fix: inconsistencies while setting the SSL cert.
When running the playbook more than once, the ssl_certificate_key line was being overwritten by the 'lineinfile' tasks because the regular expression was too greedy. This merge request uses a stricter regular expression to identify and update the ssl_certificate line in the Nginx configuration.
This commit is contained in:
parent
b03c997960
commit
317adf3931
3 changed files with 18 additions and 6 deletions
|
@ -55,13 +55,13 @@
|
|||
csr_path: "{{ pleroma_ssl_csrPath }}"
|
||||
provider: selfsigned
|
||||
|
||||
- name: Nginx -- Ensuring Nginx configuration references the self signed certificate
|
||||
- name: Nginx -- Ensuring Nginx configuration references the self signed certificate.
|
||||
lineinfile:
|
||||
path: "{{ pleroma_nginx_conf_file }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0600'
|
||||
insertafter: '^\s+#\s\[\[PLACEHOLDER\sFOR\sSSL\sCERTIFICATE\]\].*$'
|
||||
regexp: '{{ pleroma_ssl_certificate_path_regexp }}'
|
||||
line: ' ssl_certificate {{ pleroma_ssl_selfSignedCertPath }};'
|
||||
state: present
|
||||
when: not pleroma.ssl.letsEncrypt.enable
|
||||
|
@ -105,7 +105,7 @@
|
|||
}
|
||||
when: pleroma.ssl.letsEncrypt.enable
|
||||
|
||||
- name: Nginx -- Checking if certificate file exists.
|
||||
- name: Nginx -- Checking if the full chain certificate exists.
|
||||
stat:
|
||||
path: "{{ pleroma_ssl_fullChainCert }}"
|
||||
register: certificate_file
|
||||
|
@ -117,11 +117,22 @@
|
|||
owner: root
|
||||
group: root
|
||||
mode: '0600'
|
||||
insertafter: '^\s+#\s\[\[PLACEHOLDER\sFOR\sSSL\sCERTIFICATE\]\].*$'
|
||||
regexp: '{{ pleroma_ssl_certificate_path_regexp }}'
|
||||
line: ' ssl_certificate {{ pleroma_ssl_selfSignedCertPath }};'
|
||||
state: present
|
||||
when: pleroma.ssl.letsEncrypt.enable and certificate_file.stat.exists == false
|
||||
|
||||
- name: Nginx -- Ensuring the existing full chain certificate is referenced in the Nginx config.
|
||||
lineinfile:
|
||||
path: "{{ pleroma_nginx_conf_file }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0600'
|
||||
regexp: '{{ pleroma_ssl_certificate_path_regexp }}'
|
||||
line: ' ssl_certificate {{ pleroma_ssl_fullChainCert }};'
|
||||
state: present
|
||||
when: pleroma.ssl.letsEncrypt.enable and certificate_file.stat.exists == true
|
||||
|
||||
- name: Nginx -- Ensuring that Nginx is running for the ACME challenge.
|
||||
service:
|
||||
name: nginx
|
||||
|
@ -182,7 +193,7 @@
|
|||
owner: root
|
||||
group: root
|
||||
mode: '0600'
|
||||
regexp: '^\s+ssl_certificate.*$'
|
||||
regexp: '{{ pleroma_ssl_certificate_path_regexp }}'
|
||||
line: ' ssl_certificate {{ pleroma_ssl_fullChainCert }};'
|
||||
state: present
|
||||
when: pleroma.ssl.letsEncrypt.enable
|
||||
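Review bot: The new task "Nginx -- Ensuring the existing full chain certificate is referenced in the Nginx config." carries no `insertafter`, although it shares `regexp: '{{ pleroma_ssl_certificate_path_regexp }}'` with the task right above it that does; if the regexp ever fails to match (a certificate directory with a character the pattern's class does not admit, for instance), lineinfile falls back to appending the `ssl_certificate` line at the end of the file, outside the `server {}` block, where it does not apply to that server and the stale path stays in place. Adding `insertafter: '^\s+#\s\[\[PLACEHOLDER\sFOR\sSSL\sCERTIFICATE\]\].*$'` keeps the three tasks consistent and makes a non-match land next to the placeholder instead. The task in the last hunk of this file (`@ -182,7 +193,7 @@`), whose header and name lie outside the hunk, has the same gap. As a style point, `certificate_file.stat.exists == false` and `== true` read more naturally as `not certificate_file.stat.exists` and `certificate_file.stat.exists`.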
|
|
|
@ -25,7 +25,7 @@ server {
|
|||
ssl_session_timeout 5m;
|
||||
|
||||
ssl_certificate_key {{ pleroma_ssl_privateKeyPath }};
|
||||
# [[PLACEHOLDER FOR SSL CERTIFICATE]]
|
||||
ssl_certificate /path/to/certificate.pem;
|
||||
|
||||
ssl_protocols TLSv1.2;
|
||||
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
|
||||
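Review bot: The placeholder `ssl_certificate /path/to/certificate.pem;` line is load-bearing for the playbook — the lineinfile tasks locate it through `pleroma_ssl_certificate_path_regexp`, and it sits directly under the `ssl_certificate_key` line that the old greedy pattern used to clobber — but nothing in the template says so. A comment above it would stop a later edit from silently breaking the match, e.g. `# Placeholder replaced by the playbook's lineinfile tasks; keep it matching pleroma_ssl_certificate_path_regexp.` placed next to the existing `# [[PLACEHOLDER FOR SSL CERTIFICATE]]` marker. The enclosing `server {` block starts and ends outside the hunk.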
|
|
|
@ -10,5 +10,6 @@ pleroma_ssl_privateAcmeAccountKeyPath: "{{ pleroma_ssl_folder}}/acme_account.key
|
|||
pleroma_ssl_csrPath: "{{ pleroma_ssl_folder }}/pleroma.csr"
|
||||
pleroma_ssl_selfSignedCertPath: "{{ pleroma_ssl_folder }}/pleroma-self-signed.crt"
|
||||
pleroma_ssl_fullChainCert: "{{ pleroma_ssl_folder }}/{{ pleroma.config.host }}-fullchain.pem"
|
||||
pleroma_ssl_certificate_path_regexp: ^\s+ssl_certificate\s+\/([A-z0-9-+.]+\/)*([A-z0-9-_.]+\.(crt|pem);)(\s+)?$
|
||||
|
||||
pleroma_letsEncrypt_baseDir: /var/lib/letsencrypt
|
||||
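Review bot: `pleroma_ssl_certificate_path_regexp` uses the range `A-z` in both character classes; in the Python regular expressions lineinfile evaluates, that range also admits `[`, `\`, `]`, `^`, `_` and the backtick, so the first class accepts `_` in directory names only by accident while the second lists `_` explicitly. The intent is evidently `A-Za-z`, and narrowing it without adding `_` to the first class would reject certificate folders containing underscores, so I would write `pleroma_ssl_certificate_path_regexp: '^\s+ssl_certificate\s+/([A-Za-z0-9_+.-]+/)*[A-Za-z0-9_.-]+\.(crt|pem);\s*$'`. Single quotes match the other regexps in this role, the `\/` escapes are unnecessary in Python, and the capturing groups were unused. The hunk header's context line `pleroma_ssl_privateAcmeAccountKeyPath: "{{ pleroma_ssl_folder}}/...` is missing the space before `}}`, but that line is outside this change.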
|
|