fix: inconsistencies while setting the SSL cert.
When running the playbook more than once, the ssl_certificate_key line was being overwritten by the 'lineinfile' tasks because the regular expression was too greedy. This merge request uses a stricter regular expression to identify and update the ssl_certificate line in the Nginx configuration.
This commit is contained in:
parent
b03c997960
commit
317adf3931
3 changed files with 18 additions and 6 deletions
@ -55,13 +55,13 @@
csr_path: "{{ pleroma_ssl_csrPath }}"
csr_path: "{{ pleroma_ssl_csrPath }}"
provider: selfsigned
provider: selfsigned
- name: Nginx -- Ensuring Nginx configuration references the self signed certificate
- name: Nginx -- Ensuring Nginx configuration references the self signed certificate.
lineinfile:
lineinfile:
path: "{{ pleroma_nginx_conf_file }}"
path: "{{ pleroma_nginx_conf_file }}"
owner: root
owner: root
group: root
group: root
mode: '0600'
mode: '0600'
insertafter: '^\s+#\s\[\[PLACEHOLDER\sFOR\sSSL\sCERTIFICATE\]\].*$'
regexp: '{{ pleroma_ssl_certificate_path_regexp }}'
line: ' ssl_certificate {{ pleroma_ssl_selfSignedCertPath }};'
line: ' ssl_certificate {{ pleroma_ssl_selfSignedCertPath }};'
state: present
state: present
when: not pleroma.ssl.letsEncrypt.enable
when: not pleroma.ssl.letsEncrypt.enable
@ -105,7 +105,7 @@
}
}
when: pleroma.ssl.letsEncrypt.enable
when: pleroma.ssl.letsEncrypt.enable
- name: Nginx -- Checking if certificate file exists.
- name: Nginx -- Checking if the full chain certificate exists.
stat:
stat:
path: "{{ pleroma_ssl_fullChainCert }}"
path: "{{ pleroma_ssl_fullChainCert }}"
register: certificate_file
register: certificate_file
@ -117,11 +117,22 @@
owner: root
owner: root
group: root
group: root
mode: '0600'
mode: '0600'
insertafter: '^\s+#\s\[\[PLACEHOLDER\sFOR\sSSL\sCERTIFICATE\]\].*$'
regexp: '{{ pleroma_ssl_certificate_path_regexp }}'
line: ' ssl_certificate {{ pleroma_ssl_selfSignedCertPath }};'
line: ' ssl_certificate {{ pleroma_ssl_selfSignedCertPath }};'
state: present
state: present
when: pleroma.ssl.letsEncrypt.enable and certificate_file.stat.exists == false
when: pleroma.ssl.letsEncrypt.enable and certificate_file.stat.exists == false
- name: Nginx -- Ensuring the existing full chain certificate is referenced in the Nginx config.
lineinfile:
path: "{{ pleroma_nginx_conf_file }}"
owner: root
group: root
mode: '0600'
regexp: '{{ pleroma_ssl_certificate_path_regexp }}'
line: ' ssl_certificate {{ pleroma_ssl_fullChainCert }};'
state: present
when: pleroma.ssl.letsEncrypt.enable and certificate_file.stat.exists == true
- name: Nginx -- Ensuring that Nginx is running for the ACME challenge.
- name: Nginx -- Ensuring that Nginx is running for the ACME challenge.
service:
service:
name: nginx
name: nginx
@ -182,7 +193,7 @@
owner: root
owner: root
group: root
group: root
mode: '0600'
mode: '0600'
regexp: '^\s+ssl_certificate.*$'
regexp: '{{ pleroma_ssl_certificate_path_regexp }}'
line: ' ssl_certificate {{ pleroma_ssl_fullChainCert }};'
line: ' ssl_certificate {{ pleroma_ssl_fullChainCert }};'
state: present
state: present
when: pleroma.ssl.letsEncrypt.enable
when: pleroma.ssl.letsEncrypt.enable
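Review bot: The new task `- name: Nginx -- Ensuring the existing full chain certificate is referenced in the Nginx config.` carries no `insertafter`, so whenever `pleroma_ssl_certificate_path_regexp` fails to match (for example a `pleroma_ssl_folder` or host name containing a character outside the regexp's character classes) lineinfile appends the `ssl_certificate` directive at end of file, outside the `server { }` block, and nginx rejects the config with no signal from the play; the two sibling tasks that dropped their `insertafter` in this commit share the failure mode. Keying a fallback on the directive that immediately precedes the placeholder in the template, `insertafter: '^\s*ssl_certificate_key\s'`, keeps an unmatched insert inside the server block. The conditions `certificate_file.stat.exists == true` and `== false` read more naturally as `certificate_file.stat.exists` and `not certificate_file.stat.exists`. The three lineinfile tasks now differ only in `line:` and `when:`; one task with `line: ' ssl_certificate {{ pleroma_ssl_fullChainCert if certificate_file.stat.exists else pleroma_ssl_selfSignedCertPath }};'` would remove the duplicated path/owner/group/mode/regexp stanza.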
@ -25,7 +25,7 @@ server {
ssl_session_timeout 5m;
ssl_session_timeout 5m;
ssl_certificate_key {{ pleroma_ssl_privateKeyPath }};
ssl_certificate_key {{ pleroma_ssl_privateKeyPath }};
# [[PLACEHOLDER FOR SSL CERTIFICATE]]
ssl_certificate /path/to/certificate.pem;
ssl_protocols TLSv1.2;
ssl_protocols TLSv1.2;
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
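Review bot: `ssl_certificate /path/to/certificate.pem;` is a placeholder that the lineinfile tasks rewrite, but nothing in the template says so, and a reader of the rendered config will take it for a real path. A comment directly above it, `# placeholder: rewritten by the Nginx lineinfile tasks (pleroma_ssl_certificate_path_regexp)`, documents the contract. Because `pleroma_ssl_certificate_path_regexp` starts with `^\s+`, the directive must remain indented in the template or the replacement silently stops matching; the rendered page drops indentation, so this cannot be confirmed here and is worth a second comment line. Leaving a non-existent path in place fails closed (nginx will not start), which is the right default for a TLS server.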
@ -10,5 +10,6 @@ pleroma_ssl_privateAcmeAccountKeyPath: "{{ pleroma_ssl_folder}}/acme_account.key
pleroma_ssl_csrPath: "{{ pleroma_ssl_folder }}/pleroma.csr"
pleroma_ssl_csrPath: "{{ pleroma_ssl_folder }}/pleroma.csr"
pleroma_ssl_selfSignedCertPath: "{{ pleroma_ssl_folder }}/pleroma-self-signed.crt"
pleroma_ssl_selfSignedCertPath: "{{ pleroma_ssl_folder }}/pleroma-self-signed.crt"
pleroma_ssl_fullChainCert: "{{ pleroma_ssl_folder }}/{{ pleroma.config.host }}-fullchain.pem"
pleroma_ssl_fullChainCert: "{{ pleroma_ssl_folder }}/{{ pleroma.config.host }}-fullchain.pem"
pleroma_ssl_certificate_path_regexp: ^\s+ssl_certificate\s+\/([A-z0-9-+.]+\/)*([A-z0-9-_.]+\.(crt|pem);)(\s+)?$
pleroma_letsEncrypt_baseDir: /var/lib/letsencrypt
pleroma_letsEncrypt_baseDir: /var/lib/letsencrypt
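Review bot: `pleroma_ssl_certificate_path_regexp` is an unquoted plain scalar made of regex metacharacters; it parses today, but every other regexp in the tasks is single-quoted and a later edit that introduces `: ` or ` #` would silently change its meaning, so write it as `pleroma_ssl_certificate_path_regexp: '^\s+ssl_certificate\s+\/([A-z0-9-+.]+\/)*([A-z0-9-_.]+\.(crt|pem);)(\s+)?$'`. The `A-z` range also covers the punctuation between `Z` and `a` (`[`, `\`, `]`, `^`, `_`, backtick), which is the only reason `_` in a directory name matches at all; `A-Za-z` is what was meant, with `_` added explicitly. More importantly the pattern validates the whole path instead of locating the directive, so any `pleroma_ssl_folder` or host name with a character outside these classes makes the lineinfile tasks miss the line; since `ssl_certificate_key` is already excluded by the mandatory `\s+` after `ssl_certificate`, `'^\s*ssl_certificate\s+\S+;\s*$'` is simpler and does not depend on the deployment's path spelling.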