From ffb78229aa818d2d5de849f87f5756cf529c3faf Mon Sep 17 00:00:00 2001
From: Theo Chatzimichos
Date: Jan 21 2018 15:32:01 +0000
Subject: Merge branch 'fix_gitlab_certs' into 'production'

fix the key's extension at the gitlab's nginx vhost

See merge request infra/salt!163
---

diff --git a/bin/test_nginx.sh b/bin/test_nginx.sh
index bbda54c..c848b74 100755
--- a/bin/test_nginx.sh
+++ b/bin/test_nginx.sh
@@ -24,12 +24,22 @@ create_fake_certs() {
 PRIVATE_KEYS=( $(grep ssl_certificate_key pillar/role/$role.sls | cut -d':' -f2) )
 for key in ${PRIVATE_KEYS[@]}; do
- $SUDO cp test/fixtures/domain.key $key
+ if [[ ${key##*.} != 'key' ]]; then
+ echo "pillar/role/$role.sls \"ssl_certificate_key: $key\" should have extension .key"
+ STATUS=1
+ else
+ $SUDO cp test/fixtures/domain.key $key
+ fi
 done
 PUBLIC_CERTS=( $(grep "ssl_certificate:" pillar/role/$role.sls | cut -d':' -f2) )
 for cert in ${PUBLIC_CERTS[@]}; do
- $SUDO cp test/fixtures/domain.crt $cert
+ if [[ ${cert##*.} != 'crt' ]]; then
+ echo "pillar/role/$role.sls \"ssl_certificate: $cert\" should have extension .crt"
+ STATUS=1
+ else
+ $SUDO cp test/fixtures/domain.crt $cert
+ fi
 done
 }
diff --git a/pillar/role/web_gitlab.sls b/pillar/role/web_gitlab.sls
index 827a63f..36f64ca 100644
--- a/pillar/role/web_gitlab.sls
+++ b/pillar/role/web_gitlab.sls
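Review bot: The two new `echo` diagnostics in create_fake_certs go to stdout; as test-failure messages they belong on stderr, `echo "pillar/role/$role.sls \"ssl_certificate_key: $key\" should have extension .key" >&2` (and likewise for the `.crt` branch). `STATUS` is assigned but not declared anywhere in the hunk, so it is presumably a script-level variable the caller reads — worth confirming it is initialised before this function runs, since under `set -u` an unset `STATUS` would abort the caller rather than report the failure. The two branches are the same five lines with `key`/`.key` swapped for `cert`/`.crt`, and both still expand `$key`/`$cert` unquoted on the `cp` line (as the removed lines did), so a pillar value with whitespace or glob characters would be split or expanded before `cp` sees it; a small helper taking the pillar key, expected extension and fixture path removes the duplication and quotes the path once. `create_fake_certs` opens before the hunk and `$role` comes from outside it.
```shell
# Copy a fixture into each path the role's pillar lists under $1,
# rejecting paths that do not end in the expected extension.
install_fixture() {
  local pillar_key=$1 ext=$2 fixture=$3 path
  for path in $(grep "$pillar_key" "pillar/role/$role.sls" | cut -d':' -f2); do
    if [[ ${path##*.} != "$ext" ]]; then
      echo "pillar/role/$role.sls \"$pillar_key $path\" should have extension .$ext" >&2
      STATUS=1
    else
      $SUDO cp "$fixture" "$path"
    fi
  done
}
# … unchanged: create_fake_certs body reduces to two calls …
#   install_fixture ssl_certificate_key: key test/fixtures/domain.key
#   install_fixture ssl_certificate: crt test/fixtures/domain.crt
```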
@@ -115,7 +115,7 @@ nginx:
 ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
 - ssl: 'on'
 - ssl_certificate: /etc/nginx/ssl/gitlab.infra.opensuse.org.crt
- - ssl_certificate_key: /etc/nginx/ssl/gitlab.infra.opensuse.org.pem
+ - ssl_certificate_key: /etc/nginx/ssl/gitlab.infra.opensuse.org.key
 # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
 - ssl_ciphers: '"ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"'
 - ssl_protocols:
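Review bot: The `ssl_certificate_key` value is renamed from `.pem` to `.key`, but nothing visible in this merge request changes whatever state places the private key on the host, so after this lands nginx would look for `/etc/nginx/ssl/gitlab.infra.opensuse.org.key` while the deployed file may still be the `.pem` — worth confirming the deploying state writes the new name before this reaches production. Once the `.key` is in place the stale `.pem` should be removed so the private key material does not sit on disk under two names. The `test_nginx.sh` change in the same merge request only validates the extension in the pillar, not that the file is actually provisioned. The enclosing `nginx:` mapping starts before the hunk.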