roles/nginx: Allow usage of Let's Encrypt certs

Hosts can specify use_letsencrypt: 'yes' in their host_vars. For now this assumes that the certificates already exist (ie, you have to manually run Let's Encrypt first to register/create the certs).
2016-06-27 19:07:48 +03:00 · 2016-06-27 19:07:48 +03:00 · b7ab2da08a
commit b7ab2da08a
parent 8f43bf28fd
2 changed files with 20 additions and 10 deletions
--- a/roles/nginx/defaults/main.yml
+++ b/roles/nginx/defaults/main.yml
@ -16,8 +16,8 @@ nginx_ssl_buffer_size: 1400
 nginx_ssl_dhparam: /etc/ssl/certs/dhparam.pem
 nginx_ssl_protocols: 'TLSv1 TLSv1.1 TLSv1.2'

-# TLS key directory
-tls_key_dir: /etc/letsencrypt/live
+# Directory root for Let's Encrypt certs
+letsencrypt_root: /etc/letsencrypt/live

 # stable is 1.10.x
 # mainline is 1.11.x
--- a/roles/nginx/templates/https.j2
+++ b/roles/nginx/templates/https.j2
@ -2,19 +2,29 @@
 {% set domain_name       = item.domain_name %}
 {# assume HSTS is off unless a vhost explicitly sets it to "yes" #}
 {% set enable_hsts       = item.enable_hsts | default("no") %}
-{# use self-signed certs? yes on development, no on production #}
-{% set use_snakeoil_cert = item.use_snakeoil_cert | default("no") %}
+{# assume a vhost is not using Let's Encrypt unless it explicitly sets it to "yes" #}
+{% set use_letsencrypt = item.use_letsencrypt | default("no") %}
+
+    {% if use_letsencrypt == "yes" %}

-    {# better to check for "not yes" then "no" #}
-    {% if use_snakeoil_cert != "yes" %}
    # concatenated key + cert
    # See: http://nginx.org/en/docs/http/configuring_https_servers.html
-    ssl_certificate {{ tls_key_dir }}/{{ domain_name }}/fullchain.pem;
-    ssl_certificate_key {{ tls_key_dir }}/{{ domain_name }}/privkey.pem;
+    ssl_certificate {{ letsencrypt_root }}/{{ domain_name }}/fullchain.pem;
+    ssl_certificate_key {{ letsencrypt_root }}/{{ domain_name }}/privkey.pem;
+
+    {% elif item.tls_certificate_path and item.tls_key_path %}
+
+    # concatenated key + cert
+    # See: http://nginx.org/en/docs/http/configuring_https_servers.html
+    ssl_certificate {{ item.tls_certificate_path }};
+    ssl_certificate_key {{ item.tls_key_path }};
+
    {% else %}
+
    # "snakeoil" certificate (self signed!)
    ssl_certificate /etc/ssl/certs/nginx-snakeoil.crt;
    ssl_certificate_key /etc/ssl/private/nginx-snakeoil.key;
+
    {% endif %}

    ssl_session_timeout {{ nginx_ssl_session_timeout }};
@ -27,7 +37,7 @@
    ssl_prefer_server_ciphers on;

    {# OSCP stapling only works with real certs #}
-    {% if use_snakeoil_cert != "yes" %}
+    {% if use_letsencrypt == "yes" or item.tls_certificate_path %}
    # OCSP stapling...
    ssl_stapling on;
    ssl_stapling_verify on;
@ -37,7 +47,7 @@
    {% else %}
    resolver 8.8.8.8 8.8.4.4 [2001:4860:4860::8844] [2001:4860:4860::8888];
    {% endif %} {# end: linode_id #}
-    {% endif %} {# end: use_snakeoil_cert #}
+    {% endif %} {# end: use_letsencrypt #}

    # nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and
    # when a restart is performed the previous key is lost, which resets all previous