[Qa-jenkins-scm] [Git][qa/jenkins.debian.net][master] 2 commits: add a cronjob to renew the SSL certs
Mattia Rizzolo
gitlab at salsa.debian.org
Mon Aug 17 12:58:23 BST 2020
Mattia Rizzolo pushed to branch master at Debian QA / jenkins.debian.net
Commits:
0c6c9c76 by Mattia Rizzolo at 2020-08-17T13:55:29+02:00
add a cronjob to renew the SSL certs
Signed-off-by: Mattia Rizzolo <mattia at debian.org>
- - - - -
65be8512 by Mattia Rizzolo at 2020-08-17T13:56:48+02:00
also deploy a letsencrypt cert for buildinfos.debian.net
Signed-off-by: Mattia Rizzolo <mattia at debian.org>
- - - - -
6 changed files:
- + hosts/jenkins/etc/cron.d/letsencrypt
- + hosts/profitbricks-build7-amd64/etc/cron.d/letsencrypt
- + hosts/profitbricks-build7-amd64/etc/dehydrated/conf.d/local_local.sh
- + hosts/profitbricks-build7-amd64/etc/dehydrated/domains.txt
- + hosts/profitbricks-build7-amd64/etc/dehydrated/hooks.sh
- update_jdn.sh
Changes:
=====================================
hosts/jenkins/etc/cron.d/letsencrypt
=====================================
@@ -0,0 +1,2 @@
+MAILTO=root
+23 2 * * 0 letsencrypt perl -e 'sleep int(rand(3600))' && chronic dehydrated -c
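Review bot: The job depends on `chronic` (from moreutils), and nothing in the visible update_jdn.sh hunks adds that package for profitbricks-build7-amd64, which gets an identical cron file in the next section. If it is not already installed there, the `&&` chain fails every week and the certificate eventually lapses unless someone reads the cron mail to root. Please confirm that moreutils is in that host's package list. A header comment in both files would also help, e.g. `# weekly renewal check as user letsencrypt, delayed by up to an hour; chronic prints output only on failure`.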
=====================================
hosts/profitbricks-build7-amd64/etc/cron.d/letsencrypt
=====================================
@@ -0,0 +1,2 @@
+MAILTO=root
+23 2 * * 0 letsencrypt perl -e 'sleep int(rand(3600))' && chronic dehydrated -c
=====================================
hosts/profitbricks-build7-amd64/etc/dehydrated/conf.d/local_local.sh
=====================================
@@ -0,0 +1,13 @@
+# shellcheck shell=sh disable=SC2034
+
+CA="https://acme-v02.api.letsencrypt.org/directory"
+#CA="https://acme-staging-v02.api.letsencrypt.org/directory"
+
+RENEW_DAYS="30"
+KEYSIZE="4096"
+PRIVATE_KEY_RENEW="no"
+
+CHALLENGETYPE="http-01"
+HOOK="/etc/dehydrated/hooks.sh"
+
+CONTACT_EMAIL="contact at reproducible-builds.org"
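Review bot: `PRIVATE_KEY_RENEW="no"` makes every renewal reuse the existing 4096-bit key, so a key that leaks once stays valid for all later certificates until someone rotates it by hand, and the file gives no reason for the choice. If key reuse is intended (for example because something pins the key), a comment should say so, e.g. `# keep the key across renewals because <reason>; rotate manually if compromise is suspected`. Otherwise dropping the line restores dehydrated's default of a fresh key per renewal.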
=====================================
hosts/profitbricks-build7-amd64/etc/dehydrated/domains.txt
=====================================
@@ -0,0 +1 @@
+buildinfos.debian.net
=====================================
hosts/profitbricks-build7-amd64/etc/dehydrated/hooks.sh
=====================================
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+set -eu
+
+OP=$1
+
+_log () {
+ echo " + ($OP) $*"
+}
+
+reload_apache () {
+ _log "Reloading apache..."
+ sudo apache2ctl graceful
+}
+
+email () {
+ # $1: domain name $6: timestamp of cert creation
+ printf "%s\n\n %s\t%s" \
+ "The following SSL certifcate has just been renewed:" \
+ "$1" "$(date -u -d @"$6")" | \
+ mail -s "R-B SSL certifcate renewed" root
+}
+
+case "$OP" in
+ deploy_cert)
+ shift
+ reload_apache
+ email "$@"
+ ;;
+ *)
+ ;;
+esac
+
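Review bot: In `reload_apache`, `sudo apache2ctl graceful` runs from cron as the letsencrypt user, so it only works with a passwordless sudoers rule for that command, and this commit shows no such rule for profitbricks-build7-amd64. Writing it as `sudo -n apache2ctl graceful` makes a missing rule fail immediately instead of attempting a password prompt. Because of `set -e`, a failed reload also skips `email "$@"`, leaving the renewed certificate on disk but unserved, with the hook's exit status as the only signal. Separately, `certifcate` in the mail body and subject should read `certificate`.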
=====================================
update_jdn.sh
=====================================
@@ -146,7 +146,7 @@ users=$(for i in ${!user_host_groups[@]}; do echo ${i%,*} ; done | sort -u)
# create the letsencrypt group and user in jenkins if needed
# doing it here instead of using the array above as we have to use --system
- if [ "$HOSTNAME" = jenkins ]; then
+ if [ "$HOSTNAME" = jenkins ] || [ "$HOSTNAME" = "profitbricks-build7-amd64" ]; then
if ! getent group letsencrypt > /dev/null ; then
sudo addgroup --system letsencrypt
fi
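Review bot: The host test `[ "$HOSTNAME" = jenkins ] || [ "$HOSTNAME" = "profitbricks-build7-amd64" ]` is now repeated verbatim here and in the dpkg-statoverride hunk further down, so adding a third dehydrated host means editing both places and the two can drift apart. Setting a flag once (for example in a `case "$HOSTNAME" in jenkins|profitbricks-build7-amd64)` arm) and testing it in both blocks would avoid that. The comment above the test still says "in jenkins" and could become `# create the letsencrypt group and user on hosts running dehydrated, if needed`. The enclosing block continues outside this hunk.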
@@ -361,6 +361,8 @@ if [ -f /etc/debian_version ] ; then
profitbricks-build1-a*|profitbricks-build10*|codethink-sled16*|osuosl-build*) DEBS="$DEBS
squid" ;;
profitbricks-build7-a*) DEBS="$DEBS
+ dehydrated
+ dehydrated-apache2
apache2" ;;
*) ;;
esac
@@ -654,7 +656,7 @@ sudo chown root.root /etc/sudoers.d/jenkins ; sudo chmod 700 /etc/sudoers.d/jenk
sudo chown root.root /etc/sudoers.d/jenkins-adm ; sudo chmod 700 /etc/sudoers.d/jenkins-adm
[ -f /etc/mailname ] || ( echo $HOSTNAME.debian.net | sudo tee /etc/mailname )
-if [ "$HOSTNAME" = "jenkins" ]; then
+if [ "$HOSTNAME" = "jenkins" ] || [ "$HOSTNAME" = "profitbricks-build7-amd64" ]; then
for path in /var/lib/dehydrated /var/lib/dehydrated/acme-challenges; do
if ! dpkg-statoverride --list "$path" > /dev/null; then
sudo dpkg-statoverride --update --add letsencrypt letsencrypt 755 "$path"
View it on GitLab: https://salsa.debian.org/qa/jenkins.debian.net/-/compare/c06304af89878e674ca8a1d4ff58476530063fda...65be85123d87d967ed78b99ba31eb581648cae4d