5 years ago · c41cd737fd
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,2 +1,3 @@
 
				
				 ansible>=2.2.2.0
			
 
				
				 passlib
			
 
				
				+jmespath>=0.9.4
			
--- a/roles/common/DESIGN.md
+++ b/roles/common/DESIGN.md
@@ -14,14 +14,13 @@ Several packages need access to the private key. Not all are run as root. An exa
 
				
				 
			
 
				
				 Certificate renewal is done automatically using cron. The cron script must be aware of private key copies and update them as well. Services that depend on new keys must also be bounced. It is up to roles that rely on keys to modify the cron script (preferably using `lineinfile` or something similar) to accomplish this.
			
 
				
				 
			
 
				
				-### Testing support
			
 
				
				+If you changed something that requires new domains or subdomains to be considered when generating the certificates, do not just delete the files in /etc/letsencrypt/live!
			
 
				
				+Instead, use /root/letsencrypt/letsencrypt-auto delete to remove the old certificates and then re-run the common role in this playbook.
			
 
				
				 
			
 
				
				-An isolated VM deployed with Vagrant is used for testing. The Let's Encrypt service cannot be used to get keys for it, since it is not bound with DNS. A self-signed wildcard key is therefore used for testing. The wildcard key, certificate, and chain are installed in the same way that Let's Encrypt keys are installed.
			
 
				
				+## Firewall
			
 
				
				 
			
 
				
				-### Alternative approaches
			
 
				
				+ufw is used to provide a simpler iptables interface.
			
 
				
				 
			
 
				
				-Another way to generate certificates is to generate one certificate per domain and expect each module that uses a subdomain to generate its own certificate for the subdomain.
			
 
				
				-
			
 
				
				-This was prototyped. The common role included a parameterized task list that could be invoked by modules that needed to generate a key. The certificate renewal script run by cron could be modified to update all the certificates in the `live` directory.
			
 
				
				-
			
 
				
				-This approach was rejected due to complexity. This would have been the first time modules needed to invoke a task list from another module. Managing multiple certificates is also more complicated.
			
 
				
				+You may run into some issues with enabling ufw. In my case, this was caused by installing
			
 
				
				+updates, including a new kernel, but not rebooting before attempting to install ufw.
			
 
				
				+A simple reboot fixed the problems.
			
--- a/roles/common/files/etc_cron-daily_letsencrypt-renew
+++ b/roles/common/files/etc_cron-daily_letsencrypt-renew
@@ -1,8 +1,10 @@
 
				
				 #!/bin/bash
			
 
				
				+
			
 
				
				+# abort script on failed command
			
 
				
				 set -o errexit
			
 
				
				+
			
 
				
				 # Renew all live certificates with LetsEncrypt.  This needs to run at least
			
 
				
				 # once every three months, but recommended frequency is once a day.
			
 
				
				-
			
 
				
				 /root/letsencrypt/letsencrypt-auto renew -q -c /etc/letsencrypt/cli.conf \
			
 
				
				 --pre-hook="find /etc/letsencrypt/prerenew/ -maxdepth 1 -type f -executable -exec {} \;" \
			
 
				
				 --post-hook="find /etc/letsencrypt/postrenew/ -maxdepth 1 -type f -executable -exec {} \;"
			
--- a/roles/common/files/letsencrypt-gencert
+++ b/roles/common/files/letsencrypt-gencert
@@ -1,10 +1,34 @@
 
				
				 #!/bin/bash
			
 
				
				-d="$1"
			
 
				
				-for i in www mail autoconfig read news cloud; do
			
 
				
				-  if (getent hosts $i.$1 > /dev/null); then
			
 
				
				-    d="$d,$i.$1";
			
 
				
				+
			
 
				
				+# Call script like this:
			
 
				
				+# letsencrypt-gencert foo.com bar.com baz.com
			
 
				
				+
			
 
				
				+# Build list of domains and subdomains we need a certificate for
			
 
				
				+d=""
			
 
				
				+for domain in "$@"; do
			
 
				
				+  # domain itself - foo.com
			
 
				
				+  # only add if the DNS entry for the domain does actually exist
			
 
				
				+  if (getent hosts $domain > /dev/null); then
			
 
				
				+    if [ -z "$d" ]; then
			
 
				
				+      d="$domain";
			
 
				
				+    else
			
 
				
				+      d="$d,$domain";
			
 
				
				+    fi
			
 
				
				   fi
			
 
				
				+
			
 
				
				+  # subdomains - www.foo.com mail.foo.com ...
			
 
				
				+  for sub in www mail autoconfig news cloud git; do
			
 
				
				+    # only add if the DNS entry for the subdomain does actually exist
			
 
				
				+    if (getent hosts $sub.$domain > /dev/null); then
			
 
				
				+      if [ -z "$d" ]; then
			
 
				
				+        d="$sub.$domain";
			
 
				
				+      else
			
 
				
				+        d="$d,$sub.$domain";
			
 
				
				+      fi
			
 
				
				+    fi
			
 
				
				+  done
			
 
				
				 done
			
 
				
				+
			
 
				
				 # We are using the "standalone" letsencrypt plugin, which runs its own
			
 
				
				 # webserver, so we need to temporarily free up the HTTP(S) ports by stopping
			
 
				
				 # our own Apache.
			
--- a/roles/common/tasks/letsencrypt.yml
+++ b/roles/common/tasks/letsencrypt.yml
@@ -57,8 +57,8 @@
 
				
				 - name: Create live directory for LetsEncrypt cron job
			
 
				
				   file: state=directory path=/etc/letsencrypt/live group=root owner=root
			
 
				
				 
			
 
				
				-- name: Get an SSL certificate for {{ domain }} from Let's Encrypt
			
 
				
				-  script: letsencrypt-gencert {{ domain }} creates=/etc/letsencrypt/live/{{ domain }}/privkey.pem
			
 
				
				+- name: Get an SSL certificate for {{ virtual_domains | json_query('[*].name') | join(' ') }} from Let's Encrypt
			
 
				
				+  script: letsencrypt-gencert {{ virtual_domains | json_query('[*].name') | join(' ') }} creates=/etc/letsencrypt/live/{{ domain }}/privkey.pem
			
 
				
				 
			
 
				
				 - name: Modify permissions to allow ssl-cert group access
			
 
				
				   file: path=/etc/letsencrypt/archive owner=root group=ssl-cert mode=0750