roles/nginx: generate snakeoil cert manually

The ssl-cert does this, but it includes the hostname of the server as the subject name in the cert, which is a huge leak of privacy.
2021-09-27 10:48:24 +03:00
parent a4acc85704
commit 79b29f0c51
3 changed files with 10 additions and 12 deletions
--- a/roles/nginx/tasks/vhosts.yml
+++ b/roles/nginx/tasks/vhosts.yml
@ -7,6 +7,11 @@
    notify:
      - reload nginx

+  - name: Generate self-signed TLS cert
+    command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key -out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt
+    notify:
+      - reload nginx
+
  - name: Download 4096-bit RFC 7919 dhparams
    get_url:
      url: https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem