ssl: Add External Account Binding support

This commit is contained in:
dogeystamp 2022-05-21 18:43:54 -04:00
parent 4a0b2102d7
commit 69b07c32c1
Signed by: dogeystamp
GPG Key ID: 7225FE3592EFFA38
3 changed files with 31 additions and 23 deletions


@ -89,6 +89,13 @@ interface: eth0
# Email to send renewal notices to # Email to send renewal notices to
acme_email: "{{ email }}" acme_email: "{{ email }}"
# ACME directory to use
# acme_dir: "https://acme-v02.api.letsencrypt.org/directory"
acme_dir: "https://acme.zerossl.com/v2/DV90"
# Algorithm for ACME External Account Binding
acme_eab_alg: HS256
### Mediawiki farm variables ### Mediawiki farm variables
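Review bot: The task changes in this commit read `acme_eab_key` and `acme_eab_kid` next to the new `acme_eab_alg`, but neither variable is declared or documented in this hunk, so a reader of this vars file cannot tell where the binding credentials are expected to come from (they may be defined in a part of the file outside the hunk). A commented placeholder pair would make that visible, e.g. `# EAB key ID and HMAC key issued by the CA; keep the key in ansible-vault, not here`, `# acme_eab_kid: ""`, `# acme_eab_key: ""`. The HMAC key is a credential, so it should not be committed in this plain vars file. It is also worth stating in the comment that the binding is only needed for directories that require it, since the commented-out Let's Encrypt directory above is left as an alternative.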


@ -9,7 +9,7 @@
- name: Create directories for ACME - name: Create directories for ACME
file: file:
path: "/etc/letsencrypt/{{ item }}" path: "/etc/ssl-acme/{{ item }}"
state: directory state: directory
owner: root owner: root
group: root group: root
@ -22,20 +22,20 @@
- name: Generate ACME account key - name: Generate ACME account key
community.crypto.openssl_privatekey: community.crypto.openssl_privatekey:
path: "/etc/letsencrypt/account/account.key" path: "/etc/ssl-acme/account/account.key"
- name: Generate ACME private key - name: Generate ACME private key
community.crypto.openssl_privatekey: community.crypto.openssl_privatekey:
path: "/etc/letsencrypt/keys/{{ domain }}.key" path: "/etc/ssl-acme/keys/{{ domain }}.key"
- name: Check if certificate exists - name: Check if certificate exists
stat: stat:
path: "/etc/letsencrypt/certs/{{ domain }}.crt" path: "/etc/ssl-acme/certs/{{ domain }}.crt"
register: cert_file register: cert_file
- name: Check if certificate is expired - name: Check if certificate is expired
community.crypto.x509_certificate_info: community.crypto.x509_certificate_info:
path: "/etc/letsencrypt/certs/{{ domain }}.crt" path: "/etc/ssl-acme/certs/{{ domain }}.crt"
valid_at: valid_at:
now: "+3w" now: "+3w"
register: result register: result
@ -61,37 +61,38 @@
- name: Create ACME account - name: Create ACME account
community.crypto.acme_account: community.crypto.acme_account:
account_key_src: /etc/letsencrypt/account/account.key account_key_src: /etc/ssl-acme/account/account.key
state: present state: present
allow_creation: yes allow_creation: yes
contact: contact:
- "mailto:{{ acme_email }}" - "mailto:{{ acme_email }}"
acme_directory: "https://acme-v02.api.letsencrypt.org/directory" acme_directory: "{{ acme_dir }}"
terms_agreed: 1 terms_agreed: 1
acme_version: 2 acme_version: 2
external_account_binding: {alg: "{{ acme_eab_alg }}", key: "{{ acme_eab_key }}", kid: "{{ acme_eab_kid }}"}
register: account register: account
when: cert_regen is defined when: cert_regen is defined
- name: Generate ACME CSR - name: Generate ACME CSR
community.crypto.openssl_csr: community.crypto.openssl_csr:
path: "/etc/letsencrypt/csrs/{{ domain }}.csr" path: "/etc/ssl-acme/csrs/{{ domain }}.csr"
common_name: "{{ domain }}" common_name: "{{ domain }}"
subject_alt_name: "DNS:{{ domain }}" subject_alt_name: "DNS:{{ domain }}"
privatekey_path: "/etc/letsencrypt/keys/{{ domain }}.key" privatekey_path: "/etc/ssl-acme/keys/{{ domain }}.key"
when: cert_regen is defined when: cert_regen is defined
- name: Retrieve ACME challenge - name: Retrieve ACME challenge
community.crypto.acme_certificate: community.crypto.acme_certificate:
acme_directory: "https://acme-v02.api.letsencrypt.org/directory" acme_directory: "{{ acme_dir }}"
acme_version: 2 acme_version: 2
account_key_src: /etc/letsencrypt/account/account.key account_key_src: /etc/ssl-acme/account/account.key
account_uri: "{{ account.account_uri }}" account_uri: "{{ account.account_uri }}"
account_email: "{{ acme_email }}" account_email: "{{ acme_email }}"
terms_agreed: 1 terms_agreed: 1
challenge: http-01 challenge: http-01
csr: "/etc/letsencrypt/csrs/{{ domain }}.csr" csr: "/etc/ssl-acme/csrs/{{ domain }}.csr"
dest: "/etc/letsencrypt/certs/{{ domain }}.crt" dest: "/etc/ssl-acme/certs/{{ domain }}.crt"
fullchain_dest: "/etc/letsencrypt/certs/fullchain_{{ domain }}.crt" fullchain_dest: "/etc/ssl-acme/certs/fullchain_{{ domain }}.crt"
remaining_days: 91 remaining_days: 91
register: acme_challenge register: acme_challenge
when: cert_regen is defined when: cert_regen is defined
@ -118,16 +119,16 @@
- name: Complete ACME challenge - name: Complete ACME challenge
community.crypto.acme_certificate: community.crypto.acme_certificate:
acme_directory: "https://acme-v02.api.letsencrypt.org/directory" acme_directory: "{{ acme_dir }}"
acme_version: 2 acme_version: 2
account_key_src: /etc/letsencrypt/account/account.key account_key_src: /etc/ssl-acme/account/account.key
account_email: "{{ acme_email }}" account_email: "{{ acme_email }}"
account_uri: "{{ account.account_uri }}" account_uri: "{{ account.account_uri }}"
challenge: http-01 challenge: http-01
terms_agreed: 1 terms_agreed: 1
csr: "/etc/letsencrypt/csrs/{{ domain }}.csr" csr: "/etc/ssl-acme/csrs/{{ domain }}.csr"
dest: "/etc/letsencrypt/certs/{{ domain }}.crt" dest: "/etc/ssl-acme/certs/{{ domain }}.crt"
fullchain_dest: "/etc/letsencrypt/certs/fullchain_{{ domain }}.crt" fullchain_dest: "/etc/ssl-acme/certs/fullchain_{{ domain }}.crt"
chain_dest: "/etc/letsencrypt/certs/chain_{{ domain }}.crt" chain_dest: "/etc/ssl-acme/certs/chain_{{ domain }}.crt"
data: "{{ acme_challenge }}" data: "{{ acme_challenge }}"
when: cert_regen is defined when: cert_regen is defined
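Review bot: The new `external_account_binding` line in the "Create ACME account" task passes the binding unconditionally, so switching `acme_dir` back to the commented-out Let's Encrypt directory now fails at templating unless `acme_eab_key` and `acme_eab_kid` are still defined; guarding the argument with `omit` keeps both directories usable. The same line is also a long single-line flow mapping, which the rest of the file avoids in favour of block style. Since `acme_eab_key` is an HMAC secret, the task's arguments would appear in verbose run output; `no_log: true` on the task suppresses that (at the cost of also hiding the module's error detail when account creation fails).
```yaml
- name: Create ACME account
  community.crypto.acme_account:
    # … unchanged: account_key_src, state, allow_creation, contact, acme_directory, terms_agreed, acme_version …
    # Only CAs that require External Account Binding need this; omit it when no key is configured
    external_account_binding: >-
      {{ {'alg': acme_eab_alg, 'key': acme_eab_key, 'kid': acme_eab_kid}
         if acme_eab_key is defined else omit }}
  # acme_eab_key is a credential; keep it out of -v task output
  no_log: true
  register: account
  when: cert_regen is defined
```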


@ -17,13 +17,13 @@ http { include mime.types;
server { server {
if ($host = {{ domain }}) { if ($host = {{ domain }}) {
return 301 https://$host$request_uri; return 301 https://$host$request_uri;
} # managed by Certbot }
} }
server { server {
ssl_certificate /etc/letsencrypt/certs/fullchain_{{ domain }}.crt; ssl_certificate /etc/ssl-acme/certs/fullchain_{{ domain }}.crt;
ssl_certificate_key /etc/letsencrypt/keys/{{ domain }}.key; ssl_certificate_key /etc/ssl-acme/keys/{{ domain }}.key;
ssl_session_cache shared:SSL:1m; ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m; ssl_session_timeout 5m;
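Review bot: Dropping `# managed by Certbot` leaves this template with no hint of what now produces the files under `/etc/ssl-acme`, so a reader cannot tell that the paths must stay in step with the Ansible ACME tasks changed in the same commit. A one-line comment above `ssl_certificate`, e.g. `# issued by the ACME tasks in this repository; paths must match fullchain_dest and the key path there`, would carry that link. The `ssl_certificate` and `ssl_certificate_key` values themselves are consistent with the `fullchain_dest` and key paths in the tasks hunk.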