2016-01-12 18:14:36 +07:00
|
|
|
SSL/TLS Management
|
|
|
|
==================
|
|
|
|
|
|
|
|
You can put all this variables in a separated vault file.
|
|
|
|
|
|
|
|
Variables
|
|
|
|
---------
|
|
|
|
|
|
|
|
- `nginx_dh`: DH content
|
|
|
|
- `nginx_dh_length`: DH key length (default is 2048)
|
|
|
|
- `nginx_dh_path`: file localation
|
|
|
|
- `nginx_ssl_dir`: directory where you install your SSL/TLS keys
|
|
|
|
- `nginx_ssl_pairs`
|
|
|
|
|
|
|
|
Cert/Key pairs
|
|
|
|
--------------
|
|
|
|
|
2018-04-20 14:32:46 +07:00
|
|
|
Each pair must have a `name`.
|
|
|
|
Note: `name` is used to deploy key/cert. With defaults values dans `name` = "foo", key is -> /etc/nginx/ssl/foo/foo.key
|
|
|
|
|
|
|
|
### Content mode
|
2016-01-12 18:14:36 +07:00
|
|
|
|
2018-04-20 14:32:46 +07:00
|
|
|
Key/Cert content is stored in variable. Usefull with vault.
|
2016-01-12 23:26:30 +07:00
|
|
|
|
2016-01-12 18:14:36 +07:00
|
|
|
- `key`: content of the private key
|
|
|
|
- `cert`: content of the public key
|
|
|
|
|
2018-04-20 14:32:46 +07:00
|
|
|
### Remote file
|
|
|
|
|
|
|
|
You can use these variables if you use another task/role to manages your certificates.
|
2016-01-12 23:26:30 +07:00
|
|
|
|
|
|
|
- `dest_cert`: remote path where certificate is located
|
|
|
|
- `dest_key`: remote path where key is located
|
|
|
|
|
2018-04-20 14:32:46 +07:00
|
|
|
### Self signed
|
|
|
|
|
|
|
|
Create a self-signed pair and deploy it. Do not use this feature in production.
|
|
|
|
|
|
|
|
- `self_signed`: set true to use this featrure
|
|
|
|
- `force`: optional feature (default: false), force regen pair (not idempotent)
|
|
|
|
|
|
|
|
### Acme
|
|
|
|
|
|
|
|
Uses acme.sh to create free certificates. It uses HTTP-01 challenge. Use this feature for standalone servers.
|
|
|
|
|
|
|
|
- `acme`: set true to use this feature. It uses `name` (can be a string or string list).
|
|
|
|
|
|
|
|
Have a look to [acme configuratuion](acme.md configuration).
|
2016-01-12 18:14:36 +07:00
|
|
|
|
2016-01-12 23:26:30 +07:00
|
|
|
Tips
|
|
|
|
----
|
|
|
|
|
2018-04-20 14:32:46 +07:00
|
|
|
- In `nginx_sites`, `ssl_name` is mandatory. This role will search in `nginx_ssl_pairs` with site `name` (first in list if it's a list).
|
2016-01-12 23:26:30 +07:00
|
|
|
|
2016-01-12 18:14:36 +07:00
|
|
|
Diffie-Hellman
|
|
|
|
--------------
|
|
|
|
|
|
|
|
If you do not specify any dh param, this role auto generates it.
|
|
|
|
|
|
|
|
Example
|
|
|
|
-------
|
|
|
|
|
2016-03-15 01:27:51 +07:00
|
|
|
```yaml
|
2017-04-25 17:27:08 +07:00
|
|
|
nginx_sites;
|
2016-01-12 18:14:36 +07:00
|
|
|
- name: 'test-ssl.local'
|
|
|
|
proto: ['http', 'https']
|
|
|
|
template: '_base'
|
|
|
|
ssl_name: 'mysuperkey'
|
2016-11-07 23:22:14 +07:00
|
|
|
- name: 'test-ssl2.local'
|
|
|
|
proto: ['http', 'https']
|
|
|
|
template: '_base'
|
2017-12-03 04:22:28 +07:00
|
|
|
- name: 'test-ssl3.local'
|
|
|
|
proto: ['http', 'https']
|
|
|
|
template: '_base'
|
2018-04-20 14:32:46 +07:00
|
|
|
- name: 'test-self-signed.local'
|
|
|
|
proto: ['http', 'https']
|
|
|
|
template: '_base'
|
|
|
|
ssl_name: 'this.is.self.signed'
|
2016-01-12 18:14:36 +07:00
|
|
|
|
|
|
|
nginx_ssl_pairs:
|
|
|
|
- name: mysuperkey
|
|
|
|
key: |
|
|
|
|
-----BEGIN RSA PRIVATE KEY-----
|
|
|
|
....(snip)....
|
|
|
|
-----END RSA PRIVATE KEY-----
|
|
|
|
cert: |
|
|
|
|
-----BEGIN CERTIFICATE-----
|
|
|
|
....(snip)....
|
|
|
|
-----END CERTIFICATE-----
|
2016-11-07 23:22:14 +07:00
|
|
|
- name: test-ssl2.local
|
2017-12-03 04:22:28 +07:00
|
|
|
acme: true
|
2018-04-20 14:32:46 +07:00
|
|
|
- name: this.is.self.signed
|
|
|
|
self_signed: true
|
|
|
|
force: false
|
2016-01-12 18:14:36 +07:00
|
|
|
```
|
|
|
|
|