Use Let's Encrypt for generating site certificates

This method uses Subjective Alternative Names (SANs) to get one
certificate for all the subdomains that Sovereign employs, whether or
not the user configured their site with the roles.

roles/common/files/etc_cron-monthly_letsencrypt-renew

@@ -0,0 +1,18 @@
+#!/bin/bash
+# Renew all live certificates with LetsEncrypt.  This needs to run at least
+# once every three months.
+
+# Given a certificate file returns "domain1,domain2"
+# https://community.letsencrypt.org/t/help-me-understand-renewal-config/7115
+function getDomains() {
+        openssl x509 -text -in "$1" |
+        grep -A1 "Subject Alternative Name:" | tail -n1 |
+        tr -d ' ' | tr -d 'DNS:'
+}
+
+service apache2 stop
+for c in `ls /etc/letsencrypt/live`; do
+  domains=$(getDomains /etc/letsencrypt/live/$c/cert.pem)
+  /root/letsencrypt/letsencrypt-auto --renew certonly -c /etc/letsencrypt/cli.conf --domains=$domains
+done
+service apache2 start

roles/common/tasks/letsencrypt.yml

@@ -0,0 +1,39 @@
+- name: Download LetsEncrypt release
+  git: repo=https://github.com/letsencrypt/letsencrypt
+       dest=/root/letsencrypt
+       version=master
+
+- name: Create directory for LetsEncrypt configuration and certificates
+  file: state=directory path=/etc/letsencrypt group=root owner=root
+
+- name: Configure LetsEncrypt
+  template:
+    src=etc_letsencrypt_cli.conf.j2
+    dest=/etc/letsencrypt/cli.conf
+    owner=root
+    group=root
+
+- name: Install LetsEncrypt package dependencies
+  command: /root/letsencrypt/letsencrypt-auto --help
+
+- name: Install crontab entry for LetsEncrypt
+  copy:
+    src=etc_cron-monthly_letsencrypt-renew
+    dest=/etc/cron.monthly/letsencrypt-renew
+    owner=root
+    group=root
+    mode=755
+
+- name: Create live directory for LetsEncrypt cron job
+  file: state=directory path=/etc/letsencrypt/live group=root owner=root
+
+- name: Stop Apache
+  service: name=apache2 state=stopped
+
+- name: Get an SSL certificate for {{ domain }}
+  command: /root/letsencrypt/letsencrypt-auto certonly -c /etc/letsencrypt/cli.conf --domains {{ domain }},{{ subdomains }}
+  args:
+    creates: /etc/letsencrypt/live/{{ domain }}/privkey.pem
+
+- name: Start Apache
+  service: name=apache2 state=started

roles/common/tasks/main.yml

@@ -63,6 +63,7 @@
 - include: users.yml tags=users
 - include: apache.yml tags=apache
 - include: ssl.yml tags=ssl
+- include: letsencrypt.yml tags=letsencrypt
 - include: ufw.yml tags=ufw
 - include: security.yml tags=security
 - include: ntp.yml tags=ntp

roles/common/tasks/ssl.yml

@@ -19,7 +19,7 @@
   notify: restart apache
 
 - name: Add common Apache SSL config
-  copy: src=etc_apache2_conf-available_ssl.conf
+  template: src=etc_apache2_conf-available_ssl.conf.j2
     dest=/etc/apache2/conf-available/ssl.conf
     owner=root
     group=root

roles/common/files/etc_apache2_conf-available_ssl.conf → roles/common/templates/etc_apache2_conf-available_ssl.conf.j2

@@ -6,6 +6,10 @@ SSLStaplingCache shmcb:${APACHE_RUN_DIR}/stapling_cache(128000)
 SSLStaplingResponderTimeout 5
 SSLStaplingReturnResponderErrors off
 
+SSLCertificateKeyFile	/etc/letsencrypt/live/{{ domain }}/privkey.pem
+SSLCertificateFile	/etc/letsencrypt/live/{{ domain }}/cert.pem
+SSLCertificateChainFile	/etc/letsencrypt/live/{{ domain }}/chain.pem
+
 SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
 
 Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"

roles/common/templates/etc_letsencrypt_cli.conf.j2

@@ -0,0 +1,6 @@
+rsa-key-size = 4096
+server = {{ letsencrypt_server }}
+authenticator = standalone
+register-unsafely-without-email = True
+keep = True
+agree-tos = True

vars/defaults.yml

@@ -13,6 +13,8 @@ main_user_shell: "/bin/bash"
 # encfs_password: (required)
 friendly_networks:
   - ""
+letsencrypt_server: "https://acme-v01.api.letsencrypt.org/directory"
+subdomains: "www.{{ domain }},mail.{{ domain }},autoconfig.{{ domain }},read.{{ domain }},news.{{ domain }},cloud.{{ domain }},git.{{ domain }}"
 
 # ssh
 kex_algorithms: "diffie-hellman-group-exchange-sha256"