
Use Let's Encrypt for generating site certificates

This method uses Subject Alternative Names (SANs) to get one
certificate for all the subdomains that Sovereign employs, whether or
not the user configured their site with the roles.
Mike Ashley 9 years ago
parent
commit
8e1d473027

+ 18
- 0
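--- a/roles/common/files/etc_cron-monthly_letsencrypt-renew
+++ b/roles/common/files/etc_cron-monthly_letsencrypt-renew
@@ -0,0 +1,18 @@
+#!/bin/bash
+# Renew all live certificates with LetsEncrypt.  This needs to run at least
+# once every three months.
+
+# Given a certificate file returns "domain1,domain2"
+# https://community.letsencrypt.org/t/help-me-understand-renewal-config/7115
+function getDomains() {
+        openssl x509 -text -in "$1" |
+        grep -A1 "Subject Alternative Name:" | tail -n1 |
+        tr -d ' ' | tr -d 'DNS:'
+}
+
+service apache2 stop
+for c in `ls /etc/letsencrypt/live`; do
+  domains=$(getDomains /etc/letsencrypt/live/$c/cert.pem)
+  /root/letsencrypt/letsencrypt-auto --renew certonly -c /etc/letsencrypt/cli.conf --domains=$domains
+done
+service apache2 start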
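Review bot: `tr -d 'DNS:'` on the tenth line deletes the character set {D, N, S, :} from the whole SAN line rather than the substring `DNS:`, so it only yields correct names while every SAN is lowercase; `sed 's/DNS://g'` is the operation that was meant. Nothing restores Apache if the loop is interrupted or `letsencrypt-auto` exits non-zero, so one failed monthly run can leave the site down until someone notices; `trap 'service apache2 start' EXIT` placed right after the stop would cover that. The `ls` loop should also be a glob (`for d in /etc/letsencrypt/live/*/`) and `"$domains"` quoted so the name list is never word-split.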

+ 39
- 0
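--- a/roles/common/tasks/letsencrypt.yml
+++ b/roles/common/tasks/letsencrypt.yml
@@ -0,0 +1,39 @@
+- name: Download LetsEncrypt release
+  git: repo=https://github.com/letsencrypt/letsencrypt
+       dest=/root/letsencrypt
+       version=master
+
+- name: Create directory for LetsEncrypt configuration and certificates
+  file: state=directory path=/etc/letsencrypt group=root owner=root
+
+- name: Configure LetsEncrypt
+  template:
+    src=etc_letsencrypt_cli.conf.j2
+    dest=/etc/letsencrypt/cli.conf
+    owner=root
+    group=root
+
+- name: Install LetsEncrypt package dependencies
+  command: /root/letsencrypt/letsencrypt-auto --help
+
+- name: Install crontab entry for LetsEncrypt
+  copy:
+    src=etc_cron-monthly_letsencrypt-renew
+    dest=/etc/cron.monthly/letsencrypt-renew
+    owner=root
+    group=root
+    mode=755
+
+- name: Create live directory for LetsEncrypt cron job
+  file: state=directory path=/etc/letsencrypt/live group=root owner=root
+
+- name: Stop Apache
+  service: name=apache2 state=stopped
+
+- name: Get an SSL certificate for {{ domain }}
+  command: /root/letsencrypt/letsencrypt-auto certonly -c /etc/letsencrypt/cli.conf --domains {{ domain }},{{ subdomains }}
+  args:
+    creates: /etc/letsencrypt/live/{{ domain }}/privkey.pem
+
+- name: Start Apache
+  service: name=apache2 state=started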
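Review bot: `version=master` on the fourth line checks out an unpinned branch of the ACME client, and the task on line 16 ("Install LetsEncrypt package dependencies") then executes that checkout as root, so whatever is on master at playbook time runs with full privileges and can change between two runs of the same playbook; pin it to a tagged release (`version=<RELEASE_TAG>`, a placeholder for the tag you choose) and bump it deliberately. Separately, the Stop Apache and Start Apache tasks run on every play even though the certificate task is skipped once `privkey.pem` exists, so each routine run costs a restart-sized outage; gating both on a `stat` of that same file avoids it, as below.
```yaml
- name: Check whether a LetsEncrypt certificate already exists
  stat: path=/etc/letsencrypt/live/{{ domain }}/privkey.pem
  register: letsencrypt_key

- name: Stop Apache
  service: name=apache2 state=stopped
  when: not letsencrypt_key.stat.exists

# … unchanged: Get an SSL certificate task …

- name: Start Apache
  service: name=apache2 state=started
  when: not letsencrypt_key.stat.exists
```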

+ 1
- 0
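--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -63,6 +63,7 @@
 - include: users.yml tags=users
 - include: apache.yml tags=apache
 - include: ssl.yml tags=ssl
+- include: letsencrypt.yml tags=letsencrypt
 - include: ufw.yml tags=ufw
 - include: security.yml tags=security
 - include: ntp.yml tags=ntp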
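Review bot: The new include on line 66 runs after `ssl.yml`, which in this same commit starts rendering `ssl.conf` with certificate paths under `/etc/letsencrypt/live/{{ domain }}/` that only exist once `letsencrypt.yml` has completed; that works only as long as nothing restarts Apache between the two includes on a fresh host, which I cannot confirm from this hunk. A comment on the new line, `# must stay after ssl.yml: ssl.conf references the certificate files these tasks create`, would make the ordering dependency explicit for the next person who reorders the list.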

+ 1
- 1
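--- a/roles/common/tasks/ssl.yml
+++ b/roles/common/tasks/ssl.yml
@@ -19,7 +19,7 @@
   notify: restart apache
 
 - name: Add common Apache SSL config
-  copy: src=etc_apache2_conf-available_ssl.conf
+  template: src=etc_apache2_conf-available_ssl.conf.j2
     dest=/etc/apache2/conf-available/ssl.conf
     owner=root
     group=root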

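--- a/roles/common/files/etc_apache2_conf-available_ssl.conf
+++ b/roles/common/templates/etc_apache2_conf-available_ssl.conf.j2
@@ -6,6 +6,10 @@ SSLStaplingCache shmcb:${APACHE_RUN_DIR}/stapling_cache(128000)
 SSLStaplingResponderTimeout 5
 SSLStaplingReturnResponderErrors off
 
+SSLCertificateKeyFile	/etc/letsencrypt/live/{{ domain }}/privkey.pem
+SSLCertificateFile	/etc/letsencrypt/live/{{ domain }}/cert.pem
+SSLCertificateChainFile	/etc/letsencrypt/live/{{ domain }}/chain.pem
+
 SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
 
 Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"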
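Review bot: The three new directives split the leaf certificate (`cert.pem`) from the chain via `SSLCertificateChainFile`; that directive is deprecated from Apache 2.4.8 onward, where the equivalent is `SSLCertificateFile /etc/letsencrypt/live/{{ domain }}/fullchain.pem` with no chain directive at all. Which Apache version the role targets is not visible in this hunk, so treat this as a forward-compatibility note rather than a defect. A short comment above the block, `# Certificate paths are owned by roles/common/tasks/letsencrypt.yml and the monthly renew cron job; do not hand-edit`, would also stop a reader from swapping in paths the renewal job does not maintain.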

+ 6
- 0
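--- a/roles/common/templates/etc_letsencrypt_cli.conf.j2
+++ b/roles/common/templates/etc_letsencrypt_cli.conf.j2
@@ -0,0 +1,6 @@
+rsa-key-size = 4096
+server = {{ letsencrypt_server }}
+authenticator = standalone
+register-unsafely-without-email = True
+keep = True
+agree-tos = True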
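Review bot: `register-unsafely-without-email = True` on line 4 registers the ACME account with no contact address, so the CA cannot send expiry warnings or account-recovery mail; if the monthly cron renewal fails quietly, nobody hears about it before the certificate lapses. Unless an anonymous account is a deliberate goal, `email = {{ <ADMIN_EMAIL_VAR> }}` (placeholder for a new variable in vars/defaults.yml) in place of that line is the safer default. A comment above `server`, `# point letsencrypt_server at the staging directory while testing so production rate limits are not consumed`, would also help, since the default in this commit is the production endpoint.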

+ 2
- 0
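--- a/vars/defaults.yml
+++ b/vars/defaults.yml
@@ -13,6 +13,8 @@ main_user_shell: "/bin/bash"
 # encfs_password: (required)
 friendly_networks:
   - ""
+letsencrypt_server: "https://acme-v01.api.letsencrypt.org/directory"
+subdomains: "www.{{ domain }},mail.{{ domain }},autoconfig.{{ domain }},read.{{ domain }},news.{{ domain }},cloud.{{ domain }},git.{{ domain }}"
 
 # ssh
 kex_algorithms: "diffie-hellman-group-exchange-sha256"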
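Review bot: The `subdomains` default on line 17 puts seven names on one certificate regardless of which roles the user enabled, and the CA validates every name in the request, so a single subdomain with no DNS record pointing at this host fails issuance for all of them — and because `letsencrypt_server` defaults to the production directory, repeated failed attempts count against that endpoint's rate limits. A comment above the line, `# Every name listed here must resolve to this host before the letsencrypt role runs; one missing DNS record fails the whole certificate`, would save users a confusing first run. Whether the checked-out client retries or aborts on a single failed challenge depends on the client version the role pulls, which is not pinned in this commit.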
