author | Kelley Spoon <kelley.spoon@linaro.org> | 2018-09-07 11:04:47 -0500 |
---|---|---|
committer | Kelley Spoon <kelley.spoon@linaro.org> | 2018-09-07 20:55:50 +0000 |
commit | 9470240caeb03bff7e49edcad0205077350358e4 (patch) | |
tree | b6865915c2630891010422ea48e9e255d36397c0 | |
parent | 88debed39619df71ac78fccbe68d4aef3bd3ffc7 (diff) |
DockerPublishing: update publishing-ap to include releases-ap
This change also ensures that the acme-challenge
proxypass is included in the apache proxy vhost for
the container and changes the ssl vhost to use the
container's cert.
Change-Id: I3c3b6bfa4fbbc4fb1667bdec3f45ca4b6312adf7
Reviewed-on: https://review.linaro.org/28401
Reviewed-by: Benjamin Copeland <ben.copeland@linaro.org>
-rw-r--r-- | host_vars/publishing-ap.linaro.org | 2 | ||||
-rw-r--r-- | roles/docker-publishing/files/apache-proxy.conf | 12 |
2 files changed, 11 insertions, 3 deletions
diff --git a/host_vars/publishing-ap.linaro.org b/host_vars/publishing-ap.linaro.org
index c7cfa353..b72537d3 100644
--- a/host_vars/publishing-ap.linaro.org
+++ b/host_vars/publishing-ap.linaro.org
@@ -14,3 +14,5 @@ login_groups:
 sudo_groups:
 - systems
 - its
+
+certbot_domains: ["publishing-ap.linaro.org", "releases-ap.linaro.org"]
diff --git a/roles/docker-publishing/files/apache-proxy.conf b/roles/docker-publishing/files/apache-proxy.conf
index ebb43264..a7dc776f 100644
--- a/roles/docker-publishing/files/apache-proxy.conf
+++ b/roles/docker-publishing/files/apache-proxy.conf
@@ -10,8 +10,14 @@ ServerAlias {{args.apache_aliases|join(' ')}}
 {% endif %}
+ ProxyPass /.well-known/acme-challenge/ !
 ProxyPass "/" "http://{{container}}:{{llp_port}}/"
 ProxyPassReverse "/" "http://{{container}}"
+
+ Alias "/.well-known/acme-challenge/" "/srv/certbot/.well-known/acme-challenge/"
+ <Directory "/srv/certbot/.well-known/acme-challenge/">
+ Require all granted
+ </Directory>
 </VirtualHost>
 <IfModule mod_ssl.c>
@@ -27,9 +33,9 @@ ServerAlias {{args.apache_aliases|join(' ')}}
 {% endif %}
- SSLCertificateFile {{ssl_cert | default('/etc/ssl/certs/ssl-cert-snakeoil.pem')}}
- SSLCertificateKeyFile {{ssl_key| default('/etc/ssl/private/ssl-cert-snakeoil.key' )}}
- SSLCACertificateFile {{ssl_ca_cert | default('/etc/ssl/certs/ssl-cert-snakeoil.pem')}}
+ SSLCertificateFile /etc/letsencrypt/live/{{container}}/fullchain.pem
+ SSLCertificateKeyFile /etc/letsencrypt/live/{{container}}/privkey.pem
+ SSLCACertificateFile /etc/letsencrypt/live/{{container}}/fullchain.pem
 RequestHeader set X-Forwarded-Proto 'https' env=HTTPS |
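Review bot: The new `<Directory "/srv/certbot/.well-known/acme-challenge/">` block grants access to everyone but leaves `Options` and `AllowOverride` at whatever the server-wide configuration sets. Because this path is served without authentication on the plain-HTTP vhost, adding `Options None` and `AllowOverride None` inside the block would keep it to static files regardless of global defaults. A comment above the `ProxyPass /.well-known/acme-challenge/ !` line, such as `# Serve ACME HTTP-01 challenges locally; must precede the catch-all ProxyPass`, would also record why its position matters. The enclosing `<VirtualHost>` opens outside the hunk.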
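Review bot: The three `SSLCertificate*` directives are now fixed to `/etc/letsencrypt/live/{{container}}/` with no fallback, so Apache will refuse to load this configuration on any host where that lineage does not exist yet, and the port-80 vhost that answers the ACME challenge lives in the same file. Certbot normally names the lineage directory after the first requested domain or an explicit certificate name, so it is worth confirming that `{{container}}` matches it when `certbot_domains` lists two names; keeping the override, e.g. `SSLCertificateFile {{ssl_cert | default('/etc/letsencrypt/live/' ~ container ~ '/fullchain.pem')}}`, would preserve a bootstrap path. Separately, `SSLCACertificateFile` sets the CA bundle used to verify client certificates, and pointing it at `fullchain.pem` adds the server's own leaf and intermediate to that trust list; the line can likely be dropped since `fullchain.pem` already carries the chain. The enclosing `<VirtualHost>` and `<IfModule mod_ssl.c>` blocks open and close outside the hunk.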