Adds support for managing certificates manually and for having the playbook generate self-signed certificates for you. With this, Let's Encrypt usage is no longer required. Fixes Github issue #50.development
parent
bfcba5256e
commit
d28bdb3258
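--- /dev/null
+++ b/<path-not-shown>
@@ -0,0 +1,32 @@
+# Adjusting SSL certificate retrieval (optional, advanced)
+
+By default, this playbook retrieves and auto-renews free SSL certificates from [Let's Encrypt](https://letsencrypt.org/).
+
+If that's alright, you can skip this.
+
+
+## Using self-signed SSL certificates
+
+For private deployments (not publicly accessible from the internet), you may not be able to use Let's Encrypt certificates.
+
+If self-signed certificates are alright with you, you can ask the playbook to generate such for you with the following configuration:
+
+```yaml
+matrix_ssl_retrieval_method: self-signed
+```
+
+
+## Using your own SSL certificates
+
+If you'd like to manage SSL certificates by yourself and have the playbook use your certificate files, you can use the following configuration:
+
+```yaml
+matrix_ssl_retrieval_method: manually-managed
+```
+
+With such a configuration, the playbook would expect you to drop the SSL certificate files in the directory specified by `matrix_ssl_config_dir_path` (`/matrix/ssl/config` by default) obeying the following hierarchy:
+
+- `<matrix_ssl_config_dir_path>/live/<domain>/fullchain.pem`
+- `<matrix_ssl_config_dir_path>/live/<domain>/privkey.pem`
+
+where `<domain>` refers to the domains that you need (usually `matrix.<your-domain>` and `riot.<your-domain>`).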
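--- a/<path-not-shown>
+++ /dev/null
@@ -1,54 +0,0 @@
----
-
-- name: Determine domains to obtain certificates for (Matrix)
-  set_fact:
-    domains_to_obtain_certificate_for: "['{{ hostname_matrix }}']"
-
-- name: Determine domains to obtain certificates for (Riot)
-  set_fact:
-    domains_to_obtain_certificate_for: "{{ domains_to_obtain_certificate_for + [hostname_riot] }}"
-  when: matrix_riot_web_enabled
-
-- name: Allow access to HTTP/HTTPS in firewalld
-  firewalld:
-    service: "{{ item }}"
-    state: enabled
-    immediate: yes
-    permanent: yes
-  with_items:
-    - http
-    - https
-  when: ansible_os_family == 'RedHat'
-
-- name: Ensure certbot Docker image is pulled
-  docker_image:
-    name: "{{ matrix_ssl_certbot_docker_image }}"
-
-- name: Ensure SSL certificate paths exists
-  file:
-    path: "{{ item }}"
-    state: directory
-    mode: 0770
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
-  with_items:
-    - "{{ matrix_ssl_log_dir_path }}"
-    - "{{ matrix_ssl_config_dir_path }}"
-
-- name: Obtain initial certificates
-  include_tasks: "tasks/setup/setup_ssl_for_domain.yml"
-  with_items: "{{ domains_to_obtain_certificate_for }}"
-  loop_control:
-    loop_var: domain_name
-
-- name: Ensure SSL renewal script installed
-  template:
-    src: "{{ role_path }}/templates/usr-local-bin/matrix-ssl-certificates-renew.j2"
-    dest: "/usr/local/bin/matrix-ssl-certificates-renew"
-    mode: 0750
-
-- name: Ensure periodic SSL renewal cronjob configured
-  template:
-    src: "{{ role_path }}/templates/cron.d/matrix-ssl-certificate-renewal.j2"
-    dest: "/etc/cron.d/matrix-ssl-certificate-renewal"
-    mode: 0600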
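--- /dev/null
+++ b/<path-not-shown>
@@ -0,0 +1,38 @@
+---
+
+- name: Fail if using unsupported SSL certificate retrieval method
+  fail:
+    msg: "The `matrix_ssl_retrieval_method` variable contains an unsupported value"
+  when: "matrix_ssl_retrieval_method not in ['lets-encrypt', 'self-signed', 'manually-managed']"
+
+
+# Common tasks, required by any method below.
+
+- name: Determine domains that we require certificates for (Matrix)
+  set_fact:
+    domains_requiring_certificates: "['{{ hostname_matrix }}']"
+
+- name: Determine domains that we require certificates for (Riot)
+  set_fact:
+    domains_requiring_certificates: "{{ domains_requiring_certificates + [hostname_riot] }}"
+  when: "matrix_riot_web_enabled"
+
+- name: Ensure SSL certificate paths exists
+  file:
+    path: "{{ item }}"
+    state: directory
+    mode: 0770
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+  with_items:
+    - "{{ matrix_ssl_log_dir_path }}"
+    - "{{ matrix_ssl_config_dir_path }}"
+
+
+# Method specific tasks follow
+
+- include: tasks/setup/ssl/setup_ssl_lets_encrypt.yml
+
+- include: tasks/setup/ssl/setup_ssl_self_signed.yml
+
+- include: tasks/setup/ssl/setup_ssl_manually_managed.yml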
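Review bot: `mode: 0770` on the `file` task is an unquoted octal literal; the YAML 1.1 loader Ansible uses reads it as the integer 504 (which the file module happens to interpret as 0770), while a YAML 1.2 loader would read it as decimal 770, so `mode: "0770"` is the portable spelling and keeps the intent visible. The three `- include:` lines at the end use the older `include` keyword while the rest of this commit uses `include_tasks`; `- include_tasks: tasks/setup/ssl/setup_ssl_lets_encrypt.yml` (and likewise for the other two) keeps the role consistent. The `fail` message would be more useful to an operator if it echoed the rejected value, for example by appending `: {{ matrix_ssl_retrieval_method }}` to the `msg` string, so a typo is visible without re-reading the configuration.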
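--- /dev/null
+++ b/<path-not-shown>
@@ -0,0 +1,61 @@
+---
+
+#
+# Tasks related to setting up Let's Encrypt's management of certificates
+#
+
+- name: (Deprecation) Fail if using outdated configuration
+  fail:
+    msg: "You're using the `host_specific_matrix_ssl_support_email` variable, which has been superseded by `host_specific_matrix_ssl_lets_encrypt_support_email`. Please change your configuration to use the new name!"
+  when: "matrix_ssl_retrieval_method == 'lets-encrypt' and host_specific_matrix_ssl_support_email is defined"
+
+- name: Allow access to HTTP/HTTPS in firewalld
+  firewalld:
+    service: "{{ item }}"
+    state: enabled
+    immediate: yes
+    permanent: yes
+  with_items:
+    - http
+    - https
+  when: "matrix_ssl_retrieval_method == 'lets-encrypt' and ansible_os_family == 'RedHat'"
+
+- name: Ensure certbot Docker image is pulled
+  docker_image:
+    name: "{{ matrix_ssl_lets_encrypt_certbot_docker_image }}"
+  when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
+
+- name: Obtain certificates
+  include_tasks: "tasks/setup/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml"
+  with_items: "{{ domains_requiring_certificates }}"
+  loop_control:
+    loop_var: domain_name
+  when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
+
+- name: Ensure SSL renewal script installed
+  template:
+    src: "{{ role_path }}/templates/usr-local-bin/matrix-ssl-certificates-renew.j2"
+    dest: "/usr/local/bin/matrix-ssl-certificates-renew"
+    mode: 0750
+  when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
+
+- name: Ensure periodic SSL renewal cronjob configured
+  template:
+    src: "{{ role_path }}/templates/cron.d/matrix-ssl-certificate-renewal.j2"
+    dest: "/etc/cron.d/matrix-ssl-certificate-renewal"
+    mode: 0600
+  when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
+
+
+#
+# Tasks related to getting rid of Let's Encrypt's management of certificates
+#
+
+- name: Ensure Let's Encrypt SSL certificate management files removed
+  file:
+    path: "{{ item }}"
+    state: absent
+  with_items:
+    - /usr/local/bin/matrix-ssl-certificates-renew
+    - /etc/cron.d/matrix-ssl-certificate-renewal
+  when: "matrix_ssl_retrieval_method != 'lets-encrypt'"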
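Review bot: `immediate: yes` and `permanent: yes` in the firewalld task rely on YAML 1.1 truthy parsing; `immediate: true` / `permanent: true` is the form that reads the same under every loader, and the file modes on the two `template` tasks should be quoted (`mode: "0750"`, `mode: "0600"`) for the same reason. The same unquoted `0770` literal appears in the common `file` task of this commit's main SSL task file, so it is worth fixing in one pass. Every task in this file repeats `when: "matrix_ssl_retrieval_method == 'lets-encrypt'"`; grouping them under a single `block:` with one `when` (or applying the condition at the include in the caller) makes it harder to add a task later and forget the guard, which for the firewalld and cron tasks would mean opening ports or installing a renewal job on hosts that do not use Let's Encrypt.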
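--- /dev/null
+++ b/<path-not-shown>
@@ -0,0 +1,8 @@
+---
+
+- name: Verify certificates
+  include_tasks: "tasks/setup/ssl/setup_ssl_manually_managed_verify_for_domain.yml"
+  with_items: "{{ domains_requiring_certificates }}"
+  loop_control:
+    loop_var: domain_name
+  when: "matrix_ssl_retrieval_method == 'manually-managed'"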
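--- /dev/null
+++ b/<path-not-shown>
@@ -0,0 +1,23 @@
+---
+
+- set_fact:
+    matrix_ssl_certificate_verification_cert_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/fullchain.pem"
+    matrix_ssl_certificate_verification_cert_key_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/privkey.pem"
+
+- name: Check if SSL certificate file exists
+  stat:
+    path: "{{ matrix_ssl_certificate_verification_cert_path }}"
+  register: matrix_ssl_certificate_verification_cert_path_stat_result
+
+- fail:
+    msg: "Failed finding a certificate file (for domain `{{ domain_name }}`) at `{{ matrix_ssl_certificate_verification_cert_path }}`"
+  when: "not matrix_ssl_certificate_verification_cert_path_stat_result.stat.exists"
+
+- name: Check if SSL certificate key file exists
+  stat:
+    path: "{{ matrix_ssl_certificate_verification_cert_key_path }}"
+  register: matrix_ssl_certificate_verification_cert_key_path_stat_result
+
+- fail:
+    msg: "Failed finding a certificate key file (for domain `{{ domain_name }}`) at `{{ matrix_ssl_certificate_verification_cert_key_path }}`"
+  when: "not matrix_ssl_certificate_verification_cert_key_path_stat_result.stat.exists"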
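Review bot: Both checks test only `stat.exists`, so a directory or an empty file at `fullchain.pem` or `privkey.pem` passes "verification" and the problem only surfaces later when the web server fails to load the pair; tightening the first condition to `when: "not (matrix_ssl_certificate_verification_cert_path_stat_result.stat.exists and matrix_ssl_certificate_verification_cert_path_stat_result.stat.isreg)"` (and the key check likewise) catches that at setup time. Since this is the only place the playbook looks at operator-supplied key material, it could also inspect `stat.mode` of the key and fail on a world-readable private key, which is a cheap guard against a copy made with a permissive umask. The two `set_fact` and two `fail` tasks are the only tasks in this commit without a `name:`; naming them keeps the play output readable, and a one-line comment above the `set_fact` noting that the paths mirror the `live/<domain>/fullchain.pem` and `live/<domain>/privkey.pem` layout documented for `matrix_ssl_config_dir_path` would tie the two together.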
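--- /dev/null
+++ b/<path-not-shown>
@@ -0,0 +1,24 @@
+---
+
+- name: Ensure OpenSSL installed (RedHat)
+  yum:
+    name:
+      - openssl
+    state: present
+    update_cache: no
+  when: ansible_os_family == 'RedHat'
+
+- name: Ensure APT usage dependencies are installed (Debian)
+  apt:
+    name:
+      - openssl
+    state: present
+    update_cache: no
+  when: ansible_os_family == 'Debian'
+
+- name: Obtain certificates
+  include_tasks: "tasks/setup/ssl/setup_ssl_self_signed_obtain_for_domain.yml"
+  with_items: "{{ domains_requiring_certificates }}"
+  loop_control:
+    loop_var: domain_name
+  when: "matrix_ssl_retrieval_method == 'self-signed'"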
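Review bot: The two package tasks are guarded only by `ansible_os_family`, so `openssl` is installed on every host whatever `matrix_ssl_retrieval_method` is set to; only the final include checks for `'self-signed'`. Adding the method to both conditions, e.g. `when: "matrix_ssl_retrieval_method == 'self-signed' and ansible_os_family == 'RedHat'"`, matches how every task in this commit's Let's Encrypt task file is guarded. The Debian task's name, `Ensure APT usage dependencies are installed (Debian)`, looks copied from another role; `Ensure OpenSSL installed (Debian)` mirrors its RedHat twin. `update_cache: no` is a YAML 1.1 truthy value; `update_cache: false` is the portable form.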
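--- /dev/null
+++ b/<path-not-shown>
@@ -0,0 +1,40 @@
+---
+
+- set_fact:
+    matrix_ssl_certificate_csr_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/csr.csr"
+    matrix_ssl_certificate_cert_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/fullchain.pem"
+    matrix_ssl_certificate_cert_key_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/privkey.pem"
+
+- name: Check if SSL certificate file exists
+  stat:
+    path: "{{ matrix_ssl_certificate_cert_path }}"
+  register: matrix_ssl_certificate_cert_path_stat_result
+
+# In order to do any sort of generation (below), we need to ensure the directory exists first
+- name: Ensure SSL certificate directory exists
+  file:
+    path: "{{ matrix_ssl_certificate_csr_path|dirname }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+  when: "not matrix_ssl_certificate_cert_path_stat_result.stat.exists"
+
+# The proper way to do this is by using a sequence of
+# `openssl_privatekey`, `openssl_csr` and `openssl_certificate`.
+#
+# Unfortunately, `openssl_csr` and `openssl_certificate` require `PyOpenSSL>=0.15` to work,
+# which is not available on CentOS 7 (at least).
+#
+# We'll do it in a more manual way.
+- name: Generate SSL certificate
+  command: |
+    openssl req -x509 \
+    -sha256 \
+    -newkey rsa:4096 \
+    -nodes \
+    -subj "/CN={{ domain_name }}" \
+    -keyout {{ matrix_ssl_certificate_cert_key_path }} \
+    -out {{ matrix_ssl_certificate_cert_path }} \
+    -days 3650
+  when: "not matrix_ssl_certificate_cert_path_stat_result.stat.exists"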
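Review bot: The generated certificate carries only `-subj "/CN={{ domain_name }}"` and no subjectAltName, and most current browsers and TLS libraries validate the hostname against SAN entries only, so this certificate is still rejected for the domain even after an operator trusts it. On OpenSSL 1.1.1 or later the fix is one extra argument, `-addext "subjectAltName=DNS:{{ domain_name }}"`; older releases (the CentOS 7 situation the comment above the task describes) lack `-addext` and need an `-extensions` section from a config file instead, so the change may have to be version-dependent. The skip condition looks only at `fullchain.pem`: if the key is missing, or an interrupted run left the certificate without its key, the task is skipped and the failure moves to the web server with a less clear message, so checking both paths before skipping would be safer. `matrix_ssl_certificate_csr_path` is set but used only for its `dirname`; `{{ matrix_ssl_certificate_cert_path|dirname }}` gives the same directory and lets the unused variable go.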