diff --git a/doc/ssl.md b/doc/ssl.md index 04b8614..48636dd 100644 --- a/doc/ssl.md +++ b/doc/ssl.md @@ -18,11 +18,26 @@ Cert/Key pairs This list have 3 mandatory keys: - `name`: MUST be unique + - `key`: content of the private key - `cert`: content of the public key +OR + +- `dest_cert`: remote path where certificate is located +- `dest_key`: remote path where key is located + + Note: `name` is used to deploy key/cert. With defaults values dans `name` = "foo", key is -> /etc/nginx/ssl/foo/foo.key +Tips +---- + +Deploying key/cert is not mandatory with this role. You can manage it in other place ([letsencrypt](https://letsencrypt.org/)? :)). You just need to set `dest_cert` and `dest_key`! + +If you set all, you can deploy your key everywhere with wanted data! + + Diffie-Hellman -------------- diff --git a/tasks/ssl.yml b/tasks/ssl.yml index 6fc1a29..cf409c8 100644 --- a/tasks/ssl.yml +++ b/tasks/ssl.yml @@ -19,18 +19,21 @@ path="{{ nginx_ssl_dir + '/' + item.name }}" state=directory with_items: nginx_ssl_pairs + when: item.dest_key is not defined or item.dest_cert is not defined - name: COPY | Deploy SSL keys copy: > content="{{ item.key }}" - dest="{{ nginx_ssl_dir + '/' + item.name + '/' + item.name + '.key' }}" + dest="{{ nginx_ssl_dir + '/' + item.name + '/' + item.name + '.key' if item.dest_key is not defined else item.dest_key }}" with_items: nginx_ssl_pairs + when: item.key is defined notify: reload nginx - name: COPY | Deploy SSL certs copy: > content="{{ item.cert }}" - dest="{{ nginx_ssl_dir + '/' + item.name + '/' + item.name + '.crt' }}" + dest="{{ nginx_ssl_dir + '/' + item.name + '/' + item.name + '.crt' if item.dest_cert is not defined else item.dest_cert }}" with_items: nginx_ssl_pairs + when: item.cert is defined notify: reload nginx diff --git a/templates/etc/nginx/sites-available/_base.j2 b/templates/etc/nginx/sites-available/_base.j2 index 0ba5c16..1832667 100644 --- a/templates/etc/nginx/sites-available/_base.j2 
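Review bot: The `COPY | Deploy SSL keys` task writes private-key material with the copy module's default permissions, and now that `dest` can be any `item.dest_key` the resulting file is typically left world-readable under the default umask; add `mode=0600` to the folded `copy: >` arguments (the `file` task above it could likewise take `mode=0700` for the directory). The same gap exists in the `copy: src=file/test.key` line added to tests/test.yml. `no_log: true` on the key task is also worth considering, since a run with `--diff` prints the key content. One case the new `when` conditions do not cover: when both `item.key` and `item.dest_key` are set, nothing creates the parent directory of `dest_key`, so the copy fails unless that directory already exists.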
+++ b/templates/etc/nginx/sites-available/_base.j2 @@ -11,8 +11,8 @@ {%- endmacro %} {% macro ssl(ssl_name) %} {% for sn in nginx_ssl_pairs if sn.name == ssl_name %} - ssl_certificate {{ nginx_ssl_dir + '/' + ssl_name + '/' + ssl_name + '.crt' }}; - ssl_certificate_key {{ nginx_ssl_dir + '/' + ssl_name + '/' + ssl_name + '.key' }}; + ssl_certificate {{ nginx_ssl_dir + '/' + ssl_name + '/' + ssl_name + '.crt' if sn.dest_cert is not defined else sn.dest_cert }}; + ssl_certificate_key {{ nginx_ssl_dir + '/' + ssl_name + '/' + ssl_name + '.key' if sn.dest_key is not defined else sn.dest_key }}; {% endfor %} {%- endmacro %} # diff --git a/tests/file/test.crt b/tests/file/test.crt new file mode 100644 index 0000000..363d156 --- /dev/null +++ b/tests/file/test.crt @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDHTCCAgWgAwIBAgIJAJzUwbFlhyxIMA0GCSqGSIb3DQEBCwUAMCUxIzAhBgNV +BAMMGnRlc3Qtc3NsLXByZWRlcGxveWVkLmxvY2FsMB4XDTE2MDExMjE2MDUxNVoX +DTI2MDEwOTE2MDUxNVowJTEjMCEGA1UEAwwadGVzdC1zc2wtcHJlZGVwbG95ZWQu +bG9jYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDm4q94vffiU89G +GO7rjDfr3C32tH9sM5sXqJT+7N5BLYLF0iSRIvy33MtwFu//TV3f+8nLlQuHYVVk +L6NEvaL8lh+nRexCQ/y+aXMh7lMhuwPXGgPR1LXsTqyDXbmV9c7k/Kwx5qHAcOb9 +d9YzmcOSO4M9v3WMl/4Zw2J7zNYruypxNBgFEwFx3NJ3AztACMYoVOIR5mS8ARX6 +xea4ddii1F41Vch+eiCGP9VZwDhEujhjy9PXvdBtYNwggM6d82Df9wwaFyIW5DU4 +PhpgAngvE2keY0GLy/LaXa6LAW+TCfPMRT2RtDuvqWr+useWF+O3n81TZqM/G7LV +9iPxkkRNAgMBAAGjUDBOMB0GA1UdDgQWBBSzXW5UY02/S0xrrobZCVOhas6VeDAf +BgNVHSMEGDAWgBSzXW5UY02/S0xrrobZCVOhas6VeDAMBgNVHRMEBTADAQH/MA0G +CSqGSIb3DQEBCwUAA4IBAQC0+Tr0w9aG4f3LG3+WRGKfMopKICNEkA7JrPrvVUq8 +7UgtdrpOUZAL5AKxVVo1rHDdoL/VpjdqHdhyPzaSUl8hppCFsWmdQh4wLKGoyvcN +AqSGpXTeLSoFJ357F2OIQpXm2lfT2fVGebwyCNFkwpp7klFnmOusSl2/v5Y5cz+A +WvWrDg3jsNglx3mNLVcjbOSnen2PsZSmcVo27D0el6oDju8jjstyJ+Dvu0WP+CDL +s/VolFdbei7d4r2dj86OZ/BCZurltyc0wI3NMOdUuA7q4f1MPTRu7qr/ua5ItK92 +Avc+Gjn/Y/aIhzKpPicJQDK6FzxjfhCc8xtk0EjB4IpP +-----END CERTIFICATE----- 
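Review bot: The path-resolution expression on the two changed `ssl_certificate`/`ssl_certificate_key` lines duplicates the one in tasks/ssl.yml, so the default `nginx_ssl_dir/name/name.crt` layout now lives in four places that must be kept in sync by hand. Inside the `for` loop `sn.name == ssl_name`, so one `{% set %}` per file keeps the directive lines short, e.g. `{% set crt = sn.dest_cert if sn.dest_cert is defined else nginx_ssl_dir + '/' + sn.name + '/' + sn.name + '.crt' %}`, the same for the key, then `ssl_certificate {{ crt }};`. If `dest_cert`/`dest_key` name a file that is not present on the host, nginx will most likely reject the configuration at `reload nginx` time; the role does not check for that, which may be acceptable but deserves a sentence in doc/ssl.md.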
diff --git a/tests/file/test.key b/tests/file/test.key new file mode 100644 index 0000000..7fbe267 --- /dev/null +++ b/tests/file/test.key @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDm4q94vffiU89G +GO7rjDfr3C32tH9sM5sXqJT+7N5BLYLF0iSRIvy33MtwFu//TV3f+8nLlQuHYVVk +L6NEvaL8lh+nRexCQ/y+aXMh7lMhuwPXGgPR1LXsTqyDXbmV9c7k/Kwx5qHAcOb9 +d9YzmcOSO4M9v3WMl/4Zw2J7zNYruypxNBgFEwFx3NJ3AztACMYoVOIR5mS8ARX6 +xea4ddii1F41Vch+eiCGP9VZwDhEujhjy9PXvdBtYNwggM6d82Df9wwaFyIW5DU4 +PhpgAngvE2keY0GLy/LaXa6LAW+TCfPMRT2RtDuvqWr+useWF+O3n81TZqM/G7LV +9iPxkkRNAgMBAAECggEAEEeZkczrRpUcP1gQuKEZbFMJFqUhevKkk+V6JAN1pGje +GK65j1ZFNX2nBo9Hetvsq5doYidvOat+RuMpAvbQIDlBoBzJDN8YWiC7UoAocm9q +VOdrr4btEO13MogQRuefH/xE8/vMGfKcBvFFNDw6UvxJQ7hVRIWPECf7sLj/vPOC +OpMKghxcabQqidMPKyyHVPhQjuIvqW/SqBFpD+Ul0Ja1QGdx+p+/EwVmXnei6Kr8 +/ypULreHqIlBLD6McfFehxDV0m5U7qXb5xK3zdUurIhZixKLjbdRrorNInfEvlOh +vDy+hsF5GSzvn9dRrMAy/QcRPpXU47VNYZ5BfdCBTQKBgQD8VCbdpG5siXSlIjZd +xypgK1ttp8udTPWC1trnAc+Ku9O+cGmvABxYJA1iR/GDpSfMxglB7OhSecywKrr+ +S7Yjs9e/dyBmvF7U15JJaGp+db2Ct64z7MvqkwSJ5a0qrrZJRFetDdqdH9FPvURs +B147jbKsPiGcljjXbZlOBHJH9wKBgQDqPqoA3VqYOmvR7Ei8/skY2EOpFpOhSNko +ARFwUsDNHRk677URH97TCHq5UrwubfCeIcIptXHrMfaTsfq8vPLPykReIMRaknxf +DULJPHSoeBLrCAZmaWF1JVyYhrLhHNAzQ3u7a/kYIJm87FEZy3Ml6FSZmIGbRBqx +zqZYKoHs2wKBgQD469tbk7cLg556uYGAidYYAS20w29uwlkAtgxFD9g6OIjuud7I +MQfFO+uoJOjwwaC9ti+zxY56roVq1PybmP0Zw3T3AQIJ15KFzhQWLte/4U8PATzt +JJEV2+sCTn3COZDCPpVvttcPYjAOxdwV5j7j6Sl2GeT2oIt6mjg+asyCiQKBgQDk +LPxu8TBRfv8OMqs8Jrf/EpL9/7b48bxOwpOZJZMXelPcXCm1r6TfTrA1HAmg9Ijh +kKLQ/CUm5Ll7b3B+L1Qa4r2sLyD11SF/eaxn2BMPFD/hYCTT160ObsF+9h8DN4z7 +kq3RiMDRJth69nuds9fLwj++ipcdhr62G0VgNq/u5wKBgCz/I5J3tPNjrU9YampR +0gNnUkUfJWbiVMsG9uwL9l0L/ZzQHvELJ523QXQ0v/e/szHCyoX319u8HEQlC0Jw +Twlj81HDZzruDUB/mcH6Ee3zHKOmmF6ma+CgoYJJElKW89MUttPdmkH2J1QqLz+7 +EGREwqjr8/wm22DzKNiyDXJ0 +-----END PRIVATE KEY----- diff --git a/tests/test.yml b/tests/test.yml index 114c862..8587574 100644 --- a/tests/test.yml 
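Review bot: A PEM private key checked into the repository, even a throwaway one for tests, will be flagged by secret scanners (push protection, gitleaks and similar) in every future clone; if it stays, a comment next to the `copy: src=file/test.key` task in tests/test.yml stating that the pair is a self-signed test fixture with no other use will save triage time. If the notBefore/notAfter fields in tests/file/test.crt are decoded correctly, the certificate is valid from 2016-01-12 to 2026-01-09, so the fixture has a shelf life; generating the pair at test time with a self-signed request avoids both the scanner hits and the expiry. The `curl --insecure` in the verify task means the expiry will not break the test itself, so this is about hygiene rather than a failing build.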
+++ b/tests/test.yml @@ -12,6 +12,9 @@ register: sf - pause: seconds=5 when: sf.changed + - file: path=/etc/ansible-ssl state=directory + - copy: src=file/test.crt dest=/etc/ansible-ssl/test.crt + - copy: src=file/test.key dest=/etc/ansible-ssl/test.key vars: nginx_backports: true nginx_php: true @@ -36,6 +39,9 @@ users: [] state: 'absent' nginx_ssl_pairs: + - name: 'test-ssl-predeployed.local' + dest_key: /etc/ansible-ssl/test.key + dest_cert: /etc/ansible-ssl/test.crt - name: 'test-ssl.local' key: | -----BEGIN RSA PRIVATE KEY----- @@ -141,6 +147,10 @@ proto: ['http', 'https'] template: '_base' ssl_name: 'test-ssl.local' + - name: 'test-ssl-predeployed.local' + proto: ['http', 'https'] + template: '_base' + ssl_name: 'test-ssl-predeployed.local' roles: - ../../ post_tasks: @@ -151,7 +161,7 @@ with_items: ['test-php.local', 'test-php-index.local'] - name: -- Add HTML file -- copy: dest="{{ item }}/index.html" content="Index HTML test OK\n" - with_items: ['{{ nginx_root }}/test.local/public', '/var/tmp', '{{ nginx_root }}/test-htpasswd-all.local/public', '{{ nginx_root }}/test-ssl.local/public'] + with_items: ['{{ nginx_root }}/test.local/public', '/var/tmp', '{{ nginx_root }}/test-htpasswd-all.local/public', '{{ nginx_root }}/test-ssl.local/public', '{{ nginx_root }}/test-ssl-predeployed.local/public'] - name: -- VERIFY VHOSTS -- command: "curl -H 'Host: {{ item.name if item.name is string else item.name[0] }}' http://127.0.0.1{% if item.listen is defined %}:{{ item.listen[0] }}{% endif %}/" with_items: nginx_vhosts @@ -200,7 +210,10 @@ register: authbpc failed_when: authbpc.stdout.find('BackupPC Server Status') == -1 - name: -- VERIFY SSL -- - command: "curl --insecure -H 'Host: test-ssl.local' https://127.0.0.1/" + command: "curl --insecure -H 'Host: {{ item }}' https://127.0.0.1/" changed_when: false failed_when: authok.stdout.find('Index HTML test OK') != -1 + with_items: + - 'test-ssl-predeployed.local' + - 'test-ssl.local'
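Review bot: The looped `VERIFY SSL` task never registers its own result, so the context line `failed_when: authok.stdout.find('Index HTML test OK') != -1` evaluates a variable presumably registered by an earlier task outside this hunk, and the TLS responses for the two hosts are never checked; the loop only proves that curl exited 0. Add `register: sslok` and change the condition to `failed_when: sslok.stdout.find('Index HTML test OK') == -1`, which Ansible evaluates per item and which fails when the marker is missing. Note the comparison direction too: the existing `!= -1` fails when the marker is found, which may fit the auth test it appears to be copied from but not a positive TLS check.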