From 1b0894b584e53870b507554a16b051d16cc4b470 Mon Sep 17 00:00:00 2001
From: Joe Banks
Date: Tue, 23 Jul 2024 00:08:00 +0100
Subject: Update certificate issuance to group together related certificates

We now can use CSV values to group different (but related) SANs into one issued certificate. As an example, when it was migrated in #402, certificates were configured in such a way that certbot attempted to issue one certificate for pydis.wtf and another for *.pydis.wtf, which is obviously not desirable. This restores previous behaviour to group together certificates served from the same NGINX vhost, using some Ansible filters to ensure the `creates` option of the task matches the certbot generated directory.
---
 ansible/host_vars/lovelace/nginx.yml | 3 +++
 ansible/roles/certbot/tasks/main.yml | 2 +-
 ansible/roles/certbot/vars/main/main.yml | 4 +---
 3 files changed, 5 insertions(+), 4 deletions(-)
(limited to 'ansible')
diff --git a/ansible/host_vars/lovelace/nginx.yml b/ansible/host_vars/lovelace/nginx.yml
index 8d1080a..3c76955 100644
--- a/ansible/host_vars/lovelace/nginx.yml
+++ b/ansible/host_vars/lovelace/nginx.yml
@@ -31,6 +31,9 @@ nginx_configs:
 server_name files.pydis.wtf cloud.native.is.fun.and.easy.pydis.wtf;
 root /var/www/files.pydis.wtf;
+ ssl_certificate /etc/letsencrypt/live/pydis.wtf/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/pydis.wtf/privkey.pem;
+
 location / {
 try_files $uri $uri/ =404;
 }
diff --git a/ansible/roles/certbot/tasks/main.yml b/ansible/roles/certbot/tasks/main.yml
index 345dd5d..c6df7a1 100644
--- a/ansible/roles/certbot/tasks/main.yml
+++ b/ansible/roles/certbot/tasks/main.yml
@@ -56,7 +56,7 @@
 --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini
 -d {{ item }}
 args:
- creates: "/etc/letsencrypt/live/{{ item }}/fullchain.pem"
+ creates: "/etc/letsencrypt/live/{{ item | split(',') | first }}/fullchain.pem"
 with_items:
 - "{{ inventory_hostname }}.box.pydis.wtf"
 - "{{ certbot_domains[inventory_hostname] }}"
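Review bot: The two added `ssl_certificate` lines hard-code the lineage directory `/etc/letsencrypt/live/pydis.wtf/`, which is only correct while `pydis.wtf` stays the first entry of the comma-separated group in `certbot_domains` and while certbot actually names the lineage after that first domain (it picks a suffixed name such as `<name>-0001` when a lineage of that name already exists, so this is an assumption worth confirming on the host). Nothing in this vhost records that dependency, so a reorder of the group would leave nginx pointing at a certificate that no longer covers these names. I would add a comment directly above the new lines, `# lineage name = first SAN of the "pydis.wtf,..." group in certbot_domains; keep in sync`, or template the path from the same `split(',') | first` expression the certbot role now uses. The `files.pydis.wtf` server block this hunk sits in starts before the hunk.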
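Review bot: `creates:` on the changed line only tests that `/etc/letsencrypt/live/<first-name>/fullchain.pem` exists, not that the certificate in it covers every name of the group, so on a host that already holds the single-name `pydis.wtf` lineage from the earlier configuration the task is skipped and the vhost keeps serving a certificate without `*.pydis.wtf` and the `cloud.native…` name. The opposite failure is also possible: if certbot assigns a suffixed lineage name because `pydis.wtf` is taken, the `creates` path never appears and the task re-issues on every run, which is the kind of repeated issuance ACME rate limits penalise. Pinning the lineage with `--cert-name {{ item | split(',') | first }}` in the command (plus `--expand` where an existing lineage must gain names) makes the directory deterministic and matches the `creates` check; alternatively replace `creates` with a pre-task that inspects the installed certificate's SANs. If the task uses `shell` rather than `command`, the unquoted `*.pydis.wtf` in `-d {{ item }}` is also exposed to glob expansion; the task's module line lies outside the hunk, so I cannot tell.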
diff --git a/ansible/roles/certbot/vars/main/main.yml b/ansible/roles/certbot/vars/main/main.yml
index dc44033..58da75d 100644
--- a/ansible/roles/certbot/vars/main/main.yml
+++ b/ansible/roles/certbot/vars/main/main.yml
@@ -4,9 +4,7 @@ certbot_email: "joe@jb3.dev"
 certbot_domains:
 lovelace:
 - prometheus.lovelace.box.pydis.wtf
- pydis.wtf
- - "*.pydis.wtf"
- - cloud.native.is.fun.and.easy.pydis.wtf
+ - "pydis.wtf,*.pydis.wtf,cloud.native.is.fun.and.easy.pydis.wtf"
 certbot_cert_users:
 lovelace:
-- cgit v1.2.3
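Review bot: The new comma-separated entry is order-sensitive in a way the file does not say: the certbot task derives the `creates` path from the first name, and `host_vars/lovelace/nginx.yml` hard-codes `/etc/letsencrypt/live/pydis.wtf/`, so moving `pydis.wtf` out of first position breaks both without any error from the YAML. A comment above `certbot_domains:` should state this, e.g. `# Comma-separated names are issued as ONE certificate; the first name selects the /etc/letsencrypt/live/<name>/ directory that nginx host_vars reference.`. As a point of style, a nested list per certificate (joined with `join(',')` in the task) would express the grouping in YAML structure rather than in a string the consumers have to re-parse, and would keep the wildcard as its own quoted scalar.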