First go at letsencrypt automation

Signed-off-by: Ricky Elrod <relrod@redhat.com>
2018-05-17 05:06:23 +00:00 · 2018-05-17 05:06:23 +00:00 · 5900f6e6c2
commit 5900f6e6c2
parent b5d3987560
5 changed files with 73 additions and 14 deletions
--- a/playbooks/include/proxies-certificates.yml
+++ b/playbooks/include/proxies-certificates.yml
@ -80,12 +80,6 @@
    certname: secondary.koji.fedoraproject.org.letsencrypt
    SSLCertificateChainFile: secondary.koji.fedoraproject.org.letsencrypt.intermediate.crt

-  - role: httpd/certificate
-    certname: whatcanidoforfedora.org
-    SSLCertificateChainFile: whatcanidoforfedora.org.intermediate.crt
-    tags:
-    - whatcanidoforfedora.org
-
  - role: httpd/certificate
    certname: fedoracommunity.org
    SSLCertificateChainFile: fedoracommunity.org.intermediate.cert
--- a/playbooks/include/proxies-websites.yml
+++ b/playbooks/include/proxies-websites.yml
@ -411,8 +411,6 @@
    - www.whatcanidoforfedora.org
    ssl: true
    sslonly: true
-    cert_name: whatcanidoforfedora.org
-    SSLCertificateChainFile: whatcanidoforfedora.org.intermediate.crt
    certbot: true
    tags:
    - whatcanidoforfedora.org
@ -492,8 +490,6 @@
    certbot: true
    server_aliases:
    - www.fpaste.org
-    cert_name: fpaste.org
-    SSLCertificateChainFile: fpaste.org.intermediate.cert
    tags:
    - fpaste.org

@ -512,8 +508,6 @@
    certbot: true
    server_aliases:
    - s390pkgs.fedoraproject.org
-    cert_name: secondary.koji.fedoraproject.org.letsencrypt
-    SSLCertificateChainFile: secondary.koji.fedoraproject.org.letsencrypt.intermediate.crt
    tags:
    - s390.koji.fedoraproject.org

@ -736,7 +730,6 @@
  - role: httpd/website
    site_name: jenkins.fedorainfracloud.org
    cert_name: jenkins.fedorainfracloud.org
-    SSLCertificateChainFile: jenkins.fedorainfracloud.org.intermediate.cert
    certbot: true

  - role: httpd/website
--- a/roles/httpd/website/tasks/main.yml
+++ b/roles/httpd/website/tasks/main.yml
@ -21,7 +21,9 @@
  - httpd
  - httpd/website

-# TODO - copy in Httpd::Certificate
+- name: Letsencrypt certificate stuff
+  include_role: name=letsencrypt
+  when: certbot == True

 - name: Copy over primary template for {{site_name}}
  template: >
--- a/roles/httpd/website/templates/website.conf
+++ b/roles/httpd/website/templates/website.conf
@ -41,11 +41,18 @@
 {% endif %}

  SSLEngine on
+{% if certbot %}
+  SSLCertificateFile /etc/pki/tls/certs/{{ site_name }}.cert
+  SSLCertificateKeyFile /etc/pki/tls/private/{{ site_name }}.key
+  SSLCertificateChainFile /etc/pki/tls/certs/{{ site_name }}.intermediate.cert
+{% else %}
  SSLCertificateFile /etc/pki/tls/certs/{{ cert_name }}.cert
  SSLCertificateKeyFile /etc/pki/tls/private/{{ cert_name }}.key
 {% if SSLCertificateChainFile %}
  SSLCertificateChainFile /etc/pki/tls/certs/{{ SSLCertificateChainFile }}
 {% endif %}
+{% endif %}
+
  SSLHonorCipherOrder On

  # https://fedorahosted.org/fedora-infrastructure/ticket/4101#comment:14
--- a/roles/letsencrypt/tasks/main.yml
+++ b/roles/letsencrypt/tasks/main.yml
@ -0,0 +1,63 @@
+- name: Generate (or renew) the certificate
+  delegate_to: certgetter01.phx2.fedoraproject.org
+  command: certbot certonly -n --webroot --webroot-path /var/www/html/ -d {{','.join([site_name] + server_aliases)}}
+  tags:
+  - letsencrypt
+
+# And once we do that, we need to copy some things.
+- name: Obtain the certificate
+  delegate_to: certgetter01.phx2.fedoraproject.org
+  command: cat /etc/letsencrypt/live/{{site_name}}/cert.pem
+  register: certbot_certificate
+  tags:
+  - letsencrypt
+
+- name: Obtain the intermediate certificate
+  delegate_to: certgetter01.phx2.fedoraproject.org
+  command: cat /etc/letsencrypt/live/{{site_name}}/chain.pem
+  register: certbot_chain
+  tags:
+  - letsencrypt
+
+- name: Obtain the key
+  delegate_to: certgetter01.phx2.fedoraproject.org
+  command: cat /etc/letsencrypt/live/{{site_name}}/privkey.pem
+  register: certbot_key
+  tags:
+  - letsencrypt
+
+- name: Install the certificate
+  copy: >
+    dest=/etc/pki/tls/certs/{{site_name}}.cert
+    contents={{certbot_certificate.stdout}}
+    owner=root
+    group=root
+    mode=0644
+  notify:
+  - reload proxyhttpd
+  tags:
+  - letsencrypt
+
+- name: Install the intermediate/chain certificate
+  copy: >
+    dest=/etc/pki/tls/certs/{{site_name}}.intermediate.cert
+    contents={{certbot_chain.stdout}}
+    owner=root
+    group=root
+    mode=0644
+  notify:
+  - reload proxyhttpd
+  tags:
+  - letsencrypt
+
+- name: Install the key
+  copy: >
+    dest=/etc/pki/tls/private/{{site_name}}.key
+    contents={{certbot_key.stdout}}
+    owner=root
+    group=root
+    mode=0600
+  notify:
+  - reload proxyhttpd
+  tags:
+  - letsencrypt