From 317adf39318c1b348ef437155dba590ff7cf676d Mon Sep 17 00:00:00 2001
From: Dan Anglin
Date: Sat, 26 Oct 2019 23:56:35 +0100
Subject: [PATCH] fix: inconsistencies while setting the SSL cert.

When running the pleybook more than once the ssl_certificate_key line was being overwritten by the 'lineinfile' tasks because the regular expression was too greedy. This merge request uses a stricter regular expression to indentify and update the ssl_certificate line in the Nginx configuration.
---
 roles/pleroma-nginx/tasks/main.yml | 21 ++++++++++++++-----
 .../templates/etc_ngnix_confd_pleroma.conf.j2 | 2 +-
 roles/pleroma-nginx/vars/main.yml | 1 +
 3 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/roles/pleroma-nginx/tasks/main.yml b/roles/pleroma-nginx/tasks/main.yml
index cf58c0f..da7e8bf 100644
--- a/roles/pleroma-nginx/tasks/main.yml
+++ b/roles/pleroma-nginx/tasks/main.yml
@@ -55,13 +55,13 @@
 csr_path: "{{ pleroma_ssl_csrPath }}"
 provider: selfsigned
 
-- name: Nginx -- Ensuring Nginx configuration references the self signed certificate
+- name: Nginx -- Ensuring Nginx configuration references the self signed certificate.
 lineinfile:
 path: "{{ pleroma_nginx_conf_file }}"
 owner: root
 group: root
 mode: '0600'
- insertafter: '^\s+#\s\[\[PLACEHOLDER\sFOR\sSSL\sCERTIFICATE\]\].*$'
+ regexp: '{{ pleroma_ssl_certificate_path_regexp }}'
 line: ' ssl_certificate {{ pleroma_ssl_selfSignedCertPath }};'
 state: present
 when: not pleroma.ssl.letsEncrypt.enable
@@ -105,7 +105,7 @@
 }
 when: pleroma.ssl.letsEncrypt.enable
 
-- name: Nginx -- Checking if certificate file exists.
+- name: Nginx -- Checking if the full chain certificate exists.
 stat:
 path: "{{ pleroma_ssl_fullChainCert }}"
 register: certificate_file
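Review bot: Replacing `insertafter` with `regexp` alone changes what happens when nothing matches: Ansible's lineinfile then appends the `ssl_certificate` line at the end of the file, outside the `server { }` block, which nginx's config test is likely to reject; the same applies to the two tasks in hunks @@ -117 and @@ -182. A non-match is plausible whenever the rendered path contains a character outside the classes in `pleroma_ssl_certificate_path_regexp` (for example a folder name with a character the class does not cover) or the placeholder line in the template has been edited by hand. Keeping an anchor next to the regexp, e.g. `insertafter: '^\s+ssl_certificate_key.*$'`, makes the fallback insert land inside the block instead of at EOF. The surrounding `openssl_csr` task and the task list continue outside this hunk.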
@@ -117,11 +117,22 @@
 owner: root
 group: root
 mode: '0600'
- insertafter: '^\s+#\s\[\[PLACEHOLDER\sFOR\sSSL\sCERTIFICATE\]\].*$'
+ regexp: '{{ pleroma_ssl_certificate_path_regexp }}'
 line: ' ssl_certificate {{ pleroma_ssl_selfSignedCertPath }};'
 state: present
 when: pleroma.ssl.letsEncrypt.enable and certificate_file.stat.exists == false
 
+- name: Nginx -- Ensuring the existing full chain certificate is referenced in the Nginx config.
+ lineinfile:
+ path: "{{ pleroma_nginx_conf_file }}"
+ owner: root
+ group: root
+ mode: '0600'
+ regexp: '{{ pleroma_ssl_certificate_path_regexp }}'
+ line: ' ssl_certificate {{ pleroma_ssl_fullChainCert }};'
+ state: present
+ when: pleroma.ssl.letsEncrypt.enable and certificate_file.stat.exists == true
+
 - name: Nginx -- Ensuring that Nginx is running for the ACME challenge.
 service:
 name: nginx
@@ -182,7 +193,7 @@
 owner: root
 group: root
 mode: '0600'
- regexp: '^\s+ssl_certificate.*$'
+ regexp: '{{ pleroma_ssl_certificate_path_regexp }}'
 line: ' ssl_certificate {{ pleroma_ssl_fullChainCert }};'
 state: present
 when: pleroma.ssl.letsEncrypt.enable
diff --git a/roles/pleroma-nginx/templates/etc_ngnix_confd_pleroma.conf.j2 b/roles/pleroma-nginx/templates/etc_ngnix_confd_pleroma.conf.j2
index be0e973..46a3dda 100644
--- a/roles/pleroma-nginx/templates/etc_ngnix_confd_pleroma.conf.j2
+++ b/roles/pleroma-nginx/templates/etc_ngnix_confd_pleroma.conf.j2
@@ -25,7 +25,7 @@ server {
 ssl_session_timeout 5m;
 ssl_certificate_key {{ pleroma_ssl_privateKeyPath }};
- # [[PLACEHOLDER FOR SSL CERTIFICATE]]
+ ssl_certificate /path/to/certificate.pem;
 ssl_protocols TLSv1.2;
 ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
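Review bot: The new task is a copy of the one above it that differs only in `line:` and in the `when:` condition, and both conditions compare a boolean against a literal (`== false`, `== true`) while the rest of the role writes `when: not pleroma.ssl.letsEncrypt.enable`; ansible-lint's literal-compare rule flags that form. The two tasks could be one with the path chosen inline, `line: ' ssl_certificate {{ pleroma_ssl_fullChainCert if certificate_file.stat.exists else pleroma_ssl_selfSignedCertPath }};'` under `when: pleroma.ssl.letsEncrypt.enable`, which also removes the chance of the two copies drifting apart. If they stay separate, `and certificate_file.stat.exists` / `and not certificate_file.stat.exists` reads the same as the literal comparison. The `stat` task that registers `certificate_file` is outside this hunk.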
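Review bot: The placeholder is now a live `ssl_certificate /path/to/certificate.pem;` directive rather than a comment, so a render where none of the role's lineinfile tasks rewrites it leaves nginx pointing at a path that does not exist, and the next config test or reload presumably fails rather than the old behaviour of simply having no certificate line. As written the line does match `pleroma_ssl_certificate_path_regexp` (`/path/`, `to/`, then `certificate.pem;`), which is what the first run relies on, but nothing in the template says so. A comment on the line above would stop the next reader from "correcting" the path in the template: `# placeholder only: rewritten by the pleroma-nginx lineinfile tasks via pleroma_ssl_certificate_path_regexp`. The enclosing `server { }` block starts and ends outside the hunk.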
diff --git a/roles/pleroma-nginx/vars/main.yml b/roles/pleroma-nginx/vars/main.yml
index 6b855ad..00b034a 100644
--- a/roles/pleroma-nginx/vars/main.yml
+++ b/roles/pleroma-nginx/vars/main.yml
@@ -10,5 +10,6 @@ pleroma_ssl_privateAcmeAccountKeyPath: "{{ pleroma_ssl_folder}}/acme_account.key
 pleroma_ssl_csrPath: "{{ pleroma_ssl_folder }}/pleroma.csr"
 pleroma_ssl_selfSignedCertPath: "{{ pleroma_ssl_folder }}/pleroma-self-signed.crt"
 pleroma_ssl_fullChainCert: "{{ pleroma_ssl_folder }}/{{ pleroma.config.host }}-fullchain.pem"
+pleroma_ssl_certificate_path_regexp: ^\s+ssl_certificate\s+\/([A-z0-9-+.]+\/)*([A-z0-9-_.]+\.(crt|pem);)(\s+)?$
 pleroma_letsEncrypt_baseDir: /var/lib/letsencrypt
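Review bot: The character class `[A-z]` in the new regexp is wider than it looks: it spans ASCII 65–122, so it also admits `[`, `\`, `]`, `^`, `` ` `` and `_`, which is the only reason an underscore in a directory name (the directory class does not list `_`) currently matches. Spelling the ranges out and listing `_` explicitly keeps the match intentional, and `(\s+)?$` is just `\s*$`; the capture groups are not used by lineinfile, so they can go too: `pleroma_ssl_certificate_path_regexp: '^\s+ssl_certificate\s+/([A-Za-z0-9_+.-]+/)*[A-Za-z0-9_.-]+\.(crt|pem);\s*$'`. The value also sits unquoted as a plain scalar, which parses today but will break on the first edit that introduces `: ` or ` #`; single quotes cost nothing since no `{{ }}` is involved. Whether `pleroma_ssl_folder` itself fits the class cannot be checked from this hunk, and the matching still silently depends on it.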