Merge branch '5213-handle-dns-alias-domain' into 'master'

mix multiple domains using domain alias or not

See merge request open-source/iml-certman!13

cm.sh

@@ -31,6 +31,7 @@
 # 2022-04-04  <axel.hahn@iml.unibe.ch>  added param "list-old"
 # 2022-04-07  <axel.hahn@iml.unibe.ch>  fix missing key in public_ensure before calling public_add too.
 # 2022-04-20  <axel.hahn@iml.unibe.ch>  fix multiple domains using domain alias
+# 2022-04-21  <axel.hahn@iml.unibe.ch>  mix multiple domains using domain alias or not
 # ======================================================================
 
 
@@ -406,11 +407,13 @@ function public_add(){
 
 	for _mydomain in $CM_fqdn $*
 	do
-		_params+="-d $_mydomain "
+		_params+="-d $_mydomain --challenge-alias "
 
 		if [ -n "${CM_challenge_alias}" ] && ! echo "$_mydomain" | grep "${CM_certmatch}" >/dev/null
 		then
-			_params+="--challenge-alias ${CM_challenge_alias} "
+			_params+="${CM_challenge_alias} "
+		else
+			_params+="no "
 		fi
 	done
 
@@ -418,7 +421,7 @@ function public_add(){
 	mkdir -p "${CM_dircerts}" 2>/dev/null
 
 	_wd "--- create certificate"
-	echo $ACME --issue $_params $ACME_Params 
+	echo "$ACME --issue $_params $ACME_Params"
 	if ! $ACME --issue $_params $ACME_Params 
 	then
 		echo "ERROR: adding cert failed. Trying to delete internal data ..."

docs/30_Usage.md

@@ -129,6 +129,14 @@ In a scenario of automatic deployment with Ansible or Puppet you don't want to f
 
 creates (or renews if close to expiriation) a certificate with 2 hostnames in it.
 
+This ensure action handles the logic if a certificate must be
+
+* created (if it does not exist) or
+* renewed (it already exists) or
+* re-created (the list of dns names in the certificate was changed)
+
+It detects if a domain in the certificate can use a txt record or needs dns auth mode.
+
 ## Show certificate data
 
 Use the listing `[APPPATH]/cm.sh list` or maybe filter it `[APPPATH]/cm.sh list | grep "mail."`

docs/50_Automation_with_Ansible.md

+# Automation with Ansible
+
+This is an example how our own installation works.
+
+Ansible can be started manually on a worksation of a sysadmin or on AWX. So we need a
+"central server" that manages and holds all certifiactes.
+
+In cm.sh is a queuing to handle only one certificate. Multiple simoultanous
+calls of cm.sh - from multiple machines or becaus of parallel tasks in your
+playbook are no problem.
+
+![Workflow with Ansible](images/lets-encrypt-workflow-ansible.png)
+
+The following snippets give you an idea how it is done. Even if it is not
+a comlete source with all values of the variables.
+
+## 1. Execute cm.sh
+
+The Ansible instances start the `cm.sh` as SSH command. This triggers the the creation or
+renew of a certificate - whatever is needed.
+
+```yaml
+- name: 'on {{ ssl_master_certhost }} - start {{ ssl_certman_dir }}/cm.sh ensure ...'
+  shell: | 
+    ssh {{ ssl_master_user }}@{{ ssl_master_certhost }} {{ ssl_certman_dir }}/cm.sh ensure {{ ssl_fqdn }} {{ ssl_aliases | join(' ')}}
+  become_user: "{{ lookup('env','USER') }}"
+  delegate_to: localhost
+  # maybe you need to set
+  # become: true|false
+```
+
+## 2. Rsync certs locally
+
+With rsync it syncs the certificate folder locally to the Ansible machine.
+
+```yaml
+- name: "sync certs locally"
+  shell: | 
+    rsync -rav {{ ssl_master_user }}@{{ ssl_master_certhost }}:{{ ssl_master_install_dir }}/certs/ {{ ssl_certs_local_dir }}
+  become_user: "{{ lookup('env','USER') }}"
+  delegate_to: localhost
+  # maybe you need to set
+  # become: true|false
+```
+
+## 3. Deploy files
+
+Now we can use normal Ansible copy mechanisms to brin these files to the target system.
+
+```yaml
+- name: Install key + certificate for {{ ssl_fqdn }} + intermediate CA
+  copy:
+    src:  '{{ item[0] }}'
+    dest: '{{ item[1] }}'
+    mode: '{{ item[2] }}'
+    backup: true
+  notify: "{{ ssl_change_notify | default([]) }}"
+  loop:
+    - [ '{{ ssl_certs_local_dir }}/{{ ssl_fqdn }}/{{ ssl_fqdn }}.cert.cer',       '{{ CONST.ssl.certdir }}/{{ ssl_fqdn }}.cert.cer'      , '0444']
+    - [ '{{ ssl_certs_local_dir }}/{{ ssl_fqdn }}/{{ ssl_fqdn }}.fullchain.cer',  '{{ CONST.ssl.certdir }}/{{ ssl_fqdn }}.fullchain.cer' , '0444']
+    - [ '{{ ssl_certs_local_dir }}/{{ ssl_fqdn }}/{{ ssl_fqdn }}.key.pem',        '{{ CONST.ssl.certdir }}/{{ ssl_fqdn }}.key.pem'       , '0400']
+    - [ '{{ ssl_certs_local_dir }}/{{ ssl_fqdn }}/{{ ssl_fqdn }}.haproxy.pem',    '{{ CONST.ssl.certdir }}/{{ ssl_fqdn }}.haproxy.pem'   , '0444']
+    - [ '{{ ssl_certs_local_dir }}/{{ ssl_fqdn }}/{{ ssl_fqdn }}.ca.cer',         '{{ CONST.ssl.certdir }}/{{ ssl_fqdn }}.ca.cer'        , '0444']
+    #                              ^
+    #                              |
+    #                              filestructure after ACME.SH dump
+```

docs/_index.md

@@ -87,3 +87,9 @@ to verify when what was done what for a given domain.
 Automation is wonderful. You create systems and certificates for them on the fly.
 And you destroy test machines. A parameter "list-old" shows certiciates that were not renewed
 anymore and are older 90 days.
+
+## Overview
+
+This is an overview of the components for issuing a certificate that take part:
+
+![Components](images/cert-manager-components.png)
\ No newline at end of file

docs/style.css

 /*
 
     patch css elements of daux.io blue theme
+    version 2022-04-22
 
 */
 
@@ -34,7 +35,17 @@
 
 /* ---------- tags ---------- */
 
-body, *{color: var(--color); }
+a.Brand::before {
+	background: rgb(255,0,51);
+	color: #fff;
+    font-family: arial;
+	font-weight: bold;
+	padding: 0.5em 0.3em;
+	content: 'IML';
+    margin-right: 0.4em;
+}
+
+body, *{color: var(--color);}
 body{background: var(--bg-body);}