Set up HTTPS for releases.openstack.org site

Add separate HTTPS cert/key/chain files for the
releases.openstack.org site since our current certificate vendor
requires us to renew a cert to update the SubjectAltNames list in
it. Note that this depends on RFC 4366 (Server Name Indication)
support in browsers, but basically all "modern" browsers should be
fine with it (if someone is still using IE6, I'll be happy to print
out and mail them a copy of the site). Also, the relatively strict
TLS options we've been using for the other HTTPS sites on this
server basically already preclude browsers of that vintage, so it's
unlikely to come up at all.

This site can be folded into the static.openstack.org multi-site
cert when it's renewed next year and switched to the normal
static-https-redirect.vhost.erb template at that time.

Change-Id: I92f7fd163fc36ab06116233622a9a07c5f20440d

manifests/site.pp

@@ -672,6 +672,9 @@ node 'static.openstack.org' {
     ssl_cert_file_contents       => hiera('static_ssl_cert_file_contents'),
     ssl_key_file_contents        => hiera('static_ssl_key_file_contents'),
     ssl_chain_file_contents      => hiera('static_ssl_chain_file_contents'),
+    releases_cert_file_contents  => hiera('releases_ssl_cert_file_contents'),
+    releases_key_file_contents   => hiera('releases_ssl_key_file_contents'),
+    releases_chain_file_contents => hiera('releases_ssl_chain_file_contents'),
   }
 }
 

modules/openstack_project/manifests/static.pp

@@ -14,6 +14,9 @@ class openstack_project::static (
   $ssl_key_file_contents = '',
   $ssl_chain_file = '',
   $ssl_chain_file_contents = '',
+  $releases_cert_file_contents = '',
+  $releases_key_file_contents = '',
+  $releases_chain_file_contents = '',
   $jenkins_gitfullname = 'OpenStack Jenkins',
   $jenkins_gitemail = 'jenkins@openstack.org',
 ) {
@@ -362,17 +365,45 @@ class openstack_project::static (
   ###########################################################
   # Releases
 
+  # Temporary separate HTTPS cert/key/chain for releases.o.o so that we
+  # don't have to renew the static.o.o cert just to add one SubjectAltName
+  file { '/etc/ssl/certs/releases.openstack.org.pem':
+    ensure  => present,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0644',
+    content => $releases_cert_file_contents,
+    require => File['/etc/ssl/certs'],
+  }
+  file { '/etc/ssl/private/releases.openstack.org.key':
+    ensure  => present,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0600',
+    content => $releases_key_file_contents,
+    require => File['/etc/ssl/private'],
+  }
+  file { '/etc/ssl/certs/releases.openstack.org_intermediate.pem':
+    ensure  => present,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0644',
+    content => $releases_chain_file_contents,
+    require => File['/etc/ssl/certs'],
+    before  => File['/etc/ssl/certs/releases.openstack.org.pem'],
+  }
+
   ::httpd::vhost { 'releases.openstack.org':
     port       => 443, # Is required despite not being used.
     docroot    => '/srv/static/releases',
     priority   => '50',
     ssl        => true,
-    template   => 'openstack_project/static-http-and-https.vhost.erb',
+    template   => 'openstack_project/static-releases.vhost.erb',
     vhost_name => 'releases.openstack.org',
     require    => [
       File['/srv/static/releases'],
-      File[$cert_file],
-      File[$key_file],
+      File['/etc/ssl/certs/releases.openstack.org.pem'],
+      File['/etc/ssl/private/releases.openstack.org.key'],
     ],
   }
 

modules/openstack_project/templates/static-releases.vhost.erb

@@ -0,0 +1,45 @@
+# ************************************
+# Managed by Puppet
+# ************************************
+
+<VirtualHost *:80>
+  ServerName <%= @vhost_name %>
+<% if @serveraliases.is_a? Array -%>
+<% @serveraliases.each do |name| -%><%= " ServerAlias #{name}\n" %><% end -%>
+<% elsif @serveraliases != '' -%>
+<%= " ServerAlias #{@serveraliases}" %>
+<% end -%>
+  RewriteEngine On
+  RewriteRule ^/(.*) https://<%= @vhost_name %>/$1 [last,redirect=permanent]
+  LogLevel warn
+  ErrorLog /var/log/apache2/<%= @vhost_name %>_error.log
+  CustomLog /var/log/apache2/<%= @vhost_name %>_access.log combined
+  ServerSignature Off
+</VirtualHost>
+
+<IfModule mod_ssl.c>
+<VirtualHost *:443>
+  ServerName <%= @vhost_name %>
+  DocumentRoot <%= @docroot %>
+  SSLEngine on
+  SSLProtocol All -SSLv2 -SSLv3
+  # Once the machine is using something to terminate TLS that supports ECDHE
+  # then this should be edited to remove the RSA+AESGCM:RSA+AES so that PFS
+  # only is guarenteed.
+  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
+  SSLHonorCipherOrder on
+  SSLCertificateFile /etc/ssl/certs/releases.openstack.org.pem
+  SSLCertificateKeyFile /etc/ssl/private/releases.openstack.org.key
+  SSLCertificateChainFile /etc/ssl/certs/releases.openstack.org_intermediate.pem
+  <Directory <%= @docroot %>>
+    Options Indexes FollowSymLinks MultiViews
+    AllowOverride None
+    Satisfy Any
+    Require all granted
+  </Directory>
+  LogLevel warn
+  ErrorLog /var/log/apache2/<%= @vhost_name %>_error.log
+  CustomLog /var/log/apache2/<%= @vhost_name %>_access.log combined
+  ServerSignature Off
+</VirtualHost>
+</IfModule>