First go at a certbot/letsencrypt role for Fedora Infra
To use it:
1) Include the role in your playbook. This will install certbot and put a
tiny bit of Apache config in place, along with a monthly cron to attempt to
renew certificates.
2) Add the following lines to your Apache virthost:
RewriteEngine on
RewriteRule ^/\.well-known/(.*) /srv/web/acme-challenge/.well-known/$1 [L]
2) ssh to the relevant box
# TODO: Fix selinux stuff - the cron won't work until it's fixed either.
service httpd graceful
setenforce 0
certbot certonly --manual-public-ip-logging-ok --webroot -w \
/srv/web/acme-challenge/ -d YOURINSTANCE.fedorainfracloud.org
setenforce 1
3) Add your SSL VirtualHost. An Ansible template with something like this
should possibly work:
<VirtualHost {{public_ip}}:443 _default_:443>
ServerName YOURINSTANCE.fedorainfracloud.org
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/YOURINSTANCE.fedorainfracloud.org/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/YOURINSTANCE.fedorainfracloud.org/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/YOURINSTANCE.fedorainfracloud.org/fullchain.pem
SSLHonorCipherOrder On
SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL
SSLProtocol ALL -SSLv2
<!-- Your actual config goes here! -->
</VirtualHost>
