From 97e78349145156ca6565ee5b2af54983a6fdd3a6 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Wed, 15 Jun 2016 18:00:57 +0200
Subject: Rename letsencrypt-tiny to lacme.

---
 common.yml | 4 +-
 roles/common-web/files/etc/nginx/snippets/ssl.conf | 4 +-
 roles/lacme/files/etc/lacme/lacme.conf | 86 ++++++++++++++++++++++
 roles/lacme/handlers/main.yml | 2 +
 roles/lacme/tasks/main.yml | 37 ++++++++++
 .../lacme/templates/etc/lacme/lacme-certs.conf.j2 | 63 ++++++++++++++++
 .../files/etc/letsencrypt-tiny/letsencrypt.conf | 86 ----------------------
 roles/letsencrypt/handlers/main.yml | 2 -
 roles/letsencrypt/tasks/main.yml | 37 ----------
 .../etc/letsencrypt-tiny/letsencrypt-certs.conf.j2 | 63 ----------------
 10 files changed, 193 insertions(+), 191 deletions(-)
 create mode 100644 roles/lacme/files/etc/lacme/lacme.conf
 create mode 100644 roles/lacme/handlers/main.yml
 create mode 100644 roles/lacme/tasks/main.yml
 create mode 100644 roles/lacme/templates/etc/lacme/lacme-certs.conf.j2
 delete mode 100644 roles/letsencrypt/files/etc/letsencrypt-tiny/letsencrypt.conf
 delete mode 100644 roles/letsencrypt/handlers/main.yml
 delete mode 100644 roles/letsencrypt/tasks/main.yml
 delete mode 100644 roles/letsencrypt/templates/etc/letsencrypt-tiny/letsencrypt-certs.conf.j2

diff --git a/common.yml b/common.yml
index 2a062ee..2136c5d 100644
--- a/common.yml
+++ b/common.yml
@@ -16,9 +16,11 @@
   hosts: IMAP:MX:MSA:webmail:lists:wiki:git
   gather_facts: False
   roles:
-    - letsencrypt
+    - lacme
   tags:
     - letsencrypt
+    - lacme
+    - ACME
 
 - name: Common SQL tasks
   hosts: MDA:webmail:lists:bacula-dir
diff --git a/roles/common-web/files/etc/nginx/snippets/ssl.conf b/roles/common-web/files/etc/nginx/snippets/ssl.conf
index 4af4d53..4e2da6e 100644
--- a/roles/common-web/files/etc/nginx/snippets/ssl.conf
+++ b/roles/common-web/files/etc/nginx/snippets/ssl.conf
@@ -2,7 +2,7 @@
 # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1k&hsts=yes&profile=intermediate
 # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
-# ~$ cat /etc/nginx/ssl/srvcert.pem /usr/share/letsencrypt-tiny/lets-encrypt-x3-cross-signed.pem | sudo tee /etc/nginx/ssl/srvcert.chained.pem
+# ~$ cat /etc/nginx/ssl/srvcert.pem /usr/share/lacme/lets-encrypt-x3-cross-signed.pem | sudo tee /etc/nginx/ssl/srvcert.chained.pem
 ssl on;
@@ -27,4 +27,4 @@ ssl_stapling on;
 ssl_stapling_verify on;
 # verify chain of trust of OCSP response using Root CA and Intermediate certs
-ssl_trusted_certificate /usr/share/letsencrypt-tiny/lets-encrypt-x3-cross-signed.pem;
+ssl_trusted_certificate /usr/share/lacme/lets-encrypt-x3-cross-signed.pem;
diff --git a/roles/lacme/files/etc/lacme/lacme.conf b/roles/lacme/files/etc/lacme/lacme.conf
new file mode 100644
index 0000000..2956f1a
--- /dev/null
+++ b/roles/lacme/files/etc/lacme/lacme.conf
@@ -0,0 +1,86 @@
+# For certificate issuance (new-cert command), specify the certificate
+# configuration file to use
+#
+#config-certs = config/lacme-certs.conf
+
+[client]
+# The value of "socket" specifies the lacme-accountd(1) UNIX-domain
+# socket to connect to for signature requests from the ACME client.
+# lacme(1) aborts if the socket is readable or writable by other users,
+# or if its parent directory is writable by other users.
+# Default: "$XDG_RUNTIME_DIR/S.lacme" if the XDG_RUNTIME_DIR environment
+# variable is set.
+#
+#socket = /run/user/1000/S.lacme
+
+# username to drop privileges to (setting both effective and real uid).
+# Preserve root privileges if the value is empty (not recommended).
+# Default: "nobody".
+#
+user = lacme
+
+# groupname to drop privileges to (setting both effective and real gid,
+# and also setting the list of supplementary gids to that single group).
+# Preserve root privileges if the value is empty (not recommended).
+#
+group = nogroup
+
+# Path to the ACME client executable.
+#command = /usr/lib/lacme/client
+
+# Root URI of the ACME server. NOTE: Use the staging server for testing
+# as it has relaxed ratelimit.
+#
+#server = https://acme-v01.api.letsencrypt.org/
+#server = https://acme-staging.api.letsencrypt.org/
+
+# Timeout in seconds after which the client stops polling the ACME
+# server and considers the request failed.
+#
+#timeout = 10
+
+# Whether to verify the server certificate chain.
+SSL_verify = yes
+
+# Specify the version of the SSL protocol used to transmit data.
+SSL_version = SSLv23:!TLSv1_1:!TLSv1:!SSLv3:!SSLv2
+
+# Specify the cipher list for the connection.
+SSL_cipher_list = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
+
+
+[webserver]
+
+# Specify the local address to listen on, in the form ADDRESS[:PORT].
+#
+#listen = 0.0.0.0:80
+#listen = [::]:80
+
+# If a webserver is already running, specify a non-existent directory
+# under which the webserver is configured to serve GET requests for
+# challenge files under "/.well-known/acme-challenge/" (for each virtual
+# hosts requiring authorization) as static files.
+#
+challenge-directory = /var/www/acme-challenge
+
+# username to drop privileges to (setting both effective and real uid).
+# Preserve root privileges if the value is empty (not recommended).
+#
+user = www-data
+
+# groupname to drop privileges to (setting both effective and real gid,
+# and also setting the list of supplementary gids to that single group).
+# Preserve root privileges if the value is empty (not recommended).
+#
+user = www-data
+
+# Path to the ACME webserver executable.
+#command = /usr/lib/lacme/webserver
+
+# Whether to automatically install iptables(8) rules to open the
+# ADDRESS[:PORT] specified with listen. Theses rules are automatically
+# removed once lacme(1) exits.
+#
+#iptables = Yes
+
+; vim:ft=dosini
diff --git a/roles/lacme/handlers/main.yml b/roles/lacme/handlers/main.yml
new file mode 100644
index 0000000..d97bf2d
--- /dev/null
+++ b/roles/lacme/handlers/main.yml
@@ -0,0 +1,2 @@
+- name: Install lacme
+  apt: deb=/tmp/lacme_0.1-1_all.deb
diff --git a/roles/lacme/tasks/main.yml b/roles/lacme/tasks/main.yml
new file mode 100644
index 0000000..4b95d4c
--- /dev/null
+++ b/roles/lacme/tasks/main.yml
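Review bot: In the [webserver] section the second `user = www-data` — the one sitting under the "groupname to drop privileges to" comment — should read `group = www-data`; as written the webserver's gid is never configured and the section carries a duplicate `user` key instead. The [client] section above shows the intended `user`/`group` pair, so this looks like a copy-paste slip carried over from the old file rather than a deliberate choice. Config::Tiny (libconfig-tiny-perl is among the role's dependencies) presumably keeps the last occurrence, so the duplicate collapses silently rather than failing, and the group the challenge webserver actually runs as then depends on a fallback that is not visible here. Change the line to `group = www-data`.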
@@ -0,0 +1,37 @@
+- name: Install dependencies for lacme
+  apt: pkg={{ item }}
+  with_items:
+    - libjson-perl
+    - libjson-xs-perl
+    - libconfig-tiny-perl
+    - libwww-perl
+    - liblwp-protocol-https-perl
+    - libnet-ssleay-perl
+
+- name: Copy lacme
+  copy: src=deb/lacme_0.1-1_all.deb
+        dest=/tmp
+  notify: Install lacme
+
+- meta: flush_handlers
+
+- name: Create a user 'lacme'
+  user: name=lacme system=yes
+        group=nogroup
+        createhome=no
+        home=/nonexistent
+        shell=/usr/sbin/nologin
+        password=!
+        state=present
+
+- name: Copy lacme/lacme-certs.conf
+  copy: src=etc/lacme/lacme.conf
+        dest=/etc/lacme/lacme.conf
+        owner=root group=root
+        mode=0644
+
+- name: Copy lacme/lacme-certs.conf
+  template: src=etc/lacme/lacme-certs.conf.j2
+        dest=/etc/lacme/lacme-certs.conf
+        owner=root group=root
+        mode=0644
diff --git a/roles/lacme/templates/etc/lacme/lacme-certs.conf.j2 b/roles/lacme/templates/etc/lacme/lacme-certs.conf.j2
new file mode 100644
index 0000000..ca3415a
--- /dev/null
+++ b/roles/lacme/templates/etc/lacme/lacme-certs.conf.j2
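Review bot: The package is staged in world-writable `/tmp` (`dest=/tmp` in the "Copy lacme" task, with no owner/mode set, unlike the two config tasks below it) and then installed as root by the `Install lacme` handler from that same path, which is the pattern to avoid for privileged installs: a local user can pre-create or race `/tmp/lacme_0.1-1_all.deb`, and nothing here checks what ends up being handed to dpkg. Stage it in a root-owned location instead, e.g. `dest=/root/lacme_0.1-1_all.deb owner=root group=root mode=0644`, point the handler in handlers/main.yml at the same path, and delete the staged file after the install. The role also vendors a pre-built `.deb` with no recorded checksum or build provenance; recording its sha256 alongside it and asserting it before the `apt` step would make this step of the supply chain auditable. Minor: the task that installs `lacme.conf` is named `Copy lacme/lacme-certs.conf`, a copy of the next task's name — rename it `Copy lacme/lacme.conf`.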
@@ -0,0 +1,63 @@
+hash = sha512
+keyusage = digitalSignature, keyEncipherment
+
+{% if 'IMAP' in group_names %}
+[imap]
+certificate-key = /etc/dovecot/ssl/imap.fripost.org.key
+certificate-chain = /etc/dovecot/ssl/imap.fripost.org.pem
+subject = /O=Fripost/CN=imap.fripost.org
+subjectAltName = DNS:imap.fripost.org,DNS:sieve.fripost.org
+notify = /bin/systemctl restart dovecot
+{% endif %}
+
+{% if 'MSA' in group_names %}
+[smtp]
+certificate-key = /etc/postfix/ssl/smtp.fripost.org.key
+certificate-chain = /etc/postfix/ssl/smtp.fripost.org.pem
+subject = /O=Fripost/CN=smtp.fripost.org
+notify = /bin/systemctl reload postfix
+{% endif %}
+
+{% if 'MX' in group_names %}
+[mx]
+certificate-key = /etc/postfix/ssl/mx.fripost.org.key
+certificate-chain = /etc/postfix/ssl/mx.fripost.org.pem
+subject = /O=Fripost/CN=mx{{ mxno }}.fripost.org
+notify = /bin/systemctl reload postfix
+{% endif %}
+
+{% if 'lists' in group_names %}
+[lists]
+certificate-key = /etc/nginx/ssl/lists.fripost.org.key
+certificate-chain = /etc/nginx/ssl/lists.fripost.org.pem
+subject = /O=Fripost/CN=lists.fripost.org
+notify = /bin/systemctl reload nginx
+{% endif %}
+
+{% if 'wiki' in group_names %}
+[www]
+certificate-key = /etc/nginx/ssl/www.fripost.org.key
+certificate-chain = /etc/nginx/ssl/www.fripost.org.pem
+subject = /O=Fripost/CN=fripost.org
+subjectAltName = DNS:fripost.org,DNS:www.fripost.org,DNS:wiki.fripost.org
+notify = /bin/systemctl reload nginx
+{% endif %}
+
+{% if 'webmail' in group_names %}
+[webmail]
+certificate-key = /etc/nginx/ssl/mail.fripost.org.key
+certificate-chain = /etc/nginx/ssl/mail.fripost.org.pem
+subject = /O=Fripost/CN=mail.fripost.org
+subjectAltName = DNS:mail.fripost.org,DNS:webmail.fripost.org
+notify = /bin/systemctl reload nginx
+{% endif %}
+
+{% if 'git' in group_names %}
+[git]
+certificate-key = /etc/nginx/ssl/git.fripost.org.key
+certificate-chain = /etc/nginx/ssl/git.fripost.org.pem
+subject = /O=Fripost/CN=git.fripost.org
+notify = /bin/systemctl reload nginx
+{% endif %}
+
+; vim:ft=dosini
diff --git a/roles/letsencrypt/files/etc/letsencrypt-tiny/letsencrypt.conf b/roles/letsencrypt/files/etc/letsencrypt-tiny/letsencrypt.conf
deleted file mode 100644
index fb19d2a..0000000
--- a/roles/letsencrypt/files/etc/letsencrypt-tiny/letsencrypt.conf
+++ /dev/null
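Review bot: The `[imap]` section is the only one whose hook is `notify = /bin/systemctl restart dovecot`; every other section uses `reload`, and a full restart tears down every live IMAP and ManageSieve session at each renewal. If dovecot picks up new certificates on reload (not verifiable from here), switch to `notify = /bin/systemctl reload dovecot` for consistency; if it does not, a one-line comment above the key saying so would stop the next reader from "fixing" it. The file also lacks a header explaining what it is and who consumes it; I would open it with `; lacme-certs.conf, generated by Ansible (roles/lacme) from lacme-certs.conf.j2` and `; sections are enabled per inventory group; certificate-key paths hold private keys`, since the ownership and mode lacme gives those `.key` files are not visible in this role.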
@@ -1,86 +0,0 @@
-# For certificate issuance (new-cert command), specify the certificate
-# configuration file to use
-#
-#config-certs = config/letsencrypt-certs.conf
-
-[client]
-# The value of "socket" specifies the letsencrypt-accountd(1)
-# UNIX-domain socket to connect to for signature requests from the ACME
-# client. letsencrypt aborts if the socket is readable or writable by
-# other users, or if its parent directory is writable by other users.
-# Default: "$XDG_RUNTIME_DIR/S.letsencrypt" if the XDG_RUNTIME_DIR
-# environment variable is set.
-#
-#socket = /run/user/1000/S.letsencrypt
-
-# username to drop privileges to (setting both effective and real uid).
-# Preserve root privileges if the value is empty (not recommended).
-# Default: "nobody".
-#
-user = letsencrypt
-
-# groupname to drop privileges to (setting both effective and real gid,
-# and also setting the list of supplementary gids to that single group).
-# Preserve root privileges if the value is empty (not recommended).
-#
-group = nogroup
-
-# Path to the ACME client executable.
-#command = /usr/lib/letsencrypt-tiny/client
-
-# Root URI of the ACME server. NOTE: Use the staging server for testing
-# as it has relaxed ratelimit.
-#
-#server = https://acme-v01.api.letsencrypt.org/
-#server = https://acme-staging.api.letsencrypt.org/
-
-# Timeout in seconds after which the client stops polling the ACME
-# server and considers the request failed.
-#
-#timeout = 10
-
-# Whether to verify the server certificate chain.
-SSL_verify = yes
-
-# Specify the version of the SSL protocol used to transmit data.
-SSL_version = SSLv23:!TLSv1_1:!TLSv1:!SSLv3:!SSLv2
-
-# Specify the cipher list for the connection.
-SSL_cipher_list = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
-
-
-[webserver]
-
-# Specify the local address to listen on, in the form ADDRESS[:PORT].
-#
-#listen = 0.0.0.0:80
-#listen = [::]:80
-
-# If a webserver is already running, specify a non-existent directory
-# under which the webserver is configured to serve GET requests for
-# challenge files under "/.well-known/acme-challenge/" (for each virtual
-# hosts requiring authorization) as static files.
-#
-challenge-directory = /var/www/acme-challenge
-
-# username to drop privileges to (setting both effective and real uid).
-# Preserve root privileges if the value is empty (not recommended).
-#
-user = www-data
-
-# groupname to drop privileges to (setting both effective and real gid,
-# and also setting the list of supplementary gids to that single group).
-# Preserve root privileges if the value is empty (not recommended).
-#
-user = www-data
-
-# Path to the ACME webserver executable.
-#command = /usr/lib/letsencrypt-tiny/webserver
-
-# Whether to automatically install iptables(1) rules to open the
-# ADDRESS[:PORT] specified with listen. Theses rules are automatically
-# removed once letsencrypt exits.
-#
-#iptables = Yes
-
-; vim:ft=dosini
diff --git a/roles/letsencrypt/handlers/main.yml b/roles/letsencrypt/handlers/main.yml
deleted file mode 100644
index d9eed44..0000000
--- a/roles/letsencrypt/handlers/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-- name: Install LetsEncrypt's ACME client
-  apt: deb=/tmp/letsencrypt-tiny_0.1-1_all.deb
diff --git a/roles/letsencrypt/tasks/main.yml b/roles/letsencrypt/tasks/main.yml
deleted file mode 100644
index c7ef7ef..0000000
--- a/roles/letsencrypt/tasks/main.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-- name: Install dependencies for letsencrypt-tiny
-  apt: pkg={{ item }}
-  with_items:
-    - libjson-perl
-    - libjson-xs-perl
-    - libconfig-tiny-perl
-    - libwww-perl
-    - liblwp-protocol-https-perl
-    - libnet-ssleay-perl
-
-- name: Copy LetsEncrypt's ACME client
-  copy: src=deb/letsencrypt-tiny_0.1-1_all.deb
-        dest=/tmp
-  notify: Install LetsEncrypt's ACME client
-
-- meta: flush_handlers
-
-- name: Create a user 'letsencrypt'
-  user: name=letsencrypt system=yes
-        group=nogroup
-        createhome=no
-        home=/nonexistent
-        shell=/usr/sbin/nologin
-        password=!
-        state=present
-
-- name: Copy letsencrypt-tiny/letsencrypt-certs.conf
-  copy: src=etc/letsencrypt-tiny/letsencrypt.conf
-        dest=/etc/letsencrypt-tiny/letsencrypt.conf
-        owner=root group=root
-        mode=0644
-
-- name: Copy letsencrypt-tiny/letsencrypt-certs.conf
-  template: src=etc/letsencrypt-tiny/letsencrypt-certs.conf.j2
-        dest=/etc/letsencrypt-tiny/letsencrypt-certs.conf
-        owner=root group=root
-        mode=0644
diff --git a/roles/letsencrypt/templates/etc/letsencrypt-tiny/letsencrypt-certs.conf.j2 b/roles/letsencrypt/templates/etc/letsencrypt-tiny/letsencrypt-certs.conf.j2
deleted file mode 100644
index ca3415a..0000000
--- a/roles/letsencrypt/templates/etc/letsencrypt-tiny/letsencrypt-certs.conf.j2
+++ /dev/null
@@ -1,63 +0,0 @@
-hash = sha512
-keyusage = digitalSignature, keyEncipherment
-
-{% if 'IMAP' in group_names %}
-[imap]
-certificate-key = /etc/dovecot/ssl/imap.fripost.org.key
-certificate-chain = /etc/dovecot/ssl/imap.fripost.org.pem
-subject = /O=Fripost/CN=imap.fripost.org
-subjectAltName = DNS:imap.fripost.org,DNS:sieve.fripost.org
-notify = /bin/systemctl restart dovecot
-{% endif %}
-
-{% if 'MSA' in group_names %}
-[smtp]
-certificate-key = /etc/postfix/ssl/smtp.fripost.org.key
-certificate-chain = /etc/postfix/ssl/smtp.fripost.org.pem
-subject = /O=Fripost/CN=smtp.fripost.org
-notify = /bin/systemctl reload postfix
-{% endif %}
-
-{% if 'MX' in group_names %}
-[mx]
-certificate-key = /etc/postfix/ssl/mx.fripost.org.key
-certificate-chain = /etc/postfix/ssl/mx.fripost.org.pem
-subject = /O=Fripost/CN=mx{{ mxno }}.fripost.org
-notify = /bin/systemctl reload postfix
-{% endif %}
-
-{% if 'lists' in group_names %}
-[lists]
-certificate-key = /etc/nginx/ssl/lists.fripost.org.key
-certificate-chain = /etc/nginx/ssl/lists.fripost.org.pem
-subject = /O=Fripost/CN=lists.fripost.org
-notify = /bin/systemctl reload nginx
-{% endif %}
-
-{% if 'wiki' in group_names %}
-[www]
-certificate-key = /etc/nginx/ssl/www.fripost.org.key
-certificate-chain = /etc/nginx/ssl/www.fripost.org.pem
-subject = /O=Fripost/CN=fripost.org
-subjectAltName = DNS:fripost.org,DNS:www.fripost.org,DNS:wiki.fripost.org
-notify = /bin/systemctl reload nginx
-{% endif %}
-
-{% if 'webmail' in group_names %}
-[webmail]
-certificate-key = /etc/nginx/ssl/mail.fripost.org.key
-certificate-chain = /etc/nginx/ssl/mail.fripost.org.pem
-subject = /O=Fripost/CN=mail.fripost.org
-subjectAltName = DNS:mail.fripost.org,DNS:webmail.fripost.org
-notify = /bin/systemctl reload nginx
-{% endif %}
-
-{% if 'git' in group_names %}
-[git]
-certificate-key = /etc/nginx/ssl/git.fripost.org.key
-certificate-chain = /etc/nginx/ssl/git.fripost.org.pem
-subject = /O=Fripost/CN=git.fripost.org
-notify = /bin/systemctl reload nginx
-{% endif %}
-
-; vim:ft=dosini
-- 
cgit v1.2.3