Let's Encrypt

12 files changed, 196 insertions, 8 deletions

diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
index 114388e..dc0b5bf 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
@@ -9,7 +9,7 @@ ssl = required
 # dropping root privileges, so keep the key file unreadable by anyone but
 # root. Included doc/mkcert.sh can be used to easily generate self-signed
 # certificate, just make sure to update the domains in dovecot-openssl.cnf
-ssl_cert = </etc/dovecot/ssl/imap.fripost.org.chained.pem
+ssl_cert = </etc/dovecot/ssl/imap.fripost.org.pem
 ssl_key = </etc/dovecot/ssl/imap.fripost.org.key
 
 # If key file is password protected, give the password here. Alternatively
diff --git a/roles/MSA/templates/etc/postfix/main.cf.j2 b/roles/MSA/templates/etc/postfix/main.cf.j2
index caba881..24b83c6 100644
--- a/roles/MSA/templates/etc/postfix/main.cf.j2
+++ b/roles/MSA/templates/etc/postfix/main.cf.j2
@@ -75,7 +75,7 @@ smtp_tls_fingerprint_digest     = sha256
 {% endif %}
 
 smtpd_tls_security_level        = encrypt
-smtpd_tls_cert_file             = /etc/postfix/ssl/smtp.fripost.org.chained.pem
+smtpd_tls_cert_file             = /etc/postfix/ssl/smtp.fripost.org.pem
 smtpd_tls_key_file              = /etc/postfix/ssl/smtp.fripost.org.key
 smtpd_tls_dh1024_param_file     = /etc/ssl/private/dhparams.pem
 smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache
diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2
index 0259538..a9e7ee4 100644
--- a/roles/MX/templates/etc/postfix/main.cf.j2
+++ b/roles/MX/templates/etc/postfix/main.cf.j2
@@ -93,7 +93,7 @@ smtp_tls_fingerprint_digest     = sha256
 
 smtpd_tls_security_level        = may
 smtpd_tls_exclude_ciphers       = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
-smtpd_tls_cert_file             = /etc/postfix/ssl/mx.fripost.org.chained.pem
+smtpd_tls_cert_file             = /etc/postfix/ssl/mx.fripost.org.pem
 smtpd_tls_key_file              = /etc/postfix/ssl/mx.fripost.org.key
 smtpd_tls_dh1024_param_file     = /etc/ssl/private/dhparams.pem
 smtpd_tls_CApath                = /etc/ssl/certs/
diff --git a/roles/git/files/etc/nginx/sites-available/git b/roles/git/files/etc/nginx/sites-available/git
index afb5fca..a78ef3f 100644
--- a/roles/git/files/etc/nginx/sites-available/git
+++ b/roles/git/files/etc/nginx/sites-available/git
@@ -22,7 +22,7 @@ server {
     server_name  git.fripost.org;
 
     include snippets/ssl.conf;
-    ssl_certificate     /etc/nginx/ssl/git.fripost.org.chained.pem;
+    ssl_certificate     /etc/nginx/ssl/git.fripost.org.pem;
     ssl_certificate_key /etc/nginx/ssl/git.fripost.org.key;
 
     access_log /var/log/nginx/git.access.log;
diff --git a/roles/letsencrypt/files/etc/letsencrypt-tiny/letsencrypt.conf b/roles/letsencrypt/files/etc/letsencrypt-tiny/letsencrypt.conf
new file mode 100644
index 0000000..fb19d2a
--- /dev/null
+++ b/roles/letsencrypt/files/etc/letsencrypt-tiny/letsencrypt.conf
@@ -0,0 +1,86 @@
+# For certificate issuance (new-cert command), specify the certificate
+# configuration file to use
+#
+#config-certs = config/letsencrypt-certs.conf
+
+[client]
+# The value of "socket" specifies the letsencrypt-accountd(1)
+# UNIX-domain socket to connect to for signature requests from the ACME
+# client.  letsencrypt aborts if the socket is readable or writable by
+# other users, or if its parent directory is writable by other users.
+# Default: "$XDG_RUNTIME_DIR/S.letsencrypt" if the XDG_RUNTIME_DIR
+# environment variable is set.
+#
+#socket = /run/user/1000/S.letsencrypt
+
+# username to drop privileges to (setting both effective and real uid).
+# Preserve root privileges if the value is empty (not recommended).
+# Default: "nobody".
+#
+user = letsencrypt
+
+# groupname to drop privileges to (setting both effective and real gid,
+# and also setting the list of supplementary gids to that single group).
+# Preserve root privileges if the value is empty (not recommended).
+#
+group = nogroup
+
+# Path to the ACME client executable.
+#command = /usr/lib/letsencrypt-tiny/client
+
+# Root URI of the ACME server.  NOTE: Use the staging server for testing
+# as it has relaxed ratelimit.
+#
+#server = https://acme-v01.api.letsencrypt.org/
+#server = https://acme-staging.api.letsencrypt.org/
+
+# Timeout in seconds after which the client stops polling the ACME
+# server and considers the request failed.
+#
+#timeout = 10
+
+# Whether to verify the server certificate chain.
+SSL_verify = yes
+
+# Specify the version of the SSL protocol used to transmit data.
+SSL_version = SSLv23:!TLSv1_1:!TLSv1:!SSLv3:!SSLv2
+
+# Specify the cipher list for the connection.
+SSL_cipher_list = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
+
+
+[webserver]
+
+# Specify the local address to listen on, in the form ADDRESS[:PORT].
+#
+#listen = 0.0.0.0:80
+#listen = [::]:80
+
+# If a webserver is already running, specify a non-existent directory
+# under which the webserver is configured to serve GET requests for
+# challenge files under "/.well-known/acme-challenge/" (for each virtual
+# hosts requiring authorization) as static files.
+#
+challenge-directory = /var/www/acme-challenge
+
+# username to drop privileges to (setting both effective and real uid).
+# Preserve root privileges if the value is empty (not recommended).
+#
+user = www-data
+
+# groupname to drop privileges to (setting both effective and real gid,
+# and also setting the list of supplementary gids to that single group).
+# Preserve root privileges if the value is empty (not recommended).
+#
+user = www-data
+
+# Path to the ACME webserver executable.
+#command = /usr/lib/letsencrypt-tiny/webserver
+
+# Whether to automatically install iptables(1) rules to open the
+# ADDRESS[:PORT] specified with listen.  Theses rules are automatically
+# removed once letsencrypt exits.
+#
+#iptables = Yes
+
+; vim:ft=dosini
diff --git a/roles/letsencrypt/handlers/main.yml b/roles/letsencrypt/handlers/main.yml
new file mode 100644
index 0000000..d9eed44
--- /dev/null
+++ b/roles/letsencrypt/handlers/main.yml
@@ -0,0 +1,2 @@
+- name: Install LetsEncrypt's ACME client
+  apt: deb=/tmp/letsencrypt-tiny_0.1-1_all.deb
diff --git a/roles/letsencrypt/tasks/main.yml b/roles/letsencrypt/tasks/main.yml
new file mode 100644
index 0000000..c7ef7ef
--- /dev/null
+++ b/roles/letsencrypt/tasks/main.yml
@@ -0,0 +1,37 @@
+- name: Install dependencies for letsencrypt-tiny
+  apt: pkg={{ item }}
+  with_items:
+    - libjson-perl
+    - libjson-xs-perl
+    - libconfig-tiny-perl
+    - libwww-perl
+    - liblwp-protocol-https-perl
+    - libnet-ssleay-perl
+
+- name: Copy LetsEncrypt's ACME client
+  copy: src=deb/letsencrypt-tiny_0.1-1_all.deb
+        dest=/tmp
+  notify: Install LetsEncrypt's ACME client
+
+- meta: flush_handlers
+
+- name: Create a user 'letsencrypt'
+  user: name=letsencrypt system=yes
+        group=nogroup
+        createhome=no
+        home=/nonexistent
+        shell=/usr/sbin/nologin
+        password=!
+        state=present
+
+- name: Copy letsencrypt-tiny/letsencrypt-certs.conf
+  copy: src=etc/letsencrypt-tiny/letsencrypt.conf
+        dest=/etc/letsencrypt-tiny/letsencrypt.conf
+        owner=root group=root
+        mode=0644
+
+- name: Copy letsencrypt-tiny/letsencrypt-certs.conf
+  template: src=etc/letsencrypt-tiny/letsencrypt-certs.conf.j2
+            dest=/etc/letsencrypt-tiny/letsencrypt-certs.conf
+            owner=root group=root
+            mode=0644
diff --git a/roles/letsencrypt/templates/etc/letsencrypt-tiny/letsencrypt-certs.conf.j2 b/roles/letsencrypt/templates/etc/letsencrypt-tiny/letsencrypt-certs.conf.j2
new file mode 100644
index 0000000..fef5c62
--- /dev/null
+++ b/roles/letsencrypt/templates/etc/letsencrypt-tiny/letsencrypt-certs.conf.j2
@@ -0,0 +1,63 @@
+hash = sha512
+keyusage = digitalSignature, keyEncipherment
+
+{% if 'IMAP' in group_names %}
+[imap]
+certificate-key = /etc/dovecot/ssl/imap.fripost.org.key
+certificate-chain = /etc/dovecot/ssl/imap.fripost.org.pem
+subject = /O=Fripost/CN=imap.fripost.org
+subjectAltName = DNS:imap.fripost.org,DNS:sieve.fripost.org
+notify = /bin/systemctl restart dovecot
+{% endif %}
+
+{% if 'MSA' in group_names %}
+[smtp]
+certificate-key = /etc/postfix/ssl/smtp.fripost.org.key
+certificate-chain = /etc/postfix/ssl/smtp.fripost.org.pem
+subject = /O=Fripost/CN=smtp.fripost.org
+notify = /bin/systemctl restart postfix
+{% endif %}
+
+{% if 'MX' in group_names %}
+[mx]
+certificate-key = /etc/postfix/ssl/mx.fripost.org.key
+certificate-chain = /etc/postfix/ssl/mx.fripost.org.pem
+subject = /O=Fripost/CN=mx{{ mxno }}.fripost.org
+notify = /bin/systemctl restart postfix
+{% endif %}
+
+{% if 'lists' in group_names %}
+[lists]
+certificate-key = /etc/nginx/ssl/lists.fripost.org.key
+certificate-chain = /etc/nginx/ssl/lists.fripost.org.pem
+subject = /O=Fripost/CN=lists.fripost.org
+notify = /bin/systemctl restart nginx
+{% endif %}
+
+{% if 'wiki' in group_names %}
+[www]
+certificate-key = /etc/nginx/ssl/www.fripost.org.key
+certificate-chain = /etc/nginx/ssl/www.fripost.org.pem
+subject = /O=Fripost/CN=fripost.org
+subjectAltName = DNS:fripost.org,DNS:www.fripost.org,DNS:wiki.fripost.org
+notify = /bin/systemctl restart nginx
+{% endif %}
+
+{% if 'webmail' in group_names %}
+[webmail]
+certificate-key = /etc/nginx/ssl/mail.fripost.org.key
+certificate-chain = /etc/nginx/ssl/mail.fripost.org.pem
+subject = /O=Fripost/CN=mail.fripost.org
+subjectAltName = DNS:mail.fripost.org,DNS:webmail.fripost.org
+notify = /bin/systemctl restart nginx
+{% endif %}
+
+{% if 'git' in group_names %}
+[git]
+certificate-key = /etc/nginx/ssl/git.fripost.org.key
+certificate-chain = /etc/nginx/ssl/git.fripost.org.pem
+subject = /O=Fripost/CN=git.fripost.org
+notify = /bin/systemctl restart nginx
+{% endif %}
+
+; vim:ft=dosini
diff --git a/roles/lists/files/etc/nginx/sites-available/sympa b/roles/lists/files/etc/nginx/sites-available/sympa
index 5e469fa..bcf1d22 100644
--- a/roles/lists/files/etc/nginx/sites-available/sympa
+++ b/roles/lists/files/etc/nginx/sites-available/sympa
@@ -25,7 +25,7 @@ server {
     error_log  /var/log/nginx/lists.error.log info;
 
     include snippets/ssl.conf;
-    ssl_certificate     /etc/nginx/ssl/lists.fripost.org.chained.pem;
+    ssl_certificate     /etc/nginx/ssl/lists.fripost.org.pem;
     ssl_certificate_key /etc/nginx/ssl/lists.fripost.org.key;
 
     location = / {
diff --git a/roles/webmail/files/etc/nginx/sites-available/roundcube b/roles/webmail/files/etc/nginx/sites-available/roundcube
index df10be9..304b05d 100644
--- a/roles/webmail/files/etc/nginx/sites-available/roundcube
+++ b/roles/webmail/files/etc/nginx/sites-available/roundcube
@@ -27,7 +27,7 @@ server {
     root         /var/lib/roundcube;
 
     include snippets/ssl.conf;
-    ssl_certificate     /etc/nginx/ssl/mail.fripost.org.chained.pem;
+    ssl_certificate     /etc/nginx/ssl/mail.fripost.org.pem;
     ssl_certificate_key /etc/nginx/ssl/mail.fripost.org.key;
 
     location = /favicon.ico {
diff --git a/roles/wiki/files/etc/nginx/sites-available/website b/roles/wiki/files/etc/nginx/sites-available/website
index 2519286..5d382ec 100644
--- a/roles/wiki/files/etc/nginx/sites-available/website
+++ b/roles/wiki/files/etc/nginx/sites-available/website
@@ -24,7 +24,7 @@ server {
     server_name www.fripost.org;
 
     include snippets/ssl.conf;
-    ssl_certificate     /etc/nginx/ssl/www.fripost.org.chained.pem;
+    ssl_certificate     /etc/nginx/ssl/www.fripost.org.pem;
     ssl_certificate_key /etc/nginx/ssl/www.fripost.org.key;
 
     access_log /var/log/nginx/www.access.log;
diff --git a/roles/wiki/files/etc/nginx/sites-available/wiki b/roles/wiki/files/etc/nginx/sites-available/wiki
index 2855e07..d61ff28 100644
--- a/roles/wiki/files/etc/nginx/sites-available/wiki
+++ b/roles/wiki/files/etc/nginx/sites-available/wiki
@@ -23,7 +23,7 @@ server {
     server_name wiki.fripost.org;
 
     include snippets/ssl.conf;
-    ssl_certificate     /etc/nginx/ssl/www.fripost.org.chained.pem;
+    ssl_certificate     /etc/nginx/ssl/www.fripost.org.pem;
     ssl_certificate_key /etc/nginx/ssl/www.fripost.org.key;
 
     access_log /var/log/nginx/wiki.access.log;