
Allow using archived LetsEncrypt certificates (sysadmin#17791)

Zen Fu requested to merge sysadmin/17791/allow_archived_certs into master

This change allows for using archived certificates.

Logic to use it and revert changes afterwards (maybe automatically after a certain date) should go in our private Puppet Master repository. The simplest way to use it (which is not automatically reversible) would be:

diff --git a/manifests/nodes.pp b/manifests/nodes.pp
index decbb2e0..3bd7f587 100644
--- a/manifests/nodes.pp
+++ b/manifests/nodes.pp
@@ -1456,7 +1456,14 @@ node 'www.lizard' {
   include ::tails::redmine::redirector
   include ::tails::weblate::reverse_proxy
   include ::tails::weblate::staging_reverse_proxy
-  include ::tails::website
+
+  # TODO: Remove LetsEncrypt overrides after Feb 28 2021.
+  #       See: https://gitlab.tails.boum.org/tails/sysadmin/-/issues/17791
+  class { '::tails::website':
+    letsencrypt_subdir    => 'archive',
+    letsencrypt_fullchain => 'fullchain14.pem',
+    letsencrypt_privkey   => 'privkey14.pem',
+  }
 
   @@::tails::monitoring::service::http { 'translate.tails.boum.org':
     ip        => '198.252.153.59',
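Review bot: the `letsencrypt_fullchain => 'fullchain14.pem'` and `letsencrypt_privkey => 'privkey14.pem'` parameters in the new `class { '::tails::website': }` block pin the node to one numbered file pair under `archive`, so a later renewal that writes a higher-numbered pair will not be picked up, and the only thing scheduling the revert is the TODO comment dated Feb 28 2021. I would pair this override with something that fails loudly if it outlives that date, for example an expiry check on the pinned certificate in monitoring or a date guard in the private repository as the description suggests. The comment should also say why version 14 specifically is needed, since the reason is not visible in the hunk.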
Edited by Zen Fu
