From f9280622925d69a72112e70ce339a1b0d2bc328c Mon Sep 17 00:00:00 2001 From: Adar Nimrod Date: Sun, 6 Dec 2020 22:10:01 +0200 Subject: [PATCH] Renew certificates playbook. Renew Let's Encrypt certificates across the fleet.
---
renew-certs.yml | 293 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 293 insertions(+) create mode 100644 renew-certs.yml
diff --git a/renew-certs.yml b/renew-certs.yml
new file mode 100644
index 0000000..0cc0320
--- /dev/null
+++ b/renew-certs.yml
@@ -0,0 +1,293 @@
+---
+- name: Generate keys and certificates
+ hosts:
+ - localhost
+ connection: local
+ become: false
+ gather_facts: false
+ vars:
+ email: nimrod@shore.co.il
+ acme_directory: https://acme-v02.api.letsencrypt.org/directory
+ #acme_directory: https://acme-staging-v02.api.letsencrypt.org/directory
+ acme_version: 2
+
+ handlers:
+ - name: Restart Nginx
+ delegate_to: host01.shore.co.il
+ command: docker restart web-proxy_proxy_1
+
+ - name: Reload Exim
+ delegate_to: host01.shore.co.il
+ command: docker kill --signal SIGHUP mail_smtp_1
+
+ - name: Reload Dovecot
+ delegate_to: host01.shore.co.il
+ command: docker kill --signal SIGHUP mail_imap_1
+
+ tasks:
+ - name: Create SSL directory on the server
+ delegate_to: host01.shore.co.il
+ file:
+ group: root
+ mode: 0o0755
+ owner: root
+ path: /var/ssl
+ state: directory
+
+ - name: Generate account key
+ openssl_privatekey:
+ mode: 0o0600
+ path: &account_key_src account.key
+ size: 4096
+ state: present
+ type: RSA
+
+ - name: Register account
+ acme_account:
+ account_key_src: *account_key_src
+ acme_directory: |-
+ {{ acme_directory }}
+ acme_version: |-
+ {{ acme_version }}
+ contact:
+ - mailto:{{ email }}
+ select_crypto_backend: &crypto_backend cryptography
+ state: present
+ terms_agreed: true
+
+ - name: Generate site key
+ openssl_privatekey:
+ mode: &mode 0o0600
+ path: &site_key_src |-
+ {{ playbook_dir }}/site.key
+ size: &size 4096
+ state: present
+ type: &type RSA
+
+ - name: Generate site certificate signing request
+ openssl_csr:
+ common_name: &common_name shore.co.il
+ country_name: &country_name IL
+ digest: &digest sha256
+ email_address: |-
+ {{ email }}
+ locality_name: &locality_name Haifa
+ organization_name: &organization_name Shore technologies
+ path: &site_csr_src site.csr
+ privatekey_path: *site_key_src
+ state: present
+ subject_alt_name: |-
+ DNS:shore.co.il,DNS:www.shore.co.il,DNS:autoconfig.shore.co.il,DNS:nextcloud.shore.co.il,DNS:git.shore.co.il,DNS:registry.shore.co.il
+ register: acme_site_csr
+
+ - name: Create site challenge
+ acme_certificate:
+ account_email: |-
+ {{ email }}
+ account_key_src: *account_key_src
+ acme_directory: |-
+ {{ acme_directory }}
+ acme_version: |
+ {{ acme_version }}
+ csr: *site_csr_src
+ fullchain_dest: &site_cert_src |-
+ {{ playbook_dir }}/site.crt
+ modify_account: false
+ remaining_days: 35
+ select_crypto_backend: *crypto_backend
+ register: acme_site_challenge
+
+ - name: Debug site challenge
+ debug:
+ var: acme_site_challenge
+ verbosity: 1
+
+ - name: Renew site cert
+ when: acme_site_challenge is changed or acme_site_csr is changed
+ block:
+
+ - name: Create ACME challenge directory
+ delegate_to: host01.shore.co.il
+ become: true
+ file:
+ path: /var/www/www.shore.co.il/.well-known/acme-challenge
+ state: directory
+
+ - name: Copy http-01 site challenge
+ delegate_to: host01.shore.co.il
+ become: true
+ with_dict: |
+ {{ acme_site_challenge['challenge_data'] }}
+ copy:
+ content: |-
+ {{ item.value['http-01']['resource_value'] }}
+ # yamllint disable-line rule:line-length
+ dest: /var/www/www.shore.co.il/{{ item.value['http-01']['resource'] }}
+ group: www-data
+ mode: 0o0644
+ owner: root
+
+ - name: Validate site challenge
+ acme_certificate:
+ account_email: |-
+ {{ email }}
+ account_key_src: *account_key_src
+ acme_directory: |-
+ {{ acme_directory }}
+ acme_version: |
+ {{ acme_version }}
+ challenge: http-01
+ csr: *site_csr_src
+ data: "{{ acme_site_challenge }}"
+ fullchain_dest: *site_cert_src
+ modify_account: false
+ remaining_days: 35
+ select_crypto_backend: *crypto_backend
+
+ - name: Copy site key, certificate to server
+ delegate_to: host01.shore.co.il
+ become: true
+ with_items:
+ - src: *site_key_src
+ dest: /var/ssl/site.key
+ mode: 0o0444
+ - src: *site_cert_src
+ dest: /var/ssl/site.crt
+ mode: 0o0444
+ copy:
+ src: |-
+ {{ item.src }}
+ dest: |-
+ {{ item.dest }}
+ mode: |-
+ {{ item.mode }}
+ owner: root
+ group: root
+ notify:
+ - Restart Nginx
+
+ - name: Generate mail key
+ openssl_privatekey:
+ mode: *mode
+ path: &mail_key_src |-
+ {{ playbook_dir }}/mail.key
+ size: *size
+ state: present
+ type: *type
+
+ - name: Generate mail certificate signing request
+ openssl_csr:
+ common_name: smtp.shore.co.il
+ country_name: *country_name
+ digest: *digest
+ email_address: |-
+ {{ email }}
+ locality_name: *locality_name
+ organization_name: *organization_name
+ path: &mail_csr_src mail.csr
+ privatekey_path: *mail_key_src
+ state: present
+ subject_alt_name: |-
+ DNS:smtp.shore.co.il,DNS:imap.shore.co.il,DNS:mta-sts.shore.co.il
+ register: acme_mail_csr
+
+ - name: Create mail challenge
+ acme_certificate:
+ account_email: |-
+ {{ email }}
+ account_key_src: *account_key_src
+ acme_directory: |-
+ {{ acme_directory }}
+ acme_version: |
+ {{ acme_version }}
+ csr: *mail_csr_src
+ fullchain_dest: &mail_cert_src |-
+ {{ playbook_dir }}/mail.crt
+ modify_account: false
+ remaining_days: 35
+ select_crypto_backend: *crypto_backend
+ register: acme_mail_challenge
+
+ - name: Debug mail challenge
+ debug:
+ var: acme_mail_challenge
+ verbosity: 1
+
+ - name: Renew mail cert
+ when: acme_mail_challenge is changed or acme_mail_csr is changed
+ block:
+
+ - name: Create ACME challenge directory
+ delegate_to: host01.shore.co.il
+ become: true
+ file:
+ path: /var/www/mail.shore.co.il/.well-known/acme-challenge
+ state: directory
+
+ - name: Copy http-01 mail challenge
+ delegate_to: host01.shore.co.il
+ become: true
+ with_dict: |
+ {{ acme_mail_challenge['challenge_data'] }}
+ copy:
+ content: |-
+ {{ item.value['http-01']['resource_value'] }}
+ # yamllint disable-line rule:line-length
+ dest: /var/www/mail.shore.co.il/{{ item.value['http-01']['resource'] }}
+ group: www-data
+ mode: 0o0644
+ owner: root
+
+ - name: Validate mail challenge
+ acme_certificate:
+ account_email: |-
+ {{ email }}
+ account_key_src: *account_key_src
+ acme_directory: |-
+ {{ acme_directory }}
+ acme_version: |
+ {{ acme_version }}
+ challenge: http-01
+ csr: *mail_csr_src
+ data: "{{ acme_mail_challenge }}"
+ fullchain_dest: *mail_cert_src
+ modify_account: false
+ remaining_days: 35
+ select_crypto_backend: *crypto_backend
+
+ - name: Copy mail key, certificate to server
+ delegate_to: host01.shore.co.il
+ become: true
+ with_items:
+ - src: *mail_key_src
+ dest: /var/ssl/mail.key
+ mode: 0o0444
+ - src: *mail_cert_src
+ dest: /var/ssl/mail.crt
+ mode: 0o0444
+ copy:
+ src: |-
+ {{ item.src }}
+ dest: |-
+ {{ item.dest }}
+ mode: |-
+ {{ item.mode }}
+ owner: root
+ group: root
+ notify:
+ - Reload Dovecot
+ - Reload Exim
+ - Restart Nginx
+
+ - name: Generate Diffie-Hellman parameters
+ become: true
+ delegate_to: host01.shore.co.il
+ openssl_dhparam:
+ force: true
+ mode: 0o0644
+ path: /var/ssl/dhparams
+ size: 4096
+ state: present
+ notify:
+ - Reload Dovecot
+ - Restart Nginx
-- GitLab
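Review bot: The private keys are installed world-readable: in `Copy site key, certificate to server` and `Copy mail key, certificate to server` the key items set `mode: 0o0444` for `/var/ssl/site.key` and `/var/ssl/mail.key`, so any local account on host01 (or any container with that path mounted) can read them; the key entries should carry `mode: 0o0400` (or a group-readable mode with a dedicated group if the containers need it) while the certificate entries keep `0o0444`. Separately, `Generate Diffie-Hellman parameters` sets `force: true`, so every run regenerates 4096-bit parameters and fires the `Reload Dovecot` and `Restart Nginx` handlers even when no certificate changed; dropping `force: true` keeps the play idempotent and avoids a service restart on each run. `Create SSL directory on the server` is the one delegated task without `become: true` yet sets `owner: root` on `/var/ssl`, which presumably fails unless the remote user is already root. Finally, `account.key`, `site.csr` and `mail.csr` are resolved relative to the working directory while the keys and certificates use `{{ playbook_dir }}`, so running the playbook from another directory would generate a fresh account key and register a new ACME account; prefixing those three paths with `{{ playbook_dir }}/` makes them consistent.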