Commit d4156f95 authored by Hahn Axel (hahn)

Merge branch '5213-handle-dns-alias-domain' into 'master'

mix multiple domains using domain alias or not

See merge request open-source/iml-certman!13
parents a4ad9dc2 63949a9f
...@@ -31,6 +31,7 @@ ...@@ -31,6 +31,7 @@
# 2022-04-04 <axel.hahn@iml.unibe.ch> added param "list-old" # 2022-04-04 <axel.hahn@iml.unibe.ch> added param "list-old"
# 2022-04-07 <axel.hahn@iml.unibe.ch> fix missing key in public_ensure before calling public_add too. # 2022-04-07 <axel.hahn@iml.unibe.ch> fix missing key in public_ensure before calling public_add too.
# 2022-04-20 <axel.hahn@iml.unibe.ch> fix multiple domains using domain alias # 2022-04-20 <axel.hahn@iml.unibe.ch> fix multiple domains using domain alias
# 2022-04-21 <axel.hahn@iml.unibe.ch> mix multiple domains using domain alias or not
# ====================================================================== # ======================================================================
...@@ -406,11 +407,13 @@ function public_add(){ ...@@ -406,11 +407,13 @@ function public_add(){
for _mydomain in $CM_fqdn $* for _mydomain in $CM_fqdn $*
do do
_params+="-d $_mydomain " _params+="-d $_mydomain --challenge-alias "
if [ -n "${CM_challenge_alias}" ] && ! echo "$_mydomain" | grep "${CM_certmatch}" >/dev/null if [ -n "${CM_challenge_alias}" ] && ! echo "$_mydomain" | grep "${CM_certmatch}" >/dev/null
then then
_params+="--challenge-alias ${CM_challenge_alias} " _params+="${CM_challenge_alias} "
else
_params+="no "
fi fi
done done
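Review bot: the new `else` branch appends `--challenge-alias no` to every `-d` that does not take the alias, including the case where `${CM_challenge_alias}` is empty and alias mode was never configured, so hosts that previously got a plain `-d $_mydomain` now pass `--challenge-alias no` to acme.sh for every domain; this relies on acme.sh reading the literal value `no` as "no alias for this domain", a convention that deserves a comment above the loop, and the empty-alias case can keep its old behaviour by appending `--challenge-alias` only inside a single `if [ -n "${CM_challenge_alias}" ]` that wraps the whole block. Separately, the unchanged test `echo "$_mydomain" | grep "${CM_certmatch}" >/dev/null` matches `CM_certmatch` as an unanchored basic regular expression anywhere in the name (a `.` matches any character, and a name that merely contains the pattern also matches), so a domain can be sorted into the wrong validation path; prefer `grep -q -- "${CM_certmatch}"` and, if `CM_certmatch` is meant as a literal suffix, anchor it (`grep -q -- "${CM_certmatch}\$"`) or use a `case "$_mydomain" in *"${CM_certmatch}") ...; esac` glob test.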
...@@ -418,7 +421,7 @@ function public_add(){ ...@@ -418,7 +421,7 @@ function public_add(){
mkdir -p "${CM_dircerts}" 2>/dev/null mkdir -p "${CM_dircerts}" 2>/dev/null
_wd "--- create certificate" _wd "--- create certificate"
echo $ACME --issue $_params $ACME_Params echo "$ACME --issue $_params $ACME_Params"
if ! $ACME --issue $_params $ACME_Params if ! $ACME --issue $_params $ACME_Params
then then
echo "ERROR: adding cert failed. Trying to delete internal data ..." echo "ERROR: adding cert failed. Trying to delete internal data ..."
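Review bot: quoting the `echo` only fixes the log line; the invocation on the next line, `if ! $ACME --issue $_params $ACME_Params`, still expands `$_params` and `$ACME_Params` unquoted, so the arguments are re-split on IFS and any glob characters in them are expanded, and the command that is logged is not guaranteed to be the one that runs. Since the loop above builds `_params` as one space-separated string on purpose, the robust fix is a bash array (`_params+=(-d "$_mydomain" --challenge-alias "$_alias")` in the loop and `"${_params[@]}"` here), which keeps the logged and executed commands identical. In the same hunk, `mkdir -p "${CM_dircerts}" 2>/dev/null` hides a failing `mkdir` and lets `--issue` fail later with a less obvious error; consider `|| exit 1` (or an `_wd`/error line) right there.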
...@@ -129,6 +129,14 @@ In a scenario of automatic deployment with Ansible or Puppet you don't want to f ...@@ -129,6 +129,14 @@ In a scenario of automatic deployment with Ansible or Puppet you don't want to f
creates (or renews if close to expiriation) a certificate with 2 hostnames in it. creates (or renews if close to expiriation) a certificate with 2 hostnames in it.
This ensure action handles the logic if a certificate must be
* created (if it does not exist) or
* renewed (it already exists) or
* re-created (the list of dns names in the certificate was changed)
It detects if a domain in the certificate can use a txt record or needs dns auth mode.
## Show certificate data ## Show certificate data
Use the listing `[APPPATH]/cm.sh list` or maybe filter it `[APPPATH]/cm.sh list | grep "mail."` Use the listing `[APPPATH]/cm.sh list` or maybe filter it `[APPPATH]/cm.sh list | grep "mail."`
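Review bot: the added sentence `It detects if a domain in the certificate can use a txt record or needs dns auth mode.` does not say what the two modes are; name them as the script does, i.e. whether the DNS TXT record for the domain can be written directly or whether the DNS alias mode (`--challenge-alias`, as set in `public_add`) is required, and spell "TXT" and "DNS" in capitals. Also put a blank line before `* created (if it does not exist) or` and after the last bullet so the list is rendered reliably, and while touching this paragraph fix "expiriation" in the context line above to "expiration".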
# Automation with Ansible
This is an example how our own installation works.
Ansible can be started manually on a worksation of a sysadmin or on AWX. So we need a
"central server" that manages and holds all certifiactes.
In cm.sh is a queuing to handle only one certificate. Multiple simoultanous
calls of cm.sh - from multiple machines or becaus of parallel tasks in your
playbook are no problem.
![Workflow with Ansible](images/lets-encrypt-workflow-ansible.png)
The following snippets give you an idea how it is done. Even if it is not
a comlete source with all values of the variables.
## 1. Execute cm.sh
The Ansible instances start the `cm.sh` as SSH command. This triggers the the creation or
renew of a certificate - whatever is needed.
```yaml
- name: 'on {{ ssl_master_certhost }} - start {{ ssl_certman_dir }}/cm.sh ensure ...'
shell: |
ssh {{ ssl_master_user }}@{{ ssl_master_certhost }} {{ ssl_certman_dir }}/cm.sh ensure {{ ssl_fqdn }} {{ ssl_aliases | join(' ')}}
become_user: "{{ lookup('env','USER') }}"
delegate_to: localhost
# maybe you need to set
# become: true|false
```
## 2. Rsync certs locally
With rsync it syncs the certificate folder locally to the Ansible machine.
```yaml
- name: "sync certs locally"
shell: |
rsync -rav {{ ssl_master_user }}@{{ ssl_master_certhost }}:{{ ssl_master_install_dir }}/certs/ {{ ssl_certs_local_dir }}
become_user: "{{ lookup('env','USER') }}"
delegate_to: localhost
# maybe you need to set
# become: true|false
```
## 3. Deploy files
Now we can use normal Ansible copy mechanisms to brin these files to the target system.
```yaml
- name: Install key + certificate for {{ ssl_fqdn }} + intermediate CA
copy:
src: '{{ item[0] }}'
dest: '{{ item[1] }}'
mode: '{{ item[2] }}'
backup: true
notify: "{{ ssl_change_notify | default([]) }}"
loop:
- [ '{{ ssl_certs_local_dir }}/{{ ssl_fqdn }}/{{ ssl_fqdn }}.cert.cer', '{{ CONST.ssl.certdir }}/{{ ssl_fqdn }}.cert.cer' , '0444']
- [ '{{ ssl_certs_local_dir }}/{{ ssl_fqdn }}/{{ ssl_fqdn }}.fullchain.cer', '{{ CONST.ssl.certdir }}/{{ ssl_fqdn }}.fullchain.cer' , '0444']
- [ '{{ ssl_certs_local_dir }}/{{ ssl_fqdn }}/{{ ssl_fqdn }}.key.pem', '{{ CONST.ssl.certdir }}/{{ ssl_fqdn }}.key.pem' , '0400']
- [ '{{ ssl_certs_local_dir }}/{{ ssl_fqdn }}/{{ ssl_fqdn }}.haproxy.pem', '{{ CONST.ssl.certdir }}/{{ ssl_fqdn }}.haproxy.pem' , '0444']
- [ '{{ ssl_certs_local_dir }}/{{ ssl_fqdn }}/{{ ssl_fqdn }}.ca.cer', '{{ CONST.ssl.certdir }}/{{ ssl_fqdn }}.ca.cer' , '0444']
# ^
# |
# filestructure after ACME.SH dump
```
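Review bot: step 1 passes `{{ ssl_fqdn }} {{ ssl_aliases | join(' ')}}` unquoted into a `shell:` task that runs `ssh`, so every inventory or host_vars value is interpreted first by the local shell and then again by the login shell on `ssl_master_certhost`; use the `command:` module (or `argv:`) and `| quote` on the variables, and document that the `ssl_master_user` key on the cert host should be restricted to running `cm.sh` (a `command=` option in `authorized_keys`) since every Ansible operator and AWX job can reach it. Step 2 then pulls the whole `certs/` tree, which per step 3 includes the `*.key.pem` private keys of all hosts, onto the controller into `ssl_certs_local_dir`, not only the key for `{{ ssl_fqdn }}`; sync just the `{{ ssl_fqdn }}/` subdirectory and state the permissions expected on that local directory. In step 3, `backup: true` applied to the `.key.pem` entry leaves timestamped copies of old private keys next to the live one on the target; drop the backup for the key or explain why it is wanted. Finally, the prose has several typos to fix: "worksation", "certifiactes", "simoultanous", "becaus", "comlete", "brin", "the the creation" and "renew of a certificate" (renewal).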
...@@ -87,3 +87,9 @@ to verify when what was done what for a given domain. ...@@ -87,3 +87,9 @@ to verify when what was done what for a given domain.
Automation is wonderful. You create systems and certificates for them on the fly. Automation is wonderful. You create systems and certificates for them on the fly.
And you destroy test machines. A parameter "list-old" shows certiciates that were not renewed And you destroy test machines. A parameter "list-old" shows certiciates that were not renewed
anymore and are older 90 days. anymore and are older 90 days.
## Overview
This is an overview of the components for issuing a certificate that take part:
![Components](images/cert-manager-components.png)
\ No newline at end of file
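Review bot: the file now ends without a trailing newline (`\ No newline at end of file`); add one so the next diff does not touch this line again. The context lines above also carry two typos worth fixing in the same change: "certiciates" should be "certificates", and "older 90 days" should be "older than 90 days".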
docs/images/cert-manager-components.png (63.3 KiB)
docs/images/lets-encrypt-workflow-ansible.png (101 KiB)

/* /*
patch css elements of daux.io blue theme patch css elements of daux.io blue theme
version 2022-04-22
*/ */
...@@ -34,7 +35,17 @@ ...@@ -34,7 +35,17 @@
/* ---------- tags ---------- */ /* ---------- tags ---------- */
body, *{color: var(--color); } a.Brand::before {
background: rgb(255,0,51);
color: #fff;
font-family: arial;
font-weight: bold;
padding: 0.5em 0.3em;
content: 'IML';
margin-right: 0.4em;
}
body, *{color: var(--color);}
body{background: var(--bg-body);} body{background: var(--bg-body);}
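Review bot: the new `a.Brand::before` rule hard-codes `background: rgb(255,0,51);` and `color: #fff;` right next to rules that use the theme variables (`var(--color)`, `var(--bg-body)`), so the badge will not follow the theme; expose the two colours as variables in the same `:root` block. `font-family: arial;` has no generic fallback and should be `Arial, Helvetica, sans-serif`. Also note that `version 2022-04-22` in the file header disagrees with the `2022-04-21` changelog entry added to `cm.sh` in this merge.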