First go at letsencrypt automation
Signed-off-by: Ricky Elrod <relrod@redhat.com>
This commit is contained in:
parent
b5d3987560
commit
5900f6e6c2
5 changed files with 73 additions and 14 deletions
|
@ -80,12 +80,6 @@
|
|||
certname: secondary.koji.fedoraproject.org.letsencrypt
|
||||
SSLCertificateChainFile: secondary.koji.fedoraproject.org.letsencrypt.intermediate.crt
|
||||
|
||||
- role: httpd/certificate
|
||||
certname: whatcanidoforfedora.org
|
||||
SSLCertificateChainFile: whatcanidoforfedora.org.intermediate.crt
|
||||
tags:
|
||||
- whatcanidoforfedora.org
|
||||
|
||||
- role: httpd/certificate
|
||||
certname: fedoracommunity.org
|
||||
SSLCertificateChainFile: fedoracommunity.org.intermediate.cert
|
||||
|
|
|
@ -411,8 +411,6 @@
|
|||
- www.whatcanidoforfedora.org
|
||||
ssl: true
|
||||
sslonly: true
|
||||
cert_name: whatcanidoforfedora.org
|
||||
SSLCertificateChainFile: whatcanidoforfedora.org.intermediate.crt
|
||||
certbot: true
|
||||
tags:
|
||||
- whatcanidoforfedora.org
|
||||
|
@ -492,8 +490,6 @@
|
|||
certbot: true
|
||||
server_aliases:
|
||||
- www.fpaste.org
|
||||
cert_name: fpaste.org
|
||||
SSLCertificateChainFile: fpaste.org.intermediate.cert
|
||||
tags:
|
||||
- fpaste.org
|
||||
|
||||
|
@ -512,8 +508,6 @@
|
|||
certbot: true
|
||||
server_aliases:
|
||||
- s390pkgs.fedoraproject.org
|
||||
cert_name: secondary.koji.fedoraproject.org.letsencrypt
|
||||
SSLCertificateChainFile: secondary.koji.fedoraproject.org.letsencrypt.intermediate.crt
|
||||
tags:
|
||||
- s390.koji.fedoraproject.org
|
||||
|
||||
|
@ -736,7 +730,6 @@
|
|||
- role: httpd/website
|
||||
site_name: jenkins.fedorainfracloud.org
|
||||
cert_name: jenkins.fedorainfracloud.org
|
||||
SSLCertificateChainFile: jenkins.fedorainfracloud.org.intermediate.cert
|
||||
certbot: true
|
||||
|
||||
- role: httpd/website
|
||||
|
|
|
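Review bot: Every entry that now relies on `certbot: true` also needs `server_aliases` defined, because the new letsencrypt role builds its `-d` list from `[site_name] + server_aliases`; in the hunk at @ -736 the jenkins.fedorainfracloud.org entry shows no `server_aliases` among the visible lines, so unless it is set outside the hunk that play would stop on an undefined variable. The file's name is not shown on this page and each site's role block starts and ends outside its hunk, so this is inferred from the lines visible here. For a site that genuinely has no aliases, `server_aliases: []` makes the intent explicit and keeps the join working.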
@ -21,7 +21,9 @@
|
|||
- httpd
|
||||
- httpd/website
|
||||
|
||||
# TODO - copy in Httpd::Certificate
|
||||
- name: Letsencrypt certificate stuff
|
||||
include_role: name=letsencrypt
|
||||
when: certbot == True
|
||||
|
||||
- name: Copy over primary template for {{site_name}}
|
||||
template: >
|
||||
|
|
|
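Review bot: `when: certbot == True` on the new include_role task raises an undefined-variable error for any site that does not set `certbot` at all, since the condition is evaluated before the role is reached; `when: certbot | default(false) | bool` keeps the task skipped for those sites instead. The task list starts before the hunk, so a role default (`certbot: false` in defaults/main.yml) may already exist, in which case this is only a matter of style; the `{% if certbot %}` added to the template at @ -41 depends on the same variable in the same way. `include_role: name=letsencrypt` would also read more consistently with the surrounding tasks in block form, `include_role:` / `  name: letsencrypt`.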
@ -41,11 +41,18 @@
|
|||
{% endif %}
|
||||
|
||||
SSLEngine on
|
||||
{% if certbot %}
|
||||
SSLCertificateFile /etc/pki/tls/certs/{{ site_name }}.cert
|
||||
SSLCertificateKeyFile /etc/pki/tls/private/{{ site_name }}.key
|
||||
SSLCertificateChainFile /etc/pki/tls/certs/{{ site_name }}.intermediate.cert
|
||||
{% else %}
|
||||
SSLCertificateFile /etc/pki/tls/certs/{{ cert_name }}.cert
|
||||
SSLCertificateKeyFile /etc/pki/tls/private/{{ cert_name }}.key
|
||||
{% if SSLCertificateChainFile %}
|
||||
SSLCertificateChainFile /etc/pki/tls/certs/{{ SSLCertificateChainFile }}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
SSLHonorCipherOrder On
|
||||
|
||||
# https://fedorahosted.org/fedora-infrastructure/ticket/4101#comment:14
|
||||
|
|
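Review bot: The new `{% if certbot %}` branch repeats the SSLCertificateFile and SSLCertificateKeyFile directives with only the variable swapped from `cert_name` to `site_name`; a single `{% set tls_name = site_name if certbot else cert_name %}` before one pair of directives would remove the duplication and leave only the chain-file choice inside the conditional. The certbot branch hardcodes `{{ site_name }}.intermediate.cert`, which matches the install path in the letsencrypt role, so a one-line comment above it, `{# paths must match roles/letsencrypt/tasks/main.yml #}`, would tell the next editor why the two branches differ. The enclosing VirtualHost block starts and ends outside the hunk.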
63
roles/letsencrypt/tasks/main.yml
Normal file
63
roles/letsencrypt/tasks/main.yml
Normal file
|
@ -0,0 +1,63 @@
|
|||
- name: Generate (or renew) the certificate
|
||||
delegate_to: certgetter01.phx2.fedoraproject.org
|
||||
command: certbot certonly -n --webroot --webroot-path /var/www/html/ -d {{','.join([site_name] + server_aliases)}}
|
||||
tags:
|
||||
- letsencrypt
|
||||
|
||||
# And once we do that, we need to copy some things.
|
||||
- name: Obtain the certificate
|
||||
delegate_to: certgetter01.phx2.fedoraproject.org
|
||||
command: cat /etc/letsencrypt/live/{{site_name}}/cert.pem
|
||||
register: certbot_certificate
|
||||
tags:
|
||||
- letsencrypt
|
||||
|
||||
- name: Obtain the intermediate certificate
|
||||
delegate_to: certgetter01.phx2.fedoraproject.org
|
||||
command: cat /etc/letsencrypt/live/{{site_name}}/chain.pem
|
||||
register: certbot_chain
|
||||
tags:
|
||||
- letsencrypt
|
||||
|
||||
- name: Obtain the key
|
||||
delegate_to: certgetter01.phx2.fedoraproject.org
|
||||
command: cat /etc/letsencrypt/live/{{site_name}}/privkey.pem
|
||||
register: certbot_key
|
||||
tags:
|
||||
- letsencrypt
|
||||
|
||||
- name: Install the certificate
|
||||
copy: >
|
||||
dest=/etc/pki/tls/certs/{{site_name}}.cert
|
||||
contents={{certbot_certificate.stdout}}
|
||||
owner=root
|
||||
group=root
|
||||
mode=0644
|
||||
notify:
|
||||
- reload proxyhttpd
|
||||
tags:
|
||||
- letsencrypt
|
||||
|
||||
- name: Install the intermediate/chain certificate
|
||||
copy: >
|
||||
dest=/etc/pki/tls/certs/{{site_name}}.intermediate.cert
|
||||
contents={{certbot_chain.stdout}}
|
||||
owner=root
|
||||
group=root
|
||||
mode=0644
|
||||
notify:
|
||||
- reload proxyhttpd
|
||||
tags:
|
||||
- letsencrypt
|
||||
|
||||
- name: Install the key
|
||||
copy: >
|
||||
dest=/etc/pki/tls/private/{{site_name}}.key
|
||||
contents={{certbot_key.stdout}}
|
||||
owner=root
|
||||
group=root
|
||||
mode=0600
|
||||
notify:
|
||||
- reload proxyhttpd
|
||||
tags:
|
||||
- letsencrypt
|