source: darkpeak-services/roles/tls/tasks/configure-tls-cert.yml @ 04d89726

Last change on this file since 04d89726 was 04d89726, checked in by Mat Booth <mat.booth@…>, 2 years ago

Workaround certificate requisition problem when domain is null

# Any service that needs read access to a certificate or its private key must
# run as a system user that is a member of the "ssl-cert" group: the key files
# and their directories below are readable/traversable by that group only.
# Enable stretch-backports so a newer certbot can be installed from it.
# The mirror is plain http; what apt installs is still protected by the
# archive signature check, not by the transport.
# NOTE(review): stretch is long EOL and its suites have moved to the
# archive mirrors — confirm this mirror still serves stretch-backports.
- name: Add stretch-backports
  apt_repository:
    repo: 'deb http://mirror.bytemark.co.uk/debian stretch-backports main'
    state: present

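# The Debian ssl-cert package is what creates the "ssl-cert" group (and
# /etc/ssl/private) that the certificate tasks below grant access to, so it
# has to be present before any of them run.
# Booleans are written as true/false (YAML 1.1 "yes" is a typing trap).
- name: Install ssl-cert package
  apt:
    name: ssl-cert
    state: present
    update_cache: true
    cache_valid_time: 10800   # 3 hours; skip the refresh if the cache is newer
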
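# certbot is pinned to the backports suite rather than stretch main.
# Booleans are written as true/false (YAML 1.1 "yes" is a typing trap).
- name: Install CertBot from backports
  apt:
    name: certbot
    default_release: stretch-backports
    state: present
    update_cache: true
    cache_valid_time: 10800   # 3 hours; skip the refresh if the cache is newer
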
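# Directory owned by root but group www-data — presumably the web server's
# group, so it can serve this path as the ACME http-01 webroot; confirm
# against the vhost configuration. World-readable is fine: nothing secret
# lives here. The mode is quoted so YAML does not parse it as a number.
- name: Create certbot www directory
  file:
    path: /usr/share/certbot
    owner: root
    group: www-data
    state: directory
    mode: "0755"
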
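# Directories that hold private keys: root-owned, traversable (0710) by the
# ssl-cert group so services in that group can reach the key and cert files,
# not listable or enterable by anyone else.
# The guard covers domain being undefined, null or "": a plain
# `domain != ""` is true for null (None != "" in Jinja), which would leave
# "None" in the paths, and errors outright when the variable is undefined.
# NOTE(review): live/<domain> and archive/<domain> are certbot's own lineage
# layout; if certbot later finds live/<domain> already present it may create
# a "<domain>-0001" lineage instead — confirm the issuance step handles that.
- name: Ensure private directories for TLS certs have correct permissions
  file:
    path: "{{ item }}"
    state: directory
    owner: root
    group: ssl-cert
    mode: "0710"
  with_items:
    - "/etc/ssl/private"
    - "/etc/letsencrypt/archive/{{ domain }}"
    - "/etc/letsencrypt/live/{{ domain }}"
  when: domain | default('', true) | length > 0
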
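# Record whether a certificate is already in place (certbot-issued or from an
# earlier run) so the self-signed placeholder is only installed on a fresh
# host and never clobbers a real one.
# Guard is null/undefined-safe: `domain != ""` alone is true for null.
- name: Check for already installed certificate
  stat:
    path: "/etc/letsencrypt/live/{{ domain }}/fullchain.pem"
  register: tls_cert
  when: domain | default('', true) | length > 0
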
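# Placeholder self-signed certificate so the service can start with TLS
# before certbot has issued a real one. Never overwrites an existing cert.
# Condition order matters: Ansible evaluates a `when` list in order and stops
# at the first false entry. If the stat task was skipped, `tls_cert` has no
# `stat` key and `not tls_cert.stat.exists` raises instead of skipping, so
# the domain guard (and an `is defined` check) must come first.
# NOTE(review): src is keyed on domain_name while dest uses domain — confirm
# this is intentional (one cert shared per domain_name) and not a typo.
- name: Install self-signed TLS certificate
  copy:
    src: "../../tls/files/ssl/{{ domain_name }}.pem"
    dest: "/etc/letsencrypt/live/{{ domain }}/fullchain.pem"
    owner: root
    group: ssl-cert
    mode: "0640"
  when:
    - domain | default('', true) | length > 0
    - tls_cert.stat is defined
    - not tls_cert.stat.exists
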
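# Record whether a private key is already in place so the placeholder key is
# only installed on a fresh host and never replaces a certbot-issued one.
# Guard is null/undefined-safe: `domain != ""` alone is true for null.
- name: Check for already installed key
  stat:
    path: "/etc/letsencrypt/live/{{ domain }}/privkey.pem"
  register: tls_key
  when: domain | default('', true) | length > 0
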
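# Private key for the placeholder certificate: root:ssl-cert 0640, so only
# root and ssl-cert group members can read it.
# Condition order matters: Ansible evaluates a `when` list in order and stops
# at the first false entry. If the stat task was skipped, `tls_key` has no
# `stat` key and `not tls_key.stat.exists` raises instead of skipping, so
# the domain guard (and an `is defined` check) must come first.
# NOTE(review): this key is shipped from the role's files/ directory, which is
# presumably in version control in the clear. A key that every checkout can
# read is not really private; consider keeping it vault-encrypted or
# generating the placeholder key on the host instead.
- name: Install self-signed TLS certificate key
  copy:
    src: "../../tls/files/ssl/{{ domain_name }}.key"
    dest: "/etc/letsencrypt/live/{{ domain }}/privkey.pem"
    owner: root
    group: ssl-cert
    mode: "0640"
  when:
    - domain | default('', true) | length > 0
    - tls_key.stat is defined
    - not tls_key.stat.exists
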
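# Stable paths under /etc/ssl/private for services to reference. They point
# into the letsencrypt live directory, so whatever is there (placeholder or
# certbot-issued) is picked up without a service config change.
# force: true lets the link be created even if src does not exist yet, and
# replaces a regular file already sitting at dest.
# Guard is null/undefined-safe: `domain != ""` alone is true for null.
- name: Install symlinks to TLS certificate and key
  file:
    src: "/etc/letsencrypt/live/{{ item.src }}"
    dest: "/etc/ssl/private/{{ item.dest }}"
    owner: root
    group: ssl-cert
    state: link
    force: true
  with_items:
    - { src: "{{ domain }}/fullchain.pem", dest: "{{ domain }}.pem" }
    - { src: "{{ domain }}/privkey.pem",   dest: "{{ domain }}.key" }
  when: domain | default('', true) | length > 0
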