need to tie certs to hostnames

certbot
eric 2019-01-31 12:25:36 -05:00
parent 146a1ae4da
commit 1c25cba6f5
3 changed files with 44 additions and 15 deletions


@ -12,6 +12,9 @@ wsgi_home: "/opt/regluit/venv"
wsgi_python_path: "/opt/regluit/venv/bin/python" wsgi_python_path: "/opt/regluit/venv/bin/python"
git_repo: "https://github.com/Gluejar/regluit.git" git_repo: "https://github.com/Gluejar/regluit.git"
git_branch: "lencrypt" git_branch: "lencrypt"
#le_endpoint: https://acme-v02.api.letsencrypt.org/directory
le_endpoint: https://acme-staging-v02.api.letsencrypt.org/directory
### Variables in settings.prod.py ### ### Variables in settings.prod.py ###
mysql_db_name: "{{ vault_mysql_db_name }}" mysql_db_name: "{{ vault_mysql_db_name }}"
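Review bot: The new `le_endpoint` value on the line below `git_branch` points at the Let's Encrypt staging directory while the production URL sits in a comment, so any host provisioned from these vars receives a certificate from the staging CA, which browsers do not trust. If staging is intentional for this branch, document it where the toggle lives, e.g. `# staging CA: issued certs are NOT publicly trusted; switch to acme-v02 for production` above the active line; otherwise consider making the production directory the default and overriding to staging per environment. The commented-out line also lacks the space after `#` that yamllint's comments rule expects.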


@ -1,9 +1,18 @@
--- ---
# create account key by hand on ansible host with (for example)
# openssl genrsa -out private/letsencrypt_account.key 4096
#
# create server key by hand on ansible host with (for example)
# openssl genrsa -out private/{{ server_name }}.key 4096
#
# create a code signing request by hand on ansible host with (for example)
# openssl req -new -sha256 -key private/{{ server_name }}.key -out {{ server_name }}.csr -subj /CN=m.unglue.it
- name: Make sure account exists and has given contacts. We agree to TOS. - name: Make sure account exists and has given contacts. We agree to TOS.
acme_account: acme_account:
account_key_src: private/letsencrypt_account.key account_key_src: private/letsencrypt_account.key
acme_directory: https://acme-v02.api.letsencrypt.org/directory acme_directory: "{{ le_endpoint }}"
acme_version: 2 acme_version: 2
state: present state: present
terms_agreed: yes terms_agreed: yes
@ -11,15 +20,30 @@
- mailto:support@ebookfoundation.org - mailto:support@ebookfoundation.org
delegate_to: 127.0.0.1 delegate_to: 127.0.0.1
- name: Fetch certs
become: yes
fetch:
src: /etc/ssl/certs/{{ item }}
dest: private/certs/{{ item }}
flat: yes
fail_on_missing: no
with_items:
- '{{ server_name }}.crt'
- '{{ server_name }}.ca-bundle'
tags:
- certs
- name: Create a challenge for server_name using a account key file. - name: Create a challenge for server_name using a account key file.
acme_certificate: acme_certificate:
account_key_src: private/letsencrypt_account.key account_key_src: private/letsencrypt_account.key
acme_directory: https://acme-v02.api.letsencrypt.org/directory acme_directory: "{{ le_endpoint }}"
acme_version: 2 acme_version: 2
remaining_days: 45
force: yes
select_crypto_backend: openssl select_crypto_backend: openssl
csr: "private/{{ server_name }}.csr" csr: "csrs/{{ server_name }}.csr"
dest: tmp/server.crt dest: private/certs/{{ server_name }}.crt
fullchain_dest: /tmp/server.ca-bundle fullchain_dest: private/certs/{{ server_name }}.ca-bundle
delegate_to: 127.0.0.1 delegate_to: 127.0.0.1
register: acme_challenge register: acme_challenge
@ -50,26 +74,28 @@
- name: Create a challenge for server_name using a account key file. - name: Create a challenge for server_name using a account key file.
acme_certificate: acme_certificate:
account_key_src: private/letsencrypt_account.key account_key_src: private/letsencrypt_account.key
acme_directory: https://acme-v02.api.letsencrypt.org/directory acme_directory: "{{ le_endpoint }}"
acme_version: 2 acme_version: 2
remaining_days: 45
force: yes
select_crypto_backend: openssl select_crypto_backend: openssl
csr: "private/{{ server_name }}.csr" csr: "csrs/{{ server_name }}.csr"
dest: /tmp/server.crt dest: private/certs/{{ server_name }}.crt
fullchain_dest: /tmp/server.ca-bundle fullchain_dest: private/certs/{{ server_name }}.ca-bundle
data: "{{ acme_challenge }}" data: "{{ acme_challenge }}"
delegate_to: 127.0.0.1 delegate_to: 127.0.0.1
- name: Copy certs - name: Copy certs
become: yes become: yes
copy: copy:
src: /tmp/{{ item }} src: private/certs/{{ item }}
dest: /etc/ssl/certs/{{ item }}.key dest: /etc/ssl/certs/{{ item }}
owner: "{{ user_name }}" owner: "{{ user_name }}"
group: "{{ user_name }}" group: "{{ user_name }}"
mode: 0600 mode: 0600
with_items: with_items:
- 'server.crt' - '{{ server_name }}.crt'
- 'server.ca-bundle' - '{{ server_name }}.ca-bundle'
notify: notify:
- restart apache - restart apache
tags: tags:
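Review bot: `force: yes` in the first acme_certificate task (the one that registers acme_challenge) defeats the `remaining_days: 45` check added just above it: the module's force option requests a new certificate even when the existing one is still valid for more than remaining_days, so every playbook run re-issues, which makes the new "Fetch certs" task (whose only purpose is to give the module an existing certificate to inspect) a no-op and is likely to hit the CA's per-domain issuance rate limits once le_endpoint is switched to production. Unless re-issuing on every run is intended while testing against staging, drop that line (force defaults to no) or gate it on a variable, and treat the second acme_certificate call carrying `data:` the same way so the two steps agree. `fail_on_missing: no` on the fetch is what lets the very first run succeed before any certificate exists on the host; a one-line comment saying so, `# first run: no cert on the host yet`, would save the next reader a guess.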


@ -23,9 +23,9 @@ ServerAdmin info@ebookfoundation.org
SSLEngine on SSLEngine on
SSLProtocol All -SSLv2 -SSLv3 SSLProtocol All -SSLv2 -SSLv3
SSLCertificateFile /etc/ssl/certs/server.crt SSLCertificateFile /etc/ssl/certs/{{ server_name }}.crt
SSLCertificateKeyFile /etc/ssl/private/server.key SSLCertificateKeyFile /etc/ssl/private/server.key
SSLCertificateChainFile /etc/ssl/certs/server.ca-bundle SSLCertificateChainFile /etc/ssl/certs/{{ server_name }}.ca-bundle
#SSLCertificateChainFile /etc/ssl/certs/gd_bundle.crt #SSLCertificateChainFile /etc/ssl/certs/gd_bundle.crt
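Review bot: `SSLCertificateKeyFile /etc/ssl/private/server.key` is left as a fixed name while the two lines around it now use `{{ server_name }}`; the playbook's header comments generate the key as `private/{{ server_name }}.key` and the CSR from it, so the certificate Apache loads is now per-host but the key path is not, and a host whose server.key does not match the issued certificate will refuse to start with a key/certificate mismatch. Parameterize it the same way, `SSLCertificateKeyFile /etc/ssl/private/{{ server_name }}.key`, and make sure whatever task deploys the private key (not visible in this diff) writes to that same path with owner-only permissions. The enclosing VirtualHost block starts and ends outside the hunk.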