Commit fc872c9b authored by nimrod's avatar nimrod

Renew certs on ns4.

- Renew the certs for the hosts on ns4.
- Silence a few warnings from Ansible.
- Rely on debian_server for bootstrapping.
- Tag tasks for specific hosts.
parent 6186e30b
......@@ -6,44 +6,41 @@
become: false
gather_facts: false
vars:
email: nimrod@shore.co.il
email: hostmaster@shore.co.il
acme_directory: https://acme-v02.api.letsencrypt.org/directory
# acme_directory: https://acme-staging-v02.api.letsencrypt.org/directory
acme_version: 2
handlers:
- name: Restart Nginx
delegate_to: host01.shore.co.il
- name: Restart Nginx on host01
delegate_to: host01
command: docker restart web-proxy_proxy_1
- name: Restart Nginx on ns4
delegate_to: ns4
command: docker restart web-proxy_proxy_1
- name: Reload Exim
delegate_to: host01.shore.co.il
delegate_to: host01
command: docker kill --signal SIGHUP mail_smtp_1
- name: Reload Dovecot
delegate_to: host01.shore.co.il
delegate_to: host01
command: docker kill --signal SIGHUP mail_imap_1
tasks:
- name: Create SSL directory on the server
delegate_to: host01.shore.co.il
file:
group: root
mode: 0o0755
owner: root
path: /var/ssl
state: directory
- name: Generate account key
openssl_privatekey:
community.crypto.openssl_privatekey:
mode: 0o0600
path: &account_key_src account.key
size: 4096
state: present
type: RSA
tags:
- always
- name: Register account
acme_account:
community.crypto.acme_account:
account_key_src: *account_key_src
acme_directory: |-
{{ acme_directory }}
......@@ -54,34 +51,40 @@
select_crypto_backend: &crypto_backend cryptography
state: present
terms_agreed: true
tags:
- always
- name: Generate site key
openssl_privatekey:
community.crypto.openssl_privatekey:
mode: &mode 0o0600
path: &site_key_src |-
{{ playbook_dir }}/site.key
size: &size 4096
state: present
type: &type RSA
tags:
- ns4
- name: Generate site certificate signing request
openssl_csr:
common_name: &common_name shore.co.il
community.crypto.openssl_csr:
common_name: ns4.shore.co.il
country_name: &country_name IL
digest: &digest sha256
email_address: |-
{{ email }}
locality_name: &locality_name Haifa
locality_name: &locality_name Israel
organization_name: &organization_name Shore technologies
path: &site_csr_src site.csr
privatekey_path: *site_key_src
state: present
subject_alt_name: |-
DNS:shore.co.il,DNS:www.shore.co.il,DNS:autoconfig.shore.co.il,DNS:nextcloud.shore.co.il,DNS:git.shore.co.il,DNS:registry.shore.co.il
DNS:autoconfig.shore.co.il,DNS:registry.shore.co.il
register: acme_site_csr
tags:
- ns4
- name: Create site challenge
acme_certificate:
community.crypto.acme_certificate:
account_email: |-
{{ email }}
account_key_src: *account_key_src
......@@ -96,25 +99,31 @@
remaining_days: 35
select_crypto_backend: *crypto_backend
register: acme_site_challenge
tags:
- ns4
- name: Debug site challenge
debug:
var: acme_site_challenge
verbosity: 1
tags:
- ns4
- name: Renew site cert
when: acme_site_challenge is changed or acme_site_csr is changed
when: acme_site_challenge is changed
tags:
- ns4
block:
- name: Create ACME challenge directory
delegate_to: host01.shore.co.il
delegate_to: ns4
become: true
file:
path: /var/www/www.shore.co.il/.well-known/acme-challenge
state: directory
- name: Copy http-01 site challenge
delegate_to: host01.shore.co.il
delegate_to: ns4
become: true
with_dict: |
{{ acme_site_challenge['challenge_data'] }}
......@@ -128,7 +137,7 @@
owner: root
- name: Validate site challenge
acme_certificate:
community.crypto.acme_certificate:
account_email: |-
{{ email }}
account_key_src: *account_key_src
......@@ -145,7 +154,7 @@
select_crypto_backend: *crypto_backend
- name: Copy site key, certificate to server
delegate_to: host01.shore.co.il
delegate_to: ns4
become: true
with_items:
- src: *site_key_src
......@@ -164,19 +173,146 @@
owner: root
group: root
notify:
- Restart Nginx
- Restart Nginx on ns4
tags:
- ns4
- name: Generate host key
community.crypto.openssl_privatekey:
mode: *mode
path: &host_key_src |-
{{ playbook_dir }}/host.key
size: *size
state: present
type: *type
tags:
- host01
- name: Generate host certificate signing request
community.crypto.openssl_csr:
common_name: ns1.shore.co.il
country_name: *country_name
digest: *digest
email_address: |-
{{ email }}
locality_name: *locality_name
organization_name: *organization_name
path: &host_csr_src host.csr
privatekey_path: *host_key_src
state: present
subject_alt_name: |-
DNS:shore.co.il,DNS:www.shore.co.il,DNS:nextcloud.shore.co.il,DNS:git.shore.co.il
register: acme_host_csr
tags:
- host01
- name: Create host challenge
community.crypto.acme_certificate:
account_email: |-
{{ email }}
account_key_src: *account_key_src
acme_directory: |-
{{ acme_directory }}
acme_version: |
{{ acme_version }}
csr: *host_csr_src
fullchain_dest: &host_cert_src |-
{{ playbook_dir }}/host.crt
modify_account: false
remaining_days: 35
select_crypto_backend: *crypto_backend
register: acme_host_challenge
tags:
- host01
- name: Debug host challenge
debug:
var: acme_host_challenge
verbosity: 1
tags:
- host01
- name: Renew host cert
when: acme_host_challenge is changed
tags:
- host01
block:
- name: Create ACME challenge directory
delegate_to: host01
become: true
file:
path: /var/www/www.shore.co.il/.well-known/acme-challenge
state: directory
- name: Copy http-01 host challenge
delegate_to: host01
become: true
with_dict: |
{{ acme_host_challenge['challenge_data'] }}
copy:
content: |-
{{ item.value['http-01']['resource_value'] }}
# yamllint disable-line rule:line-length
dest: /var/www/www.shore.co.il/{{ item.value['http-01']['resource'] }}
group: www-data
mode: 0o0644
owner: root
- name: Validate host challenge
community.crypto.acme_certificate:
account_email: |-
{{ email }}
account_key_src: *account_key_src
acme_directory: |-
{{ acme_directory }}
acme_version: |
{{ acme_version }}
challenge: http-01
csr: *host_csr_src
data: "{{ acme_host_challenge }}"
fullchain_dest: *host_cert_src
modify_account: false
remaining_days: 35
select_crypto_backend: *crypto_backend
- name: Copy host key, certificate to server
delegate_to: host01
become: true
with_items:
- src: *host_key_src
dest: /var/ssl/site.key
mode: 0o0444
- src: *host_cert_src
dest: /var/ssl/site.crt
mode: 0o0444
copy:
src: |-
{{ item.src }}
dest: |-
{{ item.dest }}
mode: |-
{{ item.mode }}
owner: root
group: root
notify:
- Restart Nginx on host01
tags:
- mail
- name: Generate mail key
openssl_privatekey:
community.crypto.openssl_privatekey:
mode: *mode
path: &mail_key_src |-
{{ playbook_dir }}/mail.key
size: *size
state: present
type: *type
tags:
- mail
- name: Generate mail certificate signing request
openssl_csr:
community.crypto.openssl_csr:
common_name: smtp.shore.co.il
country_name: *country_name
digest: *digest
......@@ -190,9 +326,11 @@
subject_alt_name: |-
DNS:smtp.shore.co.il,DNS:imap.shore.co.il,DNS:mta-sts.shore.co.il
register: acme_mail_csr
tags:
- mail
- name: Create mail challenge
acme_certificate:
community.crypto.acme_certificate:
account_email: |-
{{ email }}
account_key_src: *account_key_src
......@@ -207,25 +345,31 @@
remaining_days: 35
select_crypto_backend: *crypto_backend
register: acme_mail_challenge
tags:
- mail
- name: Debug mail challenge
debug:
var: acme_mail_challenge
verbosity: 1
tags:
- mail
- name: Renew mail cert
when: acme_mail_challenge is changed or acme_mail_csr is changed
when: acme_mail_challenge is changed
tags:
- mail
block:
- name: Create ACME challenge directory
delegate_to: host01.shore.co.il
delegate_to: host01
become: true
file:
path: /var/www/mail.shore.co.il/.well-known/acme-challenge
state: directory
- name: Copy http-01 mail challenge
delegate_to: host01.shore.co.il
delegate_to: host01
become: true
with_dict: |
{{ acme_mail_challenge['challenge_data'] }}
......@@ -239,7 +383,7 @@
owner: root
- name: Validate mail challenge
acme_certificate:
community.crypto.acme_certificate:
account_email: |-
{{ email }}
account_key_src: *account_key_src
......@@ -256,7 +400,7 @@
select_crypto_backend: *crypto_backend
- name: Copy mail key, certificate to server
delegate_to: host01.shore.co.il
delegate_to: host01
become: true
with_items:
- src: *mail_key_src
......@@ -277,12 +421,14 @@
notify:
- Reload Dovecot
- Reload Exim
- Restart Nginx
- Restart Nginx on host01
tags:
- mail
- name: Generate Diffie-Hellman parameters
- name: Generate Diffie-Hellman parameters on host01
become: true
delegate_to: host01.shore.co.il
openssl_dhparam:
delegate_to: host01
community.crypto.openssl_dhparam:
force: true
mode: 0o0644
path: /var/ssl/dhparams
......@@ -290,4 +436,21 @@
state: present
notify:
- Reload Dovecot
- Restart Nginx
- Restart Nginx on host01
tags:
- mail
- host01
- name: Generate Diffie-Hellman parameters on ns4
become: true
delegate_to: host01
community.crypto.openssl_dhparam:
force: true
mode: 0o0644
path: /var/ssl/dhparams
size: 4096
state: present
notify:
- Restart Nginx on ns4
tags:
- ns4
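Review bot: The new "Generate Diffie-Hellman parameters on ns4" task still carries `delegate_to: host01` (the line right after its `become: true`), so it regenerates /var/ssl/dhparams on host01 a second time and then only notifies "Restart Nginx on ns4", while ns4 itself never receives the parameters; the line should read `delegate_to: ns4`. Both dhparam tasks also keep `force: true`, which redoes a 4096-bit generation on every run and fires the Nginx restart handler each time; dropping it would make the module generate only when the file is absent, if that is the intended behaviour. In the "Copy host key, certificate to server" task the private key lands at /var/ssl/site.key with `mode: 0o0444`, i.e. world-readable on host01; a restrictive mode such as `0o0440` owned by the group the proxy container runs as would be preferable, noting this appears to mirror the earlier site-copy task whose mode lines fall outside the hunk. The `tags: - mail` that follows that task's `notify` is inconsistent with the `host01` tag on the enclosing "Renew host cert" block and looks copied from the mail section, so a `--tags mail` run would likely pull in the host01 key copy; it should presumably be `- host01`.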