evoacme : fix nginx challenge, check domain in make-csr
parent
e173407baa
commit
59c982b46d
|
@ -1,4 +1,4 @@
|
||||||
# Evoacme 1.3
|
# Evoacme 1.4
|
||||||
|
|
||||||
EvoAcme is an [Ansible](https://www.ansible.com/) role and a [Certbot](https://certbot.eff.org) wrapper for generate [Let's Encrypt](https://letsencrypt.org/) certificates.
|
EvoAcme is an [Ansible](https://www.ansible.com/) role and a [Certbot](https://certbot.eff.org) wrapper for generate [Let's Encrypt](https://letsencrypt.org/) certificates.
|
||||||
|
|
||||||
|
@ -8,43 +8,44 @@ It is a project hosted at [Evolix's forge](https://forge.evolix.org/projects/ans
|
||||||
|
|
||||||
1 - Create a playbook with evoacme role
|
1 - Create a playbook with evoacme role
|
||||||
|
|
||||||
```
|
~~~
|
||||||
---
|
---
|
||||||
- hosts: hostname
|
- hosts: hostname
|
||||||
become: yes
|
become: yes
|
||||||
roles:
|
roles:
|
||||||
- role: evoacme
|
- role: evoacme
|
||||||
```
|
~~~
|
||||||
|
|
||||||
2 - Install evoacme prerequisite with ansible
|
2 - Install evoacme prerequisite with ansible
|
||||||
|
|
||||||
```
|
~~~
|
||||||
ansible-playbook playbook.yml -Kl hostname
|
ansible-playbook playbook.yml -Kl hostname
|
||||||
```
|
~~~
|
||||||
|
|
||||||
3 - Include letsencrypt.conf in your webserver
|
3 - Include letsencrypt.conf in your webserver
|
||||||
|
|
||||||
For Apache, you just need to ensure that you don't overwrite "/.well-known/acme-challenge" Alias with a Redirect or Rewrite directive.
|
For Apache, you just need to ensure that you don't overwrite "/.well-known/acme-challenge" Alias with a Redirect or Rewrite directive.
|
||||||
|
|
||||||
For Nginx, you must include letsencrypt.conf in all wanted vhost :
|
For Nginx, you must include letsencrypt.conf in all wanted vhost :
|
||||||
```
|
|
||||||
|
~~~
|
||||||
include /etc/nginx/letsencrypt.conf;
|
include /etc/nginx/letsencrypt.conf;
|
||||||
nginx -t
|
nginx -t
|
||||||
service nginx reload
|
service nginx reload
|
||||||
```
|
~~~
|
||||||
|
|
||||||
4 - Create a CSR for a vhost with make-csr
|
4 - Create a CSR for a vhost with make-csr
|
||||||
|
|
||||||
```
|
~~~
|
||||||
# vhostname is vhostfile without .conf ext
|
# vhostname is vhostfile without .conf ext
|
||||||
make-csr vhostname
|
make-csr vhostname
|
||||||
```
|
~~~
|
||||||
|
|
||||||
8 - Generate the certificate with evoacme
|
8 - Generate the certificate with evoacme
|
||||||
|
|
||||||
```
|
~~~
|
||||||
evoacme vhostname
|
evoacme vhostname
|
||||||
```
|
~~~
|
||||||
|
|
||||||
# License
|
# License
|
||||||
|
|
||||||
|
|
|
@ -34,14 +34,30 @@ if [ -f /etc/apache2/sites-enabled/${vhost}.conf ]; then
|
||||||
domains=`grep -oE "^( )*[^#]+" /etc/apache2/sites-enabled/${vhost}.conf|grep -oE "(ServerName|ServerAlias).*"|sed 's/ServerName//'|sed 's/ServerAlias//'|sed 's/\s\{1,\}//'|sort|uniq`
|
domains=`grep -oE "^( )*[^#]+" /etc/apache2/sites-enabled/${vhost}.conf|grep -oE "(ServerName|ServerAlias).*"|sed 's/ServerName//'|sed 's/ServerAlias//'|sed 's/\s\{1,\}//'|sort|uniq`
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo "Domain(s) for $vhost :"
|
valid_domains=''
|
||||||
|
srv_ip=$(ip a|grep brd|cut -d'/' -f1|grep -oE "([0-9]+\.){3}[0-9]+")
|
||||||
|
|
||||||
|
echo "Valid Domain(s) for $vhost :"
|
||||||
for domain in $domains
|
for domain in $domains
|
||||||
do
|
do
|
||||||
# TODO : vérifier si domaine pointe sur localhost
|
real_ip=$(dig +short $domain|grep -oE "([0-9]+\.){3}[0-9]+")
|
||||||
echo "- $domain"
|
for ip in "$srv_ip"; do
|
||||||
nb=$(( nb + 1 ))
|
if [ "$ip" == "$real_ip" ]; then
|
||||||
|
valid_domains="$valid_domains $domain"
|
||||||
|
nb=$(( nb + 1 ))
|
||||||
|
echo "- $domain"
|
||||||
|
fi
|
||||||
|
done
|
||||||
done
|
done
|
||||||
|
|
||||||
|
if [ $nb -eq 0 ]; then
|
||||||
|
nb=`echo $domains|wc -l`
|
||||||
|
echo "No valid domains : $domains" >&2
|
||||||
|
exit 1
|
||||||
|
else
|
||||||
|
domains=$valid_domains
|
||||||
|
fi
|
||||||
|
|
||||||
mkdir -p /etc/ssl/requests -m 755
|
mkdir -p /etc/ssl/requests -m 755
|
||||||
chown root: /etc/ssl/requests
|
chown root: /etc/ssl/requests
|
||||||
|
|
||||||
|
|
|
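Review bot: The quoted `"$srv_ip"` on the `for ip in` line makes the inner loop run exactly once with every address extracted from `ip a` joined by newlines, so the equality test against `$real_ip` only succeeds when the host has a single IPv4 address with a broadcast and the domain a single A record; on a multi-homed host, or for a domain with several A records, every domain is rejected and make-csr exits. Iterate the addresses unquoted and test membership rather than equality: `for ip in $srv_ip; do` and `if printf '%s\n' "$real_ip" | grep -qxF -- "$ip"; then`, with a `break` after `echo "- $domain"` so a domain is not appended to valid_domains once per matching address. The `wc -l` assignment to `nb` just before `exit 1` is dead code and can be dropped, and `[ $nb -eq 0 ]` requires `nb` to have been initialised to 0 above this hunk, which is outside the visible lines, so please confirm. The check also only considers IPv4 and rejects vhosts served behind NAT or a reverse proxy; that limitation is worth stating in the "No valid domains" message or the README.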
@ -1,4 +1,5 @@
|
||||||
location /.well-known/acme-challenge {
|
location /.well-known/acme-challenge {
|
||||||
alias {{ evoacme_acme_dir }}/.well-known/acme-challenge;
|
alias {{ evoacme_acme_dir }}/.well-known/acme-challenge;
|
||||||
try_files $uri =404;
|
try_files $uri =404;
|
||||||
|
allow all;
|
||||||
}
|
}
|
||||||
|
|
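Review bot: The added `allow all;` only lifts access-module restrictions (`allow`/`deny` inherited from the enclosing server block), so a vhost protected with `auth_basic` still answers 401 for the challenge path and the HTTP-01 validation fails; if such vhosts are in scope, add `auth_basic off;` beside it. Since the location already resolves to a plain file via `try_files $uri =404;`, nothing else needs to be exempted here. The template's enclosing server context is outside the hunk, so I cannot tell whether other per-server directives (rate limits, IP-based `satisfy` rules) would also need overriding.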