Revert "Revert "wildcard-2022.fedoraproject.org cert""

This reverts commit 4430178b29. It's time to put this back before the cert expires and before we go into Beta freeze. Hopefully the odd issue with armv7 qemu guests having a time behind real time is not still happening.
2026-03-20 03:57:02 +08:00 · 2022-02-21 10:19:17 -08:00
parent c98410fd08
commit 1e712cdc30
7 changed files with 17 additions and 13 deletions
--- a/inventory/group_vars/all
+++ b/inventory/group_vars/all
@@ -254,10 +254,10 @@ virt_install_command_two_nic_unsafe: virt-install -n {{ inventory_hostname }} --
 vpn: False
 # This is the wildcard certname for our proxies.  It has a different name for
 # the staging group and is used in the proxies.yml playbook.
-wildcard_cert_name: wildcard-2020.fedoraproject.org
-wildcard_crt_file: wildcard-2020.fedoraproject.org.cert
-wildcard_int_file: wildcard-2020.fedoraproject.org.intermediate.cert
-wildcard_key_file: wildcard-2020.fedoraproject.org.key
+wildcard_cert_name: wildcard-2022.fedoraproject.org
+wildcard_crt_file: wildcard-2022.fedoraproject.org.cert
+wildcard_int_file: wildcard-2022.fedoraproject.org.intermediate.cert
+wildcard_key_file: wildcard-2022.fedoraproject.org.key
 #
 # say if we want the apache role dependency for mod_wsgi or not
 # In some cases we want mod_wsgi and no apache (for python3 httpaio stuff)
--- a/playbooks/include/proxies-certificates.yml
+++ b/playbooks/include/proxies-certificates.yml
@@ -19,6 +19,10 @@
    certname: wildcard-2020.fedoraproject.org
    SSLCertificateChainFile: wildcard-2020.fedoraproject.org.intermediate.cert

+  - role: httpd/certificate
+    certname: wildcard-2022.fedoraproject.org
+    SSLCertificateChainFile: wildcard-2022.fedoraproject.org.intermediate.cert
+
  - role: httpd/certificate
    certname: wildcard-2020.id.fedoraproject.org
    SSLCertificateChainFile: wildcard-2020.id.fedoraproject.org.intermediate.cert
--- a/playbooks/include/proxies-websites.yml
+++ b/playbooks/include/proxies-websites.yml
@@ -911,7 +911,7 @@
  - role: httpd/website
    site_name: nagios.fedoraproject.org
    server_aliases: [nagios.stg.fedoraproject.org]
-    SSLCertificateChainFile: wildcard-2020.fedoraproject.org.intermediate.cert
+    SSLCertificateChainFile: wildcard-2022.fedoraproject.org.intermediate.cert
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"

--- a/roles/download/tasks/main.yml
+++ b/roles/download/tasks/main.yml
@@ -56,13 +56,13 @@
  - selinux

 - name: Copy wildcard cert from puppet private
-  copy: src="{{private}}/files/httpd/wildcard-2020.fedoraproject.org.cert" dest=/etc/pki/tls/certs/wildcard-2020.fedoraproject.org.cert owner=root group=root mode=0644
+  copy: src="{{private}}/files/httpd/wildcard-2022.fedoraproject.org.cert" dest=/etc/pki/tls/certs/wildcard-2022.fedoraproject.org.cert owner=root group=root mode=0644

 - name: Copy wildcard key from puppet private
-  copy: src="{{private}}/files/httpd/wildcard-2020.fedoraproject.org.key" dest=/etc/pki/tls/private/wildcard-2020.fedoraproject.org.key owner=root group=root mode=0600
+  copy: src="{{private}}/files/httpd/wildcard-2022.fedoraproject.org.key" dest=/etc/pki/tls/private/wildcard-2022.fedoraproject.org.key owner=root group=root mode=0600

 - name: Copy intermediate wildcard cert from puppet private
-  copy: src="{{private}}/files/httpd/wildcard-2020.fedoraproject.org.intermediate.cert" dest=/etc/pki/tls/certs/wildcard-2020.fedoraproject.org.intermediate.cert owner=root group=root mode=0644
+  copy: src="{{private}}/files/httpd/wildcard-2022.fedoraproject.org.intermediate.cert" dest=/etc/pki/tls/certs/wildcard-2022.fedoraproject.org.intermediate.cert owner=root group=root mode=0644

 - name: Configure httpd dl main conf
  template: src=httpd/dl.fedoraproject.org.conf dest=/etc/httpd/conf.d/dl.fedoraproject.org.conf
--- a/roles/fedmsg/gateway/slave/tasks/main.yml
+++ b/roles/fedmsg/gateway/slave/tasks/main.yml
@@ -98,8 +98,8 @@

 - name: put our combined cert in place
  copy: >
-    src={{private}}/files/httpd/wildcard-2020.fedoraproject.org.combined.cert
-    dest=/etc/pki/tls/certs/wildcard-2020.fedoraproject.org.combined.cert
+    src={{private}}/files/httpd/wildcard-2022.fedoraproject.org.combined.cert
+    dest=/etc/pki/tls/certs/wildcard-2022.fedoraproject.org.combined.cert
    owner=root group=root mode=0644
  notify: restart stunnel
  tags:
--- a/roles/fedmsg/gateway/slave/templates/stunnel-conf.j2
+++ b/roles/fedmsg/gateway/slave/templates/stunnel-conf.j2
@@ -1,5 +1,5 @@
-cert = /etc/pki/tls/certs/wildcard-2020.fedoraproject.org.combined.cert
-key = /etc/pki/tls/private/wildcard-2020.fedoraproject.org.key
+cert = /etc/pki/tls/certs/wildcard-2022.fedoraproject.org.combined.cert
+key = /etc/pki/tls/private/wildcard-2022.fedoraproject.org.key
 pid = /var/run/stunnel.pid

 [{{ stunnel_service }}]
--- a/roles/httpd/website/defaults/main.yml
+++ b/roles/httpd/website/defaults/main.yml
@@ -8,7 +8,7 @@ server_admin: webmaster@fedoraproject.org
 certbot: false
 ssl: true
 sslonly: false
-SSLCertificateChainFile: wildcard-2020.fedoraproject.org.intermediate.cert
+SSLCertificateChainFile: wildcard-2022.fedoraproject.org.intermediate.cert
 gzip: false
 stssubdomains: true
 # set to true to enable the proxy to redirect the http01 challenge