opendev/system-config
Code Issues Proposed changes

Use fullchain.cer on graphite for nginx

Browse Source 
Nginx doesn't seem to support explcit intermedate cert chains [0] and we
need to supply all of the certs together in a single file. Thankfully
acme.sh does this and calls it the fullchain.cer file. Use that in the
nginx config for graphite to fix issues with ssl verification to this
service.

[0] http://nginx.org/en/docs/http/configuring_https_servers.html#chains

Change-Id: I318fb92a30c1593c2a2e4cb37496b16f17472f1d
This commit is contained in:
Clark Boylan 2021-09-29 15:18:10 -07:00
parent bb0f135b5b
commit c9d6b4d248
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
playbooks/roles/graphite/templates/graphite-statsd.conf.j2
View File

@ -11,7 +11,7 @@ server {
listen [::]:443 ssl; listen [::]:443 ssl;
server_name {{ inventory_hostname }}; server_name {{ inventory_hostname }};
ssl_certificate /etc/letsencrypt-certs/{{ inventory_hostname }}/{{ inventory_hostname }}.cer; ssl_certificate /etc/letsencrypt-certs/{{ inventory_hostname }}/fullchain.cer;
ssl_certificate_key /etc/letsencrypt-certs/{{ inventory_hostname }}/{{ inventory_hostname }}.key; ssl_certificate_key /etc/letsencrypt-certs/{{ inventory_hostname }}/{{ inventory_hostname }}.key;
root /opt/graphite/static; root /opt/graphite/static;
index index.html; index index.html;