thomas
/
sovereign
보기 1
좋아요 0
포크 0
코드 이슈 0 풀 리퀘스트 0 릴리즈 0 위키 Activity
소스 검색

Use Let's Encrypt for generating site certificates 

This method uses Subjective Alternative Names (SANs) to get one
certificate for all the subdomains that Sovereign employs, whether or
not the user configured their site with the roles.
Mike Ashley 8 년 전
부모
7f46129a4c
커밋
8e1d473027
7개의 변경된 파일71개의 추가작업 그리고 1개의 파일을 삭제
분할 보기 변경상태 보기
  1. 18
    0
      roles/common/files/etc_cron-monthly_letsencrypt-renew
  2. 39
    0
      roles/common/tasks/letsencrypt.yml
  3. 1
    0
      roles/common/tasks/main.yml
  4. 1
    1
      roles/common/tasks/ssl.yml
  5. 4
    0
      roles/common/templates/etc_apache2_conf-available_ssl.conf.j2
  6. 6
    0
      roles/common/templates/etc_letsencrypt_cli.conf.j2
  7. 2
    0
      vars/defaults.yml

+ 18
- 0
roles/common/files/etc_cron-monthly_letsencrypt-renew 파일 보기 

@@ -0,0 +1,18 @@
1 
+#!/bin/bash
2 
+# Renew all live certificates with LetsEncrypt.  This needs to run at least
3 
+# once every three months.
4 
+
5 
+# Given a certificate file returns "domain1,domain2"
6 
+# https://community.letsencrypt.org/t/help-me-understand-renewal-config/7115
7 
+function getDomains() {
8 
+        openssl x509 -text -in "$1" |
9 
+        grep -A1 "Subject Alternative Name:" | tail -n1 |
10 
+        tr -d ' ' | tr -d 'DNS:'
11 
+}
12 
+
13 
+service apache2 stop
14 
+for c in `ls /etc/letsencrypt/live`; do
15 
+  domains=$(getDomains /etc/letsencrypt/live/$c/cert.pem)
16 
+  /root/letsencrypt/letsencrypt-auto --renew certonly -c /etc/letsencrypt/cli.conf --domains=$domains
17 
+done
18 
+service apache2 start

+ 39
- 0
roles/common/tasks/letsencrypt.yml 파일 보기 

@@ -0,0 +1,39 @@
1 
+- name: Download LetsEncrypt release
2 
+  git: repo=https://github.com/letsencrypt/letsencrypt
3 
+       dest=/root/letsencrypt
4 
+       version=master
5 
+
6 
+- name: Create directory for LetsEncrypt configuration and certificates
7 
+  file: state=directory path=/etc/letsencrypt group=root owner=root
8 
+
9 
+- name: Configure LetsEncrypt
10 
+  template:
11 
+    src=etc_letsencrypt_cli.conf.j2
12 
+    dest=/etc/letsencrypt/cli.conf
13 
+    owner=root
14 
+    group=root
15 
+
16 
+- name: Install LetsEncrypt package dependencies
17 
+  command: /root/letsencrypt/letsencrypt-auto --help
18 
+
19 
+- name: Install crontab entry for LetsEncrypt
20 
+  copy:
21 
+    src=etc_cron-monthly_letsencrypt-renew
22 
+    dest=/etc/cron.monthly/letsencrypt-renew
23 
+    owner=root
24 
+    group=root
25 
+    mode=755
26 
+
27 
+- name: Create live directory for LetsEncrypt cron job
28 
+  file: state=directory path=/etc/letsencrypt/live group=root owner=root
29 
+
30 
+- name: Stop Apache
31 
+  service: name=apache2 state=stopped
32 
+
33 
+- name: Get an SSL certificate for {{ domain }}
34 
+  command: /root/letsencrypt/letsencrypt-auto certonly -c /etc/letsencrypt/cli.conf --domains {{ domain }},{{ subdomains }}
35 
+  args:
36 
+    creates: /etc/letsencrypt/live/{{ domain }}/privkey.pem
37 
+
38 
+- name: Start Apache
39 
+  service: name=apache2 state=started

+ 1
- 0
roles/common/tasks/main.yml 파일 보기 

@@ -63,6 +63,7 @@
63 63 
 - include: users.yml tags=users
64 64 
 - include: apache.yml tags=apache
65 65 
 - include: ssl.yml tags=ssl
66 
+- include: letsencrypt.yml tags=letsencrypt
66 67 
 - include: ufw.yml tags=ufw
67 68 
 - include: security.yml tags=security
68 69 
 - include: ntp.yml tags=ntp

+ 1
- 1
roles/common/tasks/ssl.yml 파일 보기 

@@ -19,7 +19,7 @@
19 19 
   notify: restart apache
20 20
21 21 
 - name: Add common Apache SSL config
22 
-  copy: src=etc_apache2_conf-available_ssl.conf
22 
+  template: src=etc_apache2_conf-available_ssl.conf.j2
23 23 
     dest=/etc/apache2/conf-available/ssl.conf
24 24 
     owner=root
25 25 
     group=root

roles/common/files/etc_apache2_conf-available_ssl.conf → roles/common/templates/etc_apache2_conf-available_ssl.conf.j2 파일 보기 

@@ -6,6 +6,10 @@ SSLStaplingCache shmcb:${APACHE_RUN_DIR}/stapling_cache(128000)
6 6 
 SSLStaplingResponderTimeout 5
7 7 
 SSLStaplingReturnResponderErrors off
8 8
9 
+SSLCertificateKeyFile	/etc/letsencrypt/live/{{ domain }}/privkey.pem
10 
+SSLCertificateFile	/etc/letsencrypt/live/{{ domain }}/cert.pem
11 
+SSLCertificateChainFile	/etc/letsencrypt/live/{{ domain }}/chain.pem
12 
+
9 13 
 SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
10 14
11 15 
 Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"

+ 6
- 0
roles/common/templates/etc_letsencrypt_cli.conf.j2 파일 보기 

@@ -0,0 +1,6 @@
1 
+rsa-key-size = 4096
2 
+server = {{ letsencrypt_server }}
3 
+authenticator = standalone
4 
+register-unsafely-without-email = True
5 
+keep = True
6 
+agree-tos = True

+ 2
- 0
vars/defaults.yml 파일 보기 

@@ -13,6 +13,8 @@ main_user_shell: "/bin/bash"
13 13 
 # encfs_password: (required)
14 14 
 friendly_networks:
15 15 
   - ""
16 
+letsencrypt_server: "https://acme-v01.api.letsencrypt.org/directory"
17 
+subdomains: "www.{{ domain }},mail.{{ domain }},autoconfig.{{ domain }},read.{{ domain }},news.{{ domain }},cloud.{{ domain }},git.{{ domain }}"
16 18
17 19 
 # ssh
18 20 
 kex_algorithms: "diffie-hellman-group-exchange-sha256"

Write Preview
Loading…
취소
저장