2 years ago · e872371915
--- a/roles/sslselfsigned/DESIGN.md
+++ b/roles/sslselfsigned/DESIGN.md
@@ -0,0 +1,9 @@
 
				
				+# Design Description for SSL Self Signed
			
 
				
				+
			
 
				
				+This generates a Certificate Authority (CA) and then a signing request (CSR), which results in the certificate for this server after signing it with our CA.
			
 
				
				+
			
 
				
				+The CA cert is placed in the secret folder, you can install it eg. in Arch like this:
			
 
				
				+
			
 
				
				+    sudo trust anchor --store secret/DOMAIN/sovereign-self-signed-cert/DOMAIN/etc/letsencrypt/live/DOMAIN/chain.pem
			
 
				
				+
			
 
				
				+It will then automatically be picked up by browsers like Firefox and Chrome.
			
--- a/roles/sslselfsigned/tasks/selfsigned.yml
+++ b/roles/sslselfsigned/tasks/selfsigned.yml
@@ -37,6 +37,6 @@
 
				
				   file: path=/etc/letsencrypt/live owner=root group=ssl-cert mode=0750 recurse=yes
			
 
				
				 
			
 
				
				 - name: Retrieve the self signing CA to remove warning in users browser
			
 
				
				-  fetch: src=/etc/letsencrypt/live/fritz.box/chain.pem
			
 
				
				+  fetch: src=/etc/letsencrypt/live/{{ domain }}/chain.pem
			
 
				
				          dest="{{ secret }}/sovereign-self-signed-cert"
			
 
				
				          fail_on_missing=yes
			
--- a/roles/sslselfsigned/templates/home_deploy_ssl-self-signed.sh.j2
+++ b/roles/sslselfsigned/templates/home_deploy_ssl-self-signed.sh.j2
@@ -6,7 +6,7 @@ openssl genrsa -out /etc/letsencrypt/rootCA.key 4096
 
				
				 echo generating CA certificate
			
 
				
				 openssl req -x509 -new -nodes -sha256 -days 7300 \
			
 
				
				     -key /etc/letsencrypt/rootCA.key \
			
 
				
				-    -subj "/C=DE/ST=BW/O={{ domain }}/CN={{ domain }}" \
			
 
				
				+    -subj "/C=DE/ST=BW/O={{ domain }}/CN={{ server_fqdn }}" \
			
 
				
				     -out /etc/letsencrypt/rootCA.crt
			
 
				
				 
			
 
				
				 echo generating server key
			
@@ -15,11 +15,16 @@ openssl genrsa -out /etc/letsencrypt/{{ domain }}.key 2048
 
				
				 echo generating signing request
			
 
				
				 openssl req -new -sha256 \
			
 
				
				     -key /etc/letsencrypt/{{ domain }}.key \
			
 
				
				-    -subj "/C=DE/ST=BW/O={{ domain }}/CN=*.{{ domain }}" \
			
 
				
				+    -subj "/C=DE/ST=BW/O={{ domain }}/CN={{ server_fqdn }}" \
			
 
				
				+    -reqexts SAN \
			
 
				
				+    -extensions SAN \
			
 
				
				+    -config <(cat /etc/ssl/openssl.cnf \
			
 
				
				+        <(printf "\n[SAN]\nsubjectAltName=DNS:{{ server_fqdn }}")) \
			
 
				
				     -out /etc/letsencrypt/{{ domain }}.csr
			
 
				
				 
			
 
				
				 echo generating server certificate
			
 
				
				 openssl x509 -req -CAcreateserial -days 7300 -sha256 \
			
 
				
				+    -extfile <(printf "subjectAltName=DNS:{{ server_fqdn }}") \
			
 
				
				     -in /etc/letsencrypt/{{ domain }}.csr \
			
 
				
				     -CA /etc/letsencrypt/rootCA.crt \
			
 
				
				     -CAkey /etc/letsencrypt/rootCA.key \