Add HTTPS to developer and docs.openstack.org

Add X.509 certificates, certificate chains and private keys for
https://developer.openstack.org/ and https://docs.openstack.org/
separately using SNI (as the list grows we can consider condensing
these into a single cert using ServerAltNames later).

Change-Id: Ia365be3363b611e5ee3b6dceb38ec311456466ec

manifests/site.pp

@@ -667,6 +667,7 @@ node 'design-summit-prep.openstack.org' {
 # Serve static AFS content for docs and other sites.
 # Node-OS: trusty
 node 'files01.openstack.org' {
+  $group = "files"
   class { 'openstack_project::server':
     iptables_public_tcp_ports => [22, 80],
     sysadmins                 => hiera('sysadmins', []),
@@ -675,8 +676,14 @@ node 'files01.openstack.org' {
   }
 
   class { 'openstack_project::files':
-    vhost_name => 'files.openstack.org',
-    require    => Class['Openstack_project::Server'],
+    vhost_name                    => 'files.openstack.org',
+    developer_cert_file_contents  => hiera('developer_ssl_cert_file_contents'),
+    developer_key_file_contents   => hiera('developer_ssl_key_file_contents'),
+    developer_chain_file_contents => hiera('developer_ssl_chain_file_contents'),
+    docs_cert_file_contents       => hiera('docs_ssl_cert_file_contents'),
+    docs_key_file_contents        => hiera('docs_ssl_key_file_contents'),
+    docs_chain_file_contents      => hiera('docs_ssl_chain_file_contents'),
+    require                       => Class['Openstack_project::Server'],
   }
 }
 

modules/openstack_project/files/puppetmaster/groups.txt

@@ -6,6 +6,7 @@ ci-backup ci-backup-*.openstack.org
 disabled ci-backup-rs-ord.openstack.org:db368fcd-e61a-4294-a5cb-851c16650f7a:wiki.openstack.org
 elasticsearch ~elasticsearch0[1-7]\.openstack\.org
 ethercalc ~ethercalc\d+\.openstack\.org
+files ~files\d+\.openstack\.org
 git-loadbalancer ~git(-fe\d+)?\.openstack\.org
 git-server ~git\d+\.openstack\.org
 logstash-worker ~logstash-worker\d+\.openstack\.org

modules/openstack_project/files/ssl_cert_check/ssldomains

@@ -1,4 +1,6 @@
 ask.openstack.org 443
+developer.openstack.org 443
+docs.openstack.org 443
 ethercalc.openstack.org 443
 etherpad.openstack.org 443
 git.openstack.org 443

modules/openstack_project/manifests/files.pp

@@ -2,6 +2,12 @@
 #
 class openstack_project::files (
   $vhost_name = $::fqdn,
+  $developer_cert_file_contents,
+  $developer_key_file_contents,
+  $developer_chain_file_contents,
+  $docs_cert_file_contents,
+  $docs_key_file_contents,
+  $docs_chain_file_contents,
 ) {
 
   $afs_root = '/afs/openstack.org/'
@@ -24,6 +30,22 @@ class openstack_project::files (
     require  => File["${www_base}"],
   }
 
+  #####################################################
+  # Set up directories needed by HTTPS certs/keys
+  file { '/etc/ssl/certs':
+    ensure => directory,
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0755',
+  }
+
+  file { '/etc/ssl/private':
+    ensure => directory,
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0700',
+  }
+
   #####################################################
   # Build VHost
   include ::httpd
@@ -59,19 +81,69 @@ class openstack_project::files (
   # docs.openstack.org
 
   ::httpd::vhost { 'docs.openstack.org':
-    port       => 80,
+    port       => 443, # Is required despite not being used.
     docroot    => "${afs_root}docs",
     priority   => '50',
     template   => 'openstack_project/docs.vhost.erb',
   }
+  file { '/etc/ssl/certs/docs.openstack.org.pem':
+    ensure  => present,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0644',
+    content => $docs_cert_file_contents,
+    require => File['/etc/ssl/certs'],
+  }
+  file { '/etc/ssl/private/docs.openstack.org.key':
+    ensure  => present,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0600',
+    content => $docs_key_file_contents,
+    require => File['/etc/ssl/private'],
+  }
+  file { '/etc/ssl/certs/docs.openstack.org_intermediate.pem':
+    ensure  => present,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0644',
+    content => $docs_chain_file_contents,
+    require => File['/etc/ssl/certs'],
+    before  => File['/etc/ssl/certs/docs.openstack.org.pem'],
+  }
 
   ###########################################################
   # developer.openstack.org
 
   ::httpd::vhost { 'developer.openstack.org':
-    port       => 80,
+    port       => 443, # Is required despite not being used.
     docroot    => "${afs_root}developer-docs",
     priority   => '50',
-    template   => 'openstack_project/docs.vhost.erb',
+    template   => 'openstack_project/developer.vhost.erb',
+  }
+  file { '/etc/ssl/certs/developer.openstack.org.pem':
+    ensure  => present,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0644',
+    content => $developer_cert_file_contents,
+    require => File['/etc/ssl/certs'],
+  }
+  file { '/etc/ssl/private/developer.openstack.org.key':
+    ensure  => present,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0600',
+    content => $developer_key_file_contents,
+    require => File['/etc/ssl/private'],
+  }
+  file { '/etc/ssl/certs/developer.openstack.org_intermediate.pem':
+    ensure  => present,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0644',
+    content => $developer_chain_file_contents,
+    require => File['/etc/ssl/certs'],
+    before  => File['/etc/ssl/certs/developer.openstack.org.pem'],
   }
 }

modules/openstack_project/templates/developer.vhost.erb

@@ -0,0 +1,68 @@
+# ************************************
+# Managed by Puppet
+# ************************************
+
+<VirtualHost *:80>
+    ServerName <%= @srvname %>
+    <% if @serveraliases.is_a? Array -%>
+      <% @serveraliases.each do |name| -%><%= "  ServerAlias #{name}\n" %><% end -%>
+    <% elsif @serveraliases != nil -%>
+      <%= "  ServerAlias #{@serveraliases}" -%>
+    <% end -%>
+
+    RewriteEngine on
+
+    DocumentRoot <%= @docroot %>
+    <Directory <%= @docroot %>>
+        Options Indexes FollowSymLinks MultiViews
+        Satisfy any
+        Require all granted
+        # Allow mod_rewrite rules
+        AllowOverride FileInfo
+        ErrorDocument 404 /errorpage.html
+    </Directory>
+
+    ErrorLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_error.log
+    LogLevel warn
+    CustomLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_access.log combined
+    ServerSignature Off
+</VirtualHost>
+
+<IfModule mod_ssl.c>
+<VirtualHost *:443>
+    ServerName <%= @srvname %>
+    <% if @serveraliases.is_a? Array -%>
+      <% @serveraliases.each do |name| -%><%= "  ServerAlias #{name}\n" %><% end -%>
+    <% elsif @serveraliases != nil -%>
+      <%= "  ServerAlias #{@serveraliases}" -%>
+    <% end -%>
+
+    RewriteEngine on
+
+    SSLEngine on
+    SSLProtocol All -SSLv2 -SSLv3
+    # Once the machine is using something to terminate TLS that supports ECDHE
+    # then this should be edited to remove the RSA+AESGCM:RSA+AES so that PFS
+    # only is guarenteed.
+    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
+    SSLHonorCipherOrder on
+    SSLCertificateFile /etc/ssl/certs/developer.openstack.org.pem
+    SSLCertificateKeyFile /etc/ssl/private/developer.openstack.org.key
+    SSLCertificateChainFile /etc/ssl/certs/developer.openstack.org_intermediate.pem
+
+    DocumentRoot <%= @docroot %>
+    <Directory <%= @docroot %>>
+        Options Indexes FollowSymLinks MultiViews
+        Satisfy any
+        Require all granted
+        # Allow mod_rewrite rules
+        AllowOverride FileInfo
+        ErrorDocument 404 /errorpage.html
+    </Directory>
+
+    ErrorLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_error.log
+    LogLevel warn
+    CustomLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_access.log combined
+    ServerSignature Off
+</VirtualHost>
+</IfModule>

modules/openstack_project/templates/docs.vhost.erb

@@ -2,8 +2,7 @@
 # Managed by Puppet
 # ************************************
 
-NameVirtualHost <%= @vhost_name %>:<%= @port %>
-<VirtualHost <%= @vhost_name %>:<%= @port %>>
+<VirtualHost *:80>
     ServerName <%= @srvname %>
     <% if @serveraliases.is_a? Array -%>
       <% @serveraliases.each do |name| -%><%= "  ServerAlias #{name}\n" %><% end -%>
@@ -28,3 +27,42 @@ NameVirtualHost <%= @vhost_name %>:<%= @port %>
     CustomLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_access.log combined
     ServerSignature Off
 </VirtualHost>
+
+<IfModule mod_ssl.c>
+<VirtualHost *:443>
+    ServerName <%= @srvname %>
+    <% if @serveraliases.is_a? Array -%>
+      <% @serveraliases.each do |name| -%><%= "  ServerAlias #{name}\n" %><% end -%>
+    <% elsif @serveraliases != nil -%>
+      <%= "  ServerAlias #{@serveraliases}" -%>
+    <% end -%>
+
+    RewriteEngine on
+
+    SSLEngine on
+    SSLProtocol All -SSLv2 -SSLv3
+    # Once the machine is using something to terminate TLS that supports ECDHE
+    # then this should be edited to remove the RSA+AESGCM:RSA+AES so that PFS
+    # only is guarenteed.
+    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
+    SSLHonorCipherOrder on
+    SSLCertificateFile /etc/ssl/certs/docs.openstack.org.pem
+    SSLCertificateKeyFile /etc/ssl/private/docs.openstack.org.key
+    SSLCertificateChainFile /etc/ssl/certs/docs.openstack.org_intermediate.pem
+
+    DocumentRoot <%= @docroot %>
+    <Directory <%= @docroot %>>
+        Options Indexes FollowSymLinks MultiViews
+        Satisfy any
+        Require all granted
+        # Allow mod_rewrite rules
+        AllowOverride FileInfo
+        ErrorDocument 404 /errorpage.html
+    </Directory>
+
+    ErrorLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_error.log
+    LogLevel warn
+    CustomLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_access.log combined
+    ServerSignature Off
+</VirtualHost>
+</IfModule>