Commit 0f3cbd71 authored by Oyvind.Gjesdal's avatar Oyvind.Gjesdal

Merge branch '7-legg-inn-ssl-sertifikat-pa-tvers-av-vhosts' into 'master'

Resolve "legg inn ssl-sertifikat på tvers av vhosts"

Closes #7

See merge request uib-ub/roller-ansible/apache!6
parents 0a8cf88f f71c0f76
......@@ -11,15 +11,21 @@
stat:
path: "/etc/letsencrypt/live/{{ apache_vhosts[0].servername }}/cert.pem"
register: "letsencrypt_cert"
- name: "register a list of aliases to add to SSL"
set_fact:
ssl_alias: "{{ [ apache_vhosts[0].serveralias | default('deleteme'), apache_vhosts[0].certalias | default('deleteme') ] | reject('equalto','deleteme') | list }}"
- name: "debug"
debug:
msg: "{{ ssl_alias }}"
- name: "copy config used by certbot to server"
template:
backup: true
src: "temp.conf.j2"
dest: "/etc/httpd/conf.d/temp.conf"
when: "not letsencrypt_cert.stat.exists"
when: "not letsencrypt_cert.stat.exists or apache_vhosts[0].ssl_force | default(false) | bool"
vars:
test_servername: "{{ apache_vhosts[0].servername }}"
test_alias: "{{ ssl_alias }}"
become: true
- name: "install {{ certbot_packages }}"
......@@ -31,14 +37,15 @@
- name: "start httpd"
systemd:
name: "httpd"
state: "started"
state: "restarted"
become: true
when: "apache_vhosts[0].ssl_force | default(false) | bool"
- name: "run command to get certificate"
command: "certbot --apache certonly {{ certbot_ssl_dry_run }} --non-interactive --agree-tos --email {{ item.serveradmin }} -d {%if item.serveralias is defined %} {{ [item.servername, item.serveralias ] | join(',') }} {% else %} {{ item.servername }} {% endif %}" # noqa 204
command: "certbot --apache certonly {{ certbot_ssl_dry_run }} --non-interactive --agree-tos --email {{ item.serveradmin }} -d {{ item.servername }}{%if item.serveralias is defined or item.certalias is defined %},{{ ssl_alias | join(',') }} {% if item.ssl_force | default(false) | bool %}--expand{%endif %} {% else %}{% endif %}" # noqa 204
with_items: "{{ apache_vhosts }}"
become: true
when: "apache_certbot and not letsencrypt_cert.stat.exists and item.ssl is defined and item.ssl"
when: "(apache_certbot and not letsencrypt_cert.stat.exists and item.ssl is defined and item.ssl | bool) or (item.ssl_force | default(false) | bool and (item.ssl_type is undefined or item.ssl_type == 'certbot'))"
- name: "delete temp file from server"
file:
......
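Review bot: The `-d` list in the `run command to get certificate` task is built from `item.servername` plus `ssl_alias`, but `ssl_alias` is derived only from `apache_vhosts[0]` (the `register a list of aliases to add to SSL` task) while the task still loops over every vhost, so a second vhost that has `ssl_force` set, or that has `ssl` set while `/etc/letsencrypt/live/<first vhost>/cert.pem` is missing, asks certbot for a certificate that mixes its own name with the first vhost's aliases. The `ssl_force` branch of the new `when` also drops the `apache_certbot` and `item.ssl` guards the original condition had, so a vhost with `ssl: false` but `ssl_force: true` still triggers issuance. Since the rest of this merge treats the first vhost's certificate as the shared one, the loop could be pinned to that vhost: `when: "apache_certbot | bool and item.servername == apache_vhosts[0].servername and ((not letsencrypt_cert.stat.exists and item.ssl | default(false) | bool) or (item.ssl_force | default(false) | bool and item.ssl_type | default('certbot') == 'certbot'))"`. Note too that `state: restarted` guarded by `ssl_force` restarts httpd on every run while the flag is set, so the role's defaults/README should say `ssl_force` is a one-off switch to unset once the expanded certificate is in place. The `stat` task at the top of the hunk and the `delete temp file` task at the bottom start and end outside the hunk.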
......@@ -4,6 +4,15 @@
apache_digicert_uib_home: "/etc/digicert-uib"
apache_digicert_uib_archive: "/etc/digicert-uib/archive"
apache_digicert_uib_csr: "/etc/digicert-uib/csr"
apache_cert_vhost: "{{ apache_vhosts[0] }}"
- name: "register a list of aliases to add to SSL (All aliases must be set in certalias or serveralias. certalias is not added to httpd, but just to config.)"
set_fact:
ssl_alias: "{{ [ apache_vhosts[0].serveralias | default('deleteme'), apache_vhosts[0].certalias | default('deleteme') ] | reject('equalto','deleteme') | list }}"
- name: "debug"
debug:
msg: "{{ ssl_alias }}"
- name: "install package for mod_ssl"
package:
......@@ -23,14 +32,13 @@
- name: "create directory for vhosts"
file:
path: "{{ apache_digicert_uib_archive }}/{{ item.servername }}"
path: "{{ apache_digicert_uib_archive }}/{{ apache_cert_vhost.servername }}"
state: "directory"
owner: "root"
group: "root"
mode: "0550"
setype: "cert_t"
loop: "{{ apache_vhosts }}"
when: "item.ssl_type == 'uib'"
when: "apache_cert_vhost.ssl_type == 'uib'"
- name: "stat archive"
stat:
......@@ -45,70 +53,70 @@
- name: "generate ssl private key"
openssl_privatekey:
path: "{{ apache_digicert_uib_archive }}/{{ item.servername }}/priv_key.pem"
path: "{{ apache_digicert_uib_archive }}/{{ apache_cert_vhost.servername }}/priv_key.pem"
backup: "yes"
size: "2048"
setype: "cert_t"
loop: "{{ apache_vhosts }}"
when: "item.ssl_type | default('certbot')== 'uib'"
when: "apache_cert_vhost.ssl_type | default('certbot')== 'uib'"
- name: "generate an OpenSSL Certificate Signin request"
openssl_csr:
backup: "yes"
path: "{{ apache_digicert_uib_csr }}/{{ item.servername }}.csr"
privatekey_path: "{{ apache_digicert_uib_home }}/archive/{{ item.servername }}/priv_key.pem"
path: "{{ apache_digicert_uib_csr }}/{{ apache_cert_vhost.servername }}.csr"
privatekey_path: "{{ apache_digicert_uib_home }}/archive/{{ apache_cert_vhost.servername }}/priv_key.pem"
country_name: "NO"
organization_name: "Universitetet_i_Bergen"
common_name: "{{ item.servername }}"
subject_altname: "{{ item.altname | default(omit) }}"
loop: "{{ apache_vhosts }}"
when: "item.ssl_type | default('certbot')== 'uib'"
common_name: "{{ apache_cert_vhost.servername }}"
subject_alt_name: "{{ apache_cert_vhost.altname | default(omit) }}"
when: "apache_cert_vhost.ssl_type | default('certbot')== 'uib'"
register: "apache_csr_result"
- name: "send csr file by mail"
mail:
subject: "csr certificate request for {{ item.servername }}"
to: "{{ item.serveradmin }}"
sender: "ansible@{{ apache_cert_vhost.servername }}"
subject: "csr certificate request for {{ apache_cert_vhost.servername }}"
to: "{{ apache_cert_vhost.serveradmin }}"
host: "{{ apache_mail_host | default(omit) }}"
attach:
- "{{ apache_digicert_uib_csr }}/{{ item.servername }}.csr"
- "{{ apache_digicert_uib_csr}}/{{ apache_cert_vhost.servername }}.csr"
body: |
Ønsker å bestille SSL sertifikat.
# noqa 201 body content of mail, newline
common_name "{{ item.servername }}"
altname: "{{ item.altname | default ('ingen') }}"
wildcard: "{{ item.wildcard | default ('nei') }}"
Kan du også oppdatere sertifikatdatasen (CMDB) for {{ item.serveradmin }}?
common_name "{{ apache_cert_vhost.servername }}"
altname: "{{ apache_cert_vhost.altname | default ('ingen') }}"
wildcard: "{{ apache_cert_vhost.wildcard | default ('nei') }}"
Kan du også oppdatere sertifikatdatasen (CMDB) for {{ apache_cert_vhost.serveradmin }}?
Takk!
loop: "{{ apache_vhosts }}"
when: "item.ssl_type | default('certbot')== 'uib' and apache_csr_result.changed | bool"
when: "apache_cert_vhost.ssl_type | default('certbot')== 'uib' and apache_csr_result.changed | bool"
become: true
- name: "create symlinks for private keys"
file:
state: "link"
src: "{{ apache_digicert_uib_archive }}/{{ item.servername }}/priv_key.pem"
dest: "/etc/pki/tls/private/{{ item.servername }}.pem"
loop: "{{ apache_vhosts }}"
when: "item.ssl_type | default('certbot')== 'uib'"
src: "{{ apache_digicert_uib_archive }}/{{ apache_cert_vhost.servername }}/priv_key.pem"
dest: "/etc/pki/tls/private/{{apache_cert_vhost.servername }}.pem"
when: "apache_cert_vhost.ssl_type | default('certbot')== 'uib'"
- name: "Get certificate with certificate only"
loop: "{{ apache_vhosts }}"
get_url:
url: "{{ item.certificate_only_url }}"
get_url:
url: "{{ apache_cert_vhost.certificate_only_url }}"
setype: "cert_t"
dest: "{{ apache_digicert_uib_archive }}//{{ item.servername }}/cert.cer"
dest: "{{ apache_digicert_uib_archive }}//{{ apache_cert_vhost.servername }}/cert.cer"
backup: "yes"
mode: "0444"
when: "item.ssl_type | default('certbot')== 'uib' and item.certificate_only_url is defined"
when: "apache_cert_vhost.ssl_type | default('certbot')== 'uib' and apache_cert_vhost.certificate_only_url is defined"
- name: "Get intermediate certs only"
loop: "{{ apache_vhosts }}"
get_url:
url: "{{ item.certificate_interm_only_url }}"
url: "{{ apache_cert_vhost.certificate_interm_only_url }}"
setype: "cert_t"
dest: "{{ apache_digicert_uib_archive }}//{{ item.servername }}/cert_interm.cer"
dest: "{{ apache_digicert_uib_archive }}//{{ apache_cert_vhost.servername }}/cert_interm.cer"
backup: "yes"
mode: "0444"
when: "item.ssl_type | default('certbot')== 'uib' and item.certificate_interm_only_url is defined"
when: "apache_cert_vhost.ssl_type | default('certbot')== 'uib' and apache_cert_vhost.certificate_interm_only_url is defined"
#- name: "concat cert and intermediate"
# loop: "{{ apache_vhosts }}"
......@@ -123,20 +131,18 @@
# creates: "{ apache_digicert_uib_archive }}//{{ item.servername }}/cert.pem"
- name: "Create symlinks for certificates to /etc/pki/"
loop: "{{ apache_vhosts }}"
file:
state: "link"
src: "{{ apache_digicert_uib_archive }}/{{ item.servername }}/cert.cer"
dest: "/etc/pki/tls/certs/{{ item.servername }}.pem"
when: "item.ssl_type | default('certbot')== 'uib' and item.certificate_only_url is defined"
src: "{{ apache_digicert_uib_archive }}/{{ apache_cert_vhost.servername }}/cert.cer"
dest: "/etc/pki/tls/certs/{{ apache_cert_vhost.servername }}.pem"
when: "apache_cert_vhost.ssl_type | default('certbot')== 'uib' and apache_cert_vhost.certificate_only_url is defined"
- name: "Create symlinks for chains to /etc/pki/"
loop: "{{ apache_vhosts }}"
file:
state: "link"
src: "{{ apache_digicert_uib_archive }}/{{ item.servername }}/cert_interm.cer"
dest: "/etc/pki/tls/certs/{{ item.servername }}.chain.pem"
when: "item.ssl_type | default('certbot')== 'uib' and item.certificate_interm_only_url is defined"
src: "{{ apache_digicert_uib_archive }}/{{ apache_cert_vhost.servername }}/cert_interm.cer"
dest: "/etc/pki/tls/certs/{{ apache_cert_vhost.servername }}.chain.pem"
when: "apache_cert_vhost.ssl_type | default('certbot')== 'uib' and apache_cert_vhost.certificate_interm_only_url is defined"
- name: "Add apache vhosts ssl template"
template:
......
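Review bot: The certificate fetched by `Get certificate with certificate only` is written into the archive (with `backup: yes` replacing the previous one) and then linked into `/etc/pki/tls/certs/` by `Create symlinks for certificates to /etc/pki/`, with no check in between that it matches the `priv_key.pem` generated earlier in this file or names `apache_cert_vhost.servername`; a wrong or stale `certificate_only_url` therefore leaves httpd with a cert/key mismatch that nothing in the play notices before the service is restarted. A comparison between download and symlink would catch that; sketched below with the `openssl_*_info` modules that follow the file's `openssl_privatekey`/`openssl_csr` naming (adjust if the installed Ansible lacks them, and keep `become: true` where the key is root-only). Separately, the `ssl_alias` fact added at the top of this file is computed and printed by `debug` but, as far as these hunks show, never used in the uib path — the CSR's SANs come from `apache_cert_vhost.altname` — and `openssl_csr`'s `subject_alt_name` expects `DNS:`-prefixed entries, so it is worth confirming `altname` is supplied in that form or mapping it, e.g. `subject_alt_name: "{{ apache_cert_vhost.altname | default([]) | map('regex_replace', '^', 'DNS:') | list }}"` if `altname` is a list of bare hostnames.
```yaml
- name: "read public key of the fetched certificate"
  openssl_certificate_info:
    path: "{{ apache_digicert_uib_archive }}/{{ apache_cert_vhost.servername }}/cert.cer"
  register: "apache_cert_info"
  when: "apache_cert_vhost.ssl_type | default('certbot')== 'uib' and apache_cert_vhost.certificate_only_url is defined"
- name: "read public key of the generated private key"
  openssl_privatekey_info:
    path: "{{ apache_digicert_uib_archive }}/{{ apache_cert_vhost.servername }}/priv_key.pem"
  register: "apache_key_info"
  become: true
  when: "apache_cert_vhost.ssl_type | default('certbot')== 'uib' and apache_cert_vhost.certificate_only_url is defined"
- name: "refuse to install a certificate that does not match the key or the servername"
  assert:
    that:
      - "apache_cert_info.public_key == apache_key_info.public_key"
      - "apache_cert_info.subject.commonName == apache_cert_vhost.servername or ('DNS:' + apache_cert_vhost.servername) in (apache_cert_info.subject_alt_name | default([]))"
    fail_msg: "cert.cer for {{ apache_cert_vhost.servername }} does not match priv_key.pem or does not name the host"
  when: "apache_cert_vhost.ssl_type | default('certbot')== 'uib' and apache_cert_vhost.certificate_only_url is defined"
# … unchanged: Get intermediate certs only, symlink tasks …
```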
<VirtualHost *:80>
ServerName {{ test_servername }}
{% for alias in test_alias %}
ServerAlias {{ alias }}
{% endfor %}
</VirtualHost>
......@@ -16,7 +16,7 @@
{% if vhost.serveradmin is defined %}
ServerAdmin {{ vhost.serveradmin }}
{% endif %}
{%if vhost.ssl is undefined or not vhost.ssl | bool %}
{%if (vhost.ssl is undefined or not vhost.ssl | bool) or (vhost.force_ssl is defined and vhost.force_ssl == false) %}
{% if vhost.documentroot is defined %}
<Directory "{{ vhost.documentroot }}">
AllowOverride {{ vhost.allow_override | default(apache_allow_override) }}
......@@ -42,11 +42,12 @@ Require all denied
{% endif %}
{%endif %}
{% if vhost.ssl is defined and vhost.ssl == true %}
{% if vhost.ssl is defined and vhost.ssl == true and vhost.force_ssl | default(true) | bool %}
{{ vhost.http_only_extra_parameters | default('') }}
Redirect Permanent / https://{{ vhost.servername }}/
{% endif %}
</VirtualHost>
{% endfor %}
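Review bot: The http template keys its new redirect opt-out on `vhost.force_ssl`, while the task files in this same merge read `item.ssl_force` for a different purpose (forcing certbot re-issuance); the near-identical names invite a vhost to set one and get the other, and the two tests here disagree with each other — the DocumentRoot branch uses `vhost.force_ssl == false` (true only for a real boolean) while the redirect guard uses `vhost.force_ssl | default(true) | bool`, so a vhost with `force_ssl: "no"` gets neither a DocumentRoot nor a redirect on port 80. The security effect of this key is that `force_ssl: false` serves the site over cleartext HTTP with no redirect, so it deserves a distinct name and one normalised test: `{% set redirect_https = vhost.redirect_https | default(true) | bool %}`, then `{% if (vhost.ssl is undefined or not vhost.ssl | bool) or not redirect_https %}` and `{% if vhost.ssl is defined and vhost.ssl | bool and redirect_https %}`. Whatever the name, the role's defaults/README should state that disabling the redirect exposes the vhost over plain HTTP. The enclosing `{% for vhost in ... %}` loop starts outside this hunk.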
......@@ -10,7 +10,13 @@
{% if vhost.documentroot is defined %}
DocumentRoot "{{ vhost.documentroot }}"
{% endif %}
{% set letsencrypt_vhost_path = '/etc/letsencrypt/live/' + vhost.servername + '/' %}
{% if vhost.servername != apache_vhosts[0].servername %}
{% set key_servername = apache_vhosts[0].servername %}
{% else %}
{% set key_servername = vhost.servername %}
{% endif %}
{% set letsencrypt_vhost_path = '/etc/letsencrypt/live/' + key_servername + '/' %}
{% set default_cert_file = letsencrypt_vhost_path + 'cert.pem' %}
{% set default_cert_key = letsencrypt_vhost_path + 'privkey.pem' %}
{% set default_chain_file = letsencrypt_vhost_path + 'chain.pem' %}
......@@ -38,9 +44,9 @@
SSLOptions +StrictRequire
SSLCompression off
SSLCertificateFile {{ vhost.certificate_file | default('/etc/pki/tls/certs/'+ vhost.servername + '.pem') }}
SSLCertificateKeyFile {{ vhost.certificate_key_file | default('/etc/pki/tls/private/' + vhost.servername + '.pem') }}
SSLCertificateChainFile {{vhost.certificate_chain_file | default('/etc/pki/tls/certs/' + vhost.servername + '.chain.pem') }}
SSLCertificateFile {{ vhost.certificate_file | default('/etc/pki/tls/certs/'+ key_servername + '.pem') }}
SSLCertificateKeyFile {{ vhost.certificate_key_file | default('/etc/pki/tls/private/' + key_servername + '.pem') }}
SSLCertificateChainFile {{vhost.certificate_chain_file | default('/etc/pki/tls/certs/' + key_servername + '.chain.pem') }}
{% endif %}
{% if vhost.serveradmin is defined %}
......
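Review bot: `key_servername` at the top of the ssl template is always `apache_vhosts[0].servername` — the `else` branch only runs when `vhost.servername` already equals it — so the two-branch `{% if %}` can collapse to `{% set key_servername = apache_vhosts[0].servername %}` with a comment saying every vhost is served from the first vhost's key and certificate. That comment should also state the consequence: a vhost whose `servername` is not among the first vhost's `serveralias`/`certalias` (certbot) or `altname` (uib) presents a certificate that does not name it, clients see a hostname mismatch, and nothing in the role checks that the names line up, so the per-vhost `certificate_file`/`certificate_key_file`/`certificate_chain_file` overrides remain the escape hatch. Suggested text: `{# All vhosts share apache_vhosts[0]'s key and certificate; its SANs must cover every vhost's ServerName, otherwise set certificate_file/certificate_key_file on that vhost #}`. The enclosing vhost loop starts and ends outside these hunks.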