SSL with existing keys
parent
ef5a7bf756
commit
11c98ab145
15
doc/ssl.md
15
doc/ssl.md
|
@ -18,11 +18,26 @@ Cert/Key pairs
|
|||
This list have 3 mandatory keys:
|
||||
|
||||
- `name`: MUST be unique
|
||||
|
||||
- `key`: content of the private key
|
||||
- `cert`: content of the public key
|
||||
|
||||
OR
|
||||
|
||||
- `dest_cert`: remote path where certificate is located
|
||||
- `dest_key`: remote path where key is located
|
||||
|
||||
|
||||
Note: `name` is used to deploy key/cert. With defaults values dans `name` = "foo", key is -> /etc/nginx/ssl/foo/foo.key
|
||||
|
||||
Tips
|
||||
----
|
||||
|
||||
Deploying key/cert is not mandatory with this role. You can manage it in other place ([letsencrypt](https://letsencrypt.org/)? :)). You just need to set `dest_cert` and `dest_key`!
|
||||
|
||||
If you set all, you can deploy your key everywhere with wanted data!
|
||||
|
||||
|
||||
Diffie-Hellman
|
||||
--------------
|
||||
|
||||
|
|
|
@ -19,18 +19,21 @@
|
|||
path="{{ nginx_ssl_dir + '/' + item.name }}"
|
||||
state=directory
|
||||
with_items: nginx_ssl_pairs
|
||||
when: item.dest_key is not defined or item.dest_cert is not defined
|
||||
|
||||
- name: COPY | Deploy SSL keys
|
||||
copy: >
|
||||
content="{{ item.key }}"
|
||||
dest="{{ nginx_ssl_dir + '/' + item.name + '/' + item.name + '.key' }}"
|
||||
dest="{{ nginx_ssl_dir + '/' + item.name + '/' + item.name + '.key' if item.dest_key is not defined else item.dest_key }}"
|
||||
with_items: nginx_ssl_pairs
|
||||
when: item.key is defined
|
||||
notify: reload nginx
|
||||
|
||||
- name: COPY | Deploy SSL certs
|
||||
copy: >
|
||||
content="{{ item.cert }}"
|
||||
dest="{{ nginx_ssl_dir + '/' + item.name + '/' + item.name + '.crt' }}"
|
||||
dest="{{ nginx_ssl_dir + '/' + item.name + '/' + item.name + '.crt' if item.dest_cert is not defined else item.dest_cert }}"
|
||||
with_items: nginx_ssl_pairs
|
||||
when: item.cert is defined
|
||||
notify: reload nginx
|
||||
|
||||
|
|
|
@ -11,8 +11,8 @@
|
|||
{%- endmacro %}
|
||||
{% macro ssl(ssl_name) %}
|
||||
{% for sn in nginx_ssl_pairs if sn.name == ssl_name %}
|
||||
ssl_certificate {{ nginx_ssl_dir + '/' + ssl_name + '/' + ssl_name + '.crt' }};
|
||||
ssl_certificate_key {{ nginx_ssl_dir + '/' + ssl_name + '/' + ssl_name + '.key' }};
|
||||
ssl_certificate {{ nginx_ssl_dir + '/' + ssl_name + '/' + ssl_name + '.crt' if sn.dest_cert is not defined else sn.dest_cert }};
|
||||
ssl_certificate_key {{ nginx_ssl_dir + '/' + ssl_name + '/' + ssl_name + '.key' if sn.dest_key is not defined else sn.dest_key }};
|
||||
{% endfor %}
|
||||
{%- endmacro %}
|
||||
#
|
||||
|
|
|
@ -0,0 +1,19 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDHTCCAgWgAwIBAgIJAJzUwbFlhyxIMA0GCSqGSIb3DQEBCwUAMCUxIzAhBgNV
|
||||
BAMMGnRlc3Qtc3NsLXByZWRlcGxveWVkLmxvY2FsMB4XDTE2MDExMjE2MDUxNVoX
|
||||
DTI2MDEwOTE2MDUxNVowJTEjMCEGA1UEAwwadGVzdC1zc2wtcHJlZGVwbG95ZWQu
|
||||
bG9jYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDm4q94vffiU89G
|
||||
GO7rjDfr3C32tH9sM5sXqJT+7N5BLYLF0iSRIvy33MtwFu//TV3f+8nLlQuHYVVk
|
||||
L6NEvaL8lh+nRexCQ/y+aXMh7lMhuwPXGgPR1LXsTqyDXbmV9c7k/Kwx5qHAcOb9
|
||||
d9YzmcOSO4M9v3WMl/4Zw2J7zNYruypxNBgFEwFx3NJ3AztACMYoVOIR5mS8ARX6
|
||||
xea4ddii1F41Vch+eiCGP9VZwDhEujhjy9PXvdBtYNwggM6d82Df9wwaFyIW5DU4
|
||||
PhpgAngvE2keY0GLy/LaXa6LAW+TCfPMRT2RtDuvqWr+useWF+O3n81TZqM/G7LV
|
||||
9iPxkkRNAgMBAAGjUDBOMB0GA1UdDgQWBBSzXW5UY02/S0xrrobZCVOhas6VeDAf
|
||||
BgNVHSMEGDAWgBSzXW5UY02/S0xrrobZCVOhas6VeDAMBgNVHRMEBTADAQH/MA0G
|
||||
CSqGSIb3DQEBCwUAA4IBAQC0+Tr0w9aG4f3LG3+WRGKfMopKICNEkA7JrPrvVUq8
|
||||
7UgtdrpOUZAL5AKxVVo1rHDdoL/VpjdqHdhyPzaSUl8hppCFsWmdQh4wLKGoyvcN
|
||||
AqSGpXTeLSoFJ357F2OIQpXm2lfT2fVGebwyCNFkwpp7klFnmOusSl2/v5Y5cz+A
|
||||
WvWrDg3jsNglx3mNLVcjbOSnen2PsZSmcVo27D0el6oDju8jjstyJ+Dvu0WP+CDL
|
||||
s/VolFdbei7d4r2dj86OZ/BCZurltyc0wI3NMOdUuA7q4f1MPTRu7qr/ua5ItK92
|
||||
Avc+Gjn/Y/aIhzKpPicJQDK6FzxjfhCc8xtk0EjB4IpP
|
||||
-----END CERTIFICATE-----
|
|
@ -0,0 +1,28 @@
|
|||
-----BEGIN PRIVATE KEY-----
|
||||
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDm4q94vffiU89G
|
||||
GO7rjDfr3C32tH9sM5sXqJT+7N5BLYLF0iSRIvy33MtwFu//TV3f+8nLlQuHYVVk
|
||||
L6NEvaL8lh+nRexCQ/y+aXMh7lMhuwPXGgPR1LXsTqyDXbmV9c7k/Kwx5qHAcOb9
|
||||
d9YzmcOSO4M9v3WMl/4Zw2J7zNYruypxNBgFEwFx3NJ3AztACMYoVOIR5mS8ARX6
|
||||
xea4ddii1F41Vch+eiCGP9VZwDhEujhjy9PXvdBtYNwggM6d82Df9wwaFyIW5DU4
|
||||
PhpgAngvE2keY0GLy/LaXa6LAW+TCfPMRT2RtDuvqWr+useWF+O3n81TZqM/G7LV
|
||||
9iPxkkRNAgMBAAECggEAEEeZkczrRpUcP1gQuKEZbFMJFqUhevKkk+V6JAN1pGje
|
||||
GK65j1ZFNX2nBo9Hetvsq5doYidvOat+RuMpAvbQIDlBoBzJDN8YWiC7UoAocm9q
|
||||
VOdrr4btEO13MogQRuefH/xE8/vMGfKcBvFFNDw6UvxJQ7hVRIWPECf7sLj/vPOC
|
||||
OpMKghxcabQqidMPKyyHVPhQjuIvqW/SqBFpD+Ul0Ja1QGdx+p+/EwVmXnei6Kr8
|
||||
/ypULreHqIlBLD6McfFehxDV0m5U7qXb5xK3zdUurIhZixKLjbdRrorNInfEvlOh
|
||||
vDy+hsF5GSzvn9dRrMAy/QcRPpXU47VNYZ5BfdCBTQKBgQD8VCbdpG5siXSlIjZd
|
||||
xypgK1ttp8udTPWC1trnAc+Ku9O+cGmvABxYJA1iR/GDpSfMxglB7OhSecywKrr+
|
||||
S7Yjs9e/dyBmvF7U15JJaGp+db2Ct64z7MvqkwSJ5a0qrrZJRFetDdqdH9FPvURs
|
||||
B147jbKsPiGcljjXbZlOBHJH9wKBgQDqPqoA3VqYOmvR7Ei8/skY2EOpFpOhSNko
|
||||
ARFwUsDNHRk677URH97TCHq5UrwubfCeIcIptXHrMfaTsfq8vPLPykReIMRaknxf
|
||||
DULJPHSoeBLrCAZmaWF1JVyYhrLhHNAzQ3u7a/kYIJm87FEZy3Ml6FSZmIGbRBqx
|
||||
zqZYKoHs2wKBgQD469tbk7cLg556uYGAidYYAS20w29uwlkAtgxFD9g6OIjuud7I
|
||||
MQfFO+uoJOjwwaC9ti+zxY56roVq1PybmP0Zw3T3AQIJ15KFzhQWLte/4U8PATzt
|
||||
JJEV2+sCTn3COZDCPpVvttcPYjAOxdwV5j7j6Sl2GeT2oIt6mjg+asyCiQKBgQDk
|
||||
LPxu8TBRfv8OMqs8Jrf/EpL9/7b48bxOwpOZJZMXelPcXCm1r6TfTrA1HAmg9Ijh
|
||||
kKLQ/CUm5Ll7b3B+L1Qa4r2sLyD11SF/eaxn2BMPFD/hYCTT160ObsF+9h8DN4z7
|
||||
kq3RiMDRJth69nuds9fLwj++ipcdhr62G0VgNq/u5wKBgCz/I5J3tPNjrU9YampR
|
||||
0gNnUkUfJWbiVMsG9uwL9l0L/ZzQHvELJ523QXQ0v/e/szHCyoX319u8HEQlC0Jw
|
||||
Twlj81HDZzruDUB/mcH6Ee3zHKOmmF6ma+CgoYJJElKW89MUttPdmkH2J1QqLz+7
|
||||
EGREwqjr8/wm22DzKNiyDXJ0
|
||||
-----END PRIVATE KEY-----
|
|
@ -12,6 +12,9 @@
|
|||
register: sf
|
||||
- pause: seconds=5
|
||||
when: sf.changed
|
||||
- file: path=/etc/ansible-ssl state=directory
|
||||
- copy: src=file/test.crt dest=/etc/ansible-ssl/test.crt
|
||||
- copy: src=file/test.key dest=/etc/ansible-ssl/test.key
|
||||
vars:
|
||||
nginx_backports: true
|
||||
nginx_php: true
|
||||
|
@ -36,6 +39,9 @@
|
|||
users: []
|
||||
state: 'absent'
|
||||
nginx_ssl_pairs:
|
||||
- name: 'test-ssl-predeployed.local'
|
||||
dest_key: /etc/ansible-ssl/test.key
|
||||
dest_cert: /etc/ansible-ssl/test.crt
|
||||
- name: 'test-ssl.local'
|
||||
key: |
|
||||
-----BEGIN RSA PRIVATE KEY-----
|
||||
|
@ -141,6 +147,10 @@
|
|||
proto: ['http', 'https']
|
||||
template: '_base'
|
||||
ssl_name: 'test-ssl.local'
|
||||
- name: 'test-ssl-predeployed.local'
|
||||
proto: ['http', 'https']
|
||||
template: '_base'
|
||||
ssl_name: 'test-ssl-predeployed.local'
|
||||
roles:
|
||||
- ../../
|
||||
post_tasks:
|
||||
|
@ -151,7 +161,7 @@
|
|||
with_items: ['test-php.local', 'test-php-index.local']
|
||||
- name: -- Add HTML file --
|
||||
copy: dest="{{ item }}/index.html" content="Index HTML test OK\n"
|
||||
with_items: ['{{ nginx_root }}/test.local/public', '/var/tmp', '{{ nginx_root }}/test-htpasswd-all.local/public', '{{ nginx_root }}/test-ssl.local/public']
|
||||
with_items: ['{{ nginx_root }}/test.local/public', '/var/tmp', '{{ nginx_root }}/test-htpasswd-all.local/public', '{{ nginx_root }}/test-ssl.local/public', '{{ nginx_root }}/test-ssl-predeployed.local/public']
|
||||
- name: -- VERIFY VHOSTS --
|
||||
command: "curl -H 'Host: {{ item.name if item.name is string else item.name[0] }}' http://127.0.0.1{% if item.listen is defined %}:{{ item.listen[0] }}{% endif %}/"
|
||||
with_items: nginx_vhosts
|
||||
|
@ -200,7 +210,10 @@
|
|||
register: authbpc
|
||||
failed_when: authbpc.stdout.find('BackupPC Server Status') == -1
|
||||
- name: -- VERIFY SSL --
|
||||
command: "curl --insecure -H 'Host: test-ssl.local' https://127.0.0.1/"
|
||||
command: "curl --insecure -H 'Host: {{ item }}' https://127.0.0.1/"
|
||||
changed_when: false
|
||||
failed_when: authok.stdout.find('Index HTML test OK') != -1
|
||||
with_items:
|
||||
- 'test-ssl-predeployed.local'
|
||||
- 'test-ssl.local'
|
||||
|
||||
|
|
Loading…
Reference in New Issue