[Qa-jenkins-scm] [Git][qa/jenkins.debian.net][master] 2 commits: add a cronjob to renew the SSL certs

Mattia Rizzolo gitlab at salsa.debian.org
Mon Aug 17 12:58:23 BST 2020



Mattia Rizzolo pushed to branch master at Debian QA / jenkins.debian.net


Commits:
0c6c9c76 by Mattia Rizzolo at 2020-08-17T13:55:29+02:00
add a cronjob to renew the SSL certs

Signed-off-by: Mattia Rizzolo <mattia at debian.org>

- - - - -
65be8512 by Mattia Rizzolo at 2020-08-17T13:56:48+02:00
also deploy a letsencrypt cert for buildinfos.debian.net

Signed-off-by: Mattia Rizzolo <mattia at debian.org>

- - - - -


6 changed files:

- + hosts/jenkins/etc/cron.d/letsencrypt
- + hosts/profitbricks-build7-amd64/etc/cron.d/letsencrypt
- + hosts/profitbricks-build7-amd64/etc/dehydrated/conf.d/local_local.sh
- + hosts/profitbricks-build7-amd64/etc/dehydrated/domains.txt
- + hosts/profitbricks-build7-amd64/etc/dehydrated/hooks.sh
- update_jdn.sh


Changes:

=====================================
hosts/jenkins/etc/cron.d/letsencrypt
=====================================
@@ -0,0 +1,2 @@
+MAILTO=root
+23 2 * * 0 letsencrypt perl -e 'sleep int(rand(3600))' && chronic dehydrated -c
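Review bot: Both new cron entries (this file and hosts/profitbricks-build7-amd64/etc/cron.d/letsencrypt) depend on `chronic`, which ships in moreutils, while the only packages the visible update_jdn.sh hunk adds for build7 are `dehydrated` and `dehydrated-apache2`. If moreutils is not already in the base package set (not visible here), the job would only produce a "not found" mail to root each week and no renewal would happen. The line also has no explanation, so I would add a comment above it such as `# weekly renewal attempt as the unprivileged letsencrypt user; random delay of up to 1h, chronic mails root only on failure`. Because success is silent and failure is reported only through root's mail, an independent certificate-expiry check would catch the case where that mail goes unread.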


=====================================
hosts/profitbricks-build7-amd64/etc/cron.d/letsencrypt
=====================================
@@ -0,0 +1,2 @@
+MAILTO=root
+23 2 * * 0 letsencrypt perl -e 'sleep int(rand(3600))' && chronic dehydrated -c


=====================================
hosts/profitbricks-build7-amd64/etc/dehydrated/conf.d/local_local.sh
=====================================
@@ -0,0 +1,13 @@
+# shellcheck shell=sh disable=SC2034
+
+CA="https://acme-v02.api.letsencrypt.org/directory"
+#CA="https://acme-staging-v02.api.letsencrypt.org/directory"
+
+RENEW_DAYS="30"
+KEYSIZE="4096"
+PRIVATE_KEY_RENEW="no"
+
+CHALLENGETYPE="http-01"
+HOOK="/etc/dehydrated/hooks.sh"
+
+CONTACT_EMAIL="contact at reproducible-builds.org"
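Review bot: `PRIVATE_KEY_RENEW="no"` makes every renewal reuse the existing private key, so a key that is ever exposed stays valid across all future certificates until someone rotates it by hand. dehydrated's own default is to generate a fresh key on each renewal. If the reuse is deliberate (for example because the key is pinned somewhere), record that in a comment above the line, e.g. `# keep the same key across renewals because <reason>`; otherwise drop the line and take the default.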


=====================================
hosts/profitbricks-build7-amd64/etc/dehydrated/domains.txt
=====================================
@@ -0,0 +1 @@
+buildinfos.debian.net


=====================================
hosts/profitbricks-build7-amd64/etc/dehydrated/hooks.sh
=====================================
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+set -eu
+
+OP=$1
+
+_log () {
+    echo " + ($OP) $*"
+}
+
+reload_apache () {
+    _log "Reloading apache..."
+    sudo apache2ctl graceful
+}
+
+email () {
+    # $1: domain name $6: timestamp of cert creation
+    printf "%s\n\n    %s\t%s" \
+            "The following SSL certifcate has just been renewed:" \
+            "$1" "$(date -u -d @"$6")" | \
+        mail -s "R-B SSL certifcate renewed" root
+}
+
+case "$OP" in
+    deploy_cert)
+        shift
+        reload_apache
+        email "$@"
+        ;;
+    *)
+        ;;
+esac
+
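Review bot: `reload_apache` needs `sudo apache2ctl graceful` to work non-interactively for the `letsencrypt` user, but none of the six changed files adds a sudoers entry for profitbricks-build7-amd64. Under `set -eu` a sudo failure aborts the hook before `email` runs, so the new certificate is on disk but not served. Please confirm a rule limited to exactly that command is deployed on this host, and consider `sudo -n apache2ctl graceful` so a missing rule fails immediately instead of waiting on a password prompt. Separately, `certifcate` is misspelled in both the mail body and the subject passed to `mail -s`.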


=====================================
update_jdn.sh
=====================================
@@ -146,7 +146,7 @@ users=$(for i in ${!user_host_groups[@]}; do echo ${i%,*} ; done | sort -u)
 
 	# create the letsencrypt group and user in jenkins if needed
 	# doing it here instead of using the array above as we have to use --system
-	if [ "$HOSTNAME" = jenkins ]; then
+	if [ "$HOSTNAME" = jenkins ] || [ "$HOSTNAME" = "profitbricks-build7-amd64" ]; then
 		if ! getent group letsencrypt > /dev/null ; then
 			sudo addgroup --system letsencrypt
 		fi
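Review bot: The host test `[ "$HOSTNAME" = jenkins ] || [ "$HOSTNAME" = "profitbricks-build7-amd64" ]` is now written out twice, here and in the dpkg-statoverride condition in the third hunk. If only one copy is edited when the next host is added, that host gets the letsencrypt user without the statoverride on /var/lib/dehydrated, or the reverse. Deciding once keeps them in step, for instance setting a flag from `case "$HOSTNAME" in jenkins|profitbricks-build7-amd64) letsencrypt_host=true ;; esac` and testing `$letsencrypt_host` in both places. The enclosing blocks of both hunks start and end outside the visible lines.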
@@ -361,6 +361,8 @@ if [ -f /etc/debian_version ] ; then
 			profitbricks-build1-a*|profitbricks-build10*|codethink-sled16*|osuosl-build*) DEBS="$DEBS
 				squid" ;;
 			profitbricks-build7-a*) DEBS="$DEBS
+				dehydrated
+				dehydrated-apache2
 				apache2" ;;
 			*) ;;
 		esac
@@ -654,7 +656,7 @@ sudo chown root.root /etc/sudoers.d/jenkins ; sudo chmod 700 /etc/sudoers.d/jenk
 sudo chown root.root /etc/sudoers.d/jenkins-adm ; sudo chmod 700 /etc/sudoers.d/jenkins-adm
 [ -f /etc/mailname ] || ( echo $HOSTNAME.debian.net | sudo tee /etc/mailname )
 
-if [ "$HOSTNAME" = "jenkins" ]; then
+if [ "$HOSTNAME" = "jenkins" ] || [ "$HOSTNAME" = "profitbricks-build7-amd64" ]; then
 	for path in /var/lib/dehydrated /var/lib/dehydrated/acme-challenges; do
 		if ! dpkg-statoverride --list "$path" > /dev/null; then
 			sudo dpkg-statoverride --update --add letsencrypt letsencrypt 755 "$path"



View it on GitLab: https://salsa.debian.org/qa/jenkins.debian.net/-/compare/c06304af89878e674ca8a1d4ff58476530063fda...65be85123d87d967ed78b99ba31eb581648cae4d
