SSL with existing keys

pull/14/head
Emilien Mantel 2016-01-12 17:26:30 +01:00
parent ef5a7bf756
commit 11c98ab145
6 changed files with 84 additions and 6 deletions

View File

@ -18,11 +18,26 @@ Cert/Key pairs
This list have 3 mandatory keys: This list have 3 mandatory keys:
- `name`: MUST be unique - `name`: MUST be unique
- `key`: content of the private key - `key`: content of the private key
- `cert`: content of the public key - `cert`: content of the public key
OR
- `dest_cert`: remote path where certificate is located
- `dest_key`: remote path where key is located
Note: `name` is used to deploy key/cert. With defaults values dans `name` = "foo", key is -> /etc/nginx/ssl/foo/foo.key Note: `name` is used to deploy key/cert. With defaults values dans `name` = "foo", key is -> /etc/nginx/ssl/foo/foo.key
Tips
----
Deploying key/cert is not mandatory with this role. You can manage it in other place ([letsencrypt](https://letsencrypt.org/)? :)). You just need to set `dest_cert` and `dest_key`!
If you set all, you can deploy your key everywhere with wanted data!
Diffie-Hellman Diffie-Hellman
-------------- --------------

View File

@ -19,18 +19,21 @@
path="{{ nginx_ssl_dir + '/' + item.name }}" path="{{ nginx_ssl_dir + '/' + item.name }}"
state=directory state=directory
with_items: nginx_ssl_pairs with_items: nginx_ssl_pairs
when: item.dest_key is not defined or item.dest_cert is not defined
- name: COPY | Deploy SSL keys - name: COPY | Deploy SSL keys
copy: > copy: >
content="{{ item.key }}" content="{{ item.key }}"
dest="{{ nginx_ssl_dir + '/' + item.name + '/' + item.name + '.key' }}" dest="{{ nginx_ssl_dir + '/' + item.name + '/' + item.name + '.key' if item.dest_key is not defined else item.dest_key }}"
with_items: nginx_ssl_pairs with_items: nginx_ssl_pairs
when: item.key is defined
notify: reload nginx notify: reload nginx
- name: COPY | Deploy SSL certs - name: COPY | Deploy SSL certs
copy: > copy: >
content="{{ item.cert }}" content="{{ item.cert }}"
dest="{{ nginx_ssl_dir + '/' + item.name + '/' + item.name + '.crt' }}" dest="{{ nginx_ssl_dir + '/' + item.name + '/' + item.name + '.crt' if item.dest_cert is not defined else item.dest_cert }}"
with_items: nginx_ssl_pairs with_items: nginx_ssl_pairs
when: item.cert is defined
notify: reload nginx notify: reload nginx

View File

@ -11,8 +11,8 @@
{%- endmacro %} {%- endmacro %}
{% macro ssl(ssl_name) %} {% macro ssl(ssl_name) %}
{% for sn in nginx_ssl_pairs if sn.name == ssl_name %} {% for sn in nginx_ssl_pairs if sn.name == ssl_name %}
ssl_certificate {{ nginx_ssl_dir + '/' + ssl_name + '/' + ssl_name + '.crt' }}; ssl_certificate {{ nginx_ssl_dir + '/' + ssl_name + '/' + ssl_name + '.crt' if sn.dest_cert is not defined else sn.dest_cert }};
ssl_certificate_key {{ nginx_ssl_dir + '/' + ssl_name + '/' + ssl_name + '.key' }}; ssl_certificate_key {{ nginx_ssl_dir + '/' + ssl_name + '/' + ssl_name + '.key' if sn.dest_key is not defined else sn.dest_key }};
{% endfor %} {% endfor %}
{%- endmacro %} {%- endmacro %}
# #

View File

@ -0,0 +1,19 @@
-----BEGIN CERTIFICATE-----
MIIDHTCCAgWgAwIBAgIJAJzUwbFlhyxIMA0GCSqGSIb3DQEBCwUAMCUxIzAhBgNV
BAMMGnRlc3Qtc3NsLXByZWRlcGxveWVkLmxvY2FsMB4XDTE2MDExMjE2MDUxNVoX
DTI2MDEwOTE2MDUxNVowJTEjMCEGA1UEAwwadGVzdC1zc2wtcHJlZGVwbG95ZWQu
bG9jYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDm4q94vffiU89G
GO7rjDfr3C32tH9sM5sXqJT+7N5BLYLF0iSRIvy33MtwFu//TV3f+8nLlQuHYVVk
L6NEvaL8lh+nRexCQ/y+aXMh7lMhuwPXGgPR1LXsTqyDXbmV9c7k/Kwx5qHAcOb9
d9YzmcOSO4M9v3WMl/4Zw2J7zNYruypxNBgFEwFx3NJ3AztACMYoVOIR5mS8ARX6
xea4ddii1F41Vch+eiCGP9VZwDhEujhjy9PXvdBtYNwggM6d82Df9wwaFyIW5DU4
PhpgAngvE2keY0GLy/LaXa6LAW+TCfPMRT2RtDuvqWr+useWF+O3n81TZqM/G7LV
9iPxkkRNAgMBAAGjUDBOMB0GA1UdDgQWBBSzXW5UY02/S0xrrobZCVOhas6VeDAf
BgNVHSMEGDAWgBSzXW5UY02/S0xrrobZCVOhas6VeDAMBgNVHRMEBTADAQH/MA0G
CSqGSIb3DQEBCwUAA4IBAQC0+Tr0w9aG4f3LG3+WRGKfMopKICNEkA7JrPrvVUq8
7UgtdrpOUZAL5AKxVVo1rHDdoL/VpjdqHdhyPzaSUl8hppCFsWmdQh4wLKGoyvcN
AqSGpXTeLSoFJ357F2OIQpXm2lfT2fVGebwyCNFkwpp7klFnmOusSl2/v5Y5cz+A
WvWrDg3jsNglx3mNLVcjbOSnen2PsZSmcVo27D0el6oDju8jjstyJ+Dvu0WP+CDL
s/VolFdbei7d4r2dj86OZ/BCZurltyc0wI3NMOdUuA7q4f1MPTRu7qr/ua5ItK92
Avc+Gjn/Y/aIhzKpPicJQDK6FzxjfhCc8xtk0EjB4IpP
-----END CERTIFICATE-----

View File

@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDm4q94vffiU89G
GO7rjDfr3C32tH9sM5sXqJT+7N5BLYLF0iSRIvy33MtwFu//TV3f+8nLlQuHYVVk
L6NEvaL8lh+nRexCQ/y+aXMh7lMhuwPXGgPR1LXsTqyDXbmV9c7k/Kwx5qHAcOb9
d9YzmcOSO4M9v3WMl/4Zw2J7zNYruypxNBgFEwFx3NJ3AztACMYoVOIR5mS8ARX6
xea4ddii1F41Vch+eiCGP9VZwDhEujhjy9PXvdBtYNwggM6d82Df9wwaFyIW5DU4
PhpgAngvE2keY0GLy/LaXa6LAW+TCfPMRT2RtDuvqWr+useWF+O3n81TZqM/G7LV
9iPxkkRNAgMBAAECggEAEEeZkczrRpUcP1gQuKEZbFMJFqUhevKkk+V6JAN1pGje
GK65j1ZFNX2nBo9Hetvsq5doYidvOat+RuMpAvbQIDlBoBzJDN8YWiC7UoAocm9q
VOdrr4btEO13MogQRuefH/xE8/vMGfKcBvFFNDw6UvxJQ7hVRIWPECf7sLj/vPOC
OpMKghxcabQqidMPKyyHVPhQjuIvqW/SqBFpD+Ul0Ja1QGdx+p+/EwVmXnei6Kr8
/ypULreHqIlBLD6McfFehxDV0m5U7qXb5xK3zdUurIhZixKLjbdRrorNInfEvlOh
vDy+hsF5GSzvn9dRrMAy/QcRPpXU47VNYZ5BfdCBTQKBgQD8VCbdpG5siXSlIjZd
xypgK1ttp8udTPWC1trnAc+Ku9O+cGmvABxYJA1iR/GDpSfMxglB7OhSecywKrr+
S7Yjs9e/dyBmvF7U15JJaGp+db2Ct64z7MvqkwSJ5a0qrrZJRFetDdqdH9FPvURs
B147jbKsPiGcljjXbZlOBHJH9wKBgQDqPqoA3VqYOmvR7Ei8/skY2EOpFpOhSNko
ARFwUsDNHRk677URH97TCHq5UrwubfCeIcIptXHrMfaTsfq8vPLPykReIMRaknxf
DULJPHSoeBLrCAZmaWF1JVyYhrLhHNAzQ3u7a/kYIJm87FEZy3Ml6FSZmIGbRBqx
zqZYKoHs2wKBgQD469tbk7cLg556uYGAidYYAS20w29uwlkAtgxFD9g6OIjuud7I
MQfFO+uoJOjwwaC9ti+zxY56roVq1PybmP0Zw3T3AQIJ15KFzhQWLte/4U8PATzt
JJEV2+sCTn3COZDCPpVvttcPYjAOxdwV5j7j6Sl2GeT2oIt6mjg+asyCiQKBgQDk
LPxu8TBRfv8OMqs8Jrf/EpL9/7b48bxOwpOZJZMXelPcXCm1r6TfTrA1HAmg9Ijh
kKLQ/CUm5Ll7b3B+L1Qa4r2sLyD11SF/eaxn2BMPFD/hYCTT160ObsF+9h8DN4z7
kq3RiMDRJth69nuds9fLwj++ipcdhr62G0VgNq/u5wKBgCz/I5J3tPNjrU9YampR
0gNnUkUfJWbiVMsG9uwL9l0L/ZzQHvELJ523QXQ0v/e/szHCyoX319u8HEQlC0Jw
Twlj81HDZzruDUB/mcH6Ee3zHKOmmF6ma+CgoYJJElKW89MUttPdmkH2J1QqLz+7
EGREwqjr8/wm22DzKNiyDXJ0
-----END PRIVATE KEY-----

View File

@ -12,6 +12,9 @@
register: sf register: sf
- pause: seconds=5 - pause: seconds=5
when: sf.changed when: sf.changed
- file: path=/etc/ansible-ssl state=directory
- copy: src=file/test.crt dest=/etc/ansible-ssl/test.crt
- copy: src=file/test.key dest=/etc/ansible-ssl/test.key
vars: vars:
nginx_backports: true nginx_backports: true
nginx_php: true nginx_php: true
@ -36,6 +39,9 @@
users: [] users: []
state: 'absent' state: 'absent'
nginx_ssl_pairs: nginx_ssl_pairs:
- name: 'test-ssl-predeployed.local'
dest_key: /etc/ansible-ssl/test.key
dest_cert: /etc/ansible-ssl/test.crt
- name: 'test-ssl.local' - name: 'test-ssl.local'
key: | key: |
-----BEGIN RSA PRIVATE KEY----- -----BEGIN RSA PRIVATE KEY-----
@ -141,6 +147,10 @@
proto: ['http', 'https'] proto: ['http', 'https']
template: '_base' template: '_base'
ssl_name: 'test-ssl.local' ssl_name: 'test-ssl.local'
- name: 'test-ssl-predeployed.local'
proto: ['http', 'https']
template: '_base'
ssl_name: 'test-ssl-predeployed.local'
roles: roles:
- ../../ - ../../
post_tasks: post_tasks:
@ -151,7 +161,7 @@
with_items: ['test-php.local', 'test-php-index.local'] with_items: ['test-php.local', 'test-php-index.local']
- name: -- Add HTML file -- - name: -- Add HTML file --
copy: dest="{{ item }}/index.html" content="Index HTML test OK\n" copy: dest="{{ item }}/index.html" content="Index HTML test OK\n"
with_items: ['{{ nginx_root }}/test.local/public', '/var/tmp', '{{ nginx_root }}/test-htpasswd-all.local/public', '{{ nginx_root }}/test-ssl.local/public'] with_items: ['{{ nginx_root }}/test.local/public', '/var/tmp', '{{ nginx_root }}/test-htpasswd-all.local/public', '{{ nginx_root }}/test-ssl.local/public', '{{ nginx_root }}/test-ssl-predeployed.local/public']
- name: -- VERIFY VHOSTS -- - name: -- VERIFY VHOSTS --
command: "curl -H 'Host: {{ item.name if item.name is string else item.name[0] }}' http://127.0.0.1{% if item.listen is defined %}:{{ item.listen[0] }}{% endif %}/" command: "curl -H 'Host: {{ item.name if item.name is string else item.name[0] }}' http://127.0.0.1{% if item.listen is defined %}:{{ item.listen[0] }}{% endif %}/"
with_items: nginx_vhosts with_items: nginx_vhosts
@ -200,7 +210,10 @@
register: authbpc register: authbpc
failed_when: authbpc.stdout.find('BackupPC Server Status') == -1 failed_when: authbpc.stdout.find('BackupPC Server Status') == -1
- name: -- VERIFY SSL -- - name: -- VERIFY SSL --
command: "curl --insecure -H 'Host: test-ssl.local' https://127.0.0.1/" command: "curl --insecure -H 'Host: {{ item }}' https://127.0.0.1/"
changed_when: false changed_when: false
failed_when: authok.stdout.find('Index HTML test OK') != -1 failed_when: authok.stdout.find('Index HTML test OK') != -1
with_items:
- 'test-ssl-predeployed.local'
- 'test-ssl.local'