Bug #12836
Adjust our Puppet code to only support HTTPS mirrors
History
#2 Updated by BitingBird 2017-08-28 18:57:53
- Target version changed from 2017 to 2018
#3 Updated by intrigeri 2018-08-17 18:59:59
Hey espiv, since you wrote the tails::mirror class (Feature #7125), maybe you would be interested in taking care of this evolution?
I think what needs to change is:
- The $server_name class param probably needs to become required.
- The vhost templates (templates/mirror/*/*.erb) need to be updated for HTTPS-only.
- The path to the X.509 cert & key must be added as class params.
And somehow we need to require a X.509 cert and key. The good news is that all our mirrors now serve our stuff over HTTPS so this requirement is already satisfied by any active mirror. I wonder if it’s a good idea to make the certbot paths (/etc/letsencrypt/live/<%= @public_hostname %>/…) be the default value for the new parameters. I guess it’s easy to check how many of our mirrors use Let’s Encrypt certs, and if that’s 75 or more, go for it?
Initially I thought “oh, let’s set up Let’s Encrypt in the class” but then I figured that most of our mirror operators who could be interested in this class probably use their web server for other stuff too, probably have a Let’s Encrypt client set up already, and I’d rather avoid fiddling with their config. But it would be nice to at least give a hint in the class doc, such as a pointer to the voxpupuli module, for new mirror operators :)
What do you think?
#5 Updated by intrigeri 2018-08-24 05:20:03
- Assignee changed from intrigeri to espiv
> we’ll look into it and get back asap.
Amazing, thanks :)
#6 Updated by espiv 2018-09-08 17:37:23
So, it seems the majority of current mirrors do use Let’s Encrypt:
user@mimi:~$ for i in $(curl -s https://tails.boum.org/mirrors.json | jq -r ".mirrors[].url_prefix" | awk -F 'https://' '{print $2}' | awk -F '/' '{print $1}') ; do echo "mirror: $i" ; echo | openssl s_client -connect ${i}:443 2>/dev/null |openssl x509 -noout -text | grep "Issuer:" ; echo; done > /tmp/tails_mirrors_certificate_authorities
user@mimi:~$ grep "mirror" /tmp/tails_mirrors_certificate_authorities | wc -l
44
user@mimi:~$ grep "Let's Encrypt" /tmp/tails_mirrors_certificate_authorities | wc -l
31
I think it should be simple enough to tweak the class so as:
- if administrator has already deployed TLS cert&key, pass the file paths as parameters
- if no TLS cert&key is specified, class will go ahead to use the existing letsencrypt module
We’ll work on such a patch.
Be back soon.
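As an added illustration of the plan above (not the tails::mirror class or any Tails code; the parameter names, the nginx layout, the web root and the use of letsencrypt::certonly from the voxpupuli module are assumptions), one way the class could take operator-provided cert/key paths and otherwise fall back to Let’s Encrypt while serving HTTPS only:

```puppet
# Illustrative class, not the real tails::mirror. Parameter names assumed.
class tails::mirror (
  String           $server_name,            # now required: no default
  Optional[String] $ssl_cert = undef,       # path to an operator-managed X.509 cert
  Optional[String] $ssl_key  = undef,       # path to the matching private key
) {
  # Either both paths are given, or neither (then we fall back to the
  # voxpupuli letsencrypt module); one without the other is a config error.
  if ($ssl_cert == undef) != ($ssl_key == undef) {
    fail('tails::mirror: ssl_cert and ssl_key must be set together')
  }

  if $ssl_cert == undef {
    include ::letsencrypt
    # Obtain a cert for the vhost name; paths below are certbot's defaults.
    letsencrypt::certonly { $server_name: }
    $cert = "/etc/letsencrypt/live/${server_name}/fullchain.pem"
    $key  = "/etc/letsencrypt/live/${server_name}/privkey.pem"
  } else {
    $cert = $ssl_cert
    $key  = $ssl_key
  }

  # HTTPS-only vhost: port 80 exists solely to redirect to HTTPS.
  # The "/$" flag lets "\$" stand for a literal nginx variable.
  $vhost = @("NGINX"/$)
    server {
      listen 80;
      server_name ${server_name};
      return 301 https://${server_name}\$request_uri;
    }
    server {
      listen 443 ssl;
      server_name ${server_name};
      ssl_certificate     ${cert};
      ssl_certificate_key ${key};
      root /srv/mirror;    # assumed web root
    }
    | NGINX

  file { "/etc/nginx/sites-enabled/${server_name}":
    ensure  => file,
    content => $vhost,
    notify  => Service['nginx'],
  }
}
```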
#7 Updated by intrigeri 2018-09-10 11:54:20
> I think it should be simple enough to tweak the class so as:
> - if administrator has already deployed TLS cert&key, pass the file paths as parameters
> - if no TLS cert&key is specified, class will go ahead to use the existing letsencrypt module
Makes sense to me!
#8 Updated by espiv 2018-10-16 16:55:10
Hi!
‘tails::letsencrypt’ declares ‘::letsencrypt’. Where does this module come from? https://git-tails.immerda.ch/puppet-letsencrypt/ seems empty. Would that be voxpupuli/puppet-letsencrypt or … ?
Thanks :)
#9 Updated by intrigeri 2018-10-17 07:40:30
> ‘tails::letsencrypt’ declares ‘::letsencrypt’. Where does this module come from? https://git-tails.immerda.ch/puppet-letsencrypt/ seems empty. Would that be voxpupuli/puppet-letsencrypt or … ?
Yes, that’s voxpupuli’s (currently v1.1.0).
#10 Updated by intrigeri 2019-02-24 11:13:41
- Target version deleted (2018)
#11 Updated by intrigeri 2019-03-07 15:27:05
- Parent task deleted (Feature #9796)
(It makes little sense that this ticket prevents us from closing Feature #9796.)
#12 Updated by intrigeri 2019-03-07 15:27:49
- Related to Feature #9796: HTTPS mirrors added