Commit 281a39c1 authored by fedora Cloud User

update Readme with instructions for uib-ssl

parent d6ba9d4a
......@@ -43,10 +43,38 @@ The content can be added to hjelp.uib.no to receive a certificate from cert-mana
Two of the urls from one of the emails should be added to (vaulted) variables.
* as Certificate only, PEM encoded
* as Root/Intermediate(s) only, PEM encoded
* `certificate_only_url` as Certificate only, PEM encoded (url ends-with &format=x509CO)
* `certificate_interm_only_url` as Root/Intermediate(s) only, PEM encoded (url ends-with &format=x509IOR)
Ad dto vhost, see the example below.
To renew an existing certificate which has been sent by UiB ITA:
CSR and private key will not be updated, ITA will reuse old CSR to generate a new certificate, which we receive by mail.
* Replace/update `certificate_interm_only_url` (usually vaulted) and certificate_interm_only_url (may not have changed) with the values from the updated
* Run the playbook with the apache role with the the parameter `apache_digicert_renew` with a truthy value added
```
ansible-playbook monitor.yml --vault-id ~/secrets/secret -e deploy_env=prod -i inventory/hostfile -e apache_digicert_renew=true
```
**Example vhosts section with multiple ssl set using one certificate**
```
apache_vhosts:
- servername: "example.com"
ssl: true
ssl_type: "uib" # default letsencrypt if empty
altname: "DNS:example2.com,DNS:example3.com" #adding altnames also for additional vhosts
certificate_interm_only_url: "{{ eksempel_no_interm_only_url }} " # url ends with &format=x509IOR
certificate_only_url: "{{ eksempel_no_cert_only_url }}" # url ends with &format=x509CO
...
- servername: "example2.com" # when additional hosts have ssl set, they will use the same ssl key from the first entry in apache_vhosts
ssl: true
ssl_type: "uib"
...
- servername: "example3.com"
ssl: true
ssl_type: "uib"
```
## Example playbook
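Review bot: the renewal bullet "Replace/update `certificate_interm_only_url` (usually vaulted) and certificate_interm_only_url (may not have changed)" names the same variable twice; the value that always changes on renewal is the certificate itself, so the first should be `certificate_only_url`, and `certificate_interm_only_url` is the one that may not have changed. The same bullet stops at "with the values from the updated" without saying what was updated. In the vhost example, `certificate_interm_only_url: "{{ eksempel_no_interm_only_url }} "` carries a trailing space inside the quotes, which ends up in the URL the role fetches; remove it. Because the text says ITA reuses the old CSR, it should also state plainly that renewal does not rotate the private key, so a suspected key compromise requires a new CSR and a new request rather than `apache_digicert_renew=true`. Minor: "Ad dto vhost" should read "Add to vhost", and "the the parameter" doubles a word.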
......@@ -77,23 +105,8 @@ Ad dto vhost, see the example below.
- httpd
```
If uib is set, an email is sent to serveradmin containing a template for creating a ssl-request in hjelp.uib.no.
You get another email from the certificate provider containing various urls.
Continue by adding to the vhost section after ssl_type:
```
...
ssl_type: "uib"
certificate_interm_only_url: "# url from link to intermediate certificate only"
certificate_only_url: "# url from email to certificate only"
```
The role will fail (var not set) until these are set. When rerunning the playbook, a certificate should be set.
@todo Renewing a certificate.
* End of local changes *
## Begin original docs
Available variables are listed below, along with default values (see `defaults/main.yml`):
apache_enablerepo: ""
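Review bot: the removed sentence "The role will fail (var not set) until these are set. When rerunning the playbook, a certificate should be set." is the only place that tells the operator the first run is expected to fail until the two URL variables exist, and the new section in the first hunk does not restate it; carry that sentence into the new instructions next to "Ad dto vhost, see the example below." Dropping "@todo Renewing a certificate." is fine now that renewal is documented.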