Added an Ansible script for updating the SSL certificates.

cluster-setup/README.md

@@ -186,9 +186,7 @@ These must be acquired securely from IT or within the software group, and placed
 
 The files needed are:
 
-* `DigiCertCA.crt`: the DigiCert certificate authority (CA) key, which specifies that DigiCert
-  issued the key.
-* `star_cfe.crt`: the wildcard certificate issued by DigiCert, which certifies that this server
+* `star_cfe_chained.crt`: the chained SSL certificate issued by DigiCert, which certifies that this server
   belongs to the `cfenet.ubc.ca` or `bccfe.ca` domain.
 * `star_cfe.key`: our private signing key, used to issue a public key for HTTPS connections.
 

cluster-setup/deployment/roles/kive_server/files/001-kive-ssl.conf

@@ -14,9 +14,9 @@
 
         SSLEngine on
 
-        SSLCertificateFile      /etc/ssl/certs/star_cfe.crt
+        SSLCertificateFile      /etc/ssl/certs/star_cfe_chained.crt
         SSLCertificateKeyFile /etc/ssl/private/star_cfe.key
-        SSLCertificateChainFile /etc/ssl/certs/DigiCertCA.crt
+        # SSLCertificateChainFile /etc/ssl/certs/DigiCertCA.crt
 
         #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
         <FilesMatch "\.(cgi|shtml|phtml|php)$">

cluster-setup/deployment/roles/kive_server/tasks/main.yml

@@ -156,8 +156,8 @@
 
     - name: install SSL certificate
       copy:
-        src: star_cfe.crt
-        dest: /etc/ssl/certs/star_cfe.crt
+        src: star_cfe_chained.crt
+        dest: /etc/ssl/certs/star_cfe_chained.crt
         owner: root
         group: root
 
@@ -169,12 +169,12 @@
         group: root
         mode: "0600"
 
-    - name: install SSL certificate chain file
-      copy:
-        src: DigiCertCA.crt
-        dest: /etc/ssl/certs/DigiCertCA.crt
-        owner: root
-        group: root
+#    - name: install SSL certificate chain file
+#      copy:
+#        src: DigiCertCA.crt
+#        dest: /etc/ssl/certs/DigiCertCA.crt
+#        owner: root
+#        group: root
 
 
 - name: set up log purging

cluster-setup/deployment/update_apache_ssl_2024_07_08.yaml

@@ -0,0 +1,14 @@
+---
+
+- name: update the Apache SSL configuration file
+  hosts: head
+  tasks:
+    - name: install the httpd site configuration for Kive
+      copy:
+        src: deployment/roles/kive_server/files/001-kive-ssl.conf
+        dest: /etc/apache2/sites-available
+        owner: root
+        group: root
+
+- name: update the SSL certificates and restart Apache
+  ansible.builtin.import_playbook: update_ssl_certs.yaml

cluster-setup/deployment/update_ssl_certs.yaml

@@ -0,0 +1,29 @@
+---
+
+- name: update SSL certificates
+  hosts: head
+  tasks:
+    - name: install SSL certificate
+      copy:
+        src: star_cfe_chained.crt
+        dest: /etc/ssl/certs/star_cfe_chained.crt
+        owner: root
+        group: root
+
+    - name: install SSL key
+      copy:
+        src: star_cfe.key
+        dest: /etc/ssl/private/star_cfe.key
+        owner: root
+        group: root
+        mode: "0600"
+
+- name: reload Apache configuration
+  hosts: head
+  tasks:
+    - name: reload Apache configuration
+      systemd:
+        name: apache2
+        state: reloaded
+        enabled: true
+        daemon_reload: true