Changeset 77d34521 in darkpeak-services


Timestamp:
Nov 7, 2018, 10:52:57 AM (2 years ago)
Author:
Mat Booth <mat.booth@…>
Branches:
keycloak, master
Children:
c310e3b3
Parents:
2e67303e
Message:

tls: Actually hook up the darkpeak_certbot_wrapper script
for generating SAN certs when domains have aliases

Fixes #57

Location:
roles
Files:
2 added
3 edited

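--- a/roles/apache2/tasks/configure-apache-site.yml
+++ b/roles/apache2/tasks/configure-apache-site.yml
@@ -71,6 +71,6 @@
     - not letsencrypt_live.stat.exists
 
-- name: Request letsencrypt certificate via certbot
-  command: "certbot certonly --non-interactive -m certificate@darkpeak.org --agree-tos --webroot -w /usr/share/certbot -d \"{{ domain }}\" --cert-name \"{{ domain }}\""
+- name: Request letsencrypt SAN certificate via certbot for the domain and its aliases
+  command: "/usr/sbin/darkpeak_certbot_wrapper {{ domain }} {{ domain_alias }}"
   when:
     - development_mode != true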
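Review bot: The new `command` on line 74 interpolates `{{ domain_alias }}` with no default, so a host whose vars define only `domain` (all the previous command needed) would now fail this task at template-render time instead of requesting a single-name certificate. Since the wrapper walks its arguments with `for domain in "$@"`, the value must also render as whitespace-separated names — a YAML list would arrive as one bracketed argument — so if aliases are kept as a list the safer form is `{{ domain_alias | default([]) | join(' ') }}`, otherwise `{{ domain_alias | default('') }}`. The task now also depends on `/usr/sbin/darkpeak_certbot_wrapper` having been installed by the tls role before the apache2 role runs; the page shows no role dependency declaring that order, so it is worth confirming. The task's `when` list may continue past the end of the hunk.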
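--- a/roles/tls/files/darkpeak_certbot_wrapper
+++ b/roles/tls/files/darkpeak_certbot_wrapper
@@ -6,7 +6,11 @@
 for domain in "$@" ; do
         if [ -z "$params" ] ; then
-                params="--cert-name \"$domain\""
+                params="--cert-name $domain"
         fi
-        params="$params -d \"$domain\""
+        if [[ "$domain" =~ ^\*.* ]] ; then
+                echo "WARNING: Can't have wildcard domains in the SAN cert, excluding $domain" > 2
+        else
+                params="$params -d $domain"
+        fi
 done
 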
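Review bot: The redirection on new line 11, `> 2`, writes the warning to a file named `2` in the current working directory rather than to stderr; it should read `echo "WARNING: Can't have wildcard domains in the SAN cert, excluding $domain" >&2`. As written the message is never seen and, when the script is run from Ansible's command module, a stray file called `2` is left in whatever cwd the remote task uses. Separately, the wildcard test on line 10 only guards the `-d` entries: if the first argument is itself a wildcard, the `-z "$params"` branch on line 8 still accepts it as `--cert-name`, so certbot can be invoked with a cert name and no subject names — moving that check inside the `else` branch would close the gap. The line that finally expands `$params` is outside the hunk, so how the now-unquoted names reach certbot cannot be confirmed from here.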
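--- a/roles/tls/tasks/configure-tls-cert.yml
+++ b/roles/tls/tasks/configure-tls-cert.yml
@@ -2,24 +2,5 @@
 # the service runs as should be a member of the "ssl-cert" group.
 
-- name: Add stretch-backports
-  apt_repository:
-    repo: "deb http://mirror.bytemark.co.uk/debian stretch-backports main"
-
-- name: Install ssl-cert package
-  apt:
-    name: ssl-cert
-    state: present
-    update_cache: yes
-    cache_valid_time: 10800   # 3 hours
-
-- name: Install CertBot from backports
-  apt:
-    name: certbot
-    default_release: stretch-backports
-    state: present
-    update_cache: yes
-    cache_valid_time: 10800   # 3 hours
-
-- name: Create certbot www directory
+- name: Create certbot www directory where tokens can be made available
   file:
     path: /usr/share/certbot
@@ -37,5 +18,4 @@
     mode: 0710
   with_items:
-    - "/etc/ssl/private"
     - "/etc/letsencrypt/archive/{{ domain }}"
     - "/etc/letsencrypt/live/{{ domain }}"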
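Review bot: The header comment kept on line 2 still tells the reader that the service account should be a member of the `ssl-cert` group, but the task that installed the `ssl-cert` package (which provides that group) is removed from this file by the first hunk, together with the backports and certbot install tasks, and the second hunk drops `/etc/ssl/private` from the directory loop. Presumably these moved into one of the two added files this page does not show; if so, the comment should point there, e.g. `# ssl-cert, certbot and /etc/ssl/private are now set up in <new task file>`, and if not, the wrapper the apache2 role now invokes has no certbot to call. The `file` task that starts on new line 4 continues into the gap between the two hunks, so its loop variable and ownership settings are not visible here.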