
Merge pull request #430 from danmilon/ssl-restart-nginx-on-new-cert

ssl: properly install changed certificate and restart apache on changes
Sven Neuhaus 9 years ago
parent
commit
e95e3e1bf8
1 changed files with 16 additions and 2 deletions
  1. 16
    2
      roles/common/tasks/ssl.yml

+ 16
- 2
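--- a/roles/common/tasks/ssl.yml
+++ b/roles/common/tasks/ssl.yml
@@ -1,18 +1,26 @@
 - name: Copy SSL private key into place
   copy: src=wildcard_private.key dest=/etc/ssl/private/wildcard_private.key group=ssl-cert owner=root mode=640
+  register: private_key
+  notify: restart apache
 
 - name: Copy SSL public certificate into place
   copy: src=wildcard_public_cert.crt dest=/etc/ssl/certs/wildcard_public_cert.crt group=root owner=root mode=644
+  register: certificate
+  notify: restart apache
 
 - name: Copy CA combined certificate into place
   copy: src=wildcard_ca.pem dest=/etc/ssl/certs/wildcard_ca.pem group=root owner=root mode=644
+  register: ca_certificate
+  notify: restart apache
 
 - name: Create a combined version of the public cert with intermediate and root CAs
   shell: cat /etc/ssl/certs/wildcard_public_cert.crt /etc/ssl/certs/wildcard_ca.pem >
-    /etc/ssl/certs/wildcard_combined.pem creates=/etc/ssl/certs/wildcard_combined.pem
+    /etc/ssl/certs/wildcard_combined.pem
+  when: private_key.changed or certificate.changed or ca_certificate.changed
 
 - name: Set permissions on combined public cert
   file: name=/etc/ssl/certs/wildcard_combined.pem mode=644
+  notify: restart apache
 
 - name: Create strong Diffie-Hellman group
   command: openssl dhparam -out /etc/ssl/private/dhparam2048.pem 2048
@@ -20,9 +28,14 @@
 
 - name: Enable Apache SSL module
   command: a2enmod ssl creates=/etc/apache2/mods-enabled/ssl.load
+  notify: restart apache
 
 - name: Enable NameVirtualHost for HTTPS
-  lineinfile: dest=/etc/apache2/ports.conf regexp='^    NameVirtualHost \*:443' insertafter='^<IfModule mod_ssl.c>' line='    NameVirtualHost *:443'
+  lineinfile:
+    dest=/etc/apache2/ports.conf regexp='^    NameVirtualHost \*:443'
+    insertafter='^<IfModule mod_ssl.c>'
+    line='    NameVirtualHost *:443'
+  notify: restart apache
 
 - name: Enable Apache SOCACHE_SHMCB module for the SSL stapling cache
   command: a2enmod socache_shmcb
@@ -51,3 +64,4 @@
     dest=/etc/apache2/ssl.conf
     owner=root
     group=root
+  notify: restart apache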
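Review bot: Removing `creates=/etc/ssl/certs/wildcard_combined.pem` from the combined-cert shell task in the first hunk and gating it only on `private_key.changed or certificate.changed or ca_certificate.changed` means a missing or deleted wildcard_combined.pem is never recreated unless one of the three sources changes too, and the restart the new `notify` lines trigger would then leave Apache unable to load its certificate chain. A `stat` of the combined file before the task, with `or not combined_cert.stat.exists` appended to the `when`, keeps the regenerate-on-change behaviour while restoring the self-healing the old `creates=` provided. The `private_key.changed` term does not influence the combined file's content, so it is harmless but could be dropped. If the copy tasks are ever skipped (for example by running with tags), the registered variables are presumably undefined and the `when` would error, which is worth a comment on the task. The Diffie-Hellman task at the end of the first hunk continues outside the hunk.
```yaml
# … unchanged: copy tasks for private key, public cert and CA cert …
- name: Check whether the combined public cert already exists
  stat: path=/etc/ssl/certs/wildcard_combined.pem
  register: combined_cert

- name: Create a combined version of the public cert with intermediate and root CAs
  shell: cat /etc/ssl/certs/wildcard_public_cert.crt /etc/ssl/certs/wildcard_ca.pem >
    /etc/ssl/certs/wildcard_combined.pem
  when: private_key.changed or certificate.changed or ca_certificate.changed or not combined_cert.stat.exists
# … unchanged: permissions, dhparam and a2enmod tasks …
```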
