evoacme : fix nginx challenge, check domain in make-csr
parent
e173407baa
commit
59c982b46d
|
@ -1,4 +1,4 @@
|
|||
# Evoacme 1.3
|
||||
# Evoacme 1.4
|
||||
|
||||
EvoAcme is an [Ansible](https://www.ansible.com/) role and a [Certbot](https://certbot.eff.org) wrapper for generate [Let's Encrypt](https://letsencrypt.org/) certificates.
|
||||
|
||||
|
@ -8,43 +8,44 @@ It is a project hosted at [Evolix's forge](https://forge.evolix.org/projects/ans
|
|||
|
||||
1 - Create a playbook with evoacme role
|
||||
|
||||
```
|
||||
~~~
|
||||
---
|
||||
- hosts: hostname
|
||||
become: yes
|
||||
roles:
|
||||
- role: evoacme
|
||||
```
|
||||
~~~
|
||||
|
||||
2 - Install evoacme prerequisite with ansible
|
||||
|
||||
```
|
||||
~~~
|
||||
ansible-playbook playbook.yml -Kl hostname
|
||||
```
|
||||
~~~
|
||||
|
||||
3 - Include letsencrypt.conf in your webserver
|
||||
|
||||
For Apache, you just need to ensure that you don't overwrite "/.well-known/acme-challenge" Alias with a Redirect or Rewrite directive.
|
||||
|
||||
For Nginx, you must include letsencrypt.conf in all wanted vhost :
|
||||
```
|
||||
|
||||
~~~
|
||||
include /etc/nginx/letsencrypt.conf;
|
||||
nginx -t
|
||||
service nginx reload
|
||||
```
|
||||
~~~
|
||||
|
||||
4 - Create a CSR for a vhost with make-csr
|
||||
|
||||
```
|
||||
~~~
|
||||
# vhostname is vhostfile without .conf ext
|
||||
make-csr vhostname
|
||||
```
|
||||
~~~
|
||||
|
||||
8 - Generate the certificate with evoacme
|
||||
|
||||
```
|
||||
~~~
|
||||
evoacme vhostname
|
||||
```
|
||||
~~~
|
||||
|
||||
# License
|
||||
|
||||
|
|
|
@ -34,14 +34,30 @@ if [ -f /etc/apache2/sites-enabled/${vhost}.conf ]; then
|
|||
domains=`grep -oE "^( )*[^#]+" /etc/apache2/sites-enabled/${vhost}.conf|grep -oE "(ServerName|ServerAlias).*"|sed 's/ServerName//'|sed 's/ServerAlias//'|sed 's/\s\{1,\}//'|sort|uniq`
|
||||
fi
|
||||
|
||||
echo "Domain(s) for $vhost :"
|
||||
valid_domains=''
|
||||
srv_ip=$(ip a|grep brd|cut -d'/' -f1|grep -oE "([0-9]+\.){3}[0-9]+")
|
||||
|
||||
echo "Valid Domain(s) for $vhost :"
|
||||
for domain in $domains
|
||||
do
|
||||
# TODO : vérifier si domaine pointe sur localhost
|
||||
echo "- $domain"
|
||||
nb=$(( nb + 1 ))
|
||||
real_ip=$(dig +short $domain|grep -oE "([0-9]+\.){3}[0-9]+")
|
||||
for ip in "$srv_ip"; do
|
||||
if [ "$ip" == "$real_ip" ]; then
|
||||
valid_domains="$valid_domains $domain"
|
||||
nb=$(( nb + 1 ))
|
||||
echo "- $domain"
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
||||
if [ $nb -eq 0 ]; then
|
||||
nb=`echo $domains|wc -l`
|
||||
echo "No valid domains : $domains" >&2
|
||||
exit 1
|
||||
else
|
||||
domains=$valid_domains
|
||||
fi
|
||||
|
||||
mkdir -p /etc/ssl/requests -m 755
|
||||
chown root: /etc/ssl/requests
|
||||
|
||||
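Review bot: The inner loop `for ip in "$srv_ip"; do` quotes the expansion, so it iterates exactly once with the whole newline-joined output of `ip a` as `$ip`; on a host with more than one IPv4 address the `[ "$ip" == "$real_ip" ]` comparison can never match and every domain is rejected, and `real_ip` has the same problem when `dig +short` returns several A records or a CNAME chain. A membership test avoids both: replace the `for ip`/`if` pair (and its `done`) with `if [ -n "$real_ip" ] && grep -qxF -- "$real_ip" <<<"$srv_ip"; then`, keeping the `-n` guard because an empty pattern would match any line. Two smaller points in the same hunk: `nb=$(( nb + 1 ))` is fine with an unset `nb`, but `if [ $nb -eq 0 ]` is not, so unless `nb` is initialised above the hunk add `nb=0` next to `valid_domains=''`; and the `nb=\`echo $domains|wc -l\`` assignment in the error branch is dead code since `exit 1` follows it. Note also that this is a local-interface heuristic: behind NAT or a proxy the public A record will never equal an interface address and the script aborts, so a comment such as `# Pre-check only: domains must resolve to one of this host's interface IPv4 addresses (no NAT/IPv6 support); the CA performs the real validation` would help the next maintainer. The `if [ -f /etc/apache2/... ]` block this code follows begins above the hunk.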
|
|
|
@ -1,4 +1,5 @@
|
|||
location /.well-known/acme-challenge {
|
||||
alias {{ evoacme_acme_dir }}/.well-known/acme-challenge;
|
||||
try_files $uri =404;
|
||||
allow all;
|
||||
}
|
||||
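Review bot: `try_files $uri =404;` inside a prefix `location` that uses `alias` is a combination with long-standing path-resolution quirks in nginx, where the file is looked up under the alias with the full request URI appended instead of only the part after the matched prefix; before relying on this template, verify with a real file under `{{ evoacme_acme_dir }}/.well-known/acme-challenge/` that the challenge URL serves it rather than returning 404, and if it does not, `root {{ evoacme_acme_dir }};` (the location suffix matches the directory layout here) is the usual replacement for `alias`. I cannot tell from the rendered page which of `try_files` or `allow all;` is the line this commit adds. A short header comment would also help, e.g. `# Public ACME HTTP-01 challenge location: allow all overrides any deny rules inherited from the server block, and =404 prevents fallthrough to the vhost's other handlers`.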
|
|