diff --git a/manifests/site.pp b/manifests/site.pp
index 794f3dac0c..14376262db 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -662,16 +662,19 @@ node 'static.openstack.org' {
 sysadmins => hiera('sysadmins', []),
 }
 class { 'openstack_project::static':
- project_config_repo => 'https://git.openstack.org/openstack-infra/project-config',
- swift_authurl => 'https://identity.api.rackspacecloud.com/v2.0/',
- swift_user => 'infra-files-ro',
- swift_key => hiera('infra_files_ro_password'),
- swift_tenant_name => hiera('infra_files_tenant_name', 'tenantname'),
- swift_region_name => 'DFW',
- swift_default_container => 'infra-files',
- ssl_cert_file_contents => hiera('static_ssl_cert_file_contents'),
- ssl_key_file_contents => hiera('static_ssl_key_file_contents'),
- ssl_chain_file_contents => hiera('static_ssl_chain_file_contents'),
+ project_config_repo => 'https://git.openstack.org/openstack-infra/project-config',
+ swift_authurl => 'https://identity.api.rackspacecloud.com/v2.0/',
+ swift_user => 'infra-files-ro',
+ swift_key => hiera('infra_files_ro_password'),
+ swift_tenant_name => hiera('infra_files_tenant_name', 'tenantname'),
+ swift_region_name => 'DFW',
+ swift_default_container => 'infra-files',
+ ssl_cert_file_contents => hiera('static_ssl_cert_file_contents'),
+ ssl_key_file_contents => hiera('static_ssl_key_file_contents'),
+ ssl_chain_file_contents => hiera('static_ssl_chain_file_contents'),
+ releases_cert_file_contents => hiera('releases_ssl_cert_file_contents'),
+ releases_key_file_contents => hiera('releases_ssl_key_file_contents'),
+ releases_chain_file_contents => hiera('releases_ssl_chain_file_contents'),
 }
 }
diff --git a/modules/openstack_project/manifests/static.pp b/modules/openstack_project/manifests/static.pp
index 2b68d9bb6e..6318369e64 100644
--- a/modules/openstack_project/manifests/static.pp
+++ b/modules/openstack_project/manifests/static.pp
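Review bot: The ten existing `openstack_project::static` arguments are removed and re-added in the same hunk as the three new `releases_*` lookups, and in this rendering the removed and added versions read identically, so the difference appears to be alignment whitespace only; mixing that with the functional addition makes the three new lines easy to miss, and a separate re-alignment change would have left this hunk as just the three added lines. The new `hiera('releases_ssl_key_file_contents')` and its two siblings carry no default, matching the existing `ssl_*` lookups, which is the right shape for key material: a missing hiera key then fails catalog compilation instead of deploying an empty file.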
@@ -14,6 +14,9 @@ class openstack_project::static (
 $ssl_key_file_contents = '',
 $ssl_chain_file = '',
 $ssl_chain_file_contents = '',
+ $releases_cert_file_contents = '',
+ $releases_key_file_contents = '',
+ $releases_chain_file_contents = '',
 $jenkins_gitfullname = 'OpenStack Jenkins',
 $jenkins_gitemail = 'jenkins@openstack.org',
 ) {
@@ -362,17 +365,45 @@ class openstack_project::static (
 ###########################################################
 # Releases
+ # Temporary separate HTTPS cert/key/chain for releases.o.o so that we
+ # don't have to renew the static.o.o cert just to add one SubjectAltName
+ file { '/etc/ssl/certs/releases.openstack.org.pem':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => $releases_cert_file_contents,
+ require => File['/etc/ssl/certs'],
+ }
+ file { '/etc/ssl/private/releases.openstack.org.key':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0600',
+ content => $releases_key_file_contents,
+ require => File['/etc/ssl/private'],
+ }
+ file { '/etc/ssl/certs/releases.openstack.org_intermediate.pem':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => $releases_chain_file_contents,
+ require => File['/etc/ssl/certs'],
+ before => File['/etc/ssl/certs/releases.openstack.org.pem'],
+ }
+
 ::httpd::vhost { 'releases.openstack.org':
 port => 443, # Is required despite not being used.
 docroot => '/srv/static/releases',
 priority => '50',
 ssl => true,
- template => 'openstack_project/static-http-and-https.vhost.erb',
+ template => 'openstack_project/static-releases.vhost.erb',
 vhost_name => 'releases.openstack.org',
 require => [
 File['/srv/static/releases'],
- File[$cert_file],
- File[$key_file],
+ File['/etc/ssl/certs/releases.openstack.org.pem'],
+ File['/etc/ssl/private/releases.openstack.org.key'],
 ],
 }
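Review bot: The three new `file` resources write their parameter values unconditionally, and the parameter-list hunk earlier in this file defaults `$releases_cert_file_contents`, `$releases_key_file_contents` and `$releases_chain_file_contents` to `''`, so a node that is not given those values gets zero-byte `releases.openstack.org.pem`/`.key` files with `ensure => present`, and the `::httpd::vhost` that `require`s them would presumably only fail once Apache tries to load them; either guard the resources and the vhost with `if $releases_key_file_contents != ''` or drop the empty defaults so the values stay mandatory. On the `/etc/ssl/private/releases.openstack.org.key` resource, add `show_diff => false,` so that a key rotation does not print the old and new key material into the agent log and report. The `before => File['/etc/ssl/certs/releases.openstack.org.pem']` on the intermediate file looks copied from the existing chain handling; its purpose is not obvious here and deserves a one-line comment. The enclosing class body continues outside the hunk.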
diff --git a/modules/openstack_project/templates/static-releases.vhost.erb b/modules/openstack_project/templates/static-releases.vhost.erb
new file mode 100644
index 0000000000..6472d3cb34
--- /dev/null
+++ b/modules/openstack_project/templates/static-releases.vhost.erb
@@ -0,0 +1,45 @@
+# ************************************
+# Managed by Puppet
+# ************************************
+
+
+ ServerName <%= @vhost_name %>
+<% if @serveraliases.is_a? Array -%>
+<% @serveraliases.each do |name| -%><%= " ServerAlias #{name}\n" %><% end -%>
+<% elsif @serveraliases != '' -%>
+<%= " ServerAlias #{@serveraliases}" %>
+<% end -%>
+ RewriteEngine On
+ RewriteRule ^/(.*) https://<%= @vhost_name %>/$1 [last,redirect=permanent]
+ LogLevel warn
+ ErrorLog /var/log/apache2/<%= @vhost_name %>_error.log
+ CustomLog /var/log/apache2/<%= @vhost_name %>_access.log combined
+ ServerSignature Off
+
+
+
+ ServerName <%= @vhost_name %>
+ DocumentRoot <%= @docroot %>
+ SSLEngine on
+ SSLProtocol All -SSLv2 -SSLv3
+ # Once the machine is using something to terminate TLS that supports ECDHE
+ # then this should be edited to remove the RSA+AESGCM:RSA+AES so that PFS
+ # only is guarenteed.
+ SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
+ SSLHonorCipherOrder on
+ SSLCertificateFile /etc/ssl/certs/releases.openstack.org.pem
+ SSLCertificateKeyFile /etc/ssl/private/releases.openstack.org.key
+ SSLCertificateChainFile /etc/ssl/certs/releases.openstack.org_intermediate.pem
+ >
+ Options Indexes FollowSymLinks MultiViews
+ AllowOverride None
+ Satisfy Any
+ Require all granted
+
+ LogLevel warn
+ ErrorLog /var/log/apache2/<%= @vhost_name %>_error.log
+ CustomLog /var/log/apache2/<%= @vhost_name %>_access.log combined
+ ServerSignature Off
+
+
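Review bot: The TLS policy lines (`SSLProtocol`, `SSLCipherSuite`, `SSLHonorCipherOrder` and the ECDHE comment above them) are now carried in a second template that differs from the existing `static-http-and-https.vhost.erb` only in the three hard-coded certificate paths, so any later tightening of one file will silently not reach the other; since the manifest calls this split temporary, a header comment naming the source template and the removal condition would help, e.g. `# Temporary copy of static-http-and-https.vhost.erb with releases.o.o cert paths; drop once the static.o.o cert covers releases.o.o`. `SSLProtocol All -SSLv2 -SSLv3` still accepts TLS 1.0 and 1.1, which is presumably inherited from the original template; if that policy is tightened later it needs to change in both places. Also, `guarenteed` in the cipher-suite comment should read `guaranteed`.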