Commit 281a39c1 authored by fedora Cloud User's avatar fedora Cloud User

update Readme with instructions for uib-ssl

parent d6ba9d4a
......@@ -43,10 +43,38 @@ The content can be added to to receive a certificate from cert-mana
Two of the urls from one of the emails should be added to (vaulted) variables.
* as Certificate only, PEM encoded
* as Root/Intermediate(s) only, PEM encoded
* `certificate_only_url` as Certificate only, PEM encoded (url ends-with &format=x509CO)
* `certificate_interm_only_url` as Root/Intermediate(s) only, PEM encoded (url ends-with &format=x509IOR)
Ad dto vhost, see the example below.
To renew an existing certificate which has been sent by UiB ITA:
CSR and private key will not be updated, ITA will reuse old CSR to generate a new certificate, which we receive by mail.
* Replace/update `certificate_interm_only_url` (usually vaulted) and certificate_interm_only_url (may not have changed) with the values from the updated
* Run the playbook with the apache role with the the parameter `apache_digicert_renew` with a truthy value added
ansible-playbook monitor.yml --vault-id ~/secrets/secret -e deploy_env=prod -i inventory/hostfile -e apache_digicert_renew=true
**Example vhosts section with multiple ssl set using one certificate**
- servername: ""
ssl: true
ssl_type: "uib" # default letsencrypt if empty
altname: "," #adding altnames also for additional vhosts
certificate_interm_only_url: "{{ eksempel_no_interm_only_url }} " # url ends with &format=x509IOR
certificate_only_url: "{{ eksempel_no_cert_only_url }}" # url ends with &format=x509CO
- servername: "" # when additional hosts have ssl set, they will use the same ssl key from the first entry in apache_vhosts
ssl: true
ssl_type: "uib"
- servername: ""
ssl: true
ssl_type: "uib"
## Example playbook
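Review bot: in the renewal step list, `certificate_interm_only_url` is named twice; the first occurrence ("usually vaulted") should presumably read `certificate_only_url`, since that is the URL that changes when ITA issues the new certificate, and the sentence is cut off after "with the values from the updated" (email?). In the vhosts example the value `"{{ eksempel_no_interm_only_url }} "` has a trailing space inside the quotes that will become part of the URL the role fetches; drop it. Minor wording: "Ad dto vhost" should read "Add to vhost", and "with the the parameter" has a doubled word.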
......@@ -77,23 +105,8 @@ Ad dto vhost, see the example below.
- httpd
If uib is set, an email is sent to serveradmin containing a template for creating a ssl-request in
You get another email from the certificate provider containing various urls.
Continue by adding to the vhost section after ssl_type:
ssl_type: "uib"
certificate_interm_only_url: "# url from link to intermediate certificate only"
certificate_only_url: "# url from email to certificate only"
The role will fail (var not set) until these are set. When rerunning the playbook, a certificate should be set.
@todo Renewing a certificate.
* End of local changes *
## Begin original docs
Available variables are listed below, along with default values (see `defaults/main.yml`):
apache_enablerepo: ""
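Review bot: the `@todo Renewing a certificate.` marker is now stale, since the renewal procedure (`apache_digicert_renew`) is documented in the uib-ssl section above; drop it or point to that section. The placeholder values `"# url from link to intermediate certificate only"` and `"# url from email to certificate only"` are quoted YAML strings, so the leading `#` does not make them comments; a user who leaves them in place has the variables set to that literal text, and the "will fail (var not set) until these are set" behaviour described in the next sentence would not trigger. Consider leaving the two keys out of the snippet, or showing the `{{ ... }}` references to vaulted variables used in the example above, so the documented failure mode matches what the user sees. Also "a ssl-request" should read "an ssl-request".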