action #132461

closed

QA - coordination #121720: [saga][epic] Migration to QE setup in PRG2+NUE3 while ensuring availability

QA - coordination #123800: [epic] Provide SUSE QE Tools services running in PRG2 aka. Prg CoLo

manage tls certificates on o3/ariel directly with dehydrated size:M

Added by nicksinger 10 months ago. Updated 10 months ago.

Status: Resolved
Priority: Normal
Assignee:
Category: -
Target version:
Start date: 2023-07-07
Due date:
% Done: 0%
Estimated time:
Tags:

Description

Motivation

[We got informed](https://app.slack.com/client/T02863RC2AC/C04MDKHQE20/thread/C04MDKHQE20-1688735468.778099) that ariel/o3 will have no hydra/ha-proxy setup in the new location. Therefore we need to handle our TLS certificates for nginx on our own in the future.

Acceptance criteria

  • AC1: openqa.opensuse.org has a valid certificate requested by the webhost itself
  • AC2: the process is fully automated and certificate renewal requires no human interaction
  • AC3: Any generalizable config snippets are in github.com/os-autoinst/openQA/

Suggestions

  • Install a Let's Encrypt compatible client on ariel (see https://wiki.archlinux.org/title/Transport_Layer_Security#ACME_clients for a list) - nsinger recommends [dehydrated](https://github.com/dehydrated-io/dehydrated)
  • Adjust nginx to serve the ACME challenges and reconfigure existing entries to use that new certificate
  • Feel welcome to experiment on o3 as long as you monitor closely that everything still works as expected or is quickly reverted on problems
  • Submit any generalizable config snippets into github.com/os-autoinst/openQA/, e.g. as commented nginx config templates
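
As an added illustration (not part of the ticket and not the configuration deployed on o3), a minimal nginx layout for serving the ACME http-01 challenge and using a certificate issued by dehydrated. The challenge directory and certificate paths are assumptions; they must match `WELLKNOWN` and `CERTDIR` in the local dehydrated config.

```nginx
# Port 80: answer ACME http-01 challenges, redirect everything else to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name openqa.opensuse.org;

    # dehydrated writes one token file per challenge into WELLKNOWN.
    # Assumed path; set WELLKNOWN in the dehydrated config to the same directory.
    location ^~ /.well-known/acme-challenge/ {
        alias /var/lib/acme-challenge/;
        default_type text/plain;   # tokens are plain text, never executed
        autoindex off;             # do not list pending tokens
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: serve openQA with the certificate requested by this host.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name openqa.opensuse.org;

    # Assumed paths: dehydrated keeps fullchain.pem and privkey.pem per
    # domain under CERTDIR (here /etc/dehydrated/certs).
    ssl_certificate     /etc/dehydrated/certs/openqa.opensuse.org/fullchain.pem;
    ssl_certificate_key /etc/dehydrated/certs/openqa.opensuse.org/privkey.pem;

    # Existing openQA locations (proxying to the web UI) stay unchanged here.
}
```

nginx reads the certificate only at start or reload, so unattended renewal (AC2) also needs a reload after dehydrated deploys a new certificate, for example from its `deploy_cert` hook. The private key should stay readable only by root; the nginx master process reads it before dropping privileges.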