From 78def9edd41eddd9f833a1399eb99f8509b11b08 Mon Sep 17 00:00:00 2001
From: Richard Liang
Date: Mon, 8 Jul 2024 10:26:31 -0700
Subject: [PATCH] Added an Ansible script for updating the SSL certificates.
---
 cluster-setup/README.md | 4 +--
 .../roles/kive_server/files/001-kive-ssl.conf | 4 +--
 .../roles/kive_server/tasks/main.yml | 16 +++++-----
 .../update_apache_ssl_2024_07_08.yaml | 14 +++++++++
 .../deployment/update_ssl_certs.yaml | 29 +++++++++++++++++++
 5 files changed, 54 insertions(+), 13 deletions(-)
 create mode 100644 cluster-setup/deployment/update_apache_ssl_2024_07_08.yaml
 create mode 100644 cluster-setup/deployment/update_ssl_certs.yaml
diff --git a/cluster-setup/README.md b/cluster-setup/README.md
index 9d206821..80de88f7 100644
--- a/cluster-setup/README.md
+++ b/cluster-setup/README.md
@@ -186,9 +186,7 @@ These must be acquired securely from IT or within the software group, and placed
 The files needed are:
-* `DigiCertCA.crt`: the DigiCert certificate authority (CA) key, which specifies that DigiCert
- issued the key.
-* `star_cfe.crt`: the wildcard certificate issued by DigiCert, which certifies that this server
+* `star_cfe_chained.crt`: the chained SSL certificate issued by DigiCert, which certifies that this server
 belongs to the `cfenet.ubc.ca` or `bccfe.ca` domain.
 * `star_cfe.key`: our private signing key, used to issue a public key for HTTPS connections.
diff --git a/cluster-setup/deployment/roles/kive_server/files/001-kive-ssl.conf b/cluster-setup/deployment/roles/kive_server/files/001-kive-ssl.conf
index 748a7d1c..5d810968 100644
--- a/cluster-setup/deployment/roles/kive_server/files/001-kive-ssl.conf
+++ b/cluster-setup/deployment/roles/kive_server/files/001-kive-ssl.conf
@@ -14,9 +14,9 @@ SSLEngine on
- SSLCertificateFile /etc/ssl/certs/star_cfe.crt
+ SSLCertificateFile /etc/ssl/certs/star_cfe_chained.crt
 SSLCertificateKeyFile /etc/ssl/private/star_cfe.key
- SSLCertificateChainFile /etc/ssl/certs/DigiCertCA.crt
+ # SSLCertificateChainFile /etc/ssl/certs/DigiCertCA.crt
 #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
diff --git a/cluster-setup/deployment/roles/kive_server/tasks/main.yml b/cluster-setup/deployment/roles/kive_server/tasks/main.yml
index 35459071..33e07e52 100644
--- a/cluster-setup/deployment/roles/kive_server/tasks/main.yml
+++ b/cluster-setup/deployment/roles/kive_server/tasks/main.yml
@@ -156,8 +156,8 @@
 - name: install SSL certificate
 copy:
- src: star_cfe.crt
- dest: /etc/ssl/certs/star_cfe.crt
+ src: star_cfe_chained.crt
+ dest: /etc/ssl/certs/star_cfe_chained.crt
 owner: root
 group: root
@@ -169,12 +169,12 @@
 group: root
 mode: "0600"
- - name: install SSL certificate chain file
- copy:
- src: DigiCertCA.crt
- dest: /etc/ssl/certs/DigiCertCA.crt
- owner: root
- group: root
+# - name: install SSL certificate chain file
+# copy:
+# src: DigiCertCA.crt
+# dest: /etc/ssl/certs/DigiCertCA.crt
+# owner: root
+# group: root
 - name: set up log purging
diff --git a/cluster-setup/deployment/update_apache_ssl_2024_07_08.yaml b/cluster-setup/deployment/update_apache_ssl_2024_07_08.yaml
new file mode 100644
index 00000000..cf138707
--- /dev/null
+++ b/cluster-setup/deployment/update_apache_ssl_2024_07_08.yaml
@@ -0,0 +1,14 @@
+---
+
+- name: update the Apache SSL configuration file
+ hosts: head
+ tasks:
+ - name: install the httpd site configuration for Kive
+ copy:
+ src: deployment/roles/kive_server/files/001-kive-ssl.conf
+ dest: /etc/apache2/sites-available
+ owner: root
+ group: root
+
+- name: update the SSL certificates and restart Apache
+ ansible.builtin.import_playbook: update_ssl_certs.yaml
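Review bot: The commented-out `# SSLCertificateChainFile /etc/ssl/certs/DigiCertCA.crt` line is dead configuration that tells the next editor nothing about why the chain directive went away; delete it and leave a comment stating the new arrangement, e.g. `# Intermediates are bundled in star_cfe_chained.crt (leaf first, then intermediates); SSLCertificateChainFile is deprecated since Apache 2.4.8 and the chain is read from SSLCertificateFile.` Apache checks at startup that the leaf certificate matches the key but does not verify that the chain reaches a trusted root, so a bundle that is missing an intermediate still passes `apache2ctl configtest` and only surfaces as client verification failures — check the served chain with `openssl s_client -connect <host>:443 -showcerts` after the first rollout. The enclosing configuration block begins and ends outside this hunk.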
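Review bot: The six `+#` lines in the second hunk comment out the chain-file task instead of removing it, which leaves dead YAML in the role; git history already preserves the old task, so delete the block outright. Hosts provisioned by the previous version of this role will still carry `/etc/ssl/certs/DigiCertCA.crt`, which the vhost no longer references — harmless as far as I can tell, but if the role is meant to converge hosts to a known state, replace the commented block with a `file` task that removes it (below). The `install SSL certificate` task in the first hunk also sets no `mode`, unlike the key task's `"0600"`; an explicit `mode: "0644"` keeps the public certificate world-readable by design rather than by whatever umask the remote happens to have.
```yaml
- name: remove the SSL certificate chain file installed by earlier versions of this role
  file:
    path: /etc/ssl/certs/DigiCertCA.crt
    state: absent
```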
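Review bot: `src: deployment/roles/kive_server/files/001-kive-ssl.conf` is a relative path in a playbook that itself lives in `cluster-setup/deployment/`, so Ansible will look under that directory's `files/` subdirectory and then the directory itself before falling back to the working directory; as far as I can tell it resolves only when `ansible-playbook` is run from `cluster-setup/`, a dependency the imported playbook's bare `src: star_cfe_chained.crt` does not share. Anchor it to the playbook instead: `src: "{{ playbook_dir }}/roles/kive_server/files/001-kive-ssl.conf"`. Because the imported playbook reloads Apache immediately after this copy, `backup: true` on the task gives you the previous vhost file to restore if the new one fails the reload.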
diff --git a/cluster-setup/deployment/update_ssl_certs.yaml b/cluster-setup/deployment/update_ssl_certs.yaml
new file mode 100644
index 00000000..70bc15f4
--- /dev/null
+++ b/cluster-setup/deployment/update_ssl_certs.yaml
@@ -0,0 +1,29 @@
+---
+
+- name: update SSL certificates
+ hosts: head
+ tasks:
+ - name: install SSL certificate
+ copy:
+ src: star_cfe_chained.crt
+ dest: /etc/ssl/certs/star_cfe_chained.crt
+ owner: root
+ group: root
+
+ - name: install SSL key
+ copy:
+ src: star_cfe.key
+ dest: /etc/ssl/private/star_cfe.key
+ owner: root
+ group: root
+ mode: "0600"
+
+- name: reload Apache configuration
+ hosts: head
+ tasks:
+ - name: reload Apache configuration
+ systemd:
+ name: apache2
+ state: reloaded
+ enabled: true
+ daemon_reload: true
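Review bot: Both copy tasks write the new certificate and key straight into place with no `validate` and no `backup`, so a truncated or mismatched pair is only discovered when the second play reloads Apache, by which point the previously working files have been overwritten. Add `backup: true` and an `openssl`-based `validate` to each task (below); `openssl x509`/`openssl pkey` only confirm that each file parses, so the reload remains the real check — if the unit's reload runs a configtest the old workers keep serving on failure, but confirm that on this host rather than assuming it. Note that the backup of the key keeps its `0600` mode but is still a live private key and should be removed once the rollout is confirmed. The reload play also fires on every run whether or not anything changed; a `reload apache` handler with `notify:` on the two copy tasks is the idiomatic form, and `daemon_reload: true` is unnecessary since no unit file is modified here.
```yaml
    - name: install SSL certificate
      copy:
        # … unchanged: src, dest, owner, group …
        mode: "0644"
        backup: true
        validate: "openssl x509 -noout -in %s"

    - name: install SSL key
      copy:
        # … unchanged: src, dest, owner, group, mode …
        backup: true
        validate: "openssl pkey -noout -in %s"
```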