From ff15912f4ac493134dee50172e8842828f4f368d Mon Sep 17 00:00:00 2001
From: Adar Nimrod <nimrod@shore.co.il>
Date: Fri, 8 Jan 2021 20:12:01 +0200
Subject: [PATCH] Self-signed key and certificate for bootstrapping.

There's a chicken and egg issue with new servers, Nginx and Let's Encrypt. The Nginx setup expects an SSL key and certificate and DH params file. But the Let's Encrypt challenge has to have Nginx running. So as a bootstrap step, create an SSL key and self-signed certificate. Nginx will start (although clients over HTTPS will complain, the Let's Encrypt challenge requires just HTTP) and then I'll be able to pass the Let's Encrypt challenge.
---
 roles/debian_server/tasks/main.yml | 32 ++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/roles/debian_server/tasks/main.yml b/roles/debian_server/tasks/main.yml
index f9d4656..ef8bce5 100644
--- a/roles/debian_server/tasks/main.yml
+++ b/roles/debian_server/tasks/main.yml
@@ -37,6 +37,7 @@
   - fwupd
   - intel-microcode
   - libpam-mount-bin
+  - python3-cryptography
   - rsync
   - tmux
   - ufw
@@ -115,6 +116,37 @@
     path: /var/ssl
     state: directory
+# I know that I can use Ansible modules instead of calling OpenSSL directly, but
+# with the command module I can easily skip the task if the private key or the
+# certificate already exist. The point is to create an SSL and self-signed
+# certificate only as a bootstrap step. Once there is an existing (and assumed
+# valid) certificate, don't overwrite it.
+
+- name: Create private SSL key
+  command:
+    cmd: openssl genrsa -out /var/ssl/site.key 4096
+    creates: /var/ssl/site.key
+
+- name: Create SSL certificate
+  command:
+    cmd: >-
+      openssl
+      req
+      -x509
+      -out /var/ssl/site.crt
+      -nodes
+      -key /var/ssl/site.key
+      -batch
+    creates: /var/ssl/site.crt
+
+- name: Create Diffie-Hellman Parameters file
+  community.crypto.openssl_dhparam:
+    force: false
+    mode: 0o0644
+    path: /var/ssl/dhparams
+    size: 4096
+    state: present
+
 - name: Copy btrfs copy script
   copy:
     dest: /usr/local/sbin/btrfs-backup
--
GitLab
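Review bot: The "Create private SSL key" task never sets the mode of `/var/ssl/site.key`, while the dhparam task in the same hunk explicitly sets `mode: 0o0644`; whether the key ends up owner-only depends on the OpenSSL build (newer builds, I believe, create private key files 0600) and on the umask of the run, so the intent should be made explicit with a follow-up `file` task setting `mode: 0o0600` on `/var/ssl/site.key`. The `creates:` guard also deserves a comment: if a run is interrupted while the 4096-bit key is being generated, an empty or truncated `site.key` may be left behind, after which every later run skips the key task and fails at the certificate step, so note that the file must be removed by hand to retry, e.g. `# If key generation was interrupted, delete site.key before re-running.` Because `-days` is omitted, `openssl req -x509` uses its default validity of 30 days, which suits a bootstrap certificate but is worth stating in a comment such as `# Short-lived by design; the Let's Encrypt certificate is expected to replace it.` The tasks list this hunk belongs to starts outside the hunk, and `community.crypto.openssl_dhparam` needs the community.crypto collection on the controller, which this commit does not declare anywhere visible.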