||||
- gitea02.opendev.org:3000 |
||||
- opendev.org |
||||
|
@ -1,4 +1,4 @@
|
||||
letsencrypt_certs: |
||||
gitea03-main: |
||||
- gitea03.opendev.org |
||||
- gitea03.opendev.org:3000 |
||||
- opendev.org |
||||
|
@ -1,4 +1,4 @@
|
||||
letsencrypt_certs: |
||||
gitea04-main: |
||||
- gitea04.opendev.org |
||||
- gitea04.opendev.org:3000 |
||||
- opendev.org |
||||
|
@ -1,4 +1,4 @@
|
||||
letsencrypt_certs: |
||||
gitea05-main: |
||||
- gitea05.opendev.org |
||||
- gitea05.opendev.org:3000 |
||||
- opendev.org |
||||
|
@ -1,4 +1,4 @@
|
||||
letsencrypt_certs: |
||||
gitea06-main: |
||||
- gitea06.opendev.org |
||||
- gitea06.opendev.org:3000 |
||||
- opendev.org |
||||
|
@ -1,4 +1,4 @@
|
||||
letsencrypt_certs: |
||||
gitea07-main: |
||||
- gitea07.opendev.org |
||||
- gitea07.opendev.org:3000 |
||||
- opendev.org |
||||
|
@ -1,4 +1,4 @@
|
||||
letsencrypt_certs: |
||||
gitea08-main: |
||||
- gitea08.opendev.org |
||||
- gitea08.opendev.org:3000 |
||||
- opendev.org |
||||
|
@ -1,4 +1,4 @@
|
||||
letsencrypt_certs: |
||||
insecure-ci-registry01-main: |
||||
- insecure-ci-registry01.opendev.org |
||||
- insecure-ci-registry01.opendev.org:5000 |
||||
- insecure-ci-registry.opendev.org |
||||
|
@ -0,0 +1,24 @@
|
||||
Install ssl-cert-check |
||||
|
||||
Installs the ssl-cert-check tool and a cron job to check the freshness |
||||
of the SSL certificates for the configured domains daily. |
||||
|
||||
**Role Variables** |
||||
|
||||
.. zuul:rolevar:: ssl_cert_check_domain_list |
||||
:default: /var/lib/certcheck/domainlist |
||||
|
||||
The list of domains to check |
||||
|
||||
.. zuul:rolevar:: ssl_cert_check_days |
||||
:default: 30 |
||||
|
||||
Warn about certificates who have less than this number of days to |
||||
expiry. |
||||
|
||||
.. zuul:rolevar:: ssl_cert_check_email |
||||
:default: root |
||||
|
||||
The email to send reports to |
||||
|
||||
|
@ -0,0 +1,3 @@
|
||||
cert_check_domain_list: /var/lib/certcheck/domainlist |
||||
cert_check_days: 30 |
||||
cert_check_email: root |
@ -0,0 +1,32 @@
|
||||
- name: Ensure dependencies |
||||
package: |
||||
name: |
||||
- openssl |
||||
- bsd-mailx |
||||
|
||||
- name: Ensure certcheck user |
||||
user: |
||||
name: certcheck |
||||
comment: User for SSL validation |
||||
|
||||
- name: Ensure certcheck config directory |
||||
file: |
||||
state: directory |
||||
path: '{{ cert_check_domain_list | dirname }}' |
||||
owner: certcheck |
||||
group: certcheck |
||||
mode: 0755 |
||||
|
||||
- name: Pull latest ssl-cert-check from git |
||||
git: |
||||
repo: 'https://github.com/Matty9191/ssl-cert-check' |
||||
dest: /opt/ssl-cert-check |
||||
|
||||
- name: Install cron job |
||||
cron: |
||||
user: certcheck |
||||
name: 'Run certcheck' |
||||
state: present |
||||
job: "/opt/ssl-cert-check/ssl-cert-check -a -q -f {{ cert_check_domain_list }} -x {{ cert_check_days }} -e {{ cert_check_email }}" |
||||
hour: 12 |
||||
minute: 04 |
@ -0,0 +1,27 @@
|
||||
Generate SSL check list |
||||
|
||||
This role automatically generates a list of domains for the |
||||
certificate validation checks. This ensures our certificates are |
||||
valid and are being renewed as expected. |
||||
|
||||
This role must run after ``letsencrypt-request-certs`` role, as that |
||||
builds the ``letsencrypt_certcheck_domains`` variable for each |
||||
host and certificate. It must also run on a host that has already run |
||||
the ``install-certcheck`` role. |
||||
|
||||
**Role Variables** |
||||
|
||||
.. zuul:rolevar:: letsencrypt_certcheck_domain_list |
||||
:default: /var/lib/certcheck/ssldomains |
||||
|
||||
The ssl-cert-check domain configuration file to write. See also |
||||
the ``install-certcheck`` role. |
||||
|
||||
.. zuul:rolevar:: letsencrypt_certcheck_additional_domains |
||||
:default: [] |
||||
|
||||
A list of additional domains to check for hosts not using the |
||||
``letsencrypt-*`` roles. Each entry should be in the format |
||||
``hostname port``. |
||||
|
||||
|
@ -0,0 +1 @@
|
||||
letsencrypt_certcheck_domain_list: /var/lib/certcheck/ssldomains |
@ -0,0 +1,17 @@
|
||||
- name: Make domain list |
||||
set_fact: |
||||
letsencrypt_certcheck_domains: [] |
||||
|
||||
- name: Build SSL domain list |
||||
set_fact: |
||||
letsencrypt_certcheck_domains: '{{ letsencrypt_certcheck_domains }} + {{ hostvars[item]["letsencrypt_certcheck_domains" ] }}' |
||||
with_inventory_hostnames: |
||||
- letsencrypt:!disabled |
||||
|
||||
- name: Write configuration file |
||||
template: |
||||
dest: '{{ letsencrypt_certcheck_domain_list }}' |
||||
src: ssldomains.j2 |
||||
owner: certcheck |
||||
group: certcheck |
||||
mode: 0644 |
@ -0,0 +1,6 @@
|
||||
{% for domain in letsencrypt_certcheck_domains %} |
||||
{{ domain }} |
||||
{% endfor %} |
||||
{% for domain in letsencrypt_certcheck_additional_domains %} |
||||
{{ domain }} |
||||
{% endfor %} |
@ -1,7 +1,7 @@
|
||||
letsencrypt_certs: |
||||
letsencrypt01-main-service: |
||||
- letsencrypt01.opendev.org |
||||
- letsencrypt01.opendev.org:5000 |
||||
- letsencrypt.opendev.org |
||||
- alias.opendev.org |
||||
letsencrypt01-other-service: |
||||
- someotherservice.opendev.org |
||||
- someotherservice.opendev.org |
||||
|
Loading…
Reference in new issue