| author | 2024-07-23 00:08:00 +0100 | |
|---|---|---|
| committer | 2024-07-23 00:08:00 +0100 | |
| commit | 1b0894b584e53870b507554a16b051d16cc4b470 (patch) | |
| tree | 3e99128a7e843c18c7916d78231296e81b7054d1 | |
| parent | Remove deployments on turing (diff) | |
Update certificate issuance to group together related certificates
We can now use comma-separated values to group different (but related) SANs into one
issued certificate.
As an example, when it was migrated in #402, certificates were
configured in such a way that certbot attempted to issue one certificate
for pydis.wtf and another for *.pydis.wtf, which is obviously not
desirable.
This restores previous behaviour to group together certificates served
from the same NGINX vhost, using some Ansible filters to ensure the
`creates` option of the task matches the certbot generated directory.
| -rw-r--r-- | ansible/host_vars/lovelace/nginx.yml | 3 | ||||
| -rw-r--r-- | ansible/roles/certbot/tasks/main.yml | 2 | ||||
| -rw-r--r-- | ansible/roles/certbot/vars/main/main.yml | 4 | 
3 files changed, 5 insertions, 4 deletions
diff --git a/ansible/host_vars/lovelace/nginx.yml b/ansible/host_vars/lovelace/nginx.yml
index 8d1080a..3c76955 100644
--- a/ansible/host_vars/lovelace/nginx.yml
+++ b/ansible/host_vars/lovelace/nginx.yml
@@ -31,6 +31,9 @@ nginx_configs:
       server_name files.pydis.wtf cloud.native.is.fun.and.easy.pydis.wtf;
       root        /var/www/files.pydis.wtf;
+      ssl_certificate         /etc/letsencrypt/live/pydis.wtf/fullchain.pem;
+      ssl_certificate_key     /etc/letsencrypt/live/pydis.wtf/privkey.pem;
+
       location / {
         try_files $uri $uri/ =404;
       }
diff --git a/ansible/roles/certbot/tasks/main.yml b/ansible/roles/certbot/tasks/main.yml
index 345dd5d..c6df7a1 100644
--- a/ansible/roles/certbot/tasks/main.yml
+++ b/ansible/roles/certbot/tasks/main.yml
@@ -56,7 +56,7 @@
     --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini
     -d {{ item }}
   args:
-    creates: "/etc/letsencrypt/live/{{ item }}/fullchain.pem"
+    creates: "/etc/letsencrypt/live/{{ item | split(',') | first }}/fullchain.pem"
   with_items:
     - "{{ inventory_hostname }}.box.pydis.wtf"
     - "{{ certbot_domains[inventory_hostname] }}"
diff --git a/ansible/roles/certbot/vars/main/main.yml b/ansible/roles/certbot/vars/main/main.yml
index dc44033..58da75d 100644
--- a/ansible/roles/certbot/vars/main/main.yml
+++ b/ansible/roles/certbot/vars/main/main.yml
@@ -4,9 +4,7 @@ certbot_email: "[email protected]"
 certbot_domains:
   lovelace:
     - prometheus.lovelace.box.pydis.wtf
-    - pydis.wtf
-    - "*.pydis.wtf"
-    - cloud.native.is.fun.and.easy.pydis.wtf
+    - "pydis.wtf,*.pydis.wtf,cloud.native.is.fun.and.easy.pydis.wtf"
 certbot_cert_users:
   lovelace: |
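Review bot: The two added `ssl_certificate*` lines hard-code the lineage directory `pydis.wtf`, which is only correct while `pydis.wtf` remains the first name in the comma-separated `certbot_domains.lovelace` entry, because certbot names the live directory after the first `-d` domain unless `--cert-name` is given and the certbot task's `creates` guard uses `item | split(',') | first` on the same assumption; the same ordering coupling applies to the vars/main/main.yml hunk. A comment above the new lines would make that dependency visible, e.g. `# lineage dir = first domain of the CSV entry in certbot_domains; keep them in sync`, and the vars file deserves the matching `# first name decides /etc/letsencrypt/live/<name>; do not reorder`. Whether this vhost has a `listen ... ssl` directive and whether the certbot role runs before nginx (so the files exist at first start) is not visible here; the enclosing `nginx_configs` block scalar starts outside the hunk.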
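Review bot: Keying `creates` on only the first domain means that adding or removing a SAN in the comma-separated entry no longer re-runs certbot, since `/etc/letsencrypt/live/pydis.wtf/fullchain.pem` already exists from the earlier issuance; a newly added name would silently stay uncovered by the served certificate until the lineage is removed or certbot is run by hand with the expanded list. If that is the accepted trade-off, say so next to the guard: `# creates: only guards first issuance; changing the SAN set needs a manual --expand run`. Otherwise the guard should compare the requested name set against the existing lineage (for example via `certbot certificates` in a preceding task) rather than a file's presence. The `split` filter is, as far as I recall, available only from ansible-core 2.11; older controllers would need `item.split(',')`. The task starts above the hunk (its `name` and `command` lines are not shown).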
