Merge branch '10-fornyelse-av-ssl-sertifikater' into 'master'

Resolve "fornyelse av ssl sertifikater"

Closes #10

See merge request uib-ub/roller-ansible/apache!7

README.md

@@ -43,10 +43,39 @@ The content can be added to hjelp.uib.no to receive a certificate from cert-mana
 
 Two of the urls from one of the emails should be added to (vaulted) variables.
 
-* as Certificate only, PEM encoded
-* as Root/Intermediate(s) only, PEM encoded
+* `certificate_only_url` as Certificate only, PEM encoded (url ends-with &format=x509CO)
+* `certificate_interm_only_url` as Root/Intermediate(s) only, PEM encoded (url ends-with &format=x509IOR)
 
-Ad dto vhost, see the example below.
+To renew an existing certificate which has been sent by UiB ITA:
+
+CSR and private key will not be updated, ITA will reuse old CSR to generate a new certificate, which we receive by mail.
+
+* Replace/update `certificate_interm_only_url` (usually vaulted) and `certificate_interm_only_url` (may not have changed) with the values from the new mail with certificates.
+* Run the playbook with the apache role with the the parameter `apache_digicert_renew` with a truthy value added.
+
+Example play for updating varsel.ub.uib.no
+```
+ ansible-playbook monitor.yml --vault-id ~/secrets/secret -e deploy_env=prod -i inventory/hostfile  -e apache_digicert_renew=true
+```
+
+**Example vhosts section with multiple ssl set using one certificate** 
+```
+      apache_vhosts:
+        - servername: "example.com"
+          ssl: true
+          ssl_type: "uib" # default letsencrypt if empty
+          altname: "DNS:example2.com,DNS:example3.com" #adding altnames also for additional vhosts
+          certificate_interm_only_url: "{{ eksempel_no_interm_only_url }} " # url ends with &format=x509IOR
+          certificate_only_url: "{{ eksempel_no_cert_only_url }}" #  url ends with &format=x509CO
+          ...
+        - servername: "example2.com" # when additional hosts have ssl set, they will use the same ssl key from the first entry in apache_vhosts
+          ssl: true
+          ssl_type: "uib"
+          ...
+        - servername: "example3.com"
+          ssl: true
+          ssl_type: "uib"
+```
 
 ## Example playbook
 
@@ -77,23 +106,8 @@ Ad dto vhost, see the example below.
       - httpd
 ```
 
-If uib is set, an email is sent to serveradmin containing a template for creating a ssl-request in hjelp.uib.no.
-You get another email from the certificate provider containing various urls.
-
-Continue by adding to the vhost section after ssl_type:
-
-```
-...
-ssl_type: "uib"
-certificate_interm_only_url: "# url from link to intermediate certificate only"
-certificate_only_url: "# url from email to certificate only"
-```
-The role will fail (var not set) until these are set. When rerunning the playbook, a certificate should be set.
-
-@todo Renewing a certificate.
-
-* End of local changes * 
 
+## Begin original docs
 Available variables are listed below, along with default values (see `defaults/main.yml`):
 
     apache_enablerepo: ""

tasks/uib_ssl.yml

@@ -10,10 +10,6 @@
   set_fact:
     ssl_alias: "{{ [ apache_vhosts[0].serveralias | default('deleteme'),  apache_vhosts[0].certalias | default('deleteme') ] | reject('equalto','deleteme') | list }}"
     
-- name: "debug"
-  debug:
-    msg: "{{ ssl_alias }}"
-
 - name: "install package for mod_ssl"
   package:
     name: "mod_ssl"
@@ -78,7 +74,7 @@
     to: "{{ apache_cert_vhost.serveradmin }}"
     host: "{{ apache_mail_host | default(omit) }}"
     attach:
-      - "{{ apache_digicert_uib_csr}}/{{ apache_cert_vhost.servername }}.csr"
+      - "{{ apache_digicert_uib_csr }}/{{ apache_cert_vhost.servername }}.csr"
     body: |
       Ønsker å bestille SSL sertifikat.
 
@@ -96,40 +92,32 @@
   file:
     state: "link"
     src: "{{ apache_digicert_uib_archive }}/{{ apache_cert_vhost.servername }}/priv_key.pem"
-    dest: "/etc/pki/tls/private/{{apache_cert_vhost.servername }}.pem"
+    dest: "/etc/pki/tls/private/{{ apache_cert_vhost.servername }}.pem"
   when: "apache_cert_vhost.ssl_type  | default('certbot')== 'uib'"
 
+- name: "set fact for uib renewal"
+  set_fact:
+    uib_renew_ssl: "{{  apache_digicert_renew | default(false) }}"
 - name: "Get certificate with certificate only"
   get_url: 
     url: "{{ apache_cert_vhost.certificate_only_url }}"
+    force: "{{ uib_renew_ssl }}"
     setype: "cert_t"
     dest: "{{ apache_digicert_uib_archive }}//{{ apache_cert_vhost.servername }}/cert.cer"
-    backup: "yes"
+    backup: "{{ uib_renew_ssl }}"
     mode: "0444"
   when: "apache_cert_vhost.ssl_type  | default('certbot')== 'uib' and apache_cert_vhost.certificate_only_url is defined"
 
 - name: "Get intermediate certs only"
   get_url:
+    force: "{{ uib_renew_ssl }}"
     url: "{{ apache_cert_vhost.certificate_interm_only_url }}"
     setype: "cert_t"
     dest: "{{ apache_digicert_uib_archive }}//{{ apache_cert_vhost.servername }}/cert_interm.cer"
-    backup: "yes"
+    backup: "{{ uib_renew_ssl }}"
     mode: "0444"
   when: "apache_cert_vhost.ssl_type  | default('certbot')== 'uib' and  apache_cert_vhost.certificate_interm_only_url is defined"
  
-
-#- name: "concat cert and intermediate"
-#  loop: "{{ apache_vhosts }}"
-#  shell: cat cert.cet cert_interm.cer >> cert.pem
-#    chdir: "{{ apache_digicert_uib_archive }}//{{ item.servername }}"
-#    url: "{{ item.certificate_interm_only_url }}"
-#    setype: "cert_t"
-#    dest: "{{ apache_digicert_uib_archive }}//{{ item.servername }}/cert_interm.cer"
-#    backup: "yes"
-#    mode: "0444"
-#  when: "item.ssl_type  | default('certbot')== 'uib'"
-#  creates: "{ apache_digicert_uib_archive }}//{{ item.servername }}/cert.pem"
-
 - name: "Create symlinks for certificates to /etc/pki/"
   file:
     state: "link"
@@ -152,21 +140,9 @@
     group: root
     mode: 0644
     backup: true
-      #    validate: "apachectl configtest"
   notify: restart apache
   when: "item.ssl_type  | default('certbot')== 'uib'"
   loop: "{{ apache_vhosts }}"
   vars:
     current_vhost: "{{ item.servername }}"
   become: true
-
-  #- name: "get certificate url from ITA"
-  #
-#  prompt_vars: 
-  #  get_url:
-
-#SSLCertificateFile /etc/pki/tls/certs/domene.uib.no.crt
-#SSLCertificateKeyFile /etc/pki/tls/private/domene.uib.no.key
-# SSLCertificateChainFile /etc/pki/tls/certs/digicertca2.uib.no.crt
-
-# @todo multiple domains