thomas
/
sovereign
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
No Description
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
627 Commits
1 Branch
Tree: e229c5519b
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'e229c5519b'
${ noResults }
sovereign/roles/common/tasks/ssl.yml

ssl.yml 2.4KB
History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667 
  1. - name: Copy SSL private key into place

  2.   copy: src=wildcard_private.key dest=/etc/ssl/private/wildcard_private.key group=ssl-cert owner=root mode=640

  3.   register: private_key

  4.   notify: restart apache

  5. 

  6. - name: Copy SSL public certificate into place

  7.   copy: src=wildcard_public_cert.crt dest=/etc/ssl/certs/wildcard_public_cert.crt group=root owner=root mode=644

  8.   register: certificate

  9.   notify: restart apache

  10. 

  11. - name: Copy CA combined certificate into place

  12.   copy: src=wildcard_ca.pem dest=/etc/ssl/certs/wildcard_ca.pem group=root owner=root mode=644

  13.   register: ca_certificate

  14.   notify: restart apache

  15. 

  16. - name: Create a combined version of the public cert with intermediate and root CAs

  17.   shell: cat /etc/ssl/certs/wildcard_public_cert.crt /etc/ssl/certs/wildcard_ca.pem >

  18.     /etc/ssl/certs/wildcard_combined.pem

  19.   when: private_key.changed or certificate.changed or ca_certificate.changed

  20. 

  21. - name: Set permissions on combined public cert

  22.   file: name=/etc/ssl/certs/wildcard_combined.pem mode=644

  23.   notify: restart apache

  24. 

  25. - name: Create strong Diffie-Hellman group

  26.   command: openssl dhparam -out /etc/ssl/private/dhparam2048.pem 2048

  27.     creates=/etc/ssl/private/dhparam2048.pem

  28. 

  29. - name: Enable Apache SSL module

  30.   command: a2enmod ssl creates=/etc/apache2/mods-enabled/ssl.load

  31.   notify: restart apache

  32. 

  33. - name: Enable NameVirtualHost for HTTPS

  34.   lineinfile:

  35.     dest=/etc/apache2/ports.conf regexp='^    NameVirtualHost \*:443'

  36.     insertafter='^<IfModule mod_ssl.c>'

  37.     line='    NameVirtualHost *:443'

  38.   notify: restart apache

  39. 

  40. - name: Enable Apache SOCACHE_SHMCB module for the SSL stapling cache

  41.   command: a2enmod socache_shmcb

  42.     creates=/etc/apache2/mods-enabled/socache_shmcb.load

  43.   notify: restart apache

  44.   when: ansible_distribution_release != 'wheezy'

  45. 

  46. - name: Add Apache SSL stapling cache configuration

  47.   copy:

  48.     src=etc_apache2_conf-available_ssl-stapling-cache.conf

  49.     dest=/etc/apache2/conf-available/ssl-stapling-cache.conf

  50.     owner=root

  51.     group=root

  52.   when: ansible_distribution_release != 'wheezy'

  53.   notify: restart apache

  54. 

  55. - name: Enable Apache SSL stapling cache configuration

  56.   command: a2enconf ssl-stapling-cache

  57.     creates=/etc/apache2/conf-enabled/ssl-stapling-cache.conf

  58.   when: ansible_distribution_release != 'wheezy'

  59.   notify: restart apache

  60. 

  61. - name: Add common Apache SSL config

  62.   template:

  63.     src=etc_apache2_ssl.conf.j2

  64.     dest=/etc/apache2/ssl.conf

  65.     owner=root

  66.     group=root

  67.   notify: restart apache