Commit ad31e32e authored by Oyvind.Gjesdal's avatar Oyvind.Gjesdal
Browse files

Merge branch '5-legg-inn-stotte-for-uib-sertifikater-i-rolle' into 'master'

Resolve "Legg inn støtte for uib-sertifikater i rolle"

Closes #5

See merge request uib-ub/roller-ansible/apache!5
parents 4090c57e 047bcbf4
......@@ -14,12 +14,14 @@ A local rewrite of geerlingguy/ansible-role-apache with some local modifications
* Using default ssl settings from certbot installation.
* apache certbot
* apache certbot (letsencrypt)
* uib ssl
## Requirements
Local modifications requires a centos-7 host.
If cronjob for ssl renewal is set, chronic (more-utils) is required.
Local modifications requires a centos-7/centos8 host.
If cronjob for ssl renewal is set, chronic (more-utils) is required. If on centos8 more-utils requires powertools to be enabled.
## Local changes
......@@ -28,11 +30,23 @@ apache_vhosts_template_ssl: Defaults to template using letsencrypt with certbot.
certbot_ssl_debug: Default false (if set, uses --test-cert flag for letsencrypt (self-signed))
apache_deny_git: Default true, adds deny rule for .git b
apache_certbot: Default false (enables and installs certbot and certificates)
apache_certbot: Default false (enables and installs certbot and certificates) replaced by apache_ssl_service
apache_selinux: Default true (option to turn off selinux tasks if selinux is disabled)"
vhost.ssl_type: "certbot|uib" #default certbot
vhost.http_only_extra_parameters ()
vhost.ssl (undef, true if ssl to be used)
## UiB SSL
When you run a playbook with `ssl_type: uib`, the server forwards a tempate to `serveradmin` by mail (if mail is available on the server).
The content can be added to hjelp.uib.no to receive a certificate from cert-manager.com (in 2020-11).
Two of the urls from one of the emails should be added to (vaulted) variables.
* as Certificate only, PEM encoded
* as Root/Intermediate(s) only, PEM encoded
Ad dto vhost, see the example below.
## Example playbook
```
......@@ -54,11 +68,29 @@ vhost.ssl (undef, true if ssl to be used)
http_only_extra_parameters: |
ProxyPass /example.dtd http://localhost:8080/service/example.dtd
ssl: true
ssl_type: "uib|letsencrypt" # default letsencrypt if empty
certificate_interm_only_url: "{{ eksempel_no_interm_only_url }}" # only when ssl_type uib
certificate_only_url: "{{ eksempel_no_cert_only_url }}" # oly when ssl_type uib
become: true
tags:
- httpd
```
If uib is set, an email is sent to serveradmin containing a template for creating a ssl-request in hjelp.uib.no.
You get another email from the certificate provider containing various urls.
Continue by adding to the vhost section after ssl_type:
```
...
ssl_type: "uib"
certificate_interm_only_url: "# url from link to intermediate certificate only"
certificate_only_url: "# url from email to certificate only"
```
The role will fail (var not set) until these are set. When rerunning the playbook, a certificate should be set.
@todo Renewing a certificate.
* End of local changes *
Available variables are listed below, along with default values (see `defaults/main.yml`):
......
......@@ -65,3 +65,5 @@ apache_deny_git: true
apache_certbot: false
apache_sefcontext_httpd_sys_content_t: []
apache_sefcontext_httpd_sys_rw_content_t: []
apache_disabled_modules:
......@@ -8,6 +8,7 @@
with_items: "{{ apache_ports_configuration_items }}"
notify: "restart apache"
register: apache_config_result
- name: "delete centos autoindex, welcome, userdir conf"
file:
path: "/etc/httpd/conf.d/{{ item }}"
......@@ -23,9 +24,34 @@
register: apache_ssl_certificates
with_items: "{{ apache_vhosts_ssl }}"
- name: "Register if any hosts has ssl for letsencrypt (ssl_type undefined or 'certbot')"
debug:
msg: "set variable if some vhost has ssl defined"
with_items: "{{ apache_vhosts }}"
register: "apache_vhost_has_ssl_certbot"
when: "item.ssl | default (false) | bool and (item.ssl_type is undefined or item.ssl_type =='letsencrypt')"
- name: "Register if any hosts has ssl for digicert / uib"
debug:
msg: "set variable if some vhost has ssl defined"
with_items: "{{ apache_vhosts }}"
register: "apache_vhost_has_ssl_digicert"
when: "item.ssl | default (false) | bool and item.ssl_type is defined and item.ssl_type =='uib'"
- name: "debug apache_vhost_has_ssl.digicert"
debug:
msg: "{{ apache_vhost_has_ssl_digicert }}"
- name: "include digicert-uib"
include_tasks: "uib_ssl.yml"
# don't include if debug task was skipped (no items with uib type)
when: "not apache_vhost_has_ssl_digicert.results[0].skipped | default(false) | bool"
#check if some vhost has certbot set for ssl
- name: Include local tasks for ssl template and certbot
include_tasks: "certbot_ssl.yml"
when: "not apache_vhost_has_ssl_certbot.results[0].skipped | default(false) | bool"
# check if some vhost as uib set for ssl
- name: Add apache vhosts configuration.
template:
src: "{{ apache_vhosts_template }}"
......
# single domain
- name: "set fact for folder for digicert"
set_fact:
apache_digicert_uib_home: "/etc/digicert-uib"
apache_digicert_uib_archive: "/etc/digicert-uib/archive"
apache_digicert_uib_csr: "/etc/digicert-uib/csr"
- name: "install package for mod_ssl"
package:
name: "mod_ssl"
- name: "create digicert-uib-folder"
file:
path: "{{ item }}"
state: "directory"
owner: root
group: "root"
mode: "0550"
loop:
- "{{ apache_digicert_uib_home }}"
- "{{ apache_digicert_uib_archive }}"
- "{{ apache_digicert_uib_csr }}"
- name: "create directory for vhosts"
file:
path: "{{ apache_digicert_uib_archive }}/{{ item.servername }}"
state: "directory"
owner: "root"
group: "root"
mode: "0550"
setype: "cert_t"
loop: "{{ apache_vhosts }}"
when: "item.ssl_type == 'uib'"
- name: "stat archive"
stat:
path: "{{ apache_digicert_uib_archive }}"
register: apace_digicert_archive
- name: "prompt for renew"
pause:
prompt: "Confirm that you want to renew your digicert certificate (y/n)"
register: "apache_digicert_confirm_renew"
when: "apache_digicert_renew | default(false) | bool"
- name: "generate ssl private key"
openssl_privatekey:
path: "{{ apache_digicert_uib_archive }}/{{ item.servername }}/priv_key.pem"
backup: "yes"
size: "2048"
setype: "cert_t"
loop: "{{ apache_vhosts }}"
when: "item.ssl_type | default('certbot')== 'uib'"
- name: "generate an OpenSSL Certificate Signin request"
openssl_csr:
backup: "yes"
path: "{{ apache_digicert_uib_csr }}/{{ item.servername }}.csr"
privatekey_path: "{{ apache_digicert_uib_home }}/archive/{{ item.servername }}/priv_key.pem"
country_name: "NO"
organization_name: "Universitetet_i_Bergen"
common_name: "{{ item.servername }}"
subject_altname: "{{ item.altname | default(omit) }}"
loop: "{{ apache_vhosts }}"
when: "item.ssl_type | default('certbot')== 'uib'"
register: "apache_csr_result"
- name: "send csr file by mail"
mail:
subject: "csr certificate request for {{ item.servername }}"
to: "{{ item.serveradmin }}"
attach:
- "{{ apache_digicert_uib_csr}}/{{ item.servername }}.csr"
body: |
Ønsker å bestille SSL sertifikat.
common_name "{{ item.servername }}"
altname: "{{ item.altname | default ('ingen') }}"
wildcard: "{{ item.wildcard | default ('nei') }}"
Kan du også oppdatere sertifikatdatasen (CMDB) for {{ item.serveradmin }}?
Takk!
loop: "{{ apache_vhosts }}"
when: "item.ssl_type | default('certbot')== 'uib' and apache_csr_result.changed | bool"
- name: "create symlinks for private keys"
file:
state: "link"
src: "{{ apache_digicert_uib_archive }}/{{ item.servername }}/priv_key.pem"
dest: "/etc/pki/tls/private/{{item.servername }}.pem"
loop: "{{ apache_vhosts }}"
when: "item.ssl_type | default('certbot')== 'uib'"
- name: "Get certificate with certificate only"
loop: "{{ apache_vhosts }}"
get_url:
url: "{{ item.certificate_only_url }}"
setype: "cert_t"
dest: "{{ apache_digicert_uib_archive }}//{{ item.servername }}/cert.cer"
backup: "yes"
mode: "0444"
when: "item.ssl_type | default('certbot')== 'uib' and item.certificate_only_url is defined"
- name: "Get intermediate certs only"
loop: "{{ apache_vhosts }}"
get_url:
url: "{{ item.certificate_interm_only_url }}"
setype: "cert_t"
dest: "{{ apache_digicert_uib_archive }}//{{ item.servername }}/cert_interm.cer"
backup: "yes"
mode: "0444"
when: "item.ssl_type | default('certbot')== 'uib' and item.certificate_interm_only_url is defined"
#- name: "concat cert and intermediate"
# loop: "{{ apache_vhosts }}"
# shell: cat cert.cet cert_interm.cer >> cert.pem
# chdir: "{{ apache_digicert_uib_archive }}//{{ item.servername }}"
# url: "{{ item.certificate_interm_only_url }}"
# setype: "cert_t"
# dest: "{{ apache_digicert_uib_archive }}//{{ item.servername }}/cert_interm.cer"
# backup: "yes"
# mode: "0444"
# when: "item.ssl_type | default('certbot')== 'uib'"
# creates: "{ apache_digicert_uib_archive }}//{{ item.servername }}/cert.pem"
- name: "Create symlinks for certificates to /etc/pki/"
loop: "{{ apache_vhosts }}"
file:
state: "link"
src: "{{ apache_digicert_uib_archive }}/{{ item.servername }}/cert.cer"
dest: "/etc/pki/tls/certs/{{ item.servername }}.pem"
when: "item.ssl_type | default('certbot')== 'uib' and item.certificate_only_url is defined"
- name: "Create symlinks for chains to /etc/pki/"
loop: "{{ apache_vhosts }}"
file:
state: "link"
src: "{{ apache_digicert_uib_archive }}/{{ item.servername }}/cert_interm.cer"
dest: "/etc/pki/tls/certs/{{ item.servername }}.chain.pem"
when: "item.ssl_type | default('certbot')== 'uib' and item.certificate_interm_only_url is defined"
- name: "Add apache vhosts ssl template"
template:
src: "{{ apache_vhosts_template_ssl }}"
dest: "{{ apache_conf_path }}/00_{{ item.servername }}_ssl.conf"
owner: root
group: root
mode: 0644
backup: true
# validate: "apachectl configtest"
notify: restart apache
when: "item.ssl_type | default('certbot')== 'uib'"
loop: "{{ apache_vhosts }}"
vars:
current_vhost: "{{ item.servername }}"
become: true
#- name: "get certificate url from ITA"
#
# prompt_vars:
# get_url:
#SSLCertificateFile /etc/pki/tls/certs/domene.uib.no.crt
#SSLCertificateKeyFile /etc/pki/tls/private/domene.uib.no.key
# SSLCertificateChainFile /etc/pki/tls/certs/digicertca2.uib.no.crt
# @todo multiple domains
......@@ -15,9 +15,8 @@
{% if vhost.serveradmin is defined %}
ServerAdmin {{ vhost.serveradmin }}
{% endif %}
{%if vhost.ssl is undefined or vhost.ssl != true %}
{% endif %}
{%if vhost.ssl is undefined or vhost.ssl != true or (vhost.ssl | bool and digicert_certificate is undefined ) %}
{% if vhost.documentroot is defined %}
<Directory "{{ vhost.documentroot }}">
AllowOverride {{ vhost.allow_override | default(apache_allow_override) }}
......
# Ansible managed
{# Set up SSL VirtualHosts #}
{# for only selects one vhost per template call, when servername equals current_vhost (passed from task loop) #}
{% for vhost in apache_vhosts if vhost.servername == current_vhost and vhost.ssl %}
<VirtualHost {{ vhost.servername }}:{{ apache_listen_port_ssl }}>
ServerName {{ vhost.servername }}
......@@ -8,20 +9,40 @@
{% endif %}
{% if vhost.documentroot is defined %}
DocumentRoot "{{ vhost.documentroot }}"
{% endif %}
Include /etc/letsencrypt/options-ssl-apache.conf
{% if apache_vhosts_version == "2.4" %}
SSLCompression off
{% endif %}
{% set letsencrypt_vhost_path = '/etc/letsencrypt/live/' + vhost.servername + '/' %}
{% set default_cert_file = letsencrypt_vhost_path + 'cert.pem' %}
{% set default_cert_key = letsencrypt_vhost_path + 'privkey.pem' %}
{% set default_chain_file = letsencrypt_vhost_path + 'chain.pem' %}
{#block for setting sertificate for letsencrypt #}
{% if vhost.ssl_type is undefined or vhost.ssl_type == 'letsencrypt' %}
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCompression off
SSLCertificateFile {{ vhost.certificate_file | default(default_cert_file) }}
SSLCertificateKeyFile {{ vhost.certificate_key_file | default(default_cert_key) }}
SSLCertificateChainFile {{vhost.certificate_chain_file | default(default_chain_file) }}
{% endif %}
{# block for setting sertificate for uib host #}
{% if vhost.ssl_type | default('') == 'uib' %}
{# ssl config copied from letsencrypt options #}
SSLEngine on
# Intermediate configuration, tweak to your needs
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLOptions +StrictRequire
SSLCompression off
SSLCertificateFile {{ vhost.certificate_file | default('/etc/pki/tls/certs/'+ vhost.servername + '.pem') }}
SSLCertificateKeyFile {{ vhost.certificate_key_file | default('/etc/pki/tls/private/' + vhost.servername + '.pem') }}
SSLCertificateChainFile {{vhost.certificate_chain_file | default('/etc/pki/tls/certs/' + vhost.servername + '.chain.pem') }}
{% endif %}
{% if vhost.serveradmin is defined %}
ServerAdmin {{ vhost.serveradmin }}
{% endif %}
......
......@@ -16,7 +16,5 @@ apache_ports_configuration_items:
- regexp: "^#?NameVirtualHost "
line: "NameVirtualHost {{ apache_listen_ip }}:{{ apache_listen_port }}"
certbot_packages:
- python2-certbot-apache
- certbot
- moreutils
certbot_packages: '{% if ansible_distribution_major_version == "7" %}["python2-certbot-apache", "certbot","moreutils"]{% elif ansible_distribution_major_version == "8" %}["moreutils","certbot", "python3-certbot-apache" ,"mod_ssl"]{% else %}{% endif %}'
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment