Ansible update of securedrop.club infrastructure

Bonjour,

I’ll upgrade securedrop.club production by running

rm molecule/preprod/.molecule/state.yml
molecule create -s preprod
ansible-playbook --private-key infrastructure_key --user debian -i inventory securedrop-club-playbook.yml

on ansible.securedrop.club. The molecule create is required to create the inventory/group_vars/all/domain.yml file to set domain: securedrop.club. This will include changes from ece578106e885ced4c75c8c43105fc2f05f66014 to 3042122593ee35858d974ddcfc8fb62f5c4a22d9

New indirect reference to the private key in /srv/checkout/private-key.yml

ssh_private_keyfile: "{{ lookup('pipe', 'git rev-parse --show-toplevel') }}/infrastructure_key"

New production variables for gitlab mirroring:

New production variables for gitlab CI:

  • srv/checkout/inventory/host_vars/gitlab-host.yml
    • gitlab_os_auth_url: https://auth.cloud.ovh.net/v2.0/
    • gitlab_os_tenant_name: ABCDEF
    • gitlab_os_username: ABCDEF
    • gitlab_os_password: ABCDEF
    • gitlab_os_region_name: DE1

The with_https and with_fake_LE variables are now global and unset by default:

  • inventory/group_vars/all/https.yml is removed
  • the new file inventory/group_vars/all/with_https.yml is modified to uncomment with_https: true

The inventory/host_vars/icinga-host/monitoring.yml file does not need modification for vhost_fqdn anymore.

Manual verification checklist:

  • A shared runner should be registered in lab.securedrop.club. It can be assigned to a project, a .gitlab-ci.yml uploaded to verify it runs ok. :thumbsup:
  • gitlab is upgraded and the upgrade is hopefully not causing trouble :+1:
    image: sameersbn/gitlab:8.13.2
    image: sameersbn/gitlab:10.1.3
  • Login ssh -p 2222 debian@lab.securedrop.club and sudo tail -f /var/log/syslog and wait 5 minutes to check if the mirror happens. Also try it manually :+1:
  • Verify weblate is still able to communicate properly with lab.securedrop.club :thumbsup:
    • sudo docker-compose -f docker-compose-securedrop-club.yml exec weblate bash
    • cd /app/data/vcs/securedrop/securedrop
    • git fetch
  • Verify weblate site (in admin) is weblate.securedrop.club and not star :thumbsup:

Cheers
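The checklist above is done by hand over ssh. As an added example (not part of the original post or of the securedrop.club playbooks), here is a small script that does the container-image part of that verification from the output of `docker ps --format '{{.Names}} {{.Image}}'`. The sample output and the container names are constructed; the expected gitlab tag is the one from the post, the expected https-portal tag is an assumption. It also flags any image that runs untagged or on `:latest`, so the operator at least knows which images can change underneath the next `docker pull`.

```python
"""Post-upgrade check for the container images named in the checklist.

Added example, not part of the original post. It parses the output of
`docker ps --format '{{.Names}} {{.Image}}'` (the sample below is
constructed) and compares it against the image tags the upgrade was
supposed to leave running, flagging anything unpinned on the way.
"""

# Constructed sample of what `docker ps --format '{{.Names}} {{.Image}}'`
# might print on gitlab-host after the upgrade. Container names are assumptions.
SAMPLE_PS_OUTPUT = """\
gitlab sameersbn/gitlab:10.1.3
gitlab-postgresql sameersbn/postgresql:9.6-2
https-portal steveltn/https-portal:latest
"""

# Tags the upgrade is expected to leave running. The gitlab tag is from the
# post; the https-portal tag is an assumption made for this example.
EXPECTED = {
    "gitlab": "sameersbn/gitlab:10.1.3",
    "https-portal": "steveltn/https-portal:1",
}


def parse_ps(output):
    """Map container name -> image reference from `docker ps` output."""
    running = {}
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        name, image = line.split(None, 1)
        running[name] = image.strip()
    return running


def split_tag(image):
    """Return (repository, tag); tag is None when the reference is untagged.

    Only a ':' after the last '/' separates the tag; an earlier colon
    belongs to a registry host:port and must not be mistaken for one."""
    repo, sep, tag = image.rpartition(":")
    if not sep or "/" in tag:
        return image, None
    return repo, tag


def verify_images(output, expected):
    """Return a list of human-readable findings; an empty list means all checks pass."""
    running = parse_ps(output)
    findings = []
    for name, want in expected.items():
        got = running.get(name)
        if got is None:
            findings.append(f"{name}: container not running")
            continue
        if got != want:
            findings.append(f"{name}: running {got}, expected {want}")
    for name, image in running.items():
        _, tag = split_tag(image)
        if tag is None or tag == "latest":
            findings.append(f"{name}: image {image} is not pinned to a version")
    return findings


if __name__ == "__main__":
    for finding in verify_images(SAMPLE_PS_OUTPUT, EXPECTED) or ["all images as expected"]:
        print(finding)
```

Run it on the host with the real `docker ps` output piped in place of the constructed sample; on the sample it reports that https-portal is on `:latest` rather than the expected `:1`, and that `:latest` is unpinned.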

The upgrade of gitlab seems to be ok but https-portal needs update.


Failed to obtain certs for gitlab.securedrop.club
2017/11/26 13:11:27 [notice] 149#149: signal process started
Generating RSA private key, 2048 bit long modulus
.+++
...+++
e is 65537 (0x10001)
Signing certificates from https://acme-v01.api.letsencrypt.org
Parsing account key...
Parsing CSR...
Registering account...
Traceback (most recent call last):
File "/bin/acme_tiny", line 198, in
main(sys.argv[1:])
File "/bin/acme_tiny", line 194, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)
File "/bin/acme_tiny", line 92, in get_crt
raise ValueError("Error registering: {0} {1}".format(code, result))
ValueError: Error registering: 400 {
"type": "urn:acme:error:malformed",
"detail": "Provided agreement URL [https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf] does not match current agreement URL [https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf]",
"status": 400
}

Failed to sign lab.securedrop.club, is DNS set up properly?

This was fixed with:

molecule login -s preprod --host gitlab-host
sudo docker pull steveltn/https-portal:1
sudo docker stop https-portal
sudo docker destroy https-portal

And running ansible-playbook --private-key infrastructure_key --user debian -i inventory molecule/gitlab/gitlab-playbook.yml. The better option is to use steveltn/https-portal:latest instead of steveltn/https-portal:1
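The failure above is an ACME v1 client registering with an agreement URL baked into an old image after the CA had moved to new terms. As an added example (not part of the original post, of https-portal, or of acme_tiny), the script below shows the pre-flight check that would have caught this before the playbook ran: compare the agreement URL the client will send with the one the CA publishes in its directory document, and recover the current URL from a failed registration's error body. The directory response is a constructed sample (the real v1 directory carries the terms-of-service URL under `meta`, which is assumed here); both URLs and the error body are taken from the log in the post.

```python
"""Pre-flight check for the ACME v1 agreement-URL mismatch seen in the log.

Added example, not part of the original post or of https-portal/acme_tiny.
"""
import json
import re

# Constructed sample of an ACME v1 directory response. The "meta" layout is
# assumed; the terms-of-service URL is the one named in the error message.
SAMPLE_DIRECTORY = json.dumps({
    "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",
    "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",
    "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",
    "meta": {
        "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    },
})

# Agreement URL the old https-portal image sent (from the log in the post).
CLIENT_AGREEMENT = "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"

# Error body returned by the CA, as printed in the traceback in the post.
SAMPLE_ERROR_BODY = """{
"type": "urn:acme:error:malformed",
"detail": "Provided agreement URL [https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf] does not match current agreement URL [https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf]",
"status": 400
}"""


def current_terms(directory_json):
    """Terms-of-service URL published by the CA, or None if the directory has none."""
    return json.loads(directory_json).get("meta", {}).get("terms-of-service")


def agreement_matches(directory_json, client_url):
    """True when the client's agreement URL is the one the CA currently expects."""
    return current_terms(directory_json) == client_url


def terms_from_error(error_body):
    """Recover the current agreement URL from a malformed-registration error.

    Returns None for any other error type, so a caller does not retry blindly
    on unrelated 400s."""
    err = json.loads(error_body)
    if err.get("type") != "urn:acme:error:malformed":
        return None
    m = re.search(r"current agreement URL \[([^\]]+)\]", err.get("detail", ""))
    return m.group(1) if m else None


if __name__ == "__main__":
    if agreement_matches(SAMPLE_DIRECTORY, CLIENT_AGREEMENT):
        print("agreement URL is current; registration should succeed")
    else:
        print("client will send", CLIENT_AGREEMENT)
        print("CA currently expects", current_terms(SAMPLE_DIRECTORY))
        print("update the ACME client image before re-running the playbook")
```

Against a live CA the directory JSON would come from an HTTP GET of the directory URL (here `https://acme-v01.api.letsencrypt.org/directory`) instead of the constructed sample; the comparison is the same.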

The update is complete and all is well.