Commit d4156f95 authored by Hahn Axel (hahn)

Merge branch '5213-handle-dns-alias-domain' into 'master'

mix multiple domains using domain alias or not

See merge request open-source/iml-certman!13
parents a4ad9dc2 63949a9f
......@@ -31,6 +31,7 @@
# 2022-04-04 <axel.hahn@iml.unibe.ch> added param "list-old"
# 2022-04-07 <axel.hahn@iml.unibe.ch> fix missing key in public_ensure before calling public_add too.
# 2022-04-20 <axel.hahn@iml.unibe.ch> fix multiple domains using domain alias
# 2022-04-21 <axel.hahn@iml.unibe.ch> mix multiple domains using domain alias or not
# ======================================================================
......@@ -406,11 +407,13 @@ function public_add(){
for _mydomain in $CM_fqdn $*
do
_params+="-d $_mydomain "
_params+="-d $_mydomain --challenge-alias "
if [ -n "${CM_challenge_alias}" ] && ! echo "$_mydomain" | grep "${CM_certmatch}" >/dev/null
then
_params+="--challenge-alias ${CM_challenge_alias} "
_params+="${CM_challenge_alias} "
else
_params+="no "
fi
done
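Review bot: the per-domain decision in this loop, `! echo "$_mydomain" | grep "${CM_certmatch}"`, is an unanchored basic-regex match against the whole domain, so if `CM_certmatch` is empty or unset the pattern matches every domain and every `-d` silently gets `--challenge-alias no`, turning alias mode off for the whole request; a dot in `CM_certmatch` likewise matches any character rather than a literal dot. Suggest guarding the variable and matching a literal string, e.g. `grep -q -F -- "${CM_certmatch}"` (or an anchored pattern if a suffix match is what is intended), which also drops the `>/dev/null`. The literal `no` that the new `else` branch appends is passed straight through to `$ACME` and nothing in the loop says why; a one-line comment stating what `$ACME` does with that value would help the next reader, since the changelog entry "mix multiple domains using domain alias or not" is the only hint.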
......@@ -418,7 +421,7 @@ function public_add(){
mkdir -p "${CM_dircerts}" 2>/dev/null
_wd "--- create certificate"
echo $ACME --issue $_params $ACME_Params
echo "$ACME --issue $_params $ACME_Params"
if ! $ACME --issue $_params $ACME_Params
then
echo "ERROR: adding cert failed. Trying to delete internal data ..."
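Review bot: quoting the `echo` after `_wd "--- create certificate"` only changes how the command line is displayed; the actual invocation `$ACME --issue $_params $ACME_Params` still depends on unquoted word splitting of `$_params`, which is what makes the string-built parameter list from the loop above work, but also means a domain or alias value containing whitespace or glob characters would be split or expanded before it reaches `$ACME`, and the echoed line would not reproduce what was run. Building `_params` as a bash array (`_params+=(-d "$_mydomain")` in the loop and `"${_params[@]}"` in both the `echo` and the call) makes the displayed and the executed command identical.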
......
......@@ -129,6 +129,14 @@ In a scenario of automatic deployment with Ansible or Puppet you don't want to f
creates (or renews if close to expiriation) a certificate with 2 hostnames in it.
This ensure action handles the logic if a certificate must be
* created (if it does not exist) or
* renewed (it already exists) or
* re-created (the list of dns names in the certificate was changed)
It detects if a domain in the certificate can use a txt record or needs dns auth mode.
## Show certificate data
Use the listing `[APPPATH]/cm.sh list` or maybe filter it `[APPPATH]/cm.sh list | grep "mail."`
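Review bot: the added sentence "It detects if a domain in the certificate can use a txt record or needs dns auth mode." does not describe what `public_add` actually does: the choice is a per-domain pattern match of the domain name against `CM_certmatch`, where non-matching domains get `--challenge-alias ${CM_challenge_alias}` and matching ones get `--challenge-alias no`; there is no detection of TXT-record capability. Suggest stating the rule and the variable, e.g. "Domains matching CM_certmatch are validated directly; all other domains are validated via the challenge alias CM_challenge_alias.", so an operator knows which variable controls the split. The context line above also has "expiriation" for "expiration".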
......
# Automation with Ansible
This is an example how our own installation works.
Ansible can be started manually on a worksation of a sysadmin or on AWX. So we need a
"central server" that manages and holds all certifiactes.
In cm.sh is a queuing to handle only one certificate. Multiple simoultanous
calls of cm.sh - from multiple machines or becaus of parallel tasks in your
playbook are no problem.
![Workflow with Ansible](images/lets-encrypt-workflow-ansible.png)
The following snippets give you an idea how it is done. Even if it is not
a comlete source with all values of the variables.
## 1. Execute cm.sh
The Ansible instances start the `cm.sh` as SSH command. This triggers the the creation or
renew of a certificate - whatever is needed.
```yaml
- name: 'on {{ ssl_master_certhost }} - start {{ ssl_certman_dir }}/cm.sh ensure ...'
shell: |
ssh {{ ssl_master_user }}@{{ ssl_master_certhost }} {{ ssl_certman_dir }}/cm.sh ensure {{ ssl_fqdn }} {{ ssl_aliases | join(' ')}}
become_user: "{{ lookup('env','USER') }}"
delegate_to: localhost
# maybe you need to set
# become: true|false
```
## 2. Rsync certs locally
With rsync it syncs the certificate folder locally to the Ansible machine.
```yaml
- name: "sync certs locally"
shell: |
rsync -rav {{ ssl_master_user }}@{{ ssl_master_certhost }}:{{ ssl_master_install_dir }}/certs/ {{ ssl_certs_local_dir }}
become_user: "{{ lookup('env','USER') }}"
delegate_to: localhost
# maybe you need to set
# become: true|false
```
## 3. Deploy files
Now we can use normal Ansible copy mechanisms to brin these files to the target system.
```yaml
- name: Install key + certificate for {{ ssl_fqdn }} + intermediate CA
copy:
src: '{{ item[0] }}'
dest: '{{ item[1] }}'
mode: '{{ item[2] }}'
backup: true
notify: "{{ ssl_change_notify | default([]) }}"
loop:
- [ '{{ ssl_certs_local_dir }}/{{ ssl_fqdn }}/{{ ssl_fqdn }}.cert.cer', '{{ CONST.ssl.certdir }}/{{ ssl_fqdn }}.cert.cer' , '0444']
- [ '{{ ssl_certs_local_dir }}/{{ ssl_fqdn }}/{{ ssl_fqdn }}.fullchain.cer', '{{ CONST.ssl.certdir }}/{{ ssl_fqdn }}.fullchain.cer' , '0444']
- [ '{{ ssl_certs_local_dir }}/{{ ssl_fqdn }}/{{ ssl_fqdn }}.key.pem', '{{ CONST.ssl.certdir }}/{{ ssl_fqdn }}.key.pem' , '0400']
- [ '{{ ssl_certs_local_dir }}/{{ ssl_fqdn }}/{{ ssl_fqdn }}.haproxy.pem', '{{ CONST.ssl.certdir }}/{{ ssl_fqdn }}.haproxy.pem' , '0444']
- [ '{{ ssl_certs_local_dir }}/{{ ssl_fqdn }}/{{ ssl_fqdn }}.ca.cer', '{{ CONST.ssl.certdir }}/{{ ssl_fqdn }}.ca.cer' , '0444']
# ^
# |
# filestructure after ACME.SH dump
```
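Review bot: step 2, `rsync -rav ...:{{ ssl_master_install_dir }}/certs/ {{ ssl_certs_local_dir }}`, copies the whole `certs/` tree, i.e. the private keys of every domain the central server manages, onto the Ansible controller (or the AWX worker), although step 3 only ever deploys `{{ ssl_fqdn }}/...`; suggest narrowing the source to `certs/{{ ssl_fqdn }}/` and making sure `ssl_certs_local_dir` is created with a restrictive mode, since the `mode: '0400'` in step 3 protects the key only on the target. The two `shell:` tasks also interpolate `ssl_fqdn`, `ssl_aliases` and the host variables unquoted into a remote `ssh` command line, so a value with shell metacharacters is interpreted on both the controller and the cert host; passing them through `| quote` would avoid that. Step 1 uses `ssl_certman_dir` for the cm.sh location while step 2 uses `ssl_master_install_dir` for the same tree, which reads like an inconsistency in the example. Typos in the new text: "worksation", "certifiactes", "simoultanous", "becaus", "comlete", "brin", "the the creation".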
......@@ -87,3 +87,9 @@ to verify when what was done what for a given domain.
Automation is wonderful. You create systems and certificates for them on the fly.
And you destroy test machines. A parameter "list-old" shows certiciates that were not renewed
anymore and are older 90 days.
## Overview
This is an overview of the components for issuing a certificate that take part:
![Components](images/cert-manager-components.png)
\ No newline at end of file
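Review bot: the added Overview section ends without a trailing newline (the `\ No newline at end of file` marker); adding one keeps later diffs on this file clean. The surrounding context has "certiciates" for "certificates" and "older 90 days" should read "older than 90 days".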
/*
patch css elements of daux.io blue theme
version 2022-04-22
*/
......@@ -34,7 +35,17 @@
/* ---------- tags ---------- */
body, *{color: var(--color); }
a.Brand::before {
background: rgb(255,0,51);
color: #fff;
font-family: arial;
font-weight: bold;
padding: 0.5em 0.3em;
content: 'IML';
margin-right: 0.4em;
}
body, *{color: var(--color);}
body{background: var(--bg-body);}
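Review bot: the rule `body, *{color: var(--color); }` appears twice in this hunk, once on its first line and again right after the `a.Brand::before` block; keep one of them.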