From e8aaa8ac3f62d476e96ec912f65d92c8155ddf7c Mon Sep 17 00:00:00 2001
From: Josh Matthews
Date: Wed, 14 Mar 2018 13:42:37 -0400
Subject: [PATCH 1/4] Use letsencrypt cert for build.servo.org.
---
nginx/default | 3 +++
1 file changed, 3 insertions(+)
diff --git a/nginx/default b/nginx/default
index 6ea04f95..02bf98e7 100644
--- a/nginx/default
+++ b/nginx/default
@@ -1,7 +1,10 @@
 server {
 listen 80 default_server;
 server_name build.servo.org;
+ ssl_certificate /etc/letsencrypt/live/build.servo.org/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/build.servo.org/privkey.pem;
+ listen 443 ssl;
 location / {
 proxy_pass http://localhost:8010/;
From a4890817b01fe8ca54195b7d8986d687c5d4dea8 Mon Sep 17 00:00:00 2001
From: Josh Matthews
Date: Wed, 14 Mar 2018 13:53:21 -0400
Subject: [PATCH 2/4] Add cron job to renew build.servo.org cert.
---
nginx/init.sls | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/nginx/init.sls b/nginx/init.sls
index 86990817..bc7fabba 100644
--- a/nginx/init.sls
+++ b/nginx/init.sls
@@ -19,3 +19,20 @@ nginx:
 file.symlink:
 - target: /etc/nginx/sites-available/default
+certbot:
+ pkgrepo.managed:
+ - ppa: certbot/certbot
+ pkg.installed:
+ - pkgs:
+ - certbot
+ - python-certbot-nginx
+
+certbot renew:
+ cron.present:
+ - identifier: build-cert-renew
+ - user: root
+ - minute: 0
+ - hour: 0
+ - daymonth: 1
+ - require:
+ - pkg: certbot
From 970e47f6214f81f6a60a68ffb571e241559689d7 Mon Sep 17 00:00:00 2001
From: Josh Matthews
Date: Thu, 15 Mar 2018 12:27:58 -0400
Subject: [PATCH 3/4] Make automated tests for nginx work with a self-signed cert.
---
nginx/init.sls | 13 +++++++++++++
tests/sls/nginx/serving.py | 22 +++++++++++++++++++---
2 files changed, 32 insertions(+), 3 deletions(-)
diff --git a/nginx/init.sls b/nginx/init.sls
index bc7fabba..0c2cbcaf 100644
--- a/nginx/init.sls
+++ b/nginx/init.sls
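Review bot: The new `listen 443 ssl;` is added to the same server block that still proxies the whole site on port 80, so nothing moves clients to the TLS listener: the plain-HTTP path stays fully reachable and there is no redirect or HSTS header. If build.servo.org is meant to be served over HTTPS, move `listen 80 default_server;` into its own small server block whose only action is `return 301 https://$host$request_uri;`, and once that is known to work add `add_header Strict-Transport-Security "max-age=31536000" always;` to the TLS block. The hunk also inherits the distribution's default `ssl_protocols`, which on nginx builds of this era still include TLSv1.0/1.1, so consider pinning `ssl_protocols TLSv1.2;`. The server block continues past the end of the hunk.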
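Review bot: The `certbot renew` cron entry replaces the files under /etc/letsencrypt/live, but nothing in this state tells nginx to load them, so the running workers keep serving the old certificate until some unrelated reload happens. Add a hook to the job, e.g. `certbot renew --deploy-hook "systemctl reload nginx"`, so the reload is tied to an actual renewal; if the certificate was originally obtained with the nginx installer plugin certbot may reload nginx on its own, but that is not visible here. A later patch in this series moves the invocation into renew.sh, and the same hook belongs there.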
@@ -6,6 +6,8 @@ nginx:
 - watch:
 - pkg: nginx
 - file: /etc/nginx/sites-available/default
+ - require:
+ - cmd: create-cert
 {% endif %}
 /etc/nginx/sites-available/default:
@@ -36,3 +38,14 @@ certbot renew:
 - daymonth: 1
 - require:
 - pkg: certbot
+
+create-cert:
+ cmd.run:
+ - name: |
+ mkdir -p /etc/letsencrypt/live/build.servo.org &&
+ openssl req -x509 -newkey rsa:4096 -new -nodes -days 365 \
+ -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=build.servo.org" \
+ -keyout /etc/letsencrypt/live/build.servo.org/privkey.pem \
+ -out /etc/letsencrypt/live/build.servo.org/fullchain.pem
+ - user: root
+ - creates: /etc/letsencrypt/live/build.servo.org/fullchain.pem
\ No newline at end of file
diff --git a/tests/sls/nginx/serving.py b/tests/sls/nginx/serving.py
index 0334b9bc..286b4973 100644
--- a/tests/sls/nginx/serving.py
+++ b/tests/sls/nginx/serving.py
@@ -1,12 +1,16 @@
 import urllib.request
 import urllib.error
+import ssl
 from tests.util import Failure, Success
-def run():
+def check_url(url):
+ # We use a self-signed certificate for automated testing.
+ ssl._create_default_https_context = ssl._create_unverified_context
+
 try:
- urllib.request.urlopen('http://localhost/')
+ urllib.request.urlopen(url)
 except urllib.error.URLError as e:
 # Can call e.read() if there was a response but the HTTP status code
 # indicated error; the method is unavailable if a connection could not
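Review bot: The private key written by `openssl req ... -keyout .../privkey.pem` in the create-cert state gets whatever mode the process umask allows (openssl does not tighten it), so under root's usual 022 umask the test key is world-readable, unlike the 0600 key files certbot itself places in that directory. Start the script with a restrictive umask, e.g. `umask 077 && mkdir -p /etc/letsencrypt/live/build.servo.org &&`, or `chmod 600` privkey.pem after the openssl call. The first hunk of this file adds `- require: - cmd: create-cert` inside a jinja conditional whose opening lies outside the hunk, but the create-cert state in the second hunk does not appear to be guarded at all, so on a non-test host it would pre-populate the letsencrypt live directory with a self-signed pair and could interfere with real issuance there; confirm it is only applied where intended. The `- creates:` guard also means the `-days 365` certificate is never regenerated once it expires.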
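Review bot: `ssl._create_default_https_context = ssl._create_unverified_context` in `check_url` overwrites a private module attribute and disables certificate and hostname verification for every HTTPS connection in the process, not just this request, and it is re-applied on each call. Build an explicit context and pass it to the single `urlopen` call instead, which keeps the relaxation local and avoids depending on a private name; giving `urlopen` a `timeout` also stops the check hanging when the server accepts the connection but never answers. `check_url` continues in the next hunk.
```python
def check_url(url):
    # Self-signed test certificate: skip verification for this request only.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE

    try:
        urllib.request.urlopen(url, context=ctx, timeout=10)
    # … unchanged: URLError handling …
```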
@@ -16,8 +20,20 @@ def run():
 # Also, we're 'expecting' a string for e.reason (for the connection
 # refused error case), but it may be another exception instance.
 if not hasattr(e, 'read'):
- return Failure("Nginx is not serving requests:", str(e.reason))
+ return False, str(e.reason)
 # No need to catch HTTPError or ContentTooShortError specially here
+ return True, None
+
+
+def run():
+ result, err = check_url('http://localhost/')
+ if not result:
+ return Failure("Nginx is not serving HTTP requests:", err)
+
+ result, err = check_url('https://localhost/')
+ if not result:
+ return Failure("Nginx is not serving HTTPS requests:", err)
+
 return Success("Nginx is serving requests")
From 9c60f7f7996f6a36c961c31c9da0d526e6511aeb Mon Sep 17 00:00:00 2001
From: Josh Matthews
Date: Mon, 19 Mar 2018 15:29:56 -0400
Subject: [PATCH 4/4] Delay cert renew cron job and file a github issue on failure.
---
nginx/init.sls | 17 +++++++++++++----
nginx/renew.sh | 9 +++++++++
2 files changed, 22 insertions(+), 4 deletions(-)
create mode 100644 nginx/renew.sh
diff --git a/nginx/init.sls b/nginx/init.sls
index 0c2cbcaf..c583b003 100644
--- a/nginx/init.sls
+++ b/nginx/init.sls
@@ -29,15 +29,24 @@ certbot:
 - certbot
 - python-certbot-nginx
-certbot renew:
+/root/renew.sh:
+ file.managed:
+ - source: salt://nginx/renew.sh
+ - template: jinja
+ - user: root
+ - group: root
+ - mode: 644
+
+bash /root/renew.sh:
 cron.present:
 - identifier: build-cert-renew
 - user: root
- - minute: 0
- - hour: 0
- - daymonth: 1
+ - minute: 40
+ - hour: 2
+ - dayweek: 1
 - require:
 - pkg: certbot
+ - file: /root/renew.sh
 create-cert:
 cmd.run:
diff --git a/nginx/renew.sh b/nginx/renew.sh
new file mode 100644
index 00000000..67d9aa8b
--- /dev/null
+++ b/nginx/renew.sh
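Review bot: `/root/renew.sh` is rendered with `- template: jinja` from a source that interpolates a pillar secret (the GitHub token is visible in the new renew.sh), yet the state sets `- mode: 644`, so the token lands in a world-readable file and only the permissions of /root itself keep other local users away from it. Use `- mode: 600`; the cron entry runs the file through `bash`, so no execute bit is needed, and `- user: root` / `- group: root` can stay as they are. It would also be worth a one-line comment on the state, such as `# rendered with a pillar token; keep mode restrictive`, so the next edit does not loosen it again.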
@@ -0,0 +1,9 @@
+sleep ${RANDOM:0:2}m
+certbot renew
+if [ $? -ne 0 ] ; then
+ # Create a new issue reporting the failure
+ curl --user "servo-wpt-sync" \
+ --pass '{{ pillar["wpt-sync"]["upstream-wpt-sync-token"] }}' \
+ --data '{"title": "Cert renewal cron job failed"}' \
+ https://api.github.com/repos/servo/saltfs/issues
+fi
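Review bot: `--pass '…'` does not supply the HTTP password — in curl `--pass` is the passphrase for a client-certificate or SSH private key — so the request goes out with `--user "servo-wpt-sync"` and no credential (curl would normally prompt for one, which cannot work under cron), GitHub rejects it, and a failed renewal is never reported. Send the token as a header instead, `-H 'Authorization: token {{ pillar["wpt-sync"]["upstream-wpt-sync-token"] }}'`, or fold it into `--user "servo-wpt-sync:{{ pillar["wpt-sync"]["upstream-wpt-sync-token"] }}"`. Either form exposes the token in the process list while curl runs; if that matters on this host, hand it to curl from a 0600 file via `-K` or `--netrc-file`. The script has no shebang and relies on being run by bash (`${RANDOM:0:2}` is a bashism), so a `#!/bin/bash` first line plus `set -u` would make that explicit.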