This repository has been archived by the owner on Jun 13, 2019. It is now read-only.

T/letsencrypt haproxy #1053

Merged
merged 25 commits into from Jul 21, 2016
@till till commented Jul 18, 2016

Open issues:

  • I think letsencrypt comes too late (for haproxy)
  • potentially, there is also a race condition between the instance responding to the DNS and us being able to get certs

Testing:

  • test the entire provisioning process
  • loadbalancer should start
  • loadbalancer should have cronjob setup
  • loadbalancer should have certs in /etc/letsencrypt/live
  • certs should be combined (/etc/nginx/ssl/cert.combined.pem)
  • loadbalancer should respond on https

Finishes: DEVOPS-163

@till till self-assigned this Jul 18, 2016

till commented Jul 18, 2016

@gilleyj can you test this as well? (There is a cs error still, feel free to push a fix up, or I will do it later.)

@till till assigned gilleyj and unassigned till Jul 18, 2016

till commented Jul 20, 2016

@gilleyj I think we stop/start the lb instance on Scholar Playground to test the entire lifecycle. Might be easier to do this with DNS and what not.

till added a commit that referenced this pull request Jul 20, 2016
gilleyj pushed a commit that referenced this pull request Jul 20, 2016
till added 11 commits July 20, 2016 18:50
 * make ssl dir configurable and inject
 * append certs into a combined file
 * reload haproxy afterwards

Related: DEVOPS-163
 * for ssl_dir
 * for etc_dir (see bug fixed in #1052)

Related: DEVOPS-163
 * ensure we don't duplicate command logic in setup and renewal
 * since all recipes are executed initially, we will be able to retrieve initial certs

Related: DEVOPS-163
 * wrap renewal/setup code in function
 * be a little more verbose with messaging from cron
 * ensure we can actually initially setup certs
 * update documentation

Related: DEVOPS-163
(This may imply that we cannot reload haproxy on the first run because
it is not yet there. But I will have to try this later.) :shipit:

Related: DEVOPS-163
 * document limitations
 * allow initial setup to fail in case dependencies are missing

Related: DEVOPS-163
till added 9 commits July 20, 2016 23:36
 * unify mock on command
 * test ssl disabled also

Related: DEVOPS-163
 * consolidate checking input (e.g. is this really a path or actual)
 * push chomp chomp into new method

Related: DEVOPS-163
till and others added 5 commits July 21, 2016 17:55
 * objective is to always have a cert in place so haproxy can start
 * defeats the chicken-egg problem
 * actual SSL certs will be deployed or let's encrypted later

Related: DEVOPS-163
 * remove stubs
 * remove test
Change of the SSL redirect action to not do if is letsencrypt
@gilleyj gilleyj merged commit 6487c83 into master Jul 21, 2016
@till till mentioned this pull request Jul 21, 2016
@till till deleted the t/letsencrypt-haproxy branch September 14, 2016 22:04
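
The testing checklist and the "append certs into a combined file" commit both depend on a combined PEM (certificate chain plus private key) that haproxy can load. The following is an added example, not code from this pull request: a Ruby check that could run before the haproxy reload. The function name `check_combined_pem`, the sample hostname and the self-signed sample data are assumptions constructed for the demonstration.

```ruby
require 'openssl'

PEM_BLOCK = /(-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \2-----)/m

# Returns a list of problems; an empty list means the bundle looks loadable.
# `mode` is the file's permission bits (File.stat(path).mode), if known.
def check_combined_pem(text, mode: nil)
  blocks = text.scan(PEM_BLOCK)
  certs = blocks.select { |_, label| label == 'CERTIFICATE' }
                .map { |pem, _| OpenSSL::X509::Certificate.new(pem) }
  keys = blocks.select { |_, label| label.end_with?('PRIVATE KEY') }
               .map { |pem, _| OpenSSL::PKey.read(pem) }
  problems = []
  problems << 'no certificate' if certs.empty?
  problems << "expected 1 private key, found #{keys.size}" unless keys.size == 1
  leaf = certs.first # the leaf certificate is expected first in the chain
  if leaf && keys.size == 1 && !leaf.check_private_key(keys.first)
    problems << 'private key does not match leaf certificate'
  end
  problems << 'leaf certificate expired' if leaf && leaf.not_after < Time.now
  # The combined file holds the private key, so group/other need no access.
  problems << 'file accessible by group/other' if mode && (mode & 0o077) != 0
  problems
end

# Constructed sample data: a throwaway self-signed certificate and two keys.
def sample_cert(key, cn)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

KEY = OpenSSL::PKey::RSA.new(2048)
OTHER_KEY = OpenSSL::PKey::RSA.new(2048)
CERT = sample_cert(KEY, 'lb.example.test')
GOOD = CERT.to_pem + KEY.to_pem        # matching pair
BAD = CERT.to_pem + OTHER_KEY.to_pem   # stale or wrong key appended

puts check_combined_pem(GOOD, mode: 0o600).inspect
puts check_combined_pem(BAD, mode: 0o600).inspect
```

Running the check against the real file and skipping the reload when the list is non-empty keeps a half-written or mismatched bundle from taking the load balancer's HTTPS listener down.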