Skip to content

GitLab

Commit d6ba9d4a authored by fedora Cloud User's avatar fedora Cloud User
Browse files

use apache_digicert_renew to force download of new certificates if they are set

parent 0f3cbd71
Hide whitespace changes
Inline Side-by-side
tasks/uib_ssl.yml
View file @ d6ba9d4a
...@@ -10,10 +10,6 @@ ...@@ -10,10 +10,6 @@
set_fact: set_fact:
ssl_alias: "{{ [ apache_vhosts[0].serveralias | default('deleteme'), apache_vhosts[0].certalias | default('deleteme') ] | reject('equalto','deleteme') | list }}" ssl_alias: "{{ [ apache_vhosts[0].serveralias | default('deleteme'), apache_vhosts[0].certalias | default('deleteme') ] | reject('equalto','deleteme') | list }}"
- name: "debug"
debug:
msg: "{{ ssl_alias }}"
- name: "install package for mod_ssl" - name: "install package for mod_ssl"
package: package:
name: "mod_ssl" name: "mod_ssl"
...@@ -78,7 +74,7 @@ ...@@ -78,7 +74,7 @@
to: "{{ apache_cert_vhost.serveradmin }}" to: "{{ apache_cert_vhost.serveradmin }}"
host: "{{ apache_mail_host | default(omit) }}" host: "{{ apache_mail_host | default(omit) }}"
attach: attach:
- "{{ apache_digicert_uib_csr}}/{{ apache_cert_vhost.servername }}.csr" - "{{ apache_digicert_uib_csr }}/{{ apache_cert_vhost.servername }}.csr"
body: | body: |
Ønsker å bestille SSL sertifikat. Ønsker å bestille SSL sertifikat.
...@@ -96,40 +92,32 @@ ...@@ -96,40 +92,32 @@
file: file:
state: "link" state: "link"
src: "{{ apache_digicert_uib_archive }}/{{ apache_cert_vhost.servername }}/priv_key.pem" src: "{{ apache_digicert_uib_archive }}/{{ apache_cert_vhost.servername }}/priv_key.pem"
dest: "/etc/pki/tls/private/{{apache_cert_vhost.servername }}.pem" dest: "/etc/pki/tls/private/{{ apache_cert_vhost.servername }}.pem"
when: "apache_cert_vhost.ssl_type | default('certbot')== 'uib'" when: "apache_cert_vhost.ssl_type | default('certbot')== 'uib'"
- name: "set fact for uib renewal"
set_fact:
uib_renew_ssl: "{{ apache_digicert_renew | default(false) }}"
- name: "Get certificate with certificate only" - name: "Get certificate with certificate only"
get_url: get_url:
url: "{{ apache_cert_vhost.certificate_only_url }}" url: "{{ apache_cert_vhost.certificate_only_url }}"
force: "{{ uib_renew_ssl }}"
setype: "cert_t" setype: "cert_t"
dest: "{{ apache_digicert_uib_archive }}//{{ apache_cert_vhost.servername }}/cert.cer" dest: "{{ apache_digicert_uib_archive }}//{{ apache_cert_vhost.servername }}/cert.cer"
backup: "yes" backup: "{{ uib_renew_ssl }}"
mode: "0444" mode: "0444"
when: "apache_cert_vhost.ssl_type | default('certbot')== 'uib' and apache_cert_vhost.certificate_only_url is defined" when: "apache_cert_vhost.ssl_type | default('certbot')== 'uib' and apache_cert_vhost.certificate_only_url is defined"
- name: "Get intermediate certs only" - name: "Get intermediate certs only"
get_url: get_url:
force: "{{ uib_renew_ssl }}"
url: "{{ apache_cert_vhost.certificate_interm_only_url }}" url: "{{ apache_cert_vhost.certificate_interm_only_url }}"
setype: "cert_t" setype: "cert_t"
dest: "{{ apache_digicert_uib_archive }}//{{ apache_cert_vhost.servername }}/cert_interm.cer" dest: "{{ apache_digicert_uib_archive }}//{{ apache_cert_vhost.servername }}/cert_interm.cer"
backup: "yes" backup: "{{ uib_renew_ssl }}"
mode: "0444" mode: "0444"
when: "apache_cert_vhost.ssl_type | default('certbot')== 'uib' and apache_cert_vhost.certificate_interm_only_url is defined" when: "apache_cert_vhost.ssl_type | default('certbot')== 'uib' and apache_cert_vhost.certificate_interm_only_url is defined"
#- name: "concat cert and intermediate"
# loop: "{{ apache_vhosts }}"
# shell: cat cert.cet cert_interm.cer >> cert.pem
# chdir: "{{ apache_digicert_uib_archive }}//{{ item.servername }}"
# url: "{{ item.certificate_interm_only_url }}"
# setype: "cert_t"
# dest: "{{ apache_digicert_uib_archive }}//{{ item.servername }}/cert_interm.cer"
# backup: "yes"
# mode: "0444"
# when: "item.ssl_type | default('certbot')== 'uib'"
# creates: "{ apache_digicert_uib_archive }}//{{ item.servername }}/cert.pem"
- name: "Create symlinks for certificates to /etc/pki/" - name: "Create symlinks for certificates to /etc/pki/"
file: file:
state: "link" state: "link"
...@@ -152,21 +140,9 @@ ...@@ -152,21 +140,9 @@
group: root group: root
mode: 0644 mode: 0644
backup: true backup: true
# validate: "apachectl configtest"
notify: restart apache notify: restart apache
when: "item.ssl_type | default('certbot')== 'uib'" when: "item.ssl_type | default('certbot')== 'uib'"
loop: "{{ apache_vhosts }}" loop: "{{ apache_vhosts }}"
vars: vars:
current_vhost: "{{ item.servername }}" current_vhost: "{{ item.servername }}"
become: true become: true
#- name: "get certificate url from ITA"
#
# prompt_vars:
# get_url:
#SSLCertificateFile /etc/pki/tls/certs/domene.uib.no.crt
#SSLCertificateKeyFile /etc/pki/tls/private/domene.uib.no.key
# SSLCertificateChainFile /etc/pki/tls/certs/digicertca2.uib.no.crt
# @todo multiple domains
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment