Bug #12836

Adjust our Puppet code to only support HTTPS mirrors

Added by Anonymous 2017-06-21 17:12:50. Updated 2019-03-07 15:27:05.

Status:
Confirmed
Priority:
Normal
Assignee:
espiv
Category:
Infrastructure
Target version:
Start date:
2017-06-21
Due date:
% Done:

0%

Feature Branch:
Type of work:
Code
Blueprint:

Starter:
Affected tool:
Deliverable for:

Description


Subtasks


Related issues

Related to Tails - Feature #9796: HTTPS mirrors Resolved 2017-06-21

History

#1 Updated by intrigeri 2017-06-22 08:02:54

  • Target version set to 2017

(Like the parent ticket.)

#2 Updated by BitingBird 2017-08-28 18:57:53

  • Target version changed from 2017 to 2018

#3 Updated by intrigeri 2018-08-17 18:59:59

Hey espiv, since you wrote the tails::mirror class (Feature #7125), maybe you would be interested in taking care of this evolution?

I think what needs to change is:

  • The $server_name class param probably needs to become required.
  • The vhost templates (templates/mirror/*/*.erb) need to be updated for HTTPS-only.
  • The path to the X.509 cert & key must be added as class params.

And somehow we need to require a X.509 cert and key. The good news is that all our mirrors now serve our stuff over HTTPS so this requirement is already satisfied by any active mirror. I wonder if it’s a good idea to make the certbot paths (/etc/letsencrypt/live/<%= @public_hostname %>/…) be the default value for the new parameters. I guess it’s easy to check how many of our mirrors use Let’s Encrypt certs, and if that’s 75 or more, go for it?

Initially I thought “oh, let’s set up Let’s Encrypt in the class” but then I figured that most of our mirror operators who could be interested in this class probably use their web server for other stuff too, probably have a Let’s Encrypt client set up already, and I’d rather avoid fiddling with their config. But it would be nice to at least give a hint in the class doc, such as a pointer to the voxpupuli module, for new mirror operators :)

What do you think?

#4 Updated by espiv 2018-08-23 17:22:08

Hello there,

we’ll look into it and get back asap.

#5 Updated by intrigeri 2018-08-24 05:20:03

  • Assignee changed from intrigeri to espiv

> we’ll look into it and get back asap.

Amazing, thanks :)

#6 Updated by espiv 2018-09-08 17:37:23

So,

it seems the majority of current mirrors do use Let’s Encrypt:

user@mimi:~$ for i in $(curl -s https://tails.boum.org/mirrors.json \
                 | jq -r ".mirrors[].url_prefix" \
                 | awk -F 'https://' '{print $2}' | awk -F '/' '{print $1}'); do
    echo "mirror: $i"
    # -servername sends SNI, so a host with several vhosts hands back the
    # mirror's own certificate rather than its default one
    echo | openssl s_client -servername "$i" -connect "${i}:443" 2>/dev/null \
        | openssl x509 -noout -text | grep "Issuer:"
    echo
done > /tmp/tails_mirrors_certificate_authorities
user@mimi:~$ grep "mirror:" /tmp/tails_mirrors_certificate_authorities | wc -l
44
user@mimi:~$ grep "Let's Encrypt" /tmp/tails_mirrors_certificate_authorities | wc -l
31

I think it should be simple enough to tweak the class so as:

- if the administrator has already deployed a TLS cert & key, pass the file paths as parameters
- if no TLS cert & key is specified, the class will go ahead and use the existing letsencrypt module

We’ll work on such a patch.
Be back soon.
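
The class shape that both #3 (required $server_name, HTTPS-only vhost template, cert and key paths as class params) and #6 (use the given paths, otherwise fall back to the letsencrypt module) describe, written out as an added Puppet sketch. This is not the real tails::mirror code from the Tails Puppet repository: the parameter names, the nginx vhost, the web root and the fullchain.pem/privkey.pem file names are assumptions; letsencrypt::certonly is the defined type from voxpupuli/puppet-letsencrypt and the /etc/letsencrypt/live/<name>/ layout is certbot's. The operator is still expected to configure the letsencrypt class (its email, in particular) elsewhere.

```puppet
# Added example, not the project's tails::mirror class.
# Parameter names, template and paths are assumptions.
class tails::mirror (
  String[1]           $server_name,          # now required: used for the vhost and the LE cert
  Optional[String[1]] $ssl_cert = undef,     # path to an existing certificate (any CA)
  Optional[String[1]] $ssl_key  = undef,     # path to its private key
) {

  # Either both paths are given, or neither; a half-configured TLS setup is a bug.
  if ($ssl_cert == undef) != ($ssl_key == undef) {
    fail('tails::mirror: set both $ssl_cert and $ssl_key, or neither of them')
  }

  if $ssl_cert {
    # The operator already has a cert: only reference the files, do not touch
    # their ACME client configuration.
    $cert_path = $ssl_cert
    $key_path  = $ssl_key
  } else {
    # No cert given: obtain one with voxpupuli/puppet-letsencrypt (assumed to
    # be configured, e.g. with an email, elsewhere) and use certbot's live/ paths.
    include ::letsencrypt
    letsencrypt::certonly { $server_name:
      domains => [$server_name],
    }
    $cert_path = "/etc/letsencrypt/live/${server_name}/fullchain.pem"
    $key_path  = "/etc/letsencrypt/live/${server_name}/privkey.pem"
  }

  # HTTPS-only nginx vhost (assumed web server): port 80 only redirects,
  # nothing from the mirror is served in clear.
  $vhost_template = @(NGINX)
    server {
      listen 80;
      listen [::]:80;
      server_name <%= $server_name %>;
      return 301 https://$host$request_uri;
    }

    server {
      listen 443 ssl;
      listen [::]:443 ssl;
      server_name <%= $server_name %>;
      ssl_certificate     <%= $cert_path %>;
      ssl_certificate_key <%= $key_path %>;
      # Clients that reached us once over HTTPS keep doing so.
      add_header Strict-Transport-Security "max-age=31536000" always;
      root /var/www/tails-mirror;
    }
    | NGINX

  file { "/etc/nginx/sites-available/${server_name}":
    ensure  => file,
    content => inline_epp($vhost_template, {
      'server_name' => $server_name,
      'cert_path'   => $cert_path,
      'key_path'    => $key_path,
    }),
  }
}
```

Declaring the class with only `server_name` takes the Let's Encrypt branch; passing `ssl_cert` and `ssl_key` skips it entirely, which is what keeps the class from interfering with a mirror operator's existing ACME setup.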

#7 Updated by intrigeri 2018-09-10 11:54:20

> I think it should be simple enough to tweak the class so as:

> - if the administrator has already deployed a TLS cert & key, pass the file paths as parameters
> - if no TLS cert & key is specified, the class will go ahead and use the existing letsencrypt module

Makes sense to me!

#8 Updated by espiv 2018-10-16 16:55:10

Hi!

‘tails::letsencrypt’ declares ‘::letsencrypt’. Where does this module come from? https://git-tails.immerda.ch/puppet-letsencrypt/ seems empty. Would that be voxpupuli/puppet-letsencrypt or … ?

Thanks :)

#9 Updated by intrigeri 2018-10-17 07:40:30

> ‘tails::letsencrypt’ declares ‘::letsencrypt’. Where does this module come from? https://git-tails.immerda.ch/puppet-letsencrypt/ seems empty. Would that be voxpupuli/puppet-letsencrypt or … ?

Yes, that’s voxpupuli’s (currently v1.1.0).

#10 Updated by intrigeri 2019-02-24 11:13:41

  • Target version deleted (2018)

#11 Updated by intrigeri 2019-03-07 15:27:05

(It makes little sense that this ticket prevents us from closing Feature #9796.)

#12 Updated by intrigeri 2019-03-07 15:27:49