move to letsencrypt for our ssl cert

Author: adriaanm

doc/genesis.md

@@ -291,15 +291,6 @@ knife vault create master github-api \
   --admins adriaan
 ```
 
-## For nginx ssl
-
-```
-knife vault create master scala-ci-key \
-  --json scalaci-key.json \
-  --search 'name:jenkins-master' \
-  --admins adriaan
-```
-
 
 ## Workers that need to publish
 ```

doc/maintenance.md

@@ -57,119 +57,32 @@ Tips for addressing a temporary free-space issue on the behemoths:
   community build job is running!)
 * From time to time we can delete `~/.dbuild`, `~/.ivy2`, `~/.m2`
 
-## Updating the scala-jenkins-infra cookbook
-
-Note that the setup instructions don't require you to clone all of the
-cookbooks to your local machine, only the scala-jenkins-infra
-cookbook.  That's because our own cookbook is the one we usually
-update; the rest don't normally need to be touched.
-
-If you change the scala-jenkins-infra cookbook, you don't need
-to push your change anywhere in order to test it in production.
-We often test changes that way, and then after verifying that
-the change is working as desired in production, we push the change
-to scala/scala-jenkins-infra.
-
-To make changes,
-
-### 1. Edit the cookbook
-
-Edit the cookbook.  (For example, a common change is to edit
-one of the `.xml.erb` files for Jenkins.)
-
-### 2. Upload the cookbook
-
-    knife cookbook upload scala-jenkins-infra
-
-This always uploads the cookbook to the Typesafe account on chef.io,
-regardless of whether you made changes.
-
-### 3. Run chef-client
-
-Run `chef-client` on the affected nodes (usually jenkins-master),
-which will cause the node to get the updated cookbook from chef.io.
-You can run it automatically or manually.
-
-Running it automatically just involves waiting.  On a regular schedule
-(every 15 minutes, 30 minutes, something like that? it's configured in
-our cookbook for chef-client itself), an already running chef-client
-process will wake up and check chef.io for updates.  (The log for
-the run presumably goes somewhere, but where? See
-https://github.com/scala/scala-jenkins-infra/issues/110.)
-
-But it's usually better to do it manually because you can watch it
-happen and catch mistakes.  Any cookbook changes found will show up as
-light-gray diffs in the `chef-client` output so you can spot and
-sanity-check them.  If diffs are found, the cookbook specifies what
-should happen as a result -- for example, that service might be
-restarted.
-
-The commands to run chef-client depend on whether the node in question
-is Linux or Windows:
-
-#### Linux node
-
-Here `hostname` might be e.g. `jenkins-master` and username can be omitted
-to accept the default in your `~/.ssh/config`, or can be explicitly supplied
-e.g. `ec2-user@jenkins-master`.
-
-```
-ssh hostname   # or username@hostname to override your ~/.ssh/config default
-sudo su --login # --login needed on ubuntu to set SSL_CERT_FILE (it's done in /etc/profile.d)
-chef-client
-```
-
-#### Windows node
-
-```
-PASS=$(aws ec2 get-password-data --instance-id i-0485455cc766c86ef --priv-launch-key ~/.ssh/typesafe-scala-aws-$AWS_USER.pem | jq .PasswordData | xargs echo)
-knife winrm jenkins-worker-windows-publish chef-client -m -P $PASS
-```
 
 # Misc
 
 The remainder of this document is just rough notes.
 
-## Upload all cookbooks to chef server
-
-```
-knife cookbook upload --all
-```
-
-this has not been done since the initial install!
-
-"Adriaan could also make a tarball" of his all-cookbooks setup
-sometime, maybe.
 
 ## SSL cert
-```
-$ openssl genrsa -out scala-ci.key 2048
-```
-and
+
+We're using letsencrypt certificates, auto-renewing every 90 days.
 
 ```
-$ openssl req -new -out scala-ci.csr -key scala-ci.key -config ssl-certs/scalaci.openssl.cnf
+ sudo apt-get install python-certbot-nginx -t stretch-backports
+ sudo certbot --nginx
 ```
 
-Send CSR to SSL provider, receive scalaci.csr. Store scala-ci.key securely in vault master scala-ci-key (see above).
+The challenge/response happens over http, so I had to open up that port for master.
 
-Incorporate the cert into an ssl chain for nginx:
-```
-(cd ssl-certs && cat 00\ -\ scala-ci.crt 01\ -\ COMODORSAOrganizationValidationSecureServerCA.crt 02\ -\ COMODORSAAddTrustCA.crt 03\ -\ AddTrustExternalCARoot.crt > ../files/default/scala-ci.crt)
-```
 
+### static diffie-hellman param
 For [forward secrecy](http://axiacore.com/blog/enable-perfect-forward-secrecy-nginx/):
 ```
 openssl dhparam -out files/default/dhparam.pem 1024
 ```
 
 Using 1024 bits (instead of 2048) for DH to be Java 6 compatible... Bye-bye A+ on https://www.ssllabs.com/ssltest/analyze.html?d=scala-ci.typesafe.com
 
-Confirm values in the csr using:
-
-```
-$ openssl req -text -noout -in scala-ci.csr
-```
 
 # Give up, bypass Chef?
 

roles/nginx/templates/nginx-jenkins.conf

@@ -36,8 +36,9 @@ server {
   server_name {{ server_name }};
 
   ssl on;
-  ssl_certificate /etc/nginx/ssl/scala-ci.crt;
-  ssl_certificate_key /etc/nginx/ssl/scala-ci.key;
+    ssl_certificate /etc/letsencrypt/live/scala-ci.typesafe.com/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/scala-ci.typesafe.com/privkey.pem; # managed by Certbot
+
   # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
   ssl_dhparam /etc/nginx/ssl/dhparam.pem;
 

roles/worker/tasks/main.yml

@@ -110,8 +110,13 @@
 
 
 
+# full /etc/apt/sources.list:
+# deb http://cdn-aws.deb.debian.org/debian stretch main
+# deb http://security.debian.org/debian-security stretch/updates main
+# deb http://cdn-aws.deb.debian.org/debian stretch-updates main
+# deb http://cdn-aws.deb.debian.org/debian stretch-backports main
 - name: Add apt repo for Java 9 backports
-  apt_repository: repo='deb http://ftp.debian.org/debian stretch-backports main'
+  apt_repository: repo='deb http://cdn-aws.deb.debian.org/debian stretch-backports main'
 
 - name: Install openjdk
   apt: name={{item}} state=installed