From da2572ddb144086034eba1989ae909763e95c680 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Sun, 20 Dec 2015 14:13:08 +0100 Subject: Use the Let's Encrypt CA for our public certs. --- roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf | 2 +- roles/IMAP/tasks/imap.yml | 19 ++--------- roles/MSA/templates/etc/postfix/main.cf.j2 | 4 +-- roles/MX/tasks/main.yml | 2 +- roles/MX/templates/etc/postfix/main.cf.j2 | 4 +-- .../files/etc/nginx/sites-available/default | 11 +++++++ .../files/etc/nginx/snippets/acme-challenge.conf | 4 +++ roles/common-web/tasks/main.yml | 3 +- roles/common/handlers/main.yml | 3 ++ roles/common/tasks/main.yml | 3 ++ roles/git/files/etc/nginx/sites-available/git | 37 +++------------------- roles/git/tasks/cgit.yml | 20 ++---------- roles/lists/files/etc/nginx/sites-available/sympa | 8 +++-- roles/lists/tasks/nginx.yml | 20 ++---------- .../files/etc/nginx/sites-available/roundcube | 13 ++++++-- roles/webmail/tasks/roundcube.yml | 20 ++---------- roles/wiki/files/etc/nginx/sites-available/website | 17 ++++++---- roles/wiki/files/etc/nginx/sites-available/wiki | 10 ++---- roles/wiki/tasks/main.yml | 24 +++----------- 19 files changed, 80 insertions(+), 144 deletions(-) create mode 100644 roles/common-web/files/etc/nginx/sites-available/default create mode 100644 roles/common-web/files/etc/nginx/snippets/acme-challenge.conf (limited to 'roles') diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf index dc0b5bf..114388e 100644 --- a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf +++ b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf @@ -9,7 +9,7 @@ ssl = required # dropping root privileges, so keep the key file unreadable by anyone but # root. Included doc/mkcert.sh can be used to easily generate self-signed # certificate, just make sure to update the domains in dovecot-openssl.cnf -ssl_cert = 1 - notify: - - Restart Dovecot - tags: - - genkey - name: Fetch Dovecot's X.509 certificate # Ensure we don't fetch private data @@ -105,7 +92,7 @@ dest=/etc/dovecot/{{ item }} owner=root group=root mode=0644 - register: r2 + register: r1 with_items: - conf.d/10-auth.conf - conf.d/10-logging.conf @@ -132,14 +119,14 @@ create=yes owner=root group=root mode=0644 - register: r3 + register: r2 when: "'IMAP' in group_names and 'webmail' not in group_names" notify: - Restart Dovecot - name: Start Dovecot service: name=dovecot state=started - when: not (r1.changed or r2.changed or r3.changed) + when: not (r1.changed or r2.changed) - meta: flush_handlers diff --git a/roles/MSA/templates/etc/postfix/main.cf.j2 b/roles/MSA/templates/etc/postfix/main.cf.j2 index efcebef..caba881 100644 --- a/roles/MSA/templates/etc/postfix/main.cf.j2 +++ b/roles/MSA/templates/etc/postfix/main.cf.j2 @@ -75,8 +75,8 @@ smtp_tls_fingerprint_digest = sha256 {% endif %} smtpd_tls_security_level = encrypt -smtpd_tls_cert_file = /etc/postfix/ssl/smtp.fripost.org.pem -smtpd_tls_key_file = /etc/postfix/ssl/private/smtp.fripost.org.key +smtpd_tls_cert_file = /etc/postfix/ssl/smtp.fripost.org.chained.pem +smtpd_tls_key_file = /etc/postfix/ssl/smtp.fripost.org.key smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparams.pem smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache smtpd_tls_received_header = yes diff --git a/roles/MX/tasks/main.yml b/roles/MX/tasks/main.yml index da6923b..1b820e3 100644 --- a/roles/MX/tasks/main.yml +++ b/roles/MX/tasks/main.yml @@ -82,7 +82,7 @@ # Ensure we don't fetch private data sudo: False # `/usr/sbin/postmulti -i mx -x /usr/sbin/postconf -xh smtpd_tls_cert_file` - fetch: src=/etc/ssl/certs/ssl-cert-snakeoil.pem + fetch: src=/etc/postfix/ssl/mx.fripost.org.pem dest=certs/public/mx{{ mxno | default('') }}.fripost.org.pem fail_on_missing=yes flat=yes diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2 index b9f7c09..0259538 100644 --- a/roles/MX/templates/etc/postfix/main.cf.j2 +++ b/roles/MX/templates/etc/postfix/main.cf.j2 @@ -93,8 +93,8 @@ smtp_tls_fingerprint_digest = sha256 smtpd_tls_security_level = may smtpd_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5 -smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem -smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key +smtpd_tls_cert_file = /etc/postfix/ssl/mx.fripost.org.chained.pem +smtpd_tls_key_file = /etc/postfix/ssl/mx.fripost.org.key smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparams.pem smtpd_tls_CApath = /etc/ssl/certs/ smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache diff --git a/roles/common-web/files/etc/nginx/sites-available/default b/roles/common-web/files/etc/nginx/sites-available/default new file mode 100644 index 0000000..6df1615 --- /dev/null +++ b/roles/common-web/files/etc/nginx/sites-available/default @@ -0,0 +1,11 @@ +server { + listen 80 default_server; + listen [::]:80 default_server; + + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log info; + + # serve ACME challenges on all virtual hosts + # /!\ need to be served individually for each explicit virtual host as well! + include snippets/acme-challenge.conf; +} diff --git a/roles/common-web/files/etc/nginx/snippets/acme-challenge.conf b/roles/common-web/files/etc/nginx/snippets/acme-challenge.conf new file mode 100644 index 0000000..b2a856a --- /dev/null +++ b/roles/common-web/files/etc/nginx/snippets/acme-challenge.conf @@ -0,0 +1,4 @@ +location /.well-known/acme-challenge/ { + alias /var/www/acme-challenge/; + default_type application/jose+json; +} diff --git a/roles/common-web/tasks/main.yml b/roles/common-web/tasks/main.yml index c44e3a5..fb6bb2d 100644 --- a/roles/common-web/tasks/main.yml +++ b/roles/common-web/tasks/main.yml @@ -8,7 +8,7 @@ tags: - logrotate -- name: Copy fastcgi parameters and SSL configuration snippets +- name: Copy fastcgi parameters, acme-challenge and SSL configuration snippets copy: src=etc/nginx/snippets/{{ item }} dest=/etc/nginx/snippets/{{ item }} owner=root group=root @@ -19,6 +19,7 @@ - fastcgi-php.conf - fastcgi-php-ssl.conf - ssl.conf + - acme-challenge.conf notify: - Restart Nginx diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml index a852c4d..07047c7 100644 --- a/roles/common/handlers/main.yml +++ b/roles/common/handlers/main.yml @@ -52,3 +52,6 @@ - name: Restart freshclam service: name=clamav-freshclam state=restarted + +- name: Install LetsEncrypt's ACME client + apt: deb=/tmp/letsencrypt-tiny_0.1-1_all.deb diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 470a6b2..955493a 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -45,6 +45,9 @@ - rsync - screen - telnet-ssl + # for letencrypt + - liblwp-protocol-https-perl + - socat # XXX: this is a workaround the CAcert root CAs not being present in # Jessie. In stretch, we would merely install the 'ca-cacert' package. diff --git a/roles/git/files/etc/nginx/sites-available/git b/roles/git/files/etc/nginx/sites-available/git index 67776de..afb5fca 100644 --- a/roles/git/files/etc/nginx/sites-available/git +++ b/roles/git/files/etc/nginx/sites-available/git @@ -4,42 +4,13 @@ server { server_name git.fripost.org; + include snippets/acme-challenge.conf; + access_log /var/log/nginx/git.access.log; error_log /var/log/nginx/git.error.log info; - location ^~ /static/ { - alias /usr/share/cgit/; - expires 30d; - } - - # Bypass the CGI to return static files stored on disk. Try first repo with - # a trailing '.git', then without. - location ~* "^/((?U)[^/]+)(?:\.git)?/objects/(?:[0-9a-f]{2}/[0-9a-f]{38}|pack/pack-[0-9a-f]{40}\.(?:pack|idx))$" { - root /var/lib/gitolite/repositories; - try_files /$1.git/objects/$2 /$1/objects/$2 =404; - expires 30d; - gzip off; - # TODO honor git-daemon-export-ok - } - - # disallow push over HTTP/HTTPS - location ~* "^/[^/]+/git-receive-pack$" { return 403; } - - location ~* "^/[^/]+/(?:HEAD|info/refs|objects/info/[^/]+|git-upload-pack)$" { - gzip off; - include uwsgi_params; - uwsgi_modifier1 9; - uwsgi_param GIT_PROJECT_ROOT /var/lib/gitolite/repositories; - uwsgi_pass unix:/run/uwsgi/app/git-http-backend/socket; - } - - - # send all other URLs to cgit location / { - gzip off; - include uwsgi_params; - uwsgi_modifier1 9; - uwsgi_pass unix:/run/uwsgi/app/cgit/socket; + return 301 https://$host$request_uri; } } @@ -51,7 +22,7 @@ server { server_name git.fripost.org; include snippets/ssl.conf; - ssl_certificate /etc/nginx/ssl/git.fripost.org.pem; + ssl_certificate /etc/nginx/ssl/git.fripost.org.chained.pem; ssl_certificate_key /etc/nginx/ssl/git.fripost.org.key; access_log /var/log/nginx/git.access.log; diff --git a/roles/git/tasks/cgit.yml b/roles/git/tasks/cgit.yml index 27e0554..7237aa9 100644 --- a/roles/git/tasks/cgit.yml +++ b/roles/git/tasks/cgit.yml @@ -72,26 +72,12 @@ - www-data -- name: Generate a private key and a X.509 certificate for Nginx - command: genkeypair.sh x509 - --pubkey=/etc/nginx/ssl/git.fripost.org.pem - --privkey=/etc/nginx/ssl/git.fripost.org.key - --ou=WWW --cn=git.fripost.org --dns=git.fripost.org - -t rsa -b 4096 -h sha512 - register: r1 - changed_when: r1.rc == 0 - failed_when: r1.rc > 1 - notify: - - Restart Nginx - tags: - - genkey - - name: Copy /etc/nginx/sites-available/git copy: src=etc/nginx/sites-available/git dest=/etc/nginx/sites-available/git owner=root group=root mode=0644 - register: r2 + register: r1 notify: - Restart Nginx @@ -100,13 +86,13 @@ dest=/etc/nginx/sites-enabled/git owner=root group=root state=link force=yes - register: r3 + register: r2 notify: - Restart Nginx - name: Start Nginx service: name=nginx state=started - when: not (r1.changed or r2.changed or r3.changed) + when: not (r1.changed or r2.changed) - meta: flush_handlers diff --git a/roles/lists/files/etc/nginx/sites-available/sympa b/roles/lists/files/etc/nginx/sites-available/sympa index ea0424f..5e469fa 100644 --- a/roles/lists/files/etc/nginx/sites-available/sympa +++ b/roles/lists/files/etc/nginx/sites-available/sympa @@ -4,10 +4,14 @@ server { server_name lists.fripost.org; + include snippets/acme-challenge.conf; + access_log /var/log/nginx/lists.access.log; error_log /var/log/nginx/lists.error.log info; - return 302 https://$host$request_uri; + location / { + return 301 https://$host$request_uri; + } } @@ -21,7 +25,7 @@ server { error_log /var/log/nginx/lists.error.log info; include snippets/ssl.conf; - ssl_certificate /etc/nginx/ssl/lists.fripost.org.pem; + ssl_certificate /etc/nginx/ssl/lists.fripost.org.chained.pem; ssl_certificate_key /etc/nginx/ssl/lists.fripost.org.key; location = / { diff --git a/roles/lists/tasks/nginx.yml b/roles/lists/tasks/nginx.yml index 4501d39..21e769a 100644 --- a/roles/lists/tasks/nginx.yml +++ b/roles/lists/tasks/nginx.yml @@ -1,26 +1,12 @@ - name: Install Nginx apt: pkg=nginx -- name: Generate a private key and a X.509 certificate for Nginx - command: genkeypair.sh x509 - --pubkey=/etc/nginx/ssl/lists.fripost.org.pem - --privkey=/etc/nginx/ssl/lists.fripost.org.key - --ou=WWW --cn=lists.fripost.org --dns=lists.fripost.org - -t rsa -b 4096 -h sha512 - register: r1 - changed_when: r1.rc == 0 - failed_when: r1.rc > 1 - notify: - - Restart Nginx - tags: - - genkey - - name: Copy /etc/nginx/sites-available/sympa copy: src=etc/nginx/sites-available/sympa dest=/etc/nginx/sites-available/sympa owner=root group=root mode=0644 - register: r2 + register: r1 notify: - Restart Nginx @@ -29,13 +15,13 @@ dest=/etc/nginx/sites-enabled/sympa owner=root group=root state=link - register: r3 + register: r2 notify: - Restart Nginx - name: Start nginx service: name=nginx state=started - when: not (r1.changed or r2.changed or r3.changed) + when: not (r1.changed or r2.changed) - meta: flush_handlers diff --git a/roles/webmail/files/etc/nginx/sites-available/roundcube b/roles/webmail/files/etc/nginx/sites-available/roundcube index 1297834..df10be9 100644 --- a/roles/webmail/files/etc/nginx/sites-available/roundcube +++ b/roles/webmail/files/etc/nginx/sites-available/roundcube @@ -3,12 +3,17 @@ server { listen 80; listen [::]:80; - server_name mail.fripost.org; + server_name mail.fripost.org; + server_name webmail.fripost.org; + + include snippets/acme-challenge.conf; access_log /var/log/nginx/roundcube.access.log; error_log /var/log/nginx/roundcube.error.log info; - return 301 https://$host$request_uri; + location / { + return 301 https://$host$request_uri; + } } @@ -16,7 +21,9 @@ server { listen 443; listen [::]:443; - server_name mail.fripost.org; + server_name mail.fripost.org; + server_name webmail.fripost.org; + root /var/lib/roundcube; include snippets/ssl.conf; diff --git a/roles/webmail/tasks/roundcube.yml b/roles/webmail/tasks/roundcube.yml index ed6a3b4..3eaf766 100644 --- a/roles/webmail/tasks/roundcube.yml +++ b/roles/webmail/tasks/roundcube.yml @@ -103,26 +103,12 @@ - name: Start php5-fpm service: name=php5-fpm state=started -- name: Generate a private key and a X.509 certificate for Nginx - command: genkeypair.sh x509 - --pubkey=/etc/nginx/ssl/mail.fripost.org.pem - --privkey=/etc/nginx/ssl/mail.fripost.org.key - --ou=WWW --cn=mail.fripost.org --dns=mail.fripost.org - -t rsa -b 4096 -h sha512 - register: r1 - changed_when: r1.rc == 0 - failed_when: r1.rc > 1 - notify: - - Restart Nginx - tags: - - genkey - - name: Copy /etc/nginx/sites-available/roundcube copy: src=etc/nginx/sites-available/roundcube dest=/etc/nginx/sites-available/roundcube owner=root group=root mode=0644 - register: r2 + register: r1 notify: - Restart Nginx @@ -131,13 +117,13 @@ dest=/etc/nginx/sites-enabled/roundcube owner=root group=root state=link force=yes - register: r3 + register: r2 notify: - Restart Nginx - name: Start Nginx service: name=nginx state=started - when: not (r1.changed or r2.changed or r3.changed) + when: not (r1.changed or r2.changed) - meta: flush_handlers diff --git a/roles/wiki/files/etc/nginx/sites-available/website b/roles/wiki/files/etc/nginx/sites-available/website index 3e32158..2519286 100644 --- a/roles/wiki/files/etc/nginx/sites-available/website +++ b/roles/wiki/files/etc/nginx/sites-available/website @@ -5,10 +5,14 @@ server { server_name fripost.org; server_name www.fripost.org; - access_log /var/log/nginx/access.log; - error_log /var/log/nginx/error.log info; + include snippets/acme-challenge.conf; - return 301 https://fripost.org$request_uri; + access_log /var/log/nginx/www.access.log; + error_log /var/log/nginx/www.error.log info; + + location / { + return 301 https://$host$request_uri; + } } @@ -16,14 +20,15 @@ server { listen 443; listen [::]:443; - server_name fripost.org; + server_name fripost.org; + server_name www.fripost.org; include snippets/ssl.conf; ssl_certificate /etc/nginx/ssl/www.fripost.org.chained.pem; ssl_certificate_key /etc/nginx/ssl/www.fripost.org.key; - access_log /var/log/nginx/access.log; - error_log /var/log/nginx/error.log info; + access_log /var/log/nginx/www.access.log; + error_log /var/log/nginx/www.error.log info; location / { try_files $uri $uri/ =404; diff --git a/roles/wiki/files/etc/nginx/sites-available/wiki b/roles/wiki/files/etc/nginx/sites-available/wiki index 3777b87..2855e07 100644 --- a/roles/wiki/files/etc/nginx/sites-available/wiki +++ b/roles/wiki/files/etc/nginx/sites-available/wiki @@ -4,18 +4,14 @@ server { server_name wiki.fripost.org; + include snippets/acme-challenge.conf; + access_log /var/log/nginx/wiki.access.log; error_log /var/log/nginx/wiki.error.log info; location / { location ~ ^/website(/.*)?$ { return 302 $scheme://fripost.org$1; } - try_files $uri $uri/ =404; - index index.html; - root /var/lib/ikiwiki/public_html/fripost-wiki; - } - - location = /ikiwiki.cgi { - return 302 https://$host$request_uri; + return 301 https://$host$request_uri; } } diff --git a/roles/wiki/tasks/main.yml b/roles/wiki/tasks/main.yml index 22a5831..763f99a 100644 --- a/roles/wiki/tasks/main.yml +++ b/roles/wiki/tasks/main.yml @@ -65,26 +65,12 @@ - meta: flush_handlers -- name: Generate a private key and a X.509 certificate for Nginx - command: genkeypair.sh x509 - --pubkey=/etc/nginx/ssl/fripost.org.pem - --privkey=/etc/nginx/ssl/fripost.org.key - --ou=WWW --cn=fripost.org --dns=fripost.org --dns=wiki.fripost.org - -t rsa -b 4096 -h sha512 - register: r1 - changed_when: r1.rc == 0 - failed_when: r1.rc > 1 - notify: - - Restart Nginx - tags: - - genkey - - name: Copy /etc/nginx/sites-available/{wiki,website} copy: src=etc/nginx/sites-available/{{ item }} dest=/etc/nginx/sites-available/{{ item }} owner=root group=root mode=0644 - register: r2 + register: r1 with_items: - website - wiki @@ -96,7 +82,7 @@ dest=/etc/nginx/sites-enabled/{{ item }} owner=root group=root state=link force=yes - register: r3 + register: r2 with_items: - website - wiki @@ -105,15 +91,15 @@ - name: Start Nginx service: name=nginx state=started - when: not (r1.changed or r2.changed or r3.changed) + when: not (r1.changed or r2.changed) - meta: flush_handlers - name: Fetch Nginx's X.509 certificate # Ensure we don't fetch private data sudo: False - fetch: src=/etc/nginx/ssl/fripost.org.pem - dest=certs/public/ + fetch: src=/etc/nginx/ssl/www.fripost.org.pem + dest=certs/public/fripost.org.pem fail_on_missing=yes flat=yes tags: -- cgit v1.2.3