roles/nginx: Allow usage of Let's Encrypt certs

Hosts can specify use_letsencrypt: 'yes' in their host_vars. For
now this assumes that the certificates already exist (i.e., you have
to run Let's Encrypt manually first to register/create the certs).
This commit is contained in:
Alan Orth 2016-06-27 19:07:48 +03:00
parent 8f43bf28fd
commit b7ab2da08a
Signed by: alanorth
GPG Key ID: 0FB860CC9C45B1B9
2 changed files with 20 additions and 10 deletions


@ -16,8 +16,8 @@ nginx_ssl_buffer_size: 1400
nginx_ssl_dhparam: /etc/ssl/certs/dhparam.pem nginx_ssl_dhparam: /etc/ssl/certs/dhparam.pem
nginx_ssl_protocols: 'TLSv1 TLSv1.1 TLSv1.2' nginx_ssl_protocols: 'TLSv1 TLSv1.1 TLSv1.2'
# TLS key directory # Directory root for Let's Encrypt certs
tls_key_dir: /etc/letsencrypt/live letsencrypt_root: /etc/letsencrypt/live
# stable is 1.10.x # stable is 1.10.x
# mainline is 1.11.x # mainline is 1.11.x


@ -2,19 +2,29 @@
{% set domain_name = item.domain_name %} {% set domain_name = item.domain_name %}
{# assume HSTS is off unless a vhost explicitly sets it to "yes" #} {# assume HSTS is off unless a vhost explicitly sets it to "yes" #}
{% set enable_hsts = item.enable_hsts | default("no") %} {% set enable_hsts = item.enable_hsts | default("no") %}
{# use self-signed certs? yes on development, no on production #} {# assume a vhost is not using Let's Encrypt unless it explicitly sets it to "yes" #}
{% set use_snakeoil_cert = item.use_snakeoil_cert | default("no") %} {% set use_letsencrypt = item.use_letsencrypt | default("no") %}
{% if use_letsencrypt == "yes" %}
{# better to check for "not yes" then "no" #}
{% if use_snakeoil_cert != "yes" %}
# concatenated key + cert # concatenated key + cert
# See: http://nginx.org/en/docs/http/configuring_https_servers.html # See: http://nginx.org/en/docs/http/configuring_https_servers.html
ssl_certificate {{ tls_key_dir }}/{{ domain_name }}/fullchain.pem; ssl_certificate {{ letsencrypt_root }}/{{ domain_name }}/fullchain.pem;
ssl_certificate_key {{ tls_key_dir }}/{{ domain_name }}/privkey.pem; ssl_certificate_key {{ letsencrypt_root }}/{{ domain_name }}/privkey.pem;
{% elif item.tls_certificate_path and item.tls_key_path %}
# concatenated key + cert
# See: http://nginx.org/en/docs/http/configuring_https_servers.html
ssl_certificate {{ item.tls_certificate_path }};
ssl_certificate_key {{ item.tls_key_path }};
{% else %} {% else %}
# "snakeoil" certificate (self signed!) # "snakeoil" certificate (self signed!)
ssl_certificate /etc/ssl/certs/nginx-snakeoil.crt; ssl_certificate /etc/ssl/certs/nginx-snakeoil.crt;
ssl_certificate_key /etc/ssl/private/nginx-snakeoil.key; ssl_certificate_key /etc/ssl/private/nginx-snakeoil.key;
{% endif %} {% endif %}
ssl_session_timeout {{ nginx_ssl_session_timeout }}; ssl_session_timeout {{ nginx_ssl_session_timeout }};
@ -27,7 +37,7 @@
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
{# OSCP stapling only works with real certs #} {# OSCP stapling only works with real certs #}
{% if use_snakeoil_cert != "yes" %} {% if use_letsencrypt == "yes" or item.tls_certificate_path %}
# OCSP stapling... # OCSP stapling...
ssl_stapling on; ssl_stapling on;
ssl_stapling_verify on; ssl_stapling_verify on;
@ -37,7 +47,7 @@
{% else %} {% else %}
resolver 8.8.8.8 8.8.4.4 [2001:4860:4860::8844] [2001:4860:4860::8888]; resolver 8.8.8.8 8.8.4.4 [2001:4860:4860::8844] [2001:4860:4860::8888];
{% endif %} {# end: linode_id #} {% endif %} {# end: linode_id #}
{% endif %} {# end: use_snakeoil_cert #} {% endif %} {# end: use_letsencrypt #}
# nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and # nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and
# when a restart is performed the previous key is lost, which resets all previous # when a restart is performed the previous key is lost, which resets all previous
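Review bot: The OCSP stapling guard on the new side of the second hunk, `{% if use_letsencrypt == "yes" or item.tls_certificate_path %}`, does not mirror the certificate selection in the first hunk, which requires both `item.tls_certificate_path and item.tls_key_path`; a vhost that sets only the certificate path falls through to the self-signed snakeoil pair but still gets `ssl_stapling on`, and the closing comment `{# end: use_letsencrypt #}` then mislabels the condition. Both guards read `item.tls_certificate_path` directly while `use_letsencrypt` is normalised with `| default("no")` on the line above it; depending on the Jinja2 undefined mode in use, a vhost that omits the attribute may raise rather than evaluate false, so a guarded form such as `{% if use_letsencrypt == "yes" or (item.tls_certificate_path is defined and item.tls_key_path is defined) %}` is safer and keeps the two conditions in step. The commit message describes `use_letsencrypt` as a host_vars setting, but the template reads it per vhost from `item.use_letsencrypt`; if a host-level switch is intended, the lookup should fall back to the host variable. The stapling block closes in the third hunk and the template continues beyond this section.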