Commit e5d814a7 authored by Oyvind.Gjesdal's avatar Oyvind.Gjesdal

Merge branch '10-fornyelse-av-ssl-sertifikater' into 'master'

Resolve "fornyelse av ssl sertifikater"

Closes #10

See merge request uib-ub/roller-ansible/apache!7
parents 0f3cbd71 c0ac6981
......@@ -43,10 +43,39 @@ The content can be added to hjelp.uib.no to receive a certificate from cert-mana
Two of the urls from one of the emails should be added to (vaulted) variables.
* as Certificate only, PEM encoded
* as Root/Intermediate(s) only, PEM encoded
* `certificate_only_url` as Certificate only, PEM encoded (url ends-with &format=x509CO)
* `certificate_interm_only_url` as Root/Intermediate(s) only, PEM encoded (url ends-with &format=x509IOR)
Ad dto vhost, see the example below.
To renew an existing certificate which has been sent by UiB ITA:
CSR and private key will not be updated, ITA will reuse old CSR to generate a new certificate, which we receive by mail.
* Replace/update `certificate_interm_only_url` (usually vaulted) and `certificate_interm_only_url` (may not have changed) with the values from the new mail with certificates.
* Run the playbook with the apache role with the the parameter `apache_digicert_renew` with a truthy value added.
Example play for updating varsel.ub.uib.no
```
ansible-playbook monitor.yml --vault-id ~/secrets/secret -e deploy_env=prod -i inventory/hostfile -e apache_digicert_renew=true
```
**Example vhosts section with multiple ssl set using one certificate**
```
apache_vhosts:
- servername: "example.com"
ssl: true
ssl_type: "uib" # default letsencrypt if empty
altname: "DNS:example2.com,DNS:example3.com" #adding altnames also for additional vhosts
certificate_interm_only_url: "{{ eksempel_no_interm_only_url }} " # url ends with &format=x509IOR
certificate_only_url: "{{ eksempel_no_cert_only_url }}" # url ends with &format=x509CO
...
- servername: "example2.com" # when additional hosts have ssl set, they will use the same ssl key from the first entry in apache_vhosts
ssl: true
ssl_type: "uib"
...
- servername: "example3.com"
ssl: true
ssl_type: "uib"
```
## Example playbook
......@@ -77,23 +106,8 @@ Ad dto vhost, see the example below.
- httpd
```
If uib is set, an email is sent to serveradmin containing a template for creating a ssl-request in hjelp.uib.no.
You get another email from the certificate provider containing various urls.
Continue by adding to the vhost section after ssl_type:
```
...
ssl_type: "uib"
certificate_interm_only_url: "# url from link to intermediate certificate only"
certificate_only_url: "# url from email to certificate only"
```
The role will fail (var not set) until these are set. When rerunning the playbook, a certificate should be set.
@todo Renewing a certificate.
* End of local changes *
## Begin original docs
Available variables are listed below, along with default values (see `defaults/main.yml`):
apache_enablerepo: ""
......@@ -10,10 +10,6 @@
set_fact:
ssl_alias: "{{ [ apache_vhosts[0].serveralias | default('deleteme'), apache_vhosts[0].certalias | default('deleteme') ] | reject('equalto','deleteme') | list }}"
- name: "debug"
debug:
msg: "{{ ssl_alias }}"
- name: "install package for mod_ssl"
package:
name: "mod_ssl"
......@@ -78,7 +74,7 @@
to: "{{ apache_cert_vhost.serveradmin }}"
host: "{{ apache_mail_host | default(omit) }}"
attach:
- "{{ apache_digicert_uib_csr}}/{{ apache_cert_vhost.servername }}.csr"
- "{{ apache_digicert_uib_csr }}/{{ apache_cert_vhost.servername }}.csr"
body: |
Ønsker å bestille SSL sertifikat.
......@@ -96,40 +92,32 @@
file:
state: "link"
src: "{{ apache_digicert_uib_archive }}/{{ apache_cert_vhost.servername }}/priv_key.pem"
dest: "/etc/pki/tls/private/{{apache_cert_vhost.servername }}.pem"
dest: "/etc/pki/tls/private/{{ apache_cert_vhost.servername }}.pem"
when: "apache_cert_vhost.ssl_type | default('certbot')== 'uib'"
- name: "set fact for uib renewal"
set_fact:
uib_renew_ssl: "{{ apache_digicert_renew | default(false) }}"
- name: "Get certificate with certificate only"
get_url:
url: "{{ apache_cert_vhost.certificate_only_url }}"
force: "{{ uib_renew_ssl }}"
setype: "cert_t"
dest: "{{ apache_digicert_uib_archive }}//{{ apache_cert_vhost.servername }}/cert.cer"
backup: "yes"
backup: "{{ uib_renew_ssl }}"
mode: "0444"
when: "apache_cert_vhost.ssl_type | default('certbot')== 'uib' and apache_cert_vhost.certificate_only_url is defined"
- name: "Get intermediate certs only"
get_url:
force: "{{ uib_renew_ssl }}"
url: "{{ apache_cert_vhost.certificate_interm_only_url }}"
setype: "cert_t"
dest: "{{ apache_digicert_uib_archive }}//{{ apache_cert_vhost.servername }}/cert_interm.cer"
backup: "yes"
backup: "{{ uib_renew_ssl }}"
mode: "0444"
when: "apache_cert_vhost.ssl_type | default('certbot')== 'uib' and apache_cert_vhost.certificate_interm_only_url is defined"
#- name: "concat cert and intermediate"
# loop: "{{ apache_vhosts }}"
# shell: cat cert.cet cert_interm.cer >> cert.pem
# chdir: "{{ apache_digicert_uib_archive }}//{{ item.servername }}"
# url: "{{ item.certificate_interm_only_url }}"
# setype: "cert_t"
# dest: "{{ apache_digicert_uib_archive }}//{{ item.servername }}/cert_interm.cer"
# backup: "yes"
# mode: "0444"
# when: "item.ssl_type | default('certbot')== 'uib'"
# creates: "{ apache_digicert_uib_archive }}//{{ item.servername }}/cert.pem"
- name: "Create symlinks for certificates to /etc/pki/"
file:
state: "link"
......@@ -152,21 +140,9 @@
group: root
mode: 0644
backup: true
# validate: "apachectl configtest"
notify: restart apache
when: "item.ssl_type | default('certbot')== 'uib'"
loop: "{{ apache_vhosts }}"
vars:
current_vhost: "{{ item.servername }}"
become: true
#- name: "get certificate url from ITA"
#
# prompt_vars:
# get_url:
#SSLCertificateFile /etc/pki/tls/certs/domene.uib.no.crt
#SSLCertificateKeyFile /etc/pki/tls/private/domene.uib.no.key
# SSLCertificateChainFile /etc/pki/tls/certs/digicertca2.uib.no.crt
# @todo multiple domains
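Review bot: The two `get_url` tasks in the third hunk (`Get certificate with certificate only`, `Get intermediate certs only`) now re-fetch the files when `apache_digicert_renew` is set, but neither task carries a `notify`, so a renewal run writes the new certificate into the archive directory while the running httpd keeps presenting the old one until something else restarts it. The last hunk already notifies a `restart apache` handler from the vhost template task, so adding `notify: restart apache` to both `get_url` tasks closes that gap (the handler itself is defined outside this view, presumably in the role's handlers). A second point in the same hunk: with `force` true, `get_url` overwrites `cert.cer` and `cert_interm.cer` with whatever the URL returns, and the "Create symlinks for certificates to /etc/pki/" task that follows appears to link those files into place unchecked, so a stale or expired download link that serves an error page would only surface as a failed httpd restart; a sanity task between download and symlink, e.g. `command: openssl x509 -noout -in {{ apache_digicert_uib_archive }}/{{ apache_cert_vhost.servername }}/cert.cer` with `changed_when: false`, catches that before the service is touched. The `//` in both `dest` paths is pre-existing and harmless, but worth normalising to a single `/` while these lines are being edited.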