evoacme : fix nginx challenge, check domain in make-csr

This commit is contained in:
Victor LABORIE 2017-01-17 14:54:31 +01:00
parent e173407baa
commit 59c982b46d
3 changed files with 33 additions and 15 deletions


@ -1,4 +1,4 @@
# Evoacme 1.3 # Evoacme 1.4
EvoAcme is an [Ansible](https://www.ansible.com/) role and a [Certbot](https://certbot.eff.org) wrapper for generate [Let's Encrypt](https://letsencrypt.org/) certificates. EvoAcme is an [Ansible](https://www.ansible.com/) role and a [Certbot](https://certbot.eff.org) wrapper for generate [Let's Encrypt](https://letsencrypt.org/) certificates.
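Review bot: docs nit on the description line kept as context here: "a Certbot wrapper for generate Let's Encrypt certificates" should read "for generating"; worth fixing while the header is being bumped to 1.4.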
@ -8,43 +8,44 @@ It is a project hosted at [Evolix's forge](https://forge.evolix.org/projects/ans
1 - Create a playbook with evoacme role 1 - Create a playbook with evoacme role
``` ~~~
--- ---
- hosts: hostname - hosts: hostname
become: yes become: yes
roles: roles:
- role: evoacme - role: evoacme
``` ~~~
2 - Install evoacme prerequisite with ansible 2 - Install evoacme prerequisite with ansible
``` ~~~
ansible-playbook playbook.yml -Kl hostname ansible-playbook playbook.yml -Kl hostname
``` ~~~
3 - Include letsencrypt.conf in your webserver 3 - Include letsencrypt.conf in your webserver
For Apache, you just need to ensure that you don't overwrite "/.well-known/acme-challenge" Alias with a Redirect or Rewrite directive. For Apache, you just need to ensure that you don't overwrite "/.well-known/acme-challenge" Alias with a Redirect or Rewrite directive.
For Nginx, you must include letsencrypt.conf in all wanted vhost : For Nginx, you must include letsencrypt.conf in all wanted vhost :
```
~~~
include /etc/nginx/letsencrypt.conf; include /etc/nginx/letsencrypt.conf;
nginx -t nginx -t
service nginx reload service nginx reload
``` ~~~
4 - Create a CSR for a vhost with make-csr 4 - Create a CSR for a vhost with make-csr
``` ~~~
# vhostname is vhostfile without .conf ext # vhostname is vhostfile without .conf ext
make-csr vhostname make-csr vhostname
``` ~~~
8 - Generate the certificate with evoacme 8 - Generate the certificate with evoacme
``` ~~~
evoacme vhostname evoacme vhostname
``` ~~~
# License # License
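Review bot: the step numbering in this hunk still jumps from "4 - Create a CSR for a vhost with make-csr" to "8 - Generate the certificate with evoacme", so either renumber the last step to 5 or add the missing steps 5 to 7. The Nginx block also mixes a directive that belongs in the vhost file (`include /etc/nginx/letsencrypt.conf;`) with shell commands (`nginx -t`, `service nginx reload`) in one fenced block; splitting them into two blocks, or commenting which lines go where, avoids someone pasting the reload commands into the vhost. Switching the fences from ``` to ~~~ is fine as long as the whole file is consistent.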


@ -34,13 +34,29 @@ if [ -f /etc/apache2/sites-enabled/${vhost}.conf ]; then
domains=`grep -oE "^( )*[^#]+" /etc/apache2/sites-enabled/${vhost}.conf|grep -oE "(ServerName|ServerAlias).*"|sed 's/ServerName//'|sed 's/ServerAlias//'|sed 's/\s\{1,\}//'|sort|uniq` domains=`grep -oE "^( )*[^#]+" /etc/apache2/sites-enabled/${vhost}.conf|grep -oE "(ServerName|ServerAlias).*"|sed 's/ServerName//'|sed 's/ServerAlias//'|sed 's/\s\{1,\}//'|sort|uniq`
fi fi
echo "Domain(s) for $vhost :" valid_domains=''
srv_ip=$(ip a|grep brd|cut -d'/' -f1|grep -oE "([0-9]+\.){3}[0-9]+")
echo "Valid Domain(s) for $vhost :"
for domain in $domains for domain in $domains
do do
# TODO : vérifier si domaine pointe sur localhost real_ip=$(dig +short $domain|grep -oE "([0-9]+\.){3}[0-9]+")
echo "- $domain" for ip in "$srv_ip"; do
if [ "$ip" == "$real_ip" ]; then
valid_domains="$valid_domains $domain"
nb=$(( nb + 1 )) nb=$(( nb + 1 ))
echo "- $domain"
fi
done done
done
if [ $nb -eq 0 ]; then
nb=`echo $domains|wc -l`
echo "No valid domains : $domains" >&2
exit 1
else
domains=$valid_domains
fi
mkdir -p /etc/ssl/requests -m 755 mkdir -p /etc/ssl/requests -m 755
chown root: /etc/ssl/requests chown root: /etc/ssl/requests
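Review bot: `for ip in "$srv_ip"; do` quotes the variable, so the loop runs exactly once with the whole newline-joined list of local addresses as `$ip`; the `[ "$ip" == "$real_ip" ]` test then only succeeds on a host with a single IPv4 address. Drop the quotes (or read the addresses into an array) so each local address is compared. The same problem exists on the other side: `dig +short $domain | grep -oE ...` returns several lines when the domain has more than one A record, making `real_ip` a multi-line string that never equals a single address, so compare per line there too. `nb` is not initialised before `nb=$(( nb + 1 ))` in this hunk; an explicit `nb=0` before the loop keeps the `-eq 0` test correct under `set -u`. In the failure branch, `nb=\`echo $domains|wc -l\`` is assigned immediately before `exit 1` and is never read, and the unquoted `echo $domains` collapses the list onto one line anyway, so that line can go. Finally, both the `ip a | grep brd` and the `dig` regex only see IPv4, so a vhost that is reachable only via an AAAA record, or on an interface without a broadcast address, is reported as "No valid domains"; either document that limitation or extend the check. The check itself is a good guard: refusing to build a CSR for names that do not resolve to this host avoids requesting certificates that the HTTP-01 challenge could never validate.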


@ -1,4 +1,5 @@
location /.well-known/acme-challenge { location /.well-known/acme-challenge {
alias {{ evoacme_acme_dir }}/.well-known/acme-challenge; alias {{ evoacme_acme_dir }}/.well-known/acme-challenge;
try_files $uri =404; try_files $uri =404;
allow all;
} }
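Review bot: `allow all;` only overrides `deny` rules from the access module inherited from the server block; a vhost protected with `auth_basic` (a staging site, for instance) still answers the challenge requests with 401 and validation fails, so consider adding `auth_basic off;` next to it. A server-level `return 301 https://...` redirect also preempts this location regardless of the `allow`, so the README should say for Nginx, as it already does for Apache, that the include must not be shadowed by a blanket redirect.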