Self-signed key and certificate for bootstrapping.

There's a chicken and egg issue with new servers, Nginx and Let's Encrypt. The Nginx setup expects an SSL key and certificate and DH params file. But the Let's Encrypt challenge has to have Nginx running. So as a bootstrap step, create an SSL key and self-signed certificate. Nginx will start (although clients over HTTPS will complain, the Let's Encrypt challenge requires just HTTP) and then I'll be able to pass the Let's Encrypt challenge.

Self-signed key and certificate for bootstrapping.
ff15912f · nimrod · e2f14cef · ff15912f
Commit ff15912f authored 4 years ago by nimrod
--- a/roles/debian_server/tasks/main.yml
+++ b/roles/debian_server/tasks/main.yml
@@ -37,6 +37,7 @@
      - fwupd
      - intel-microcode
      - libpam-mount-bin
+      - python3-cryptography
      - rsync
      - tmux
      - ufw
@@ -115,6 +116,37 @@
    path: /var/ssl
    state: directory
+# I know that I can use Ansible modules instead of calling OpenSSL directly, but
+# with the command module I can easily skip the task if the private key or the
+# certificate already exist. The point is to create an SSL and self-signed
+# certificate only as a bootstrap step. Once there is an existing (and assumed
+# valid) certificate, don't overwrite it.
+- name: Create private SSL key
+  command:
+    cmd: openssl genrsa -out /var/ssl/site.key 4096
+    creates: /var/ssl/site.key
+- name: Create SSL certificate
+  command:
+    cmd: >-
+      openssl
+      req
+      -x509
+      -out /var/ssl/site.crt
+      -nodes
+      -key /var/ssl/site.key
+      -batch
+    creates: /var/ssl/site.crt
+- name: Create Diffie-Hellman Parameters file
+  community.crypto.openssl_dhparam:
+    force: false
+    mode: 0o0644
+    path: /var/ssl/dhparams
+    size: 4096
+    state: present
 - name: Copy btrfs copy script
  copy:
    dest: /usr/local/sbin/btrfs-backup