Merge branch 'legacy-certs' into 'master'

Add support for "legacy" RSA 4096 certs Closes releng#22 See merge request archlinux/infrastructure!852

Merge branch 'legacy-certs' into 'master'
a4212400 · Jan Alexander Steffens (heftig) · 92376891 · b713f5b3 · a4212400 · a4212400
Commit a4212400 authored 7 months ago by Jan Alexander Steffens (heftig)
--- a/docs/maintenance.md
+++ b/docs/maintenance.md
@@ -27,6 +27,7 @@ The basic configuration looks like this:
    service_name: "<service name>"
    service_domain: "{{ service_domain }}"
    service_alternate_domains: []
+    service_legacy_domains: []
    service_nginx_conf: "{{ service_nginx_conf }}"
  when: maintenance is defined
 ```

--- a/roles/archweb/defaults/main.yml
+++ b/roles/archweb/defaults/main.yml
 archweb_dir: '/srv/http/archweb'
 archweb_domain: 'archlinux.org'
-archweb_alternate_domains: ['www.archlinux.org', 'master-key.archlinux.org', 'dev.archlinux.org', 'packages.archlinux.org', 'ipxe.archlinux.org', 'planet.archlinux.org']
+archweb_alternate_domains: ['www.archlinux.org', 'master-key.archlinux.org', 'dev.archlinux.org', 'packages.archlinux.org', 'planet.archlinux.org']
+archweb_legacy_domains: ['ipxe.archlinux.org']
 archweb_domains_redirects:
        'www.archlinux.org': '$request_uri'
        'master-key.archlinux.org': '/master-keys/'

--- a/roles/archweb/tasks/main.yml
+++ b/roles/archweb/tasks/main.yml
@@ -5,6 +5,7 @@
    service_name: "site"
    service_domain: "{{ archweb_domain }}"
    service_alternate_domains: "{{ archweb_alternate_domains }}"
+    service_legacy_domains: "{{ archweb_legacy_domains }}"
    service_nginx_conf: "{{ archweb_nginx_conf }}"
    service_nginx_template: "maintenance-nginx.d.conf.j2"
  when: maintenance is defined and archweb_site
@@ -29,6 +30,15 @@
    domains: "{{ [archweb_domain] + archweb_alternate_domains }}"
  when: archweb_site | bool and maintenance is not defined
+- name: Create legacy ssl cert
+  include_role:
+    name: certificate
+  vars:
+    cert_name: "{{ archweb_domain }}_legacy"
+    domains: "{{ archweb_legacy_domains }}"
+    legacy: true
+  when: archweb_site | bool and maintenance is not defined
 - name: Set up nginx
  template: src=nginx.d.conf.j2 dest="{{ archweb_nginx_conf }}" owner=root group=root mode=644
  notify: Reload nginx

--- a/roles/archweb/templates/ipxe.archlinux.org.j2
+++ b/roles/archweb/templates/ipxe.archlinux.org.j2
@@ -27,9 +27,9 @@ server {
    ssl_ciphers AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256;
-    ssl_certificate      /etc/letsencrypt/live/{{ archweb_domain }}/fullchain.pem;
+    ssl_certificate      /etc/letsencrypt/live/{{ archweb_domain }}_legacy/fullchain.pem;
-    ssl_certificate_key  /etc/letsencrypt/live/{{ archweb_domain }}/privkey.pem;
+    ssl_certificate_key  /etc/letsencrypt/live/{{ archweb_domain }}_legacy/privkey.pem;
-    ssl_trusted_certificate /etc/letsencrypt/live/{{ archweb_domain }}/chain.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/{{ archweb_domain }}_legacy/chain.pem;
    location /releng/netboot/ {
        access_log   /var/log/nginx/{{ archweb_domain }}/access.log main;

--- a/roles/archweb/templates/maintenance-nginx.d.conf.j2
+++ b/roles/archweb/templates/maintenance-nginx.d.conf.j2
@@ -2,9 +2,7 @@ upstream archweb {
    server unix:///run/uwsgi/archweb.sock;
 }
-{% if service_alternate_domains %}
+{% for domain in service_alternate_domains | default([]) %}
-{% for domain in service_alternate_domains %}
 server {
    listen       80;
    listen       [::]:80;
@@ -18,7 +16,7 @@ server {
    location / {
        access_log off;
-        return 301 https://$server_name$request_uri;
+        return 302 https://$server_name$request_uri;
    }
 }
@@ -38,16 +36,51 @@ server {
    location / {
        access_log off;
-        return 301 https://{{ service_domain }};
+        return 302 https://{{ service_domain }};
    }
 }
 {% endfor %}
+{% for domain in service_legacy_domains | default([]) %}
+server {
+    listen       80;
+    listen       [::]:80;
+    server_name  {{ domain }};
+    access_log   {{ maintenance_logs_dir }}/{{ service_domain }}-access.log reduced;
+    access_log   {{ maintenance_logs_dir }}/{{ service_domain }}-access.log.json json_reduced;
+    error_log    {{ maintenance_logs_dir }}/{{ service_domain }}-error.log;
+    include snippets/letsencrypt.conf;
+    location / {
+        access_log off;
+        return 302 https://$server_name$request_uri;
+    }
+}
 server {
-{% else %}
+    listen       443 ssl;
+    listen       [::]:443 ssl;
+    http2        on;
+    server_name  {{ domain }};
+    access_log   {{ maintenance_logs_dir }}/{{ service_domain }}-access.log reduced;
+    access_log   {{ maintenance_logs_dir }}/{{ service_domain }}-access.log.json json_reduced;
+    error_log    {{ maintenance_logs_dir }}/{{ service_domain }}-error.log;
+    ssl_certificate      /etc/letsencrypt/live/{{ service_domain }}_legacy/fullchain.pem;
+    ssl_certificate_key  /etc/letsencrypt/live/{{ service_domain }}_legacy/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/{{ service_domain }}_legacy/chain.pem;
+    location / {
+        access_log off;
+        return 302 https://{{ service_domain }};
+    }
+}
+{% endfor %}
 server {
-{% endif %}
    listen       80;
    listen       [::]:80;
    server_name  {{ service_domain }};
@@ -60,7 +93,7 @@ server {
    location / {
        access_log off;
-        return 301 https://$server_name$request_uri;
+        return 302 https://$server_name$request_uri;
    }
 }

--- a/roles/archwiki/tasks/main.yml
+++ b/roles/archwiki/tasks/main.yml
@@ -4,7 +4,6 @@
  vars:
    service_name: "wiki"
    service_domain: "{{ archwiki_domain }}"
-    service_alternate_domains: []
    service_nginx_conf: "{{ archwiki_nginx_conf }}"
  when: maintenance is defined

--- a/roles/certbot/files/certbot-renewal.service
+++ b/roles/certbot/files/certbot-renewal.service
@@ -3,7 +3,7 @@ Description=Let's Encrypt renewal
 [Service]
 Type=oneshot
-ExecStart=/usr/bin/certbot renew --key-type ecdsa \
+ExecStart=/usr/bin/certbot renew                  \
    --no-random-sleep-on-renew                    \
    --pre-hook   "/etc/letsencrypt/hook.sh pre"   \
    --post-hook  "/etc/letsencrypt/hook.sh post"  \

--- a/roles/certificate/tasks/main.yml
+++ b/roles/certificate/tasks/main.yml
- name: Create ssl cert (HTTP-01)
+- name: Create ssl cert (HTTP-01) named {{ cert_name | default(domains | first) }}
  shell: |
    set -o pipefail
    # We can't start nginx without the certificate and we can't issue a certificate without nginx running.
    # So use Python built-in http.server for the initial certificate issuance
    python -m http.server --directory {{ letsencrypt_validation_dir }} 80 &
    trap "jobs -p | xargs --no-run-if-empty kill" EXIT
-    certbot certonly --email {{ certificate_contact_email }} --agree-tos --key-type ecdsa --renew-by-default --webroot -w {{ letsencrypt_validation_dir }} -d {{ domains | join(' -d ') }}
+    certbot certonly --email {{ certificate_contact_email }} --agree-tos --key-type {{ 'ecdsa' if not (legacy | default(false)) else 'rsa --rsa-key-size 4096' }} --renew-by-default --webroot -w {{ letsencrypt_validation_dir }} -d {{ domains | join(' -d ') }} --cert-name {{ cert_name | default(domains | first) }}
  args:
-    creates: '/etc/letsencrypt/live/{{ domains | first }}/fullchain.pem'
+    creates: '/etc/letsencrypt/live/{{ cert_name | default(domains | first) }}/fullchain.pem'
  when: challenge | default(certificate_challenge) == "HTTP-01"
- name: Create ssl cert (DNS-01)
+- name: Create ssl cert (DNS-01) named {{ cert_name | default(domains | first) }}
-  command: certbot certonly --email {{ certificate_contact_email }} --agree-tos --key-type ecdsa --renew-by-default --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/rfc2136.ini -d {{ domains | join(' -d ') }}
+  command: certbot certonly --email {{ certificate_contact_email }} --agree-tos --key-type {{ 'ecdsa' if not (legacy | default(false)) else 'rsa --rsa-key-size 4096' }} --renew-by-default --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/rfc2136.ini -d {{ domains | join(' -d ') }} --cert-name {{ cert_name | default(domains | first) }}
  args:
-    creates: '/etc/letsencrypt/live/{{ domains | first }}/fullchain.pem'
+    creates: '/etc/letsencrypt/live/{{ cert_name | default(domains | first) }}/fullchain.pem'
  when: challenge | default(certificate_challenge) == "DNS-01"
--- a/roles/gitlab/tasks/main.yml
+++ b/roles/gitlab/tasks/main.yml
@@ -34,7 +34,7 @@
        registry_external_url 'https://registry.archlinux.org'
        nginx['client_max_body_size'] = '10g'
        nginx['listen_addresses'] = {{ gitlab_primary_addresses }}
-        nginx['custom_gitlab_server_config'] = "set $bypass 0;\nif ($remote_addr = \"{{ hostvars['gemini.archlinux.org']['ipv4_address'] }}\") {\nset $bypass 1;\n}\nif ($remote_addr = \"{{hostvars['gemini.archlinux.org']['ipv6_address']}}\") {\nset $bypass 1;\n}\nproxy_set_header Gitlab-Bypass-Rate-Limiting $bypass;\n"
+        nginx['custom_gitlab_server_config'] = "set $bypass 0;\nif ($remote_addr = \"{{ hostvars['gemini.archlinux.org']['ipv4_address'] }}\") {\nset $bypass 1;\n}\nif ($remote_addr = \"{{ hostvars['gemini.archlinux.org']['ipv6_address'] }}\") {\nset $bypass 1;\n}\nproxy_set_header Gitlab-Bypass-Rate-Limiting $bypass;\n"
        registry_nginx['listen_addresses'] = {{ gitlab_primary_addresses }}
        gitlab_pages['inplace_chroot'] = true
        pages_external_url "http://{{ gitlab_domain }}"

--- a/roles/maintenance/templates/nginx-maintenance.conf.j2
+++ b/roles/maintenance/templates/nginx-maintenance.conf.j2
-{% if service_alternate_domains %}
+{% for domain in service_alternate_domains | default([]) %}
-{% for domain in service_alternate_domains %}
 server {
    listen       80;
    listen       [::]:80;
@@ -14,7 +12,7 @@ server {
    location / {
        access_log off;
-        return 301 https://$server_name$request_uri;
+        return 302 https://$server_name$request_uri;
    }
 }
@@ -34,16 +32,51 @@ server {
    location / {
        access_log off;
-        return 301 https://{{ service_domain }};
+        return 302 https://{{ service_domain }};
    }
 }
 {% endfor %}
+{% for domain in service_legacy_domains | default([]) %}
+server {
+    listen       80;
+    listen       [::]:80;
+    server_name  {{ domain }};
+    access_log   {{ maintenance_logs_dir }}/{{ service_domain }}-access.log reduced;
+    access_log   {{ maintenance_logs_dir }}/{{ service_domain }}-access.log.json json_reduced;
+    error_log    {{ maintenance_logs_dir }}/{{ service_domain }}-error.log;
+    include snippets/letsencrypt.conf;
+    location / {
+        access_log off;
+        return 302 https://$server_name$request_uri;
+    }
+}
 server {
-{% else %}
+    listen       443 ssl;
+    listen       [::]:443 ssl;
+    http2        on;
+    server_name  {{ domain }};
+    access_log   {{ maintenance_logs_dir }}/{{ service_domain }}-access.log reduced;
+    access_log   {{ maintenance_logs_dir }}/{{ service_domain }}-access.log.json json_reduced;
+    error_log    {{ maintenance_logs_dir }}/{{ service_domain }}-error.log;
+    ssl_certificate      /etc/letsencrypt/live/{{ service_domain }}_legacy/fullchain.pem;
+    ssl_certificate_key  /etc/letsencrypt/live/{{ service_domain }}_legacy/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/{{ service_domain }}_legacy/chain.pem;
+    location / {
+        access_log off;
+        return 302 https://{{ service_domain }};
+    }
+}
+{% endfor %}
 server {
-{% endif %}
    listen       80;
    listen       [::]:80;
    server_name  {{ service_domain }};
@@ -56,7 +89,7 @@ server {
    location / {
        access_log off;
-        return 301 https://$server_name$request_uri;
+        return 302 https://$server_name$request_uri;
    }
 }

--- a/roles/security_tracker/tasks/main.yml
+++ b/roles/security_tracker/tasks/main.yml
@@ -4,7 +4,6 @@
  vars:
    service_name: "security tracker"
    service_domain: "{{ security_tracker_domain }}"
-    service_alternate_domains: []
    service_nginx_conf: "{{ security_tracker_nginx_conf }}"
  when: maintenance is defined