need to tie certs to hostnames
parent
146a1ae4da
commit
1c25cba6f5
|
@ -12,6 +12,9 @@ wsgi_home: "/opt/regluit/venv"
|
||||||
wsgi_python_path: "/opt/regluit/venv/bin/python"
|
wsgi_python_path: "/opt/regluit/venv/bin/python"
|
||||||
git_repo: "https://github.com/Gluejar/regluit.git"
|
git_repo: "https://github.com/Gluejar/regluit.git"
|
||||||
git_branch: "lencrypt"
|
git_branch: "lencrypt"
|
||||||
|
#le_endpoint: https://acme-v02.api.letsencrypt.org/directory
|
||||||
|
le_endpoint: https://acme-staging-v02.api.letsencrypt.org/directory
|
||||||
|
|
||||||
|
|
||||||
### Variables in settings.prod.py ###
|
### Variables in settings.prod.py ###
|
||||||
mysql_db_name: "{{ vault_mysql_db_name }}"
|
mysql_db_name: "{{ vault_mysql_db_name }}"
|
||||||
|
|
|
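Review bot: `le_endpoint` is committed with the staging ACME directory active and the production one commented out, in a vars file whose other entries (`wsgi_home`, the `settings.prod.py` section) suggest it drives production; certificates issued by the staging endpoint chain to a test root that browsers do not trust, so a deploy from this branch as-is would serve an untrusted chain. The intent is presumably testing, but a reader of the vars file cannot tell, so a comment above the line would help: `# staging issues certs that browsers do not trust; switch to the production directory before deploying`. For consistency with every other value in this file, also quote the URL, `le_endpoint: "https://acme-staging-v02.api.letsencrypt.org/directory"`.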
@ -1,9 +1,18 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
|
# create account key by hand on ansible host with (for example)
|
||||||
|
# openssl genrsa -out private/letsencrypt_account.key 4096
|
||||||
|
#
|
||||||
|
# create server key by hand on ansible host with (for example)
|
||||||
|
# openssl genrsa -out private/{{ server_name }}.key 4096
|
||||||
|
#
|
||||||
|
# create a code signing request by hand on ansible host with (for example)
|
||||||
|
# openssl req -new -sha256 -key private/{{ server_name }}.key -out {{ server_name }}.csr -subj /CN=m.unglue.it
|
||||||
|
|
||||||
- name: Make sure account exists and has given contacts. We agree to TOS.
|
- name: Make sure account exists and has given contacts. We agree to TOS.
|
||||||
acme_account:
|
acme_account:
|
||||||
account_key_src: private/letsencrypt_account.key
|
account_key_src: private/letsencrypt_account.key
|
||||||
acme_directory: https://acme-v02.api.letsencrypt.org/directory
|
acme_directory: "{{ le_endpoint }}"
|
||||||
acme_version: 2
|
acme_version: 2
|
||||||
state: present
|
state: present
|
||||||
terms_agreed: yes
|
terms_agreed: yes
|
||||||
|
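Review bot: The added header comment calls the CSR a "code signing request" and hardcodes `-subj /CN=m.unglue.it`, although the task below and the rest of the file key everything on `{{ server_name }}`; with the commit's goal of tying certs to hostnames the example should read `# create a certificate signing request (CSR) by hand on ansible host with (for example)` followed by `# openssl req -new -sha256 -key private/{{ server_name }}.key -out csrs/{{ server_name }}.csr -subj /CN={{ server_name }}`. The `csrs/` prefix matters because the `acme_certificate` tasks in the following hunks read `csrs/{{ server_name }}.csr`, while the comment as written drops the CSR in the working directory. The `acme_account` task continues past the end of this hunk.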
@ -11,15 +20,30 @@
|
||||||
- mailto:support@ebookfoundation.org
|
- mailto:support@ebookfoundation.org
|
||||||
delegate_to: 127.0.0.1
|
delegate_to: 127.0.0.1
|
||||||
|
|
||||||
|
- name: Fetch certs
|
||||||
|
become: yes
|
||||||
|
fetch:
|
||||||
|
src: /etc/ssl/certs/{{ item }}
|
||||||
|
dest: private/certs/{{ item }}
|
||||||
|
flat: yes
|
||||||
|
fail_on_missing: no
|
||||||
|
with_items:
|
||||||
|
- '{{ server_name }}.crt'
|
||||||
|
- '{{ server_name }}.ca-bundle'
|
||||||
|
tags:
|
||||||
|
- certs
|
||||||
|
|
||||||
- name: Create a challenge for server_name using a account key file.
|
- name: Create a challenge for server_name using a account key file.
|
||||||
acme_certificate:
|
acme_certificate:
|
||||||
account_key_src: private/letsencrypt_account.key
|
account_key_src: private/letsencrypt_account.key
|
||||||
acme_directory: https://acme-v02.api.letsencrypt.org/directory
|
acme_directory: "{{ le_endpoint }}"
|
||||||
acme_version: 2
|
acme_version: 2
|
||||||
|
remaining_days: 45
|
||||||
|
force: yes
|
||||||
select_crypto_backend: openssl
|
select_crypto_backend: openssl
|
||||||
csr: "private/{{ server_name }}.csr"
|
csr: "csrs/{{ server_name }}.csr"
|
||||||
dest: tmp/server.crt
|
dest: private/certs/{{ server_name }}.crt
|
||||||
fullchain_dest: /tmp/server.ca-bundle
|
fullchain_dest: private/certs/{{ server_name }}.ca-bundle
|
||||||
delegate_to: 127.0.0.1
|
delegate_to: 127.0.0.1
|
||||||
register: acme_challenge
|
register: acme_challenge
|
||||||
|
|
||||||
|
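Review bot: `force: yes` next to the new `remaining_days: 45` makes the latter ineffective: per the module's documentation, `force` runs the challenge and issuance even when the existing certificate is still valid for more than `remaining_days`, so every play run orders a fresh certificate, which on the production directory counts against Let's Encrypt's duplicate-certificate rate limit and also defeats the purpose of the new "Fetch certs" task (it pulls the current cert back precisely so the renewal check can work). Drop the `force: yes` line, or gate it on a variable that defaults to false, e.g. `force: "{{ le_force_renew | default(false) }}"` (variable name is a suggestion). The same `remaining_days`/`force` pair appears again in the `@ -50,26 +74,28 @@` hunk below. A short comment on the fetch task, `# pull the current cert back so acme_certificate can evaluate remaining_days; missing on first run`, would explain why `fail_on_missing: no` is there.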
@ -50,26 +74,28 @@
|
||||||
- name: Create a challenge for server_name using a account key file.
|
- name: Create a challenge for server_name using a account key file.
|
||||||
acme_certificate:
|
acme_certificate:
|
||||||
account_key_src: private/letsencrypt_account.key
|
account_key_src: private/letsencrypt_account.key
|
||||||
acme_directory: https://acme-v02.api.letsencrypt.org/directory
|
acme_directory: "{{ le_endpoint }}"
|
||||||
acme_version: 2
|
acme_version: 2
|
||||||
|
remaining_days: 45
|
||||||
|
force: yes
|
||||||
select_crypto_backend: openssl
|
select_crypto_backend: openssl
|
||||||
csr: "private/{{ server_name }}.csr"
|
csr: "csrs/{{ server_name }}.csr"
|
||||||
dest: /tmp/server.crt
|
dest: private/certs/{{ server_name }}.crt
|
||||||
fullchain_dest: /tmp/server.ca-bundle
|
fullchain_dest: private/certs/{{ server_name }}.ca-bundle
|
||||||
data: "{{ acme_challenge }}"
|
data: "{{ acme_challenge }}"
|
||||||
delegate_to: 127.0.0.1
|
delegate_to: 127.0.0.1
|
||||||
|
|
||||||
- name: Copy certs
|
- name: Copy certs
|
||||||
become: yes
|
become: yes
|
||||||
copy:
|
copy:
|
||||||
src: /tmp/{{ item }}
|
src: private/certs/{{ item }}
|
||||||
dest: /etc/ssl/certs/{{ item }}.key
|
dest: /etc/ssl/certs/{{ item }}
|
||||||
owner: "{{ user_name }}"
|
owner: "{{ user_name }}"
|
||||||
group: "{{ user_name }}"
|
group: "{{ user_name }}"
|
||||||
mode: 0600
|
mode: 0600
|
||||||
with_items:
|
with_items:
|
||||||
- 'server.crt'
|
- '{{ server_name }}.crt'
|
||||||
- 'server.ca-bundle'
|
- '{{ server_name }}.ca-bundle'
|
||||||
notify:
|
notify:
|
||||||
- restart apache
|
- restart apache
|
||||||
tags:
|
tags:
|
||||||
|
|
|
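Review bot: The "Copy certs" task now deploys only the public `{{ server_name }}.crt` and `{{ server_name }}.ca-bundle` items; nothing in this play ships a private key named after `server_name`, even though the header comment earlier in the file describes generating `private/{{ server_name }}.key`, so the key the CSR was signed with has to reach the host some other way. A one-line comment above the task, `# only public artifacts are copied here; the matching private key is provisioned separately`, would make that explicit for the next person who wonders why the key is missing from `with_items`. The `tags:` list at the bottom of the hunk continues outside it.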
@ -23,9 +23,9 @@ ServerAdmin info@ebookfoundation.org
|
||||||
SSLEngine on
|
SSLEngine on
|
||||||
SSLProtocol All -SSLv2 -SSLv3
|
SSLProtocol All -SSLv2 -SSLv3
|
||||||
|
|
||||||
SSLCertificateFile /etc/ssl/certs/server.crt
|
SSLCertificateFile /etc/ssl/certs/{{ server_name }}.crt
|
||||||
SSLCertificateKeyFile /etc/ssl/private/server.key
|
SSLCertificateKeyFile /etc/ssl/private/server.key
|
||||||
SSLCertificateChainFile /etc/ssl/certs/server.ca-bundle
|
SSLCertificateChainFile /etc/ssl/certs/{{ server_name }}.ca-bundle
|
||||||
|
|
||||||
#SSLCertificateChainFile /etc/ssl/certs/gd_bundle.crt
|
#SSLCertificateChainFile /etc/ssl/certs/gd_bundle.crt
|
||||||
|
|
||||||
|
|
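Review bot: `SSLCertificateFile` and `SSLCertificateChainFile` are renamed to `{{ server_name }}`-specific files, but `SSLCertificateKeyFile` still points at `/etc/ssl/private/server.key`; if that file is not the key that signed `{{ server_name }}.csr` (the tasks file comment generates the key as `private/{{ server_name }}.key`), Apache will refuse to start with a key/certificate mismatch, and the `restart apache` handler triggered by the copy task would take the site down. Either rename the key path to match, `SSLCertificateKeyFile /etc/ssl/private/{{ server_name }}.key`, and deploy that key alongside the cert, or add a comment stating that `server.key` is deliberately shared across hostnames. The enclosing `<VirtualHost>` block starts and ends outside this hunk.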