Merged
2 changes: 1 addition & 1 deletion Vagrantfile
Expand Up @@ -11,7 +11,7 @@ SERVERS = [
{:name => "docs", :codename => "noble"},
{:name => "downloads", :codename => "noble"},
{:name => "hg", :codename => "noble"},
{:name => "loadbalancer", :codename => "noble", :ports => [20000, 20001, 20002, 20003, 20004, 20005, 20010, 20011]},
{:name => "loadbalancer", :codename => "noble", :ports => [20000, 20001, 20002, 20004, 20010, 20011]},
"mail",
"moin",
"planet",
9 changes: 0 additions & 9 deletions pillar/base/firewall/loadbalancer.sls
Expand Up @@ -11,18 +11,9 @@ firewall:
http_2:
port: 20002

http_3:
port: 20003

http_4:
port: 20004

http_5:
port: 20005

http_6:
port: 20006

http_map:
port: 20010

17 changes: 8 additions & 9 deletions salt/haproxy/config/haproxy.cfg.jinja
Expand Up @@ -92,15 +92,14 @@ frontend main

# HTTPS Binds
# Advertise http/1.1 over NPN to enable TLS False Start
bind :20003 ssl alpn h2,http/1.1 crt star.python.org.pem
bind :20005 ssl alpn h2,http/1.1 crt star.pypa.io.pem
bind :20006 ssl alpn h2,http/1.1 crt speed.pypy.org.pem
bind :20007 ssl alpn h2,http/1.1 crt star.pycon.org.pem
bind :20008 ssl alpn h2,http/1.1 crt jython.org.pem
bind 0.0.0.0:443 ssl alpn h2,http/1.1 crt star.python.org.pem crt star.pycon.org.pem crt star.pypa.io.pem crt star.pyfound.org.pem crt speed.pypy.org.pem crt jython.org.pem crt salt-public.psf.io.pem crt planetpython.org.pem crt bugs.python.org.pem
bind :::443 ssl alpn h2,http/1.1 crt star.python.org.pem crt star.pycon.org.pem crt star.pypa.io.pem crt star.pyfound.org.pem crt speed.pypy.org.pem crt jython.org.pem crt salt-public.psf.io.pem crt planetpython.org.pem crt bugs.python.org.pem
bind :20010 ssl alpn h2,http/1.1 crt star.python.org.pem crt star.pycon.org.pem crt star.pypa.io.pem crt star.pyfound.org.pem crt speed.pypy.org.pem crt jython.org.pem crt salt-public.psf.io.pem crt planetpython.org.pem crt bugs.python.org.pem
bind :20011 accept-proxy ssl alpn h2,http/1.1 crt star.python.org.pem crt star.pycon.org.pem crt star.pypa.io.pem crt star.pyfound.org.pem crt speed.pypy.org.pem crt jython.org.pem crt salt-public.psf.io.pem crt planetpython.org.pem crt bugs.python.org.pem
{% set acme_certs = [] -%}
{% for domain in salt["pillar.get"]("tls:acme_cert_configs", {}).keys() -%}
{%- set _ = acme_certs.append("acme-" ~ domain ~ ".pem") -%}
{% endfor -%}
bind 0.0.0.0:443 ssl alpn h2,http/1.1 {% for cert in acme_certs %}crt {{ cert }} {% endfor %}
bind :::443 ssl alpn h2,http/1.1 {% for cert in acme_certs %}crt {{ cert }} {% endfor %}
bind :20010 ssl alpn h2,http/1.1 {% for cert in acme_certs %}crt {{ cert }} {% endfor %}
bind :20011 accept-proxy ssl alpn h2,http/1.1 {% for cert in acme_certs %}crt {{ cert }} {% endfor %}

# Define a stick table for all services
stick-table type ipv6 size 100k expire 30s store http_req_rate(10s)
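Review bot: The four templated `bind` lines render with no `crt` argument at all when `tls:acme_cert_configs` is missing or empty, because `pillar.get` falls back to `{}` and the `{% for cert in acme_certs %}` loop then emits nothing. HAProxy rejects an `ssl` bind that has no certificate, so a pillar problem would show up as a load balancer that fails to start or reload rather than as a template render error; I would fail the render explicitly when `acme_certs` is empty, or skip the TLS binds in that case. The order of the `crt` arguments also matters: HAProxy presents the first loaded certificate to clients that send no SNI or an unmatched name, which in the static lines was `star.python.org.pem` by construction and now follows the key order of the pillar dict. Iterating `salt["pillar.get"]("tls:acme_cert_configs", {}).keys() | sort`, or emitting the intended default certificate first, would keep that stable across renders. The `frontend main` block starts and ends outside the hunk.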