From d3310007c3884dbad4a06dc40558a57a54296ea8 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Fri, 3 Feb 2017 15:52:48 +0100 Subject: [PATCH] evoacme : - Don't generate dhparams (not evoacme role) - Generate ssl conf file for vhost --- evoacme/README.md | 20 ++++++++++++++++++-- evoacme/files/evoacme.sh | 35 +++++++++++++---------------------- evoacme/files/make-csr.sh | 26 ++++++++++++++++++++++---- evoacme/tasks/dhparam.yml | 4 ---- evoacme/tasks/main.yml | 3 --- 5 files changed, 53 insertions(+), 35 deletions(-) delete mode 100644 evoacme/tasks/dhparam.yml diff --git a/evoacme/README.md b/evoacme/README.md index 9e5b97a3..147fe2d1 100644 --- a/evoacme/README.md +++ b/evoacme/README.md @@ -1,4 +1,4 @@ -# Evoacme 1.4 +# Evoacme 1.5 EvoAcme is an [Ansible](https://www.ansible.com/) role and a [Certbot](https://certbot.eff.org) wrapper for generate [Let's Encrypt](https://letsencrypt.org/) certificates. @@ -45,7 +45,7 @@ service nginx reload make-csr vhostname ~~~ -8 - Generate the certificate with evoacme +5 - Generate the certificate with evoacme ~~~ # evoacme look for /etc/ssl/requests/vhostname @@ -53,6 +53,22 @@ make-csr vhostname evoacme vhostname ~~~ +6 - Include ssl configuration + +Sll configuration has generated, you must include it in your vhost. + +For Apache : + +~~~ +Include /etc/apache2/ssl/vhost.conf +~~~ + +For Nginx : + +~~~ +include /etc/nginx/ssl/vhost.conf; +~~~ + # License Evoacme is open source software licensed under the AGPLv3 License. diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh index b9eaf449..38376d6f 100755 --- a/evoacme/files/evoacme.sh +++ b/evoacme/files/evoacme.sh @@ -1,6 +1,9 @@ #!/bin/bash -source /etc/default/evoacme +[ -f /etc/default/evoacme ] && source /etc/default/evoacme +[ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR='/etc/ssl/private' +[ -z "${CSR_DIR}" ] && CSR_DIR='/etc/ssl/requests' +[ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed' vhost=$1 
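Review bot: The fallback defaults added in the evoacme.sh hunk cover only SSL_KEY_DIR, CSR_DIR and SELF_SIGNED_DIR, yet the script body in the next hunk also expands CRT_DIR, ACME_DIR and LOG_DIR, so when /etc/default/evoacme is absent — the case the new `[ -f ... ] &&` guard now tolerates instead of failing on — `rm -f $CRT_DIR/${vhost}.crt` becomes `rm -f /${vhost}.crt` and certbot is invoked with an empty webroot path (unless those variables are defaulted in lines between the two hunks, which are not shown). Either default every variable the script reads or fail fast on the missing ones right after the source line, e.g. `: "${CRT_DIR:?CRT_DIR not set}"`, `: "${ACME_DIR:?ACME_DIR not set}"`, `: "${LOG_DIR:?LOG_DIR not set}"`. `vhost=$1` is likewise unchecked, and an empty value is later spliced into file paths and the `sed -i` expressions of the following hunk; `[ -n "$vhost" ] || { echo "usage: $0 vhostname" >&2; exit 1; }` would stop that. As a point of style, `[ -z "${X}" ] && X='...'` leaves a non-zero status whenever the variable is already set, which would bite if `set -e` is ever added; the idiomatic form is `SSL_KEY_DIR=${SSL_KEY_DIR:-/etc/ssl/private}` and the same for the other two.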
@@ -27,42 +30,30 @@ rm -f $CRT_DIR/${vhost}.crt $CRT_DIR/${vhost}-fullchain.pem $CRT_DIR/${vhost}-ch sudo -u acme certbot certonly --quiet --webroot --csr $CSR_DIR/${vhost}.csr --webroot-path $ACME_DIR -n --agree-tos --cert-path=$CRT_DIR/${vhost}.crt --fullchain-path=$CRT_DIR/${vhost}-fullchain.pem --chain-path=$CRT_DIR/${vhost}-chain.pem $emailopt --logs-dir $LOG_DIR 2> >(grep -v certbot.crypto_util) if [ $? != 0 ]; then - openssl x509 -req -sha256 -days 365 -in $CSR_DIR/${vhost}.csr -signkey $SSL_KEY_DIR/${vhost}.key -out $CRT_DIR/${vhost}-fullchain.pem + if [ -d /etc/apache2 ]; then + sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile $SELF_SIGNED_DIR/${vhost}.pem~" /etc/apache2/ssl/${vhost}.conf + fi + if [ -d /etc/nginx ]; then + sed -i "s~^ssl_certificate[^_]*$~ssl_certificate $SELF_SIGNED_DIR/${vhost}.pem;~" /etc/nginx/ssl/${vhost}.conf + fi exit 1 fi which apache2ctl>/dev/null if [ $? == 0 ]; then - apache2ctl -t 2>/dev/null + sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile $CRT_DIR/${vhost}-fullchain.pem~" /etc/apache2/ssl/${vhost}.conf + apache2ctl -t 2>/dev/null if [ $? == 0 ]; then service apache2 reload fi fi which nginx>/dev/null if [ $? == 0 ]; then + sed -i "s~^ssl_certificate[^_]*$~ssl_certificate $CRT_DIR/${vhost}-fullchain.pem;~" /etc/nginx/ssl/${vhost}.conf nginx -t 2>/dev/null if [ $? == 0 ]; then service nginx reload fi fi -if [ -z "$renew" ]; then - -cat <&2 - exit 1 else domains=$valid_domains fi @@ -92,3 +89,24 @@ if [ -f $CSR_DIR/${vhost}.csr ]; then chmod 644 $SELF_SIGNED_DIR/${vhost}.pem fi fi + +if [ -d /etc/apache2 ]; then + mkdir -p /etc/apache2/ssl + if [ ! -f /etc/apache2/ssl/${vhost}.conf ]; then + cat > /etc/apache2/ssl/${vhost}.conf < /etc/nginx/ssl/${vhost}.conf <