From 8d19f4e47491b67394d8ae61b607a38574d2fa5e Mon Sep 17 00:00:00 2001
From: Jeremy Stanley
Date: Wed, 10 Aug 2016 18:51:27 +0000
Subject: [PATCH] Set up HTTPS for releases.openstack.org site
Add separate HTTPS cert/key/chain files for the releases.openstack.org site since our current certificate vendor requires us to renew a cert to update the SubjectAltNames list in it. Note that this depends on RFC 4366 (Server Name Indication) support in browsers, but basically all "modern" browsers should be fine with it (if someone is still using IE6, I'll be happy to print out and mail them a copy of the site). Also, the relatively strict TLS options we've been using for the other HTTPS sites on this server basically already preclude browsers of that vintage, so it's unlikely to come up at all. This site can be folded into the static.openstack.org multi-site cert when it's renewed next year and switched to the normal static-https-redirect.vhost.erb template at that time.
Change-Id: I92f7fd163fc36ab06116233622a9a07c5f20440d
---
manifests/site.pp | 23 +++++-----
modules/openstack_project/manifests/static.pp | 37 +++++++++++++--
.../templates/static-releases.vhost.erb | 45 +++++++++++++++++++
3 files changed, 92 insertions(+), 13 deletions(-)
create mode 100644 modules/openstack_project/templates/static-releases.vhost.erb
diff --git a/manifests/site.pp b/manifests/site.pp
index 794f3dac0c..14376262db 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -662,16 +662,19 @@ node 'static.openstack.org' {
 sysadmins => hiera('sysadmins', []),
 }
 class { 'openstack_project::static':
- project_config_repo => 'https://git.openstack.org/openstack-infra/project-config',
- swift_authurl => 'https://identity.api.rackspacecloud.com/v2.0/',
- swift_user => 'infra-files-ro',
- swift_key => hiera('infra_files_ro_password'),
- swift_tenant_name => hiera('infra_files_tenant_name', 'tenantname'),
- swift_region_name => 'DFW',
- swift_default_container => 'infra-files',
- ssl_cert_file_contents => hiera('static_ssl_cert_file_contents'),
- ssl_key_file_contents => hiera('static_ssl_key_file_contents'),
- ssl_chain_file_contents => hiera('static_ssl_chain_file_contents'),
+ project_config_repo => 'https://git.openstack.org/openstack-infra/project-config',
+ swift_authurl => 'https://identity.api.rackspacecloud.com/v2.0/',
+ swift_user => 'infra-files-ro',
+ swift_key => hiera('infra_files_ro_password'),
+ swift_tenant_name => hiera('infra_files_tenant_name', 'tenantname'),
+ swift_region_name => 'DFW',
+ swift_default_container => 'infra-files',
+ ssl_cert_file_contents => hiera('static_ssl_cert_file_contents'),
+ ssl_key_file_contents => hiera('static_ssl_key_file_contents'),
+ ssl_chain_file_contents => hiera('static_ssl_chain_file_contents'),
+ releases_cert_file_contents => hiera('releases_ssl_cert_file_contents'),
+ releases_key_file_contents => hiera('releases_ssl_key_file_contents'),
+ releases_chain_file_contents => hiera('releases_ssl_chain_file_contents'),
 }
 }
diff --git a/modules/openstack_project/manifests/static.pp b/modules/openstack_project/manifests/static.pp
index 2b68d9bb6e..6318369e64 100644
--- a/modules/openstack_project/manifests/static.pp
+++ b/modules/openstack_project/manifests/static.pp
@@ -14,6 +14,9 @@ class openstack_project::static (
 $ssl_key_file_contents = '',
 $ssl_chain_file = '',
 $ssl_chain_file_contents = '',
+ $releases_cert_file_contents = '',
+ $releases_key_file_contents = '',
+ $releases_chain_file_contents = '',
 $jenkins_gitfullname = 'OpenStack Jenkins',
 $jenkins_gitemail = 'jenkins@openstack.org',
 ) {
@@ -362,17 +365,45 @@ class openstack_project::static (
 ###########################################################
 # Releases
+ # Temporary separate HTTPS cert/key/chain for releases.o.o so that we
+ # don't have to renew the static.o.o cert just to add one SubjectAltName
+ file { '/etc/ssl/certs/releases.openstack.org.pem':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => $releases_cert_file_contents,
+ require => File['/etc/ssl/certs'],
+ }
+ file { '/etc/ssl/private/releases.openstack.org.key':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0600',
+ content => $releases_key_file_contents,
+ require => File['/etc/ssl/private'],
+ }
+ file { '/etc/ssl/certs/releases.openstack.org_intermediate.pem':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => $releases_chain_file_contents,
+ require => File['/etc/ssl/certs'],
+ before => File['/etc/ssl/certs/releases.openstack.org.pem'],
+ }
+
 ::httpd::vhost { 'releases.openstack.org':
 port => 443, # Is required despite not being used.
 docroot => '/srv/static/releases',
 priority => '50',
 ssl => true,
- template => 'openstack_project/static-http-and-https.vhost.erb',
+ template => 'openstack_project/static-releases.vhost.erb',
 vhost_name => 'releases.openstack.org',
 require => [
 File['/srv/static/releases'],
- File[$cert_file],
- File[$key_file],
+ File['/etc/ssl/certs/releases.openstack.org.pem'],
+ File['/etc/ssl/private/releases.openstack.org.key'],
 ],
 }
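Review bot: The key file resource for `/etc/ssl/private/releases.openstack.org.key` in the second hunk should add `show_diff => false,` so that a change to `$releases_key_file_contents` is not printed as a content diff into the agent log and report; the `0600` mode protects the key on disk but not in reporting. The three new `file` resources also write their hiera-supplied content unconditionally, so with the `''` defaults added in the first hunk a node that omits these parameters gets empty cert and key files written and mod_ssl will refuse to start the vhost — wrapping them in `if $releases_key_file_contents != '' { … }` (or dropping the `''` defaults so the parameters are required) would surface that at catalog compile time instead. I cannot see how the existing `$ssl_key_file_contents` parameter is guarded elsewhere in this class, so the second point may simply need to follow whatever convention that code already uses.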
diff --git a/modules/openstack_project/templates/static-releases.vhost.erb b/modules/openstack_project/templates/static-releases.vhost.erb
new file mode 100644
index 0000000000..6472d3cb34
--- /dev/null
+++ b/modules/openstack_project/templates/static-releases.vhost.erb
@@ -0,0 +1,45 @@
+# ************************************
+# Managed by Puppet
+# ************************************
+
+
+ ServerName <%= @vhost_name %>
+<% if @serveraliases.is_a? Array -%>
+<% @serveraliases.each do |name| -%><%= " ServerAlias #{name}\n" %><% end -%>
+<% elsif @serveraliases != '' -%>
+<%= " ServerAlias #{@serveraliases}" %>
+<% end -%>
+ RewriteEngine On
+ RewriteRule ^/(.*) https://<%= @vhost_name %>/$1 [last,redirect=permanent]
+ LogLevel warn
+ ErrorLog /var/log/apache2/<%= @vhost_name %>_error.log
+ CustomLog /var/log/apache2/<%= @vhost_name %>_access.log combined
+ ServerSignature Off
+
+
+
+ ServerName <%= @vhost_name %>
+ DocumentRoot <%= @docroot %>
+ SSLEngine on
+ SSLProtocol All -SSLv2 -SSLv3
+ # Once the machine is using something to terminate TLS that supports ECDHE
+ # then this should be edited to remove the RSA+AESGCM:RSA+AES so that PFS
+ # only is guarenteed.
+ SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
+ SSLHonorCipherOrder on
+ SSLCertificateFile /etc/ssl/certs/releases.openstack.org.pem
+ SSLCertificateKeyFile /etc/ssl/private/releases.openstack.org.key
+ SSLCertificateChainFile /etc/ssl/certs/releases.openstack.org_intermediate.pem
+ >
+ Options Indexes FollowSymLinks MultiViews
+ AllowOverride None
+ Satisfy Any
+ Require all granted
+
+ LogLevel warn
+ ErrorLog /var/log/apache2/<%= @vhost_name %>_error.log
+ CustomLog /var/log/apache2/<%= @vhost_name %>_access.log combined
+ ServerSignature Off
+
+
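Review bot: The port-443 vhost in this new template sends no `Strict-Transport-Security` header even though the port-80 vhost redirects permanently, so each fresh visit still starts over plain HTTP until the redirect lands; adding `Header always set Strict-Transport-Security "max-age=31536000"` next to `SSLHonorCipherOrder on` would let browsers skip that step (this needs mod_headers, which I cannot confirm is enabled from this change alone, and the max-age should be chosen with the planned fold-in to the static.openstack.org cert in mind). The cipher string lists `ECDH+AES256:DH+AES256` and then removes every AES-256 suite again with `!AES256`, so if I read the OpenSSL cipher syntax correctly those two entries are dead and only AES-128 suites are ever offered — worth a one-line comment if that is intentional, or dropping `!AES256` if not. The `<VirtualHost>` and `<Directory>` container lines are not visible in this rendering of the hunk, and the comment above `SSLCipherSuite` has a typo (`guarenteed` should read `guaranteed`).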