radityo
/
ansible-nginx
mirror of https://github.com/HanXHX/ansible-nginx.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Add self-signed cert feature

pull/35/head
Emilien Mantel 2018-04-20 09:32:46 +02:00
parent 678dff9a1a
commit 817929beca
3 changed files with 48 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
doc/ssl.md
View File

@ -15,24 +15,41 @@ Variables
Cert/Key pairs Cert/Key pairs
-------------- --------------
This list have 3 mandatory keys: Each pair must have a `name`.
Note: `name` is used to deploy key/cert. With defaults values dans `name` = "foo", key is -> /etc/nginx/ssl/foo/foo.key
- `name`: MUST be unique ### Content mode
Key/Cert content is stored in variable. Usefull with vault.
- `key`: content of the private key - `key`: content of the private key
- `cert`: content of the public key - `cert`: content of the public key
OR ### Remote file
You can use these variables if you use another task/role to manages your certificates.
- `dest_cert`: remote path where certificate is located - `dest_cert`: remote path where certificate is located
- `dest_key`: remote path where key is located - `dest_key`: remote path where key is located
Note: `name` is used to deploy key/cert. With defaults values dans `name` = "foo", key is -> /etc/nginx/ssl/foo/foo.key ### Self signed
Create a self-signed pair and deploy it. Do not use this feature in production.
- `self_signed`: set true to use this featrure
- `force`: optional feature (default: false), force regen pair (not idempotent)
### Acme
Uses acme.sh to create free certificates. It uses HTTP-01 challenge. Use this feature for standalone servers.
- `acme`: set true to use this feature. It uses `name` (can be a string or string list).
Have a look to [acme configuratuion](acme.md configuration).
Tips Tips
---- ----
- Deploying key/cert is not mandatory with this role. You can manage it in other place ([letsencrypt](https://letsencrypt.org/)? :)). You just need to set `dest_cert` and `dest_key`!
- In `nginx_sites`, `ssl_name` is mandatory. This role will search in `nginx_ssl_pairs` with site `name` (first in list if it's a list). - In `nginx_sites`, `ssl_name` is mandatory. This role will search in `nginx_ssl_pairs` with site `name` (first in list if it's a list).
Diffie-Hellman Diffie-Hellman
@ -55,6 +72,10 @@ nginx_sites;
- name: 'test-ssl3.local' - name: 'test-ssl3.local'
proto: ['http', 'https'] proto: ['http', 'https']
template: '_base' template: '_base'
- name: 'test-self-signed.local'
proto: ['http', 'https']
template: '_base'
ssl_name: 'this.is.self.signed'
nginx_ssl_pairs: nginx_ssl_pairs:
- name: mysuperkey - name: mysuperkey
@ -68,5 +89,8 @@ nginx_ssl_pairs:
-----END CERTIFICATE----- -----END CERTIFICATE-----
- name: test-ssl2.local - name: test-ssl2.local
acme: true acme: true
- name: this.is.self.signed
self_signed: true
force: false
``` ```

10
tasks/ssl/standard.yml
View File

@ -44,6 +44,16 @@
notify: restart nginx notify: restart nginx
no_log: not nginx_debug_role no_log: not nginx_debug_role
- name: COMMAND | Create self-signed certificates
command: "openssl req -new -newkey rsa:2048 -sha256 -days 3650 -nodes -x509 -subj '/CN={{ item | nginx_site_name }}' -keyout {{ item | nginx_site_name + '.key' }} -out {{ item | nginx_site_name + '.crt' }}"
args:
chdir: "{{ nginx_ssl_dir + '/' + item | nginx_site_name }}"
creates: "{% if item.force is defined and item.force %}/tmp/dummy{% else %}{{ nginx_ssl_dir + '/' + item | nginx_site_name + '/' + item | nginx_site_name + '.crt' }}{% endif %}"
with_items: "{{ nginx_ssl_pairs }}"
when: item.self_signed is defined
notify: restart nginx
no_log: not nginx_debug_role
- name: Check DH command status - name: Check DH command status
async_status: async_status:
jid: "{{ dh.ansible_job_id }}" jid: "{{ dh.ansible_job_id }}"

8
tests/test.yml
View File

@ -76,6 +76,9 @@
- '{{ ngrok.stdout }}' - '{{ ngrok.stdout }}'
acme: true acme: true
acme_port: 8888 acme_port: 8888
- name: 'test-ssl-selfsigned.local'
self_signed: true
force: false
- name: 'test-ssl-predeployed.local' - name: 'test-ssl-predeployed.local'
dest_key: "{{ int_ansible_ssl_dir }}/test.key" dest_key: "{{ int_ansible_ssl_dir }}/test.key"
dest_cert: "{{ int_ansible_ssl_dir }}/test.crt" dest_cert: "{{ int_ansible_ssl_dir }}/test.crt"
@ -224,6 +227,9 @@
- name: 'test-ssl.local' - name: 'test-ssl.local'
proto: ['http', 'https'] proto: ['http', 'https']
template: '_base' template: '_base'
- name: 'test-ssl-selfsigned.local'
proto: ['http', 'https']
template: '_base'
- name: 'test-ssl-predeployed.local' - name: 'test-ssl-predeployed.local'
proto: ['http', 'https'] proto: ['http', 'https']
template: '_base' template: '_base'
@ -292,6 +298,7 @@
- '/var/tmp' - '/var/tmp'
- '{{ nginx_root }}/test-htpasswd-all.local/public' - '{{ nginx_root }}/test-htpasswd-all.local/public'
- '{{ nginx_root }}/test-ssl.local/public' - '{{ nginx_root }}/test-ssl.local/public'
- '{{ nginx_root }}/test-ssl-selfsigned.local/public'
- '{{ nginx_root }}/test-ssl-predeployed.local/public' - '{{ nginx_root }}/test-ssl-predeployed.local/public'
- '{{ nginx_root }}/test-ssl-proxy-protocol.local/public' - '{{ nginx_root }}/test-ssl-proxy-protocol.local/public'
- '{{ nginx_root }}/{{ ngrok.stdout }}/public' - '{{ nginx_root }}/{{ ngrok.stdout }}/public'
@ -460,6 +467,7 @@
failed_when: sslok.content.find('Index HTML test OK') == -1 failed_when: sslok.content.find('Index HTML test OK') == -1
with_items: with_items:
- 'test-ssl-predeployed.local' - 'test-ssl-predeployed.local'
- 'test-ssl-selfsigned.local'
- 'test-ssl.local' - 'test-ssl.local'
- '{{ ngrok.stdout }}' - '{{ ngrok.stdout }}'