From 08577a263651f154abb19081f0dc8b18e0f535a5 Mon Sep 17 00:00:00 2001
From: Stefan Haun
Date: Sun, 7 Mar 2021 16:31:39 +0100
Subject: [PATCH 1/3] Add a role that sets up an Apache site for Dehydrated validation
---
 roles/setup-http-dehydrated/handlers/main.yml | 5 ++++
 roles/setup-http-dehydrated/meta/main.yml | 3 ++
 roles/setup-http-dehydrated/tasks/main.yml | 12 ++++++++
 .../templates/apache-dehydrated.j2 | 30 +++++++++++++++++++
 4 files changed, 50 insertions(+)
 create mode 100644 roles/setup-http-dehydrated/handlers/main.yml
 create mode 100644 roles/setup-http-dehydrated/meta/main.yml
 create mode 100644 roles/setup-http-dehydrated/tasks/main.yml
 create mode 100644 roles/setup-http-dehydrated/templates/apache-dehydrated.j2
diff --git a/roles/setup-http-dehydrated/handlers/main.yml b/roles/setup-http-dehydrated/handlers/main.yml
new file mode 100644
index 0000000..670471f
--- /dev/null
+++ b/roles/setup-http-dehydrated/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: restart apache2
+ service:
+ name: apache2
+ state: restarted
diff --git a/roles/setup-http-dehydrated/meta/main.yml b/roles/setup-http-dehydrated/meta/main.yml
new file mode 100644
index 0000000..5eff279
--- /dev/null
+++ b/roles/setup-http-dehydrated/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+- role: ansible-role-dehydrated
diff --git a/roles/setup-http-dehydrated/tasks/main.yml b/roles/setup-http-dehydrated/tasks/main.yml
new file mode 100644
index 0000000..a6f1650
--- /dev/null
+++ b/roles/setup-http-dehydrated/tasks/main.yml
@@ -0,0 +1,12 @@
+---
+- name: Add or update Apache2 site
+ template:
+ src: templates/apache-dehydrated.j2
+ dest: /etc/apache2/sites-available/{{ site_name }}.conf
+ notify: restart apache2
+
+- name: Activate Apache2 site
+ command: a2ensite {{ site_name }}
+ args:
+ creates: /etc/apache2/sites-enabled/{{ site_name }}.conf
+ notify: restart apache2
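Review bot: `state: restarted` in the `restart apache2` handler stops the listener for every vhost on the host and, if the freshly rendered site file has a syntax error, leaves apache2 down — taking the :80 vhost that the HTTP-01 challenge depends on with it. The template task notifies this handler on every change with no config test in between, so a graceful reload is the safer default: `state: reloaded` (on Debian-family hosts the reload goes through `apachectl graceful`, which runs the configtest first and keeps the running configuration up when the new file is broken). If a hard restart is genuinely required, a preceding `command: apache2ctl configtest` task would catch the bad file before the service is bounced.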
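Review bot: `command: a2ensite {{ site_name }}` in the Activate task interpolates an unquoted variable into the argument string; the command module splits it with shlex, so a `site_name` containing whitespace or quote characters yields a different command than intended, and the same variable also forms the paths under `sites-available`/`sites-enabled`, where a value with `/` or `..` would write outside those directories. The variable is presumably operator-supplied inventory data rather than untrusted input, but nothing enforces that contract; `command: a2ensite {{ site_name | quote }}` (or `argv: ["a2ensite", "{{ site_name }}"]`) fixes the splitting, and a preceding `assert: { that: site_name is match('^[A-Za-z0-9.-]+$') }` makes the hostname-only expectation explicit. The template task would also benefit from explicit `owner: root`, `group: root`, `mode: "0644"` so the rendered vhost file's permissions do not depend on the remote umask.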
diff --git a/roles/setup-http-dehydrated/templates/apache-dehydrated.j2 b/roles/setup-http-dehydrated/templates/apache-dehydrated.j2 new file mode 100644 index 0000000..fe5faad --- /dev/null +++ b/roles/setup-http-dehydrated/templates/apache-dehydrated.j2 @@ -0,0 +1,30 @@ + + ServerAdmin {{ server_admin }} + ServerName {{ site_name }} + ServerAlias {{ site_name }} + ErrorLog /var/log/apache2/{{ site_name }}-error.log + CustomLog /var/log/apache2/{{ site_name }}-access.log common + + Alias /.well-known/acme-challenge /usr/local/etc/dehydrated/challenge + + + + + ServerAdmin {{ server_admin }} + ServerName {{ site_name }} + ServerAlias {{ site_name }} + + ErrorLog /var/log/apache2/{{ site_name }}-error.log + CustomLog /var/log/apache2/{{ site_name }}-access.log common + + SSLEngine on + SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown + SSLCertificateFile /usr/local/etc/dehydrated/certs/{{ site_name }}/cert.pem + SSLCertificateKeyFile /usr/local/etc/dehydrated/certs/{{ site_name }}/privkey.pem + SSLCertificateChainFile /usr/local/etc/dehydrated/certs/{{ site_name }}/chain.pem + + Alias /.well-known/acme-challenge /usr/local/etc/dehydrated/challenge + + Redirect 404 / + + From 9fe4d808c21b57cff18f2523e9e0907cb8ca4f7d Mon Sep 17 00:00:00 2001 From: Stefan Haun Date: Thu, 11 Mar 2021 22:20:31 +0100 Subject: [PATCH 2/3] Use well-known dir from dehydrated role --- roles/setup-http-dehydrated/templates/apache-dehydrated.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/setup-http-dehydrated/templates/apache-dehydrated.j2 b/roles/setup-http-dehydrated/templates/apache-dehydrated.j2 index fe5faad..f641bfb 100644 --- a/roles/setup-http-dehydrated/templates/apache-dehydrated.j2 +++ b/roles/setup-http-dehydrated/templates/apache-dehydrated.j2 
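Review bot: The `Alias /.well-known/acme-challenge /usr/local/etc/dehydrated/challenge` in both vhosts points outside DocumentRoot and no `<Directory>` grant for that path is visible in the hunk, so under Debian's default `<Directory /> Require all denied` the CA's challenge fetch would receive 403 instead of the token (the VirtualHost/Directory container tags appear to have been stripped from this rendering, so confirm against the file). A `<Directory>` block with `Require all granted` plus `Options None` and `AllowOverride None` next to the alias fixes that without exposing anything beyond the token directory. Separately, the :443 vhost references `cert.pem`/`privkey.pem` that only exist after dehydrated has issued a certificate for `{{ site_name }}`; if the handler restarts apache2 before that, the whole server — including the :80 vhost the HTTP-01 validation depends on — fails to start, so consider guarding the :443 block (a `stat`-driven `{% if %}` in the template, or `<IfFile>` on Apache 2.4.34+). Also note that mod_alias documents `Redirect` as taking precedence over `Alias` regardless of order, so `Redirect 404 /` most likely shadows the :443 alias; harmless for HTTP-01, which is validated over :80, but worth a comment if that alias is meant to work.
```apache
    Alias /.well-known/acme-challenge /usr/local/etc/dehydrated/challenge
    <Directory /usr/local/etc/dehydrated/challenge>
        Options None
        AllowOverride None
        Require all granted
    </Directory>
    # … unchanged: rest of the :80 vhost …
```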
@@ -5,7 +5,7 @@ ErrorLog /var/log/apache2/{{ site_name }}-error.log CustomLog /var/log/apache2/{{ site_name }}-access.log common - Alias /.well-known/acme-challenge /usr/local/etc/dehydrated/challenge + Alias /.well-known/acme-challenge {{ dehydrated_wellknown_dir }} @@ -23,7 +23,7 @@ SSLCertificateKeyFile /usr/local/etc/dehydrated/certs/{{ site_name }}/privkey.pem SSLCertificateChainFile /usr/local/etc/dehydrated/certs/{{ site_name }}/chain.pem - Alias /.well-known/acme-challenge /usr/local/etc/dehydrated/challenge + Alias /.well-known/acme-challenge {{ dehydrated_wellknown_dir }} Redirect 404 / From f8f5981a8dce6227a3edf6e36e3b845789805274 Mon Sep 17 00:00:00 2001 From: Stefan Haun Date: Thu, 11 Mar 2021 22:24:35 +0100 Subject: [PATCH 3/3] Use certs dir from dehydrated role --- .../setup-http-dehydrated/templates/apache-dehydrated.j2 | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/setup-http-dehydrated/templates/apache-dehydrated.j2 b/roles/setup-http-dehydrated/templates/apache-dehydrated.j2 index f641bfb..8fe69d3 100644 --- a/roles/setup-http-dehydrated/templates/apache-dehydrated.j2 +++ b/roles/setup-http-dehydrated/templates/apache-dehydrated.j2 @@ -8,7 +8,7 @@ Alias /.well-known/acme-challenge {{ dehydrated_wellknown_dir }} - + ServerAdmin {{ server_admin }} ServerName {{ site_name }} @@ -19,9 +19,9 @@ SSLEngine on SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown - SSLCertificateFile /usr/local/etc/dehydrated/certs/{{ site_name }}/cert.pem - SSLCertificateKeyFile /usr/local/etc/dehydrated/certs/{{ site_name }}/privkey.pem - SSLCertificateChainFile /usr/local/etc/dehydrated/certs/{{ site_name }}/chain.pem + SSLCertificateFile {{dehydrated_certs_dir}}/{{ site_name }}/cert.pem + SSLCertificateKeyFile {{dehydrated_certs_dir}}/{{ site_name }}/privkey.pem + SSLCertificateChainFile {{dehydrated_certs_dir}}/{{ site_name }}/chain.pem Alias /.well-known/acme-challenge {{ dehydrated_wellknown_dir }}
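Review bot: The rewritten certificate lines in the `@@ -19,9 +19,9 @@` hunk still use `SSLCertificateChainFile`, which Apache deprecated in 2.4.8 in favour of pointing `SSLCertificateFile` at a file containing the full chain; dehydrated writes exactly that as `fullchain.pem` beside `cert.pem`, so `SSLCertificateFile {{ dehydrated_certs_dir }}/{{ site_name }}/fullchain.pem` with the ChainFile line dropped is the supported form on current Apache. The new lines also spell the variable as `{{dehydrated_certs_dir}}` while every other expansion in the template uses `{{ site_name }}`-style spacing; worth normalising while the lines are being touched. The `-`/`+` pair in the `@@ -8,7 +8,7 @@` hunk has no visible content in this rendering, so what changed on that line cannot be reviewed here.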