fix: inconsistencies while setting the SSL cert.

When running the pleybook more than once the ssl_certificate_key line was being overwritten by the 'lineinfile' tasks because the regular expression was too greedy. This merge request uses a stricter regular expression to indentify and update the ssl_certificate line in the Nginx configuration.
2019-10-26 23:56:35 +01:00 · 2019-10-26 23:56:35 +01:00 · 317adf3931
commit 317adf3931
parent b03c997960
3 changed files with 18 additions and 6 deletions
--- a/roles/pleroma-nginx/tasks/main.yml
+++ b/roles/pleroma-nginx/tasks/main.yml
@ -55,13 +55,13 @@
    csr_path: "{{ pleroma_ssl_csrPath }}"
    provider: selfsigned

- name: Nginx -- Ensuring Nginx configuration references the self signed certificate
+- name: Nginx -- Ensuring Nginx configuration references the self signed certificate.
  lineinfile:
    path: "{{ pleroma_nginx_conf_file }}"
    owner: root
    group: root
    mode: '0600'
-    insertafter: '^\s+#\s\[\[PLACEHOLDER\sFOR\sSSL\sCERTIFICATE\]\].*$'
+    regexp: '{{ pleroma_ssl_certificate_path_regexp }}'
    line: '    ssl_certificate           {{ pleroma_ssl_selfSignedCertPath }};'
    state: present
  when: not pleroma.ssl.letsEncrypt.enable
@ -105,7 +105,7 @@
          }
  when: pleroma.ssl.letsEncrypt.enable

- name: Nginx -- Checking if certificate file exists.
+- name: Nginx -- Checking if the full chain certificate exists.
  stat:
    path: "{{ pleroma_ssl_fullChainCert }}"
  register: certificate_file
@ -117,11 +117,22 @@
    owner: root
    group: root
    mode: '0600'
-    insertafter: '^\s+#\s\[\[PLACEHOLDER\sFOR\sSSL\sCERTIFICATE\]\].*$'
+    regexp: '{{ pleroma_ssl_certificate_path_regexp }}'
    line: '    ssl_certificate           {{ pleroma_ssl_selfSignedCertPath }};'
    state: present
  when: pleroma.ssl.letsEncrypt.enable and certificate_file.stat.exists == false

+- name: Nginx -- Ensuring the existing full chain certificate is referenced in the Nginx config.
+  lineinfile:
+    path: "{{ pleroma_nginx_conf_file }}"
+    owner: root
+    group: root
+    mode: '0600'
+    regexp: '{{ pleroma_ssl_certificate_path_regexp }}'
+    line: '    ssl_certificate           {{ pleroma_ssl_fullChainCert }};'
+    state: present
+  when: pleroma.ssl.letsEncrypt.enable and certificate_file.stat.exists == true
+
 - name: Nginx -- Ensuring that Nginx is running for the ACME challenge.
  service:
    name: nginx
@ -182,7 +193,7 @@
    owner: root
    group: root
    mode: '0600'
-    regexp: '^\s+ssl_certificate.*$'
+    regexp: '{{ pleroma_ssl_certificate_path_regexp }}'
    line: '    ssl_certificate           {{ pleroma_ssl_fullChainCert }};'
    state: present
  when: pleroma.ssl.letsEncrypt.enable
--- a/roles/pleroma-nginx/templates/etc_ngnix_confd_pleroma.conf.j2
+++ b/roles/pleroma-nginx/templates/etc_ngnix_confd_pleroma.conf.j2
@ -25,7 +25,7 @@ server {
    ssl_session_timeout 5m;

    ssl_certificate_key       {{ pleroma_ssl_privateKeyPath }};
-    # [[PLACEHOLDER FOR SSL CERTIFICATE]]
+    ssl_certificate           /path/to/certificate.pem;

    ssl_protocols TLSv1.2;
    ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
--- a/roles/pleroma-nginx/vars/main.yml
+++ b/roles/pleroma-nginx/vars/main.yml
@ -10,5 +10,6 @@ pleroma_ssl_privateAcmeAccountKeyPath: "{{ pleroma_ssl_folder}}/acme_account.key
 pleroma_ssl_csrPath: "{{ pleroma_ssl_folder }}/pleroma.csr"
 pleroma_ssl_selfSignedCertPath: "{{ pleroma_ssl_folder }}/pleroma-self-signed.crt"
 pleroma_ssl_fullChainCert: "{{ pleroma_ssl_folder }}/{{ pleroma.config.host }}-fullchain.pem"
+pleroma_ssl_certificate_path_regexp: ^\s+ssl_certificate\s+\/([A-z0-9-+.]+\/)*([A-z0-9-_.]+\.(crt|pem);)(\s+)?$

 pleroma_letsEncrypt_baseDir: /var/lib/letsencrypt