From 68ce1cd6d58ee4e7710a4aa6aee3d1159836b4e0 Mon Sep 17 00:00:00 2001
From: apavlov
Date: Mon, 1 Jul 2024 20:55:57 +0300
Subject: [PATCH] each server own cert

---
roles/rproxy/tasks/main.yml | 57 +++++++++++++++------------
roles/rproxy/templates/server.cnf.j2 | 8 ++--
roles/rproxy/templates/server.conf.j2 | 4 +-
3 files changed, 37 insertions(+), 32 deletions(-)

diff --git a/roles/rproxy/tasks/main.yml b/roles/rproxy/tasks/main.yml
index a206feb..06c96ea 100644
--- a/roles/rproxy/tasks/main.yml
+++ b/roles/rproxy/tasks/main.yml
@@ -56,32 +56,6 @@
 src: files/RootCA.key
 dest: '{{ rproxy_dir }}/certs/RootCA.key'
- - name: Copy server certificate cnf
- ansible.builtin.template:
- src: templates/server.cnf.j2
- dest: '{{ rproxy_dir }}/certs/server.cnf'
-
- - name: Generate server key
- ansible.builtin.shell:
- cmd: 'openssl genrsa -out {{ rproxy_dir }}/certs/{{ domain.stdout }}.key 2048'
-
- - name: Generate server csr
- ansible.builtin.shell:
- cmd: 'openssl req -key {{ rproxy_dir }}/certs/{{ domain.stdout }}.key -new -out {{ rproxy_dir }}/certs/{{ domain.stdout }}.csr -config {{ rproxy_dir }}/certs/server.cnf'
-
- - name: Sign server certificate
- ansible.builtin.shell:
- cmd: 'openssl x509 -req -CA {{ rproxy_dir }}/certs/RootCA.crt -CAkey {{ rproxy_dir }}/certs/RootCA.key -in {{ rproxy_dir }}/certs/{{ domain.stdout }}.csr -out {{ rproxy_dir }}/certs/{{ domain.stdout }}.crt -CAcreateserial'
-
- - name: Create fullchain certificate
- ansible.builtin.shell:
- cmd: 'cat {{ rproxy_dir }}/certs/RootCA.crt >> {{ rproxy_dir }}/certs/{{ domain.stdout }}.crt'
-
- - name: Delete csr
- ansible.builtin.file:
- path: "{{ rproxy_dir }}/certs/{{ domain.stdout }}.csr"
- state: absent
-
 - name: Start rproxy
 community.docker.docker_compose:
 project_src: "{{ rproxy_dir }}"
@@ -94,6 +68,37 @@
 src: templates/server.conf.j2
 dest: "{{ rproxy_dir }}/sites/{{ rproxy_service_name }}.conf"
+ - name: Copy server certificate cnf
+ ansible.builtin.template:
+ src: templates/server.cnf.j2
+ dest: '{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.cnf'
+
+ - name: Generate server key
+ ansible.builtin.shell:
+ cmd: 'openssl genrsa -out {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.key 2048'
+
+ - name: Generate server csr
+ ansible.builtin.shell:
+ cmd: 'openssl req -key {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.key -new -out {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr -config {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.cnf'
+
+ - name: Sign server certificate
+ ansible.builtin.shell:
+ cmd: 'openssl x509 -req -CA {{ rproxy_dir }}/certs/RootCA.crt -CAkey {{ rproxy_dir }}/certs/RootCA.key -in {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr -out {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.crt -CAcreateserial'
+
+ - name: Create fullchain certificate
+ ansible.builtin.shell:
+ cmd: 'cat {{ rproxy_dir }}/certs/RootCA.crt >> {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.crt'
+
+ - name: Delete csr
+ ansible.builtin.file:
+ path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr"
+ state: absent
+
+ - name: Delete cnf
+ ansible.builtin.file:
+ path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.cnf"
+ state: absent
+
 - name: Restart rproxy
 community.docker.docker_compose:
 project_src: "{{ rproxy_dir }}"
diff --git a/roles/rproxy/templates/server.cnf.j2 b/roles/rproxy/templates/server.cnf.j2
index 441cb7b..9105517 100644
--- a/roles/rproxy/templates/server.cnf.j2
+++ b/roles/rproxy/templates/server.cnf.j2
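Review bot: The `Sign server certificate` task's `openssl x509 -req` command passes neither `-days` nor an `-extfile`, so the issued certificate gets the `x509` default lifetime rather than the `days = 365` from the cnf's `[ req ]` section (which only `openssl req` reads), and the CSR's `v3_req` extensions — `extendedKeyUsage` and the `subjectAltName` from the server.cnf.j2 hunk — are not carried into the certificate, leaving it without a SAN that modern clients require. The cnf is only deleted two tasks later, so the fix is local to that line: `cmd: 'openssl x509 -req -days 365 -extfile {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.cnf -extensions v3_req -CA {{ rproxy_dir }}/certs/RootCA.crt -CAkey {{ rproxy_dir }}/certs/RootCA.key -in {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr -out {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.crt -CAcreateserial'`. Separately, none of the added `ansible.builtin.shell` tasks declare `args: { creates: ... }`, so every play run regenerates the key and re-signs the certificate. The `Generate server key` task also leaves the private key at whatever the default umask gives; a follow-up `ansible.builtin.file` with `mode: '0600'` on `{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.key` would keep it from being world-readable on the host. The same points applied to the removed tasks in the previous hunk, which this hunk re-adds under the per-service name.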
@@ -1,17 +1,17 @@
 [ req ]
 prompt = no
 days = 365
-distinguished_name = {{ domain.stdout }}
+distinguished_name = {{ rproxy_service_name }}.{{ domain.stdout }}
 req_extensions = v3_req
-[ olsson.ul ]
+[ {{ rproxy_service_name }}.{{ domain.stdout }} ]
 countryName = RU
 stateOrProvinceName = RU
 localityName = MSK
 organizationName = {{ domain.stdout }}
 organizationalUnitName = IT
-commonName = {{ domain.stdout }}
+commonName = {{ rproxy_service_name }}.{{ domain.stdout }}
 emailAddress = admin@{{ domain.stdout }}
 [ v3_req ]
@@ -20,4 +20,4 @@ extendedKeyUsage = serverAuth
 subjectAltName = @sans
 [ sans ]
-DNS.0 = *.{{ domain.stdout }}
\ No newline at end of file
+DNS.0 = {{ rproxy_service_name }}.{{ domain.stdout }}
\ No newline at end of file
diff --git a/roles/rproxy/templates/server.conf.j2 b/roles/rproxy/templates/server.conf.j2
index 9910c7f..c833687 100644
--- a/roles/rproxy/templates/server.conf.j2
+++ b/roles/rproxy/templates/server.conf.j2
@@ -15,8 +15,8 @@ server {
 server_name {{ rproxy_service_name }}.{{ domain.stdout }};
 access_log /var/log/nginx/{{ rproxy_service_name }}.access.log;
 error_log /var/log/nginx/{{ rproxy_service_name }}.error.log;
- ssl_certificate /etc/nginx/certs/{{ domain.stdout }}.crt;
- ssl_certificate_key /etc/nginx/certs/{{ domain.stdout }}.key;
+ ssl_certificate /etc/nginx/certs/{{ rproxy_service_name }}.crt;
+ ssl_certificate_key /etc/nginx/certs/{{ rproxy_service_name }}.key;
 ssl_protocols TLSv1.2;
 ssl_ciphers EECDH:+AES256:-3DES:!RSA+AES:!RSA+3DES:!NULL:!RC4;
 ssl_prefer_server_ciphers on;
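Review bot: The `distinguished_name` value and the matching section header are now the templated FQDN `{{ rproxy_service_name }}.{{ domain.stdout }}`, so the config's structure depends on the expanded hostname being a valid OpenSSL section name, and the same expression is written three times in this hunk. A fixed section name keeps the structure independent of the value: `distinguished_name = dn` together with `[ dn ]`, leaving only `commonName` (and `DNS.0` in the next hunk) templated. Note also that `days = 365` in `[ req ]` is only honored by `openssl req -x509` self-signing; it has no effect on the separate `openssl x509 -req` signing step in tasks/main.yml, so it either needs a comment saying so or should be dropped to avoid implying a lifetime the certificate does not get.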
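Review bot: The replacement `DNS.0` line still ends the template without a trailing newline, as the `\ No newline at end of file` marker on both sides shows; terminating the file with a newline removes that marker from every future diff to the last line. Since the SAN now lists only the single service FQDN, any request for the bare `{{ domain.stdout }}` name previously covered by the `*.` wildcard would no longer validate against this certificate — presumably intended by the commit, but worth a one-line comment above `[ sans ]` stating that each service gets exactly its own name.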