Commit 281a39c1 authored by fedora Cloud User

update Readme with instructions for uib-ssl

parent d6ba9d4a
...@@ -43,10 +43,38 @@ The content can be added to hjelp.uib.no to receive a certificate from cert-mana ...@@ -43,10 +43,38 @@ The content can be added to hjelp.uib.no to receive a certificate from cert-mana
Two of the urls from one of the emails should be added to (vaulted) variables. Two of the urls from one of the emails should be added to (vaulted) variables.
* as Certificate only, PEM encoded * `certificate_only_url` as Certificate only, PEM encoded (url ends-with &format=x509CO)
* as Root/Intermediate(s) only, PEM encoded * `certificate_interm_only_url` as Root/Intermediate(s) only, PEM encoded (url ends-with &format=x509IOR)
Ad dto vhost, see the example below. To renew an existing certificate which has been sent by UiB ITA:
CSR and private key will not be updated, ITA will reuse old CSR to generate a new certificate, which we receive by mail.
* Replace/update `certificate_interm_only_url` (usually vaulted) and certificate_interm_only_url (may not have changed) with the values from the updated
* Run the playbook with the apache role with the the parameter `apache_digicert_renew` with a truthy value added
```
ansible-playbook monitor.yml --vault-id ~/secrets/secret -e deploy_env=prod -i inventory/hostfile -e apache_digicert_renew=true
```
**Example vhosts section with multiple ssl set using one certificate**
```
apache_vhosts:
- servername: "example.com"
ssl: true
ssl_type: "uib" # default letsencrypt if empty
altname: "DNS:example2.com,DNS:example3.com" #adding altnames also for additional vhosts
certificate_interm_only_url: "{{ eksempel_no_interm_only_url }} " # url ends with &format=x509IOR
certificate_only_url: "{{ eksempel_no_cert_only_url }}" # url ends with &format=x509CO
...
- servername: "example2.com" # when additional hosts have ssl set, they will use the same ssl key from the first entry in apache_vhosts
ssl: true
ssl_type: "uib"
...
- servername: "example3.com"
ssl: true
ssl_type: "uib"
```
## Example playbook ## Example playbook
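Review bot: the first bullet under "To renew an existing certificate" names `certificate_interm_only_url` twice; the first occurrence should be `certificate_only_url` (the one that is usually vaulted), and the sentence is cut off at "with the values from the updated" (presumably "email"). In the same hunk, "Ad dto vhost" should read "Add to vhost", "with the the parameter" has a doubled word, and in the vhosts example the value `"{{ eksempel_no_interm_only_url }} "` carries a trailing space inside the quotes that would end up in the URL the role fetches; drop it so the line matches the `certificate_only_url` line below it.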
...@@ -77,23 +105,8 @@ Ad dto vhost, see the example below. ...@@ -77,23 +105,8 @@ Ad dto vhost, see the example below.
- httpd - httpd
``` ```
If uib is set, an email is sent to serveradmin containing a template for creating a ssl-request in hjelp.uib.no.
You get another email from the certificate provider containing various urls.
Continue by adding to the vhost section after ssl_type:
```
...
ssl_type: "uib"
certificate_interm_only_url: "# url from link to intermediate certificate only"
certificate_only_url: "# url from email to certificate only"
```
The role will fail (var not set) until these are set. When rerunning the playbook, a certificate should be set.
@todo Renewing a certificate.
* End of local changes *
## Begin original docs
Available variables are listed below, along with default values (see `defaults/main.yml`): Available variables are listed below, along with default values (see `defaults/main.yml`):
apache_enablerepo: "" apache_enablerepo: ""
......
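Review bot: removing this block also drops the sentence "The role will fail (var not set) until these are set. When rerunning the playbook, a certificate should be set.", which was the only place that told the operator what to expect on the first run before the url variables exist; the new text in the earlier hunk only says the two urls should be added to (vaulted) variables. Suggest carrying that sentence over next to the new bullet list. The description of the two emails (template sent to serveradmin, then the provider email with the urls) is removed here as well and is only alluded to as "one of the emails" in the new text, so check that it still survives in the text above the hunk.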