Commit d6713d91 authored by Hahn Axel (hahn)

update docs

parent 73a3a6b5
......@@ -129,6 +129,14 @@ In a scenario of automatic deployment with Ansible or Puppet you don't want to f
creates (or renews if close to expiriation) a certificate with 2 hostnames in it.
This ensure action handles the logic if a certificate must be
* created (if it does not exist) or
* renewed (it already exists) or
* re-created (the list of dns names in the certificate was changed)
It detects if a domain in the certificate can use a txt record or needs dns auth mode.
## Show certificate data
Use the listing `[APPPATH]/cm.sh list` or maybe filter it `[APPPATH]/cm.sh list | grep "mail."`
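Review bot: the line "It detects if a domain in the certificate can use a txt record or needs dns auth mode" is ambiguous, because a TXT record is itself how a DNS challenge is answered; name the two validation modes you mean (for example webroot/HTTP versus DNS) and say which property of the domain decides between them, since that is what an operator needs to know before running `cm.sh ensure`. Also "expiriation" should be "expiration", and "This ensure action handles" reads better as "The ensure action handles".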
......
# Automation with Ansible
This is an example how our own installation works.
Ansible can be started manually on a worksation of a sysadmin or on AWX. So we need a
"central server" that manages and holds all certifiactes.
In cm.sh is a queuing to handle only one certificate. Multiple simoultanous
calls of cm.sh - from multiple machines or becaus of parallel tasks in your
playbook are no problem.
![Workflow with Ansible](images/lets-encrypt-workflow-ansible.png)
The following snippets give you an idea how it is done. Even if it is not
a comlete source with all values of the variables.
## 1. Execute cm.sh
The Ansible instances start the `cm.sh` as SSH command. This triggers the the creation or
renew of a certificate - whatever is needed.
```yaml
- name: 'on {{ ssl_master_certhost }} - start {{ ssl_certman_dir }}/cm.sh ensure ...'
shell: |
ssh {{ ssl_master_user }}@{{ ssl_master_certhost }} {{ ssl_certman_dir }}/cm.sh ensure {{ ssl_fqdn }} {{ ssl_aliases | join(' ')}}
become_user: "{{ lookup('env','USER') }}"
delegate_to: localhost
# maybe you need to set
# become: true|false
```
## 2. Rsync certs locally
With rsync it syncs the certificate folder locally to the Ansible machine.
```yaml
- name: "sync certs locally"
shell: |
rsync -rav {{ ssl_master_user }}@{{ ssl_master_certhost }}:{{ ssl_master_install_dir }}/certs/ {{ ssl_certs_local_dir }}
become_user: "{{ lookup('env','USER') }}"
delegate_to: localhost
# maybe you need to set
# become: true|false
```
## 3. Deploy files
Now we can use normal Ansible copy mechanisms to brin these files to the target system.
```yaml
- name: Install key + certificate for {{ ssl_fqdn }} + intermediate CA
copy:
src: '{{ item[0] }}'
dest: '{{ item[1] }}'
mode: '{{ item[2] }}'
backup: true
notify: "{{ ssl_change_notify | default([]) }}"
loop:
- [ '{{ ssl_certs_local_dir }}/{{ ssl_fqdn }}/{{ ssl_fqdn }}.cert.cer', '{{ CONST.ssl.certdir }}/{{ ssl_fqdn }}.cert.cer' , '0444']
- [ '{{ ssl_certs_local_dir }}/{{ ssl_fqdn }}/{{ ssl_fqdn }}.fullchain.cer', '{{ CONST.ssl.certdir }}/{{ ssl_fqdn }}.fullchain.cer' , '0444']
- [ '{{ ssl_certs_local_dir }}/{{ ssl_fqdn }}/{{ ssl_fqdn }}.key.pem', '{{ CONST.ssl.certdir }}/{{ ssl_fqdn }}.key.pem' , '0400']
- [ '{{ ssl_certs_local_dir }}/{{ ssl_fqdn }}/{{ ssl_fqdn }}.haproxy.pem', '{{ CONST.ssl.certdir }}/{{ ssl_fqdn }}.haproxy.pem' , '0444']
- [ '{{ ssl_certs_local_dir }}/{{ ssl_fqdn }}/{{ ssl_fqdn }}.ca.cer', '{{ CONST.ssl.certdir }}/{{ ssl_fqdn }}.ca.cer' , '0444']
# ^
# |
# filestructure after ACME.SH dump
```
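Review bot: in the first task the remote command is built by interpolating `{{ ssl_fqdn }}` and `{{ ssl_aliases | join(' ') }}` unquoted into a `shell:` string, so any inventory value containing shell metacharacters changes what runs on the cert host; quote each value (`{{ ssl_fqdn | quote }}`, and quote each alias before joining) or validate the variables against a hostname pattern in a preceding `assert` task. The rsync step pulls the whole `certs/` tree, private keys included, onto the Ansible controller or sysadmin workstation, so the text should state that `ssl_certs_local_dir` must be readable only by the deploying user. In the copy loop the `.key.pem` entry gets `mode: '0400'` but no `owner`/`group`, so ownership falls to whichever user the connection runs as; add `owner` and `group` for the service that reads the key. Spelling: "worksation", "certifiactes", "simoultanous", "becaus", "comlete", "brin", and "the the creation".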
......@@ -87,3 +87,9 @@ to verify when what was done what for a given domain.
Automation is wonderful. You create systems and certificates for them on the fly.
And you destroy test machines. A parameter "list-old" shows certiciates that were not renewed
anymore and are older 90 days.
## Overview
This is an overview of the components for issuing a certificate that take part:
![Components](images/cert-manager-components.png)
\ No newline at end of file
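Review bot: "are older 90 days" should read "are older than 90 days", and "certiciates" is misspelled; the file also ends without a trailing newline, as git flags here, so add one. The new paragraph references `images/cert-manager-components.png`, which does not appear in this diff, so confirm the image is committed as well.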
......@@ -34,7 +34,17 @@
/* ---------- tags ---------- */
body, *{color: var(--color); }
a.Brand::before {
background: rgb(255,0,51);
color: #fff;
font-family: arial;
font-weight: bold;
padding: 0.5em 0.3em;
content: 'IML';
margin-right: 0.4em;
}
body, *{color: var(--color);}
body{background: var(--bg-body);}
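Review bot: `body, *{color: var(--color); }` is now declared twice, once above the new `a.Brand::before` block and again right below it; remove one copy. `font-family: arial;` should carry a generic fallback (`arial, sans-serif`) for systems without Arial installed.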
......