author | Kelley Spoon <kelley.spoon@linaro.org> | 2018-09-07 15:56:37 -0500 |
---|---|---|
committer | Benjamin Copeland <ben.copeland@linaro.org> | 2018-09-11 11:24:39 +0000 |
commit | 677599d3ce9c176f740ae78d54ce34a845692dfe (patch) | |
tree | c8cbfaf377618340a762bfbea2755c0e5cc73739 | |
parent | 81a0e7233f0f2331abe03652bea2fae1cce79a27 (diff) |
Certbot: simplify use of snakeoil, support one cert per site
This change drops the "linaro_environment" var in favor
of "snakeoil" as a simple boolean. Instead of trying
to set the "ssl_*" vars it simply creates the path to
LE cert and symlinks to snakeoil.
Also updated to create independent certs for each
domain listed in "certbot_domains" instead of one for
all domains.
Change-Id: I29ceefe0b9ae790d29548cc41f90a9757638def2
Reviewed-on: https://review.linaro.org/28420
Reviewed-by: Riku Voipio <riku.voipio@linaro.org>
-rw-r--r-- | docs/README.ssl.md | 101
-rw-r--r-- | roles/certbot/handlers/main.yml | 3
-rw-r--r-- | roles/certbot/tasks/main.yml | 4
-rw-r--r-- | roles/certbot/tasks/snakeoil.yml | 22
4 files changed, 97 insertions, 33 deletions
diff --git a/docs/README.ssl.md b/docs/README.ssl.md index 7f4f069a..ffd452ce 100644 --- a/docs/README.ssl.md +++ b/docs/README.ssl.md 
@@ -1,12 +1,49 @@ -Overview -======== +Quickstart for Bootstrapping Certbot +===================================== + +1. Edit the apache config file and make sure the acme-challenge + code has been added to the port 80 vhost (see "Apache Config" below) + +2. Edit the host_vars for the server and set "certbot_domains" to a list of all hostnames that should have a certificate on the server + +3. Ensure that the 'certbot' role is called before the 'apache-site' role in + the playbook and has the "ssl" tag associated with it + +4. Install the apache configs (use --skip-tags ssl) to allow the acme-challenge + configs + +5. Ensure the acme-challenge exemption is working: + +cat hello > /srv/certbot/.well-known/acme-challenge/foo.txt +curl http://{{hostname}}/.well-known/acme-challenge/foo.txt + +6. Install 'certbot' role by itself (use --tags ssl to create the certs) + +Once the playbook has been successfully bootstrapped on the server, it will +no longer require any special action. + + +Certbot Renewal +=============== + +Part of the certbot install includes a cron job that runs every 12 hours +that calls "certbot renew". If a cert is within 30 days of expiring, it +will automatically renew. If you a see a 20 day or less warning that means +the cron job is failing for some reason. + +After fixing whatever the problem is, you can either run "certbot renew" as +root on the server, or you can simply run the playbook again with "--tags ssl". + + +Overview of all SSL Playbooks +============================= Our playbooks currently have five roles dedicated to setting up SSL certificates on a server. Most of these are obsolete and will be removed from our roles in the future, so please do not use them in any new development work. -- ssl +- certbot This is the currently preferred role for creating and maintaining ssl certs on a server. It installs the 'certbot' program from the PPA. 
@@ -15,7 +52,7 @@ in any new development work. - letsencrypt - Obsoleted by 'ssl'. Do not use. + Obsoleted by 'certbot'. Do not use. This role sets up and maintains a LetsEncrypt certificate for the server using the obsoleted 'letsencrypt' script provided by the EFF. 'letsencrypt' @@ -45,26 +82,21 @@ in any new development work. There should be nothing left dependent upon this role. -Details for the 'ssl' role - certbot support +Details for the 'certbot' role - certbot support ============================================ -The 'ssl' role will behave differently based on the setting of the -"linaro_environment" variable. If the variable is absent or set -to anything other than "testing", the role will: +The 'certbot' role will ensure that a cert/key pair for each FQDN +listed in the "certbot_domains" variable for the host is created on +the server. If the extra arg "snakeoil" is set to True, the certs will +be created and symlinked to the snakeoil cert. If it's not defined or +not set to True, the certbot program will be run and will either request +or renew LE certificates for each item in "certbot_domains". - - install the PPA for certbot - - run `certbot certificates` to examine the current settings - - if a domain is missing from the cert or the cert is not present, - it will run `certbot --apache certonly -d <domains> -e <email>` - to either create a new cert or renew an existing one - - finally it will set the following vars based on the information - gained from the output of `certbot certificates`: +The command that is run for each domain is: +certbot --apache certonly -d <domain> -e <email> - ssl_cert - ssl_key - ssl_ca (usually same as ssl_cert as it is a fullchain certificate) -The behavior of certbot may be influenced by setting the following vars: +The following host_vars may be set: certbot_domains: A list of domains that the cert will be valid for certbot_email: The email address to use when registering for a cert 
@@ -74,10 +106,29 @@ you need to add more hostnames, override the list in the host_vars for the server. -Details for the 'ssl' role - snakeoil support -============================================= +Apache Config +============= + +Ensure that the following directives exist in the port 80 vhost on the server: + + Alias "/.well-known/acme-challenge/" "/srv/certbot/.well-known/acme-challenge/" + <Directory "/srv/certbot/.well-known/acme-challenge/"> + Require all granted + </Directory> + +Next, make sure that an exemption is made for any redirect or rewrite rules for the /.well-known/acme-challenge/ URL + + * For mod_rewrite, use: + + RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/.*$ + + * For a redirect, use: + + RedirectMatch permanent \ + "^/(?!\.well-known/acme-challenge)(.*)" \ + "https://{{hostname}}/$1" + + * For a config with mod_proxy, use: + + ProxyPass /.well-known/acme-challenge/ ! -In order to ease testing and allow for setting up services in a dev environment -you may instruct this role to use the native snakeoil certs on the system -by setting the "linaro_environment" variable to "testing" through either -the ansible command line or temporarily inside of a hosts file. diff --git a/roles/certbot/handlers/main.yml b/roles/certbot/handlers/main.yml index 639ac6eb..e7acde15 100644 --- a/roles/certbot/handlers/main.yml +++ b/roles/certbot/handlers/main.yml @@ -1,4 +1,5 @@ --- #note: won't make a request if the cert isn't due for renewal or no new domains - name: run-certbot - command: certbot --expand --agree-tos -n certonly -m "{{certbot_email}}" -d "{{certbot_domains|join(',')}}" --webroot -w /srv/certbot + command: certbot --expand --agree-tos -n certonly -m "{{certbot_email}}" -d "{{item}}" --webroot -w /srv/certbot + with_items: "{{certbot_domains}}" diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml index 0a86e873..aea52159 100644 --- a/roles/certbot/tasks/main.yml +++ b/roles/certbot/tasks/main.yml 
@@ -1,8 +1,8 @@ --- - name: Include snakeoil cert settings include_tasks: snakeoil.yml - when: (linaro_environment is defined) and (linaro_environment == 'testing') + when: (snakeoil is defined) and (snakeoil == True) - name: Include certbot tasks include_tasks: certbot.yml - when: (linaro_environment is undefined) or (linaro_environment != 'testing') + when: (snakeoil is undefined) or (snakeoil != True) diff --git a/roles/certbot/tasks/snakeoil.yml b/roles/certbot/tasks/snakeoil.yml index 56f04ef5..ae638d80 100644 --- a/roles/certbot/tasks/snakeoil.yml +++ b/roles/certbot/tasks/snakeoil.yml @@ -1,6 +1,18 @@ --- -- name: Set ssl vars to point to self signed cert - set_fact: - ssl_cert: /etc/ssl/certs/ssl-cert-snakeoil.pem - ssl_key: /etc/ssl/private/ssl-cert-snakeoil.key - ssl_ca: /etc/ssl/certs/ssl-cert-snakeoil.pem +- name: Ensure certbot directory exists + file: + path: /etc/letsencrypt/live/{{item}} + state: directory + with_items: "{{certbot_domains}}" + +- name: Link LE cert to snakeoil cert + file: + src: /etc/ssl/certs/ssl-cert-snakeoil.pem + dest: /etc/letsencrypt/live/{{item}}/fullchain.pem + with_items: "{{certbot_domains}}" + +- name: Link LE key to snakeoil key + file: + src: /etc/ssl/certs/ssl-cert-snakeoil.key + dest: /etc/letsencrypt/live/{{item}}/privkey.pem + with_items: "{{certbot_domains}}" |
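Review bot: in the new Quickstart hunk of docs/README.ssl.md, step 5 tells the admin to run `cat hello > /srv/certbot/.well-known/acme-challenge/foo.txt`, which reads a file named `hello` instead of writing the string; it should be `echo hello > /srv/certbot/.well-known/acme-challenge/foo.txt`. The check should also say what success looks like (the curl returns `hello` over plain HTTP, not a redirect to https) and should end with `rm /srv/certbot/.well-known/acme-challenge/foo.txt`, since anything left in that directory is served to the world by the Alias added later in this patch. The renewal paragraph in the same hunk reads "If you a see a 20 day or less warning"; drop the stray "a".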
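Review bot: the "Details for the 'certbot' role" hunk documents the command as `certbot --apache certonly -d <domain> -e <email>`, but the handler changed in this same patch runs `certbot --expand --agree-tos -n certonly -m "{{certbot_email}}" -d "{{item}}" --webroot -w /srv/certbot`. `-e` is not certbot's email option (`-m`/`--email` is), and the role uses the webroot plugin rather than `--apache`, which is exactly why the Apache Config section that follows is needed; please paste the real handler command here so the two stop disagreeing. The same hunk says the certs are "symlinked to the snakeoil cert" when "the extra arg snakeoil is set to True", while the heading says these are host_vars; state which one is intended, because an extra-var given on the command line is a string and the `when:` in tasks/main.yml compares against the boolean `True`.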
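Review bot: in the Apache Config hunk, a `RewriteCond` only governs the single `RewriteRule` that immediately follows it, so `RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/.*$` has to be placed before every rewrite that would otherwise catch the challenge path, not added once per vhost; the doc should say that. This hunk also deletes the whole "snakeoil support" section without replacing it, so the README no longer tells a reader where the snakeoil links land (`/etc/letsencrypt/live/<domain>/fullchain.pem` and `privkey.pem` per the new snakeoil.yml) or that a later real certbot run on such a host will find those directories already populated; a short paragraph under the role details would cover it.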
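Review bot: the handler hunk in roles/certbot/handlers/main.yml keeps `--expand` even though each invocation now passes a single `-d "{{item}}"`, and it gives no migration path for hosts that already hold the old combined cert: certbot names a lineage after the first domain it was requested for, so `/etc/letsencrypt/live/<first domain>/` already exists and covers every name in `certbot_domains`. A single-name request for that domain is neither identical to nor an expansion of the existing lineage, so certbot will create a second lineage (suffixed `-0001`) rather than reuse the path the vhost points at, and both lineages then renew under the cron job. Passing `--cert-name "{{item}}"` makes the intended lineage explicit; either way the README should tell operators how to retire the combined lineage before the first per-domain run. The comment above the handler, "or no new domains", also no longer describes a one-domain command and should be reworded.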
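Review bot: in the roles/certbot/tasks/main.yml hunk, `when: (snakeoil is defined) and (snakeoil == True)` is only true for a real boolean, yet the commit message and README describe `snakeoil` as an extra arg; a value passed as `-e snakeoil=True` arrives as the string `'True'`, the condition is false, and the certbot branch runs against a host that was meant to get snakeoil certificates (which then fails for lack of a reachable ACME challenge). Use `when: snakeoil | default(false) | bool` on the snakeoil include and `when: not (snakeoil | default(false) | bool)` on the certbot include; that also removes the `is defined` / `is undefined` pairing, which is easy to leave inconsistent when a third branch is added later.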
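Review bot: the "Link LE key to snakeoil key" task in the snakeoil.yml hunk points `src` at `/etc/ssl/certs/ssl-cert-snakeoil.key`, but the key lives in `/etc/ssl/private/ssl-cert-snakeoil.key` (the removed `ssl_key:` line in this very hunk had the right path), so `privkey.pem` becomes a dangling symlink and Apache will refuse to start with the snakeoil pair. Both link tasks are also missing `state: link`; the `file` module documents `src` as applying only to `state: link` or `state: hard`, so the tasks should read `src: /etc/ssl/private/ssl-cert-snakeoil.key`, `dest: /etc/letsencrypt/live/{{item}}/privkey.pem`, `state: link` (and the same `state: link` for the fullchain link) rather than rely on an implicit default. Finally, the first task creates `/etc/letsencrypt/live/{{item}}` without `owner`, `group` or `mode`; since this is the directory a real certbot run later expects to own, set them explicitly (root, root, 0755 for `live`, and keep the private key reachable only by root) so a snakeoil host converted to real certs does not inherit surprising permissions.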