From 671b6762bebe18304f30de10b6cd4481645966f5 Mon Sep 17 00:00:00 2001 From: apavlov Date: Sun, 30 Jun 2024 16:39:34 +0300 Subject: [PATCH 01/28] mask passwords --- Jenkinsfile | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index 7001ed1..9475bad 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -13,7 +13,11 @@ pipeline { } stage('Run') { steps { - sh 'ansible-playbook rproxy.yml -i ${target_host}, -u ${username} -e "ansible_password=${password}"' + script { + wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[password: params.password]]]) { + sh 'ansible-playbook rproxy.yml -i ${target_host}, -u ${username} -e "ansible_password=${password}"' + } + } } } } From 2d5397e60a378ff63589b79123bd4a884d365797 Mon Sep 17 00:00:00 2001 From: apavlov Date: Sun, 30 Jun 2024 16:40:05 +0300 Subject: [PATCH 02/28] switch bransh --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index 9475bad..df7363a 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -8,7 +8,7 @@ pipeline { stages { stage('Download') { steps { - git branch: 'master', url:'${git_url}/Ansible/rproxy.git', credentialsId: 'git' + git branch: 'dev', url:'${git_url}/Ansible/rproxy.git', credentialsId: 'git' } } stage('Run') { From 33f1db41e9bacf3fbeed6dcb640b08d20199c672 Mon Sep 17 00:00:00 2001 From: apavlov Date: Sun, 30 Jun 2024 16:45:34 +0300 Subject: [PATCH 03/28] fix quotes --- roles/rproxy/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/rproxy/tasks/main.yml b/roles/rproxy/tasks/main.yml index 2fa4f27..f4b22d9 100644 --- a/roles/rproxy/tasks/main.yml +++ b/roles/rproxy/tasks/main.yml @@ -13,12 +13,12 @@ - name: Remove rproxy dir ansible.builtin.file: - path: {{ rproxy_dir }} + path: "{{ rproxy_dir }}" state: absent - name: Create rproxy dir ansible.builtin.file: - path: {{ rproxy_dir }} + path: "{{ rproxy_dir }}" state: directory - name: Create sites dir 
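Review bot: The wrapper only masks the console log; `-e "ansible_password=${password}"` still places the password on the ansible-playbook command line, where it is visible in the agent's process list and in Ansible's own verbose output, and the same `sh` line expands `${target_host}` and `${username}` unquoted, so a build parameter containing shell metacharacters becomes part of the executed command. Quote every parameter (`-i "${target_host}," -u "${username}"`) and keep the secret off the command line, e.g. export it with `withEnv` and read it in the playbook via `lookup('env', 'ANSIBLE_PASSWORD')`, or better replace the `password()` parameter with a Jenkins credential consumed through `withCredentials`. The same unquoted `sh 'ansible-playbook …'` pattern is repeated in the 'Install Rproxy' and 'Add config' stages added by PATCH 04.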
From 41bcd91195375021904063d9efe9ba7e63528d8c Mon Sep 17 00:00:00 2001 From: apavlov Date: Sun, 30 Jun 2024 18:30:49 +0300 Subject: [PATCH 04/28] progress --- Jenkinsfile | 47 +++++++- roles/rproxy/files/nginx.conf | 7 -- roles/rproxy/tasks/main.yml | 119 ++++++++++++++----- roles/rproxy/templates/docker-compose.yml.j2 | 4 +- roles/rproxy/templates/server.cnf.j2 | 23 ++++ roles/rproxy/templates/server.conf.j2 | 25 ++-- rproxy.yml | 11 +- 7 files changed, 179 insertions(+), 57 deletions(-) create mode 100644 roles/rproxy/templates/server.cnf.j2 diff --git a/Jenkinsfile b/Jenkinsfile index df7363a..97e6292 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -4,6 +4,14 @@ pipeline { string(name: "target_host", defaultValue: "", trim: true, description: "Target host") string(name: "username", defaultValue: "", trim: true, description: "Ansible user") password(name: "password", defaultValue: "", description: "Ansible password") + booleanParam(name: "rproxy_install", defaultValue: true, description: "Install Rproxy") + base64File(name: "rootca", description: "RootCA (only for 'Install Rproxy')") + base64File(name: "rootca_key", description: "RootCA key (only for 'Install Rproxy')") + booleanParam(name: "config_add", defaultValue: true, description: "Add config") + string(name: "rproxy_service_name", defaultValue: "", trim: true, description: "Service name (for 'Add config' job only)") + string(name: "rproxy_service_port", defaultValue: "", trim: true, description: "Service port (for 'Add config' job only)") + string(name: "rproxy_service_address", defaultValue: "", trim: true, description: "Service address (for 'Add config' job only)") + } stages { stage('Download') { 
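Review bot: `base64File(name: "rootca_key", …)` makes the CA private key a build parameter, so it is persisted in each build's parameter record, readable by anyone who can view the build, and must be re-uploaded on every run. A file credential consumed with `withCredentials([file(credentialsId: '<CA_KEY_CRED_ID>', variable: 'ROOTCA_KEY')])` keeps the key in the credentials store and out of build history. `rproxy_service_port` is a free-form string; its `description` should state the expected form (a numeric port), and the three `rproxy_service_*` descriptions say "for 'Add config' job only" while the install stage in this same commit passes them as well.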
@@ -11,11 +19,46 @@ pipeline { git branch: 'dev', url:'${git_url}/Ansible/rproxy.git', credentialsId: 'git' } } - stage('Run') { + stage('Save certs') { + when { + expression { + return params.rproxy_install + } + } + steps { + sh 'mkdir roles/rproxy/files/certs' + withFileParameter('rootca') { + sh 'mv ${rootca} roles/rproxy/files/certs/RootCA.crt' + } + withFileParameter('rootca_key') { + sh 'mv ${rootca_key} roles/rproxy/files/certs/RootCA.key' + } + } + } + stage('Install Rproxy') { + when { + expression { + return params.rproxy_install + } + } steps { script { wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[password: params.password]]]) { - sh 'ansible-playbook rproxy.yml -i ${target_host}, -u ${username} -e "ansible_password=${password}"' + sh 'ansible-playbook rproxy.yml -i ${target_host}, -t install -u ${username} -e "ansible_password=${password} rproxy_service_name=${rproxy_service_name} rproxy_service_port=${rproxy_service_port} rproxy_service_address=${rproxy_service_address}"' + } + } + } + } + stage('Add config') { + when { + expression { + return params.config_add + } + } + steps { + script { + wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[password: params.password]]]) { + sh 'ansible-playbook rproxy.yml -i ${target_host}, -t add_config -u ${username} -e "ansible_password=${password} rproxy_service_name=${rproxy_service_name} rproxy_service_port=${rproxy_service_port} rproxy_service_address=${rproxy_service_address}"' } } } diff --git a/roles/rproxy/files/nginx.conf b/roles/rproxy/files/nginx.conf index c92b4e8..5c5ab7d 100644 --- a/roles/rproxy/files/nginx.conf +++ b/roles/rproxy/files/nginx.conf @@ -1,4 +1,3 @@ -load_module modules/ngx_http_headers_more_filter_module.so; user nginx; worker_processes auto; 
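Review bot: The 'Save certs' stage moves `${rootca_key}` to `roles/rproxy/files/certs/RootCA.key` inside the workspace and nothing removes it afterwards, so the CA private key remains on the agent after the build and is readable to anyone with workspace access; add a pipeline-level (outside this hunk) `post { always { sh 'rm -f roles/rproxy/files/certs/RootCA.key' } }` or `deleteDir()` for that directory. `sh 'mkdir roles/rproxy/files/certs'` also fails on the second run in a reused workspace unless `-p` is given. The `sh 'ansible-playbook …'` lines in 'Install Rproxy' and 'Add config' differ only in the `-t` tag; a small helper taking the tag as an argument would remove the duplicated command string, and the install invocation passes `rproxy_service_*` variables that the install tag does not use.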
@@ -20,14 +19,8 @@ http { '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; - sendfile on; - #tcp_nopush on; - keepalive_timeout 65; - - #gzip on; - include /etc/nginx/sites/*.conf; server_tokens off; } \ No newline at end of file diff --git a/roles/rproxy/tasks/main.yml b/roles/rproxy/tasks/main.yml index f4b22d9..f5a1d8c 100644 --- a/roles/rproxy/tasks/main.yml +++ b/roles/rproxy/tasks/main.yml 
@@ -3,44 +3,97 @@ ansible.builtin.shell: cmd: hostname -d register: domain + tags: + - install + - add_config -- name: Install dependencies - ansible.builtin.apt: - name: - - docker.io - - docker-compose - update_cache: yes +- name: Install rproxy + block: + - name: Install dependencies + ansible.builtin.apt: + name: + - docker.io + - docker-compose + update_cache: yes -- name: Remove rproxy dir - ansible.builtin.file: - path: "{{ rproxy_dir }}" - state: absent + - name: Remove rproxy dir + ansible.builtin.file: + path: "{{ rproxy_dir }}" + state: absent -- name: Create rproxy dir - ansible.builtin.file: - path: "{{ rproxy_dir }}" - state: directory + - name: Create rproxy dir + ansible.builtin.file: + path: "{{ rproxy_dir }}" + state: directory -- name: Create sites dir - ansible.builtin.file: - path: "{{ rproxy_dir }}/sites" - state: directory + - name: Create sites dir + ansible.builtin.file: + path: "{{ rproxy_dir }}/sites" + state: directory -- name: Copy docker-compose - ansible.builtin.template: - src: templates/docker-compose.yml.j2 - dest: "{{ rproxy_dir }}/docker-compose.yml" + - name: Create certs dir + ansible.builtin.file: + path: "{{ rproxy_dir }}/certs" + state: directory -- name: Copy nginx.conf - ansible.builtin.copy: - src: files/nginx.conf - dest: "{{ rproxy_dir }}/nginx.conf" + - name: Copy docker-compose + ansible.builtin.template: + src: templates/docker-compose.yml.j2 + dest: "{{ rproxy_dir }}/docker-compose.yml" -- name: Copy server.conf - ansible.builtin.template: - src: templates/server.conf.j2 - dest: "{{ rproxy_dir }}/sites/server.conf" + - name: Copy nginx.conf + ansible.builtin.copy: + src: files/nginx.conf + dest: "{{ rproxy_dir }}/nginx.conf" + + - name: Copy RootCA certificate + ansible.builtin.copy: + src: files/RootCA.crt + dest: '{{ rproxy_dir }}/certs/RootCA.crt' + + - name: Copy RootCA key + ansible.builtin.copy: + src: files/RootCA.key + dest: '{{ rproxy_dir }}/certs/RootCA.key' + + - name: Copy server certificate cnf + 
ansible.builtin.template: + src: templates/server.cnf.j2 + dest: '{{ rproxy_dir }}/certs/server.cnf' + + - name: Generate server key + ansible.builtin.shell: + cmd: 'openssl genrsa -out {{ rproxy_dir }}/certs/{{ domain.stdout }}.key 2048' + + - name: Generate server csr + ansible.builtin.shell: + cmd: 'openssl req -key {{ rproxy_dir }}/certs/{{ domain.stdout }}.key -new -out {{ rproxy_dir }}/certs/{{ domain.stdout }}.csr -config {{ rproxy_dir }}/certs/server.cnf' + + - name: Sign server certificate + ansible.builtin.shell: + cmd: 'openssl x509 -req -CA {{ rproxy_dir }}/certs/RootCA.crt -CAkey {{ rproxy_dir }}/certs/RootCA.key -in {{ rproxy_dir }}/certs/{{ domain.stdout }}.csr -out {{ rproxy_dir }}/certs/{{ domain.stdout }}.crt -CAcreateserial' + + - name: Delete csr + ansible.builtin.file: + path: "{{ rproxy_dir }}/certs/{{ domain.stdout }}.csr" + state: absent + + - name: Start rproxy + community.docker.docker_compose: + project_src: "{{ rproxy_dir }}" + tags: install + +- name: Create configs + block: + - name: Copy server.conf + ansible.builtin.template: + src: templates/server.conf.j2 + dest: "{{ rproxy_dir }}/sites/{{ rproxy_service_name }}.conf" + + - name: Restart rproxy + community.docker.docker_compose: + project_src: "{{ rproxy_dir }}" + build: false + restarted: true + tags: add_config -- name: Start rproxy - community.docker.docker_compose: - project_src: "{{ rproxy_dir }}" \ No newline at end of file diff --git a/roles/rproxy/templates/docker-compose.yml.j2 b/roles/rproxy/templates/docker-compose.yml.j2 index 7cc197b..7908b6b 100644 --- a/roles/rproxy/templates/docker-compose.yml.j2 +++ b/roles/rproxy/templates/docker-compose.yml.j2 
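Review bot: 'Copy RootCA key' places the CA private key on the proxy host with the copy module's default mode, and 'Generate server key' writes the server key through `openssl genrsa` under the default umask, so both can end up world-readable under `{{ rproxy_dir }}/certs`; at minimum add `mode: '0600'` to the copy task and an `ansible.builtin.file` task with `mode: '0600'` on the generated key. Signing on the target means every proxy host holds the CA key; signing with `delegate_to: localhost` and copying only the issued certificate would keep it on the controller. The three `ansible.builtin.shell` tasks interpolate `{{ domain.stdout }}` (output of `hostname -d`) and `{{ rproxy_dir }}` into shell commands unquoted and have no `creates:`/`changed_when:`, so the certificate is re-issued on every play; passing the values through `| quote` and adding `creates: "{{ rproxy_dir }}/certs/{{ domain.stdout }}.crt"` to the signing task would address both. `community.docker.docker_compose` is the compose-v1 module; if the host only has the compose v2 plugin, a comment stating which compose is expected would save the next reader a failed run.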
@@ -8,9 +8,7 @@ services: volumes: - {{ rproxy_dir }}/nginx.conf:/etc/nginx/nginx.conf - {{ rproxy_dir }}/sites:/etc/nginx/sites - - {{ rproxy_dir }}/sites/default.conf:/etc/nginx/conf.d/default.conf - - {{ rproxy_dir }}/{{ domain.stdout }}.crt:/etc/nginx/{{ domain.stdout }}.crt - - {{ rproxy_dir }}/{{ domain.stdout }}.key:/etc/nginx/{{ domain.stdout }}.key + - {{ rproxy_dir }}/certs:/etc/nginx/certs ports: - 443:443 - 80:80 \ No newline at end of file diff --git a/roles/rproxy/templates/server.cnf.j2 b/roles/rproxy/templates/server.cnf.j2 new file mode 100644 index 0000000..441cb7b --- /dev/null +++ b/roles/rproxy/templates/server.cnf.j2 @@ -0,0 +1,23 @@ +[ req ] +prompt = no +days = 365 +distinguished_name = {{ domain.stdout }} +req_extensions = v3_req + + +[ olsson.ul ] +countryName = RU +stateOrProvinceName = RU +localityName = MSK +organizationName = {{ domain.stdout }} +organizationalUnitName = IT +commonName = {{ domain.stdout }} +emailAddress = admin@{{ domain.stdout }} + +[ v3_req ] +basicConstraints = CA:false +extendedKeyUsage = serverAuth +subjectAltName = @sans + +[ sans ] +DNS.0 = *.{{ domain.stdout }} \ No newline at end of file diff --git a/roles/rproxy/templates/server.conf.j2 b/roles/rproxy/templates/server.conf.j2 index 1cd5b63..22a21af 100644 --- a/roles/rproxy/templates/server.conf.j2 +++ b/roles/rproxy/templates/server.conf.j2 
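Review bot: `distinguished_name = {{ domain.stdout }}` tells `openssl req` to read the DN from a section named after the domain, but the section that follows is the hard-coded `[ olsson.ul ]`, so the lookup fails for any other domain; the header should be `[ {{ domain.stdout }} ]`. `days = 365` is not a setting `openssl req` reads from its config; validity is set with `-days` on the command that issues the certificate. `DNS.0 = *.{{ domain.stdout }}` gives this one certificate a wildcard over the whole domain, which is wider than a single proxy needs; listing the proxied hostnames is the least-privilege choice. A leading `# rendered by roles/rproxy/tasks/main.yml; variables come from the play's hostname -d and role vars` comment would tell readers where the Jinja values originate.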
@@ -1,32 +1,35 @@ -{% for rproxy_service in rproxy_service_list %} +upstream {{ rproxy_service_name }}.{{ domain.stdout }} { + server {{ rproxy_service_address }}:{{ rproxy_service_port }}; +} + server { listen 80; - server_name {{ rproxy_service }}.{{ domain.stdout }}; - access_log /var/log/nginx/{{ rproxy_service }}.access.log; - error_log /var/log/nginx/{{ rproxy_service }}.error.log; + server_name {{ rproxy_service_name }}.{{ domain.stdout }}; + access_log /var/log/nginx/{{ rproxy_service_name }}.access.log; + error_log /var/log/nginx/{{ rproxy_service_name }}.error.log; return 301 https://$server_name$request_uri; } server { listen 443 ssl; - server_name {{ rproxy_service }}.{{ domain.stdout }}; - access_log /var/log/nginx/{{ rproxy_service }}.access.log; - error_log /var/log/nginx/{{ rproxy_service }}.error.log; - ssl_certificate /etc/nginx/{{ domain.stdout }}.crt; - ssl_certificate_key /etc/nginx/{{ domain.stdout }}.key; + server_name {{ rproxy_service_name }}.{{ domain.stdout }}; + access_log /var/log/nginx/{{ rproxy_service_name }}.access.log; + error_log /var/log/nginx/{{ rproxy_service_name }}.error.log; + ssl_certificate /etc/nginx/certs/{{ domain.stdout }}.crt; + ssl_certificate_key /etc/nginx/certs/{{ domain.stdout }}.key; ssl_protocols TLSv1.2; ssl_ciphers EECDH:+AES256:-3DES:!RSA+AES:!RSA+3DES:!NULL:!RC4; ssl_prefer_server_ciphers on; proxy_connect_timeout 600s; fastcgi_request_buffering off; fastcgi_buffers 64 4K; + location / { proxy_pass_header Server; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; - proxy_pass https://{{ rproxy_service }}.{{ domain.stdout }}/; + proxy_pass https://{{ rproxy_service_name }}.{{ domain.stdout }}/; } } -{% endfor %} \ No newline at end of file diff --git a/rproxy.yml b/rproxy.yml index 6acc338..9ee0785 100644 --- a/rproxy.yml +++ b/rproxy.yml 
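Review bot: The new `upstream` is named `{{ rproxy_service_name }}.{{ domain.stdout }}`, the same string `proxy_pass https://…/` uses, so nginx routes to `{{ rproxy_service_address }}:{{ rproxy_service_port }}` through it; with an `https://` backend and no `proxy_ssl_verify on` / `proxy_ssl_trusted_certificate`, the backend certificate is never checked, and if that is intended the template should say so (`# backend TLS is not verified: internal network only`). `ssl_protocols TLSv1.2;` excludes TLSv1.3; `ssl_protocols TLSv1.2 TLSv1.3;` is the usual setting where the nginx image supports it. Naming the upstream exactly like a real hostname hides the indirection; `upstream {{ rproxy_service_name }}_backend` with a matching `proxy_pass` would make it obvious.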
@@ -5,7 +5,16 @@ vars: ansible_python_interpreter: /usr/bin/python3 rproxy_dir: /opt/rproxy - rproxy_service_list: [jenkins] + vars_prompt: + - name: rproxy_service_name + prompt: Enter service for rproxy + + - name: rproxy_service_port + prompt: Enter service for rproxy + + - name: rproxy_service_address + prompt: Enter service for rproxy + roles: - rproxy From dc44f5d6dd11684abe03274443bd473e73d7044b Mon Sep 17 00:00:00 2001 From: apavlov Date: Sun, 30 Jun 2024 18:36:36 +0300 Subject: [PATCH 05/28] path fix --- Jenkinsfile | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index 97e6292..807e8b2 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -26,12 +26,11 @@ pipeline { } } steps { - sh 'mkdir roles/rproxy/files/certs' withFileParameter('rootca') { - sh 'mv ${rootca} roles/rproxy/files/certs/RootCA.crt' + sh 'mv ${rootca} roles/rproxy/files/RootCA.crt' } withFileParameter('rootca_key') { - sh 'mv ${rootca_key} roles/rproxy/files/certs/RootCA.key' + sh 'mv ${rootca_key} roles/rproxy/files/RootCA.key' } } } From 6b4067be150bd2e0931be4f63bfaf7d92cf30092 Mon Sep 17 00:00:00 2001 From: apavlov Date: Mon, 1 Jul 2024 20:30:29 +0300 Subject: [PATCH 06/28] fullchain cert + fix 502 --- roles/rproxy/tasks/main.yml | 4 ++++ roles/rproxy/templates/server.conf.j2 | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/roles/rproxy/tasks/main.yml b/roles/rproxy/tasks/main.yml index f5a1d8c..a206feb 100644 --- a/roles/rproxy/tasks/main.yml +++ b/roles/rproxy/tasks/main.yml 
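Review bot: All three `vars_prompt` entries carry the same text `Enter service for rproxy`, so an interactive user cannot tell whether the name, the port or the address is being requested; use `prompt: Enter service name`, `prompt: Enter service port` and `prompt: Enter service address`. When the Jenkinsfile supplies these as `-e` extra vars the prompts are skipped, which appears intended but deserves a one-line comment above `vars_prompt:`.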
@@ -73,6 +73,10 @@
 ansible.builtin.shell:
 cmd: 'openssl x509 -req -CA {{ rproxy_dir }}/certs/RootCA.crt -CAkey {{ rproxy_dir }}/certs/RootCA.key -in {{ rproxy_dir }}/certs/{{ domain.stdout }}.csr -out {{ rproxy_dir }}/certs/{{ domain.stdout }}.crt -CAcreateserial'
 
+ - name: Create fullchain certificate
+ ansible.builtin.shell:
+ cmd: 'cat {{ rproxy_dir }}/certs/RootCA.crt >> {{ rproxy_dir }}/certs/{{ domain.stdout }}.crt'
+
 - name: Delete csr
 ansible.builtin.file:
 path: "{{ rproxy_dir }}/certs/{{ domain.stdout }}.csr"
diff --git a/roles/rproxy/templates/server.conf.j2 b/roles/rproxy/templates/server.conf.j2
index 22a21af..9910c7f 100644
--- a/roles/rproxy/templates/server.conf.j2
+++ b/roles/rproxy/templates/server.conf.j2
@@ -30,6 +30,6 @@ server {
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
- proxy_pass https://{{ rproxy_service_name }}.{{ domain.stdout }}/;
+ proxy_pass http://{{ rproxy_service_name }}.{{ domain.stdout }}/;
 }
 }
From 68ce1cd6d58ee4e7710a4aa6aee3d1159836b4e0 Mon Sep 17 00:00:00 2001
From: apavlov
Date: Mon, 1 Jul 2024 20:55:57 +0300
Subject: [PATCH 07/28] each server own cert
---
 roles/rproxy/tasks/main.yml | 57 +++++++++++++++------------
 roles/rproxy/templates/server.cnf.j2 | 8 ++--
 roles/rproxy/templates/server.conf.j2 | 4 +-
 3 files changed, 37 insertions(+), 32 deletions(-)
diff --git a/roles/rproxy/tasks/main.yml b/roles/rproxy/tasks/main.yml
index a206feb..06c96ea 100644
--- a/roles/rproxy/tasks/main.yml
+++ b/roles/rproxy/tasks/main.yml
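Review bot: `cat RootCA.crt >> …crt` appends the CA certificate on every play, so repeated runs keep growing the chain file with duplicate copies and the task is never idempotent; write the chain once instead, e.g. `cmd: 'cat {{ rproxy_dir }}/certs/{{ domain.stdout }}.crt {{ rproxy_dir }}/certs/RootCA.crt > {{ rproxy_dir }}/certs/{{ domain.stdout }}.fullchain.crt'` with `creates:` set, and point `ssl_certificate` at the fullchain file. Including the root itself in the served chain is unnecessary for clients that already trust it; leaf plus intermediates (if any) is the conventional chain.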
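Review bot: Switching `proxy_pass` to `http://` makes the proxy-to-service hop plaintext, so credentials and session cookies forwarded to the service now travel unencrypted on that segment; this is acceptable only where proxy and service share a trusted network, and the template should state it (`# backend is plain HTTP: proxy and service must be on a trusted network`). If the service can speak TLS, keeping `https://` with `proxy_ssl_server_name on` is the safer fix for a 502 than downgrading the hop.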
@@ -56,32 +56,6 @@ src: files/RootCA.key dest: '{{ rproxy_dir }}/certs/RootCA.key' - - name: Copy server certificate cnf - ansible.builtin.template: - src: templates/server.cnf.j2 - dest: '{{ rproxy_dir }}/certs/server.cnf' - - - name: Generate server key - ansible.builtin.shell: - cmd: 'openssl genrsa -out {{ rproxy_dir }}/certs/{{ domain.stdout }}.key 2048' - - - name: Generate server csr - ansible.builtin.shell: - cmd: 'openssl req -key {{ rproxy_dir }}/certs/{{ domain.stdout }}.key -new -out {{ rproxy_dir }}/certs/{{ domain.stdout }}.csr -config {{ rproxy_dir }}/certs/server.cnf' - - - name: Sign server certificate - ansible.builtin.shell: - cmd: 'openssl x509 -req -CA {{ rproxy_dir }}/certs/RootCA.crt -CAkey {{ rproxy_dir }}/certs/RootCA.key -in {{ rproxy_dir }}/certs/{{ domain.stdout }}.csr -out {{ rproxy_dir }}/certs/{{ domain.stdout }}.crt -CAcreateserial' - - - name: Create fullchain certificate - ansible.builtin.shell: - cmd: 'cat {{ rproxy_dir }}/certs/RootCA.crt >> {{ rproxy_dir }}/certs/{{ domain.stdout }}.crt' - - - name: Delete csr - ansible.builtin.file: - path: "{{ rproxy_dir }}/certs/{{ domain.stdout }}.csr" - state: absent - - name: Start rproxy community.docker.docker_compose: project_src: "{{ rproxy_dir }}" 
@@ -94,6 +68,37 @@ src: templates/server.conf.j2 dest: "{{ rproxy_dir }}/sites/{{ rproxy_service_name }}.conf" + - name: Copy server certificate cnf + ansible.builtin.template: + src: templates/server.cnf.j2 + dest: '{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.cnf' + + - name: Generate server key + ansible.builtin.shell: + cmd: 'openssl genrsa -out {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.key 2048' + + - name: Generate server csr + ansible.builtin.shell: + cmd: 'openssl req -key {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.key -new -out {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr -config {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.cnf' + + - name: Sign server certificate + ansible.builtin.shell: + cmd: 'openssl x509 -req -CA {{ rproxy_dir }}/certs/RootCA.crt -CAkey {{ rproxy_dir }}/certs/RootCA.key -in {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr -out {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.crt -CAcreateserial' + + - name: Create fullchain certificate + ansible.builtin.shell: + cmd: 'cat {{ rproxy_dir }}/certs/RootCA.crt >> {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.crt' + + - name: Delete csr + ansible.builtin.file: + path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr" + state: absent + + - name: Delete cnf + ansible.builtin.file: + path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.cnf" + state: absent + - name: Restart rproxy community.docker.docker_compose: project_src: "{{ rproxy_dir }}" diff --git a/roles/rproxy/templates/server.cnf.j2 b/roles/rproxy/templates/server.cnf.j2 index 441cb7b..9105517 100644 --- a/roles/rproxy/templates/server.cnf.j2 +++ b/roles/rproxy/templates/server.cnf.j2 
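Review bot: The per-service key from `openssl genrsa` is written with no mode set, so `{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.key` inherits the default umask and may be world-readable on the host; add an `ansible.builtin.file` task with `mode: '0600'` after 'Generate server key', or start `cmd:` with `umask 077;`. `{{ rproxy_service_name }}` comes straight from the Jenkins parameter and is interpolated unquoted into the shell commands and into file paths; using `{{ rproxy_service_name | quote }}` in `cmd:` and an `ansible.builtin.assert` at the top of the block with `that: rproxy_service_name is match('^[A-Za-z0-9-]+$')` keeps a stray value from escaping the certs directory. `-CAcreateserial` also writes `RootCA.srl` beside the CA certificate, which is not cleaned up with the csr/cnf; that is fine but deserves a comment so it is not mistaken for leftover state.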
@@ -1,17 +1,17 @@ [ req ] prompt = no days = 365 -distinguished_name = {{ domain.stdout }} +distinguished_name = {{ rproxy_service_name }}.{{ domain.stdout }} req_extensions = v3_req -[ olsson.ul ] +[ {{ rproxy_service_name }}.{{ domain.stdout }} ] countryName = RU stateOrProvinceName = RU localityName = MSK organizationName = {{ domain.stdout }} organizationalUnitName = IT -commonName = {{ domain.stdout }} +commonName = {{ rproxy_service_name }}.{{ domain.stdout }} emailAddress = admin@{{ domain.stdout }} [ v3_req ] @@ -20,4 +20,4 @@ extendedKeyUsage = serverAuth subjectAltName = @sans [ sans ] -DNS.0 = *.{{ domain.stdout }} \ No newline at end of file +DNS.0 = {{ rproxy_service_name }}.{{ domain.stdout }} \ No newline at end of file diff --git a/roles/rproxy/templates/server.conf.j2 b/roles/rproxy/templates/server.conf.j2 index 9910c7f..c833687 100644 --- a/roles/rproxy/templates/server.conf.j2 +++ b/roles/rproxy/templates/server.conf.j2 @@ -15,8 +15,8 @@ server { server_name {{ rproxy_service_name }}.{{ domain.stdout }}; access_log /var/log/nginx/{{ rproxy_service_name }}.access.log; error_log /var/log/nginx/{{ rproxy_service_name }}.error.log; - ssl_certificate /etc/nginx/certs/{{ domain.stdout }}.crt; - ssl_certificate_key /etc/nginx/certs/{{ domain.stdout }}.key; + ssl_certificate /etc/nginx/certs/{{ rproxy_service_name }}.crt; + ssl_certificate_key /etc/nginx/certs/{{ rproxy_service_name }}.key; ssl_protocols TLSv1.2; ssl_ciphers EECDH:+AES256:-3DES:!RSA+AES:!RSA+3DES:!NULL:!RC4; ssl_prefer_server_ciphers on; From 5ab42a9f950b3d626a7276f1fda509586a176309 Mon Sep 17 00:00:00 2001 From: apavlov Date: Mon, 1 Jul 2024 21:10:13 +0300 Subject: [PATCH 08/28] fix? --- roles/rproxy/templates/server.cnf.j2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/rproxy/templates/server.cnf.j2 b/roles/rproxy/templates/server.cnf.j2 index 9105517..8a03f29 100644 --- a/roles/rproxy/templates/server.cnf.j2 +++ b/roles/rproxy/templates/server.cnf.j2 
@@ -1,7 +1,7 @@ [ req ] prompt = no days = 365 -distinguished_name = {{ rproxy_service_name }}.{{ domain.stdout }} +distinguished_name = {{ rproxy_service_name }}.{{ domain.stdout }} req_extensions = v3_req @@ -11,7 +11,7 @@ stateOrProvinceName = RU localityName = MSK organizationName = {{ domain.stdout }} organizationalUnitName = IT -commonName = {{ rproxy_service_name }}.{{ domain.stdout }} +commonName = {{ rproxy_service_name }}.{{ domain.stdout }} emailAddress = admin@{{ domain.stdout }} [ v3_req ] @@ -20,4 +20,4 @@ extendedKeyUsage = serverAuth subjectAltName = @sans [ sans ] -DNS.0 = {{ rproxy_service_name }}.{{ domain.stdout }} \ No newline at end of file +DNS.1 = {{ rproxy_service_name }}.{{ domain.stdout }} \ No newline at end of file From 6b06a211d9fc8be1c5cb78f33488d82badc403e2 Mon Sep 17 00:00:00 2001 From: apavlov Date: Mon, 1 Jul 2024 21:30:40 +0300 Subject: [PATCH 09/28] in progress --- TODO | 1 + roles/rproxy/templates/server.cnf.j2 | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) create mode 100644 TODO diff --git a/TODO b/TODO new file mode 100644 index 0000000..5483d53 --- /dev/null +++ b/TODO @@ -0,0 +1 @@ +Certificate wrong cnf days and not works( \ No newline at end of file diff --git a/roles/rproxy/templates/server.cnf.j2 b/roles/rproxy/templates/server.cnf.j2 index 8a03f29..56dbf2e 100644 --- a/roles/rproxy/templates/server.cnf.j2 +++ b/roles/rproxy/templates/server.cnf.j2 @@ -20,4 +20,5 @@ extendedKeyUsage = serverAuth subjectAltName = @sans [ sans ] -DNS.1 = {{ rproxy_service_name }}.{{ domain.stdout }} \ No newline at end of file +DNS.1 = {{ rproxy_service_name }}.{{ domain.stdout }} +IP.1 = {{ rproxy_service_address }} \ No newline at end of file From 6cb2d2abbd86149bdec2eab3595cd263d58684c5 Mon Sep 17 00:00:00 2001 
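Review bot: `IP.1 = {{ rproxy_service_address }}` puts the backend service's address into the SAN of the certificate the proxy presents to clients, which does not make the certificate valid for the proxy's own address and discloses an internal address to every client that inspects it; drop the IP entry unless clients genuinely reach the proxy at that IP. The `TODO` about "wrong cnf days" points at the real cause: `openssl x509 -req` takes validity only from its own `-days` option, not from the cnf.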
From: apavlov
Date: Tue, 9 Jul 2024 21:04:45 +0300
Subject: [PATCH 10/28] days for server certificate
---
 TODO | 1 -
 roles/rproxy/tasks/main.yml | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)
 delete mode 100644 TODO
diff --git a/TODO b/TODO
deleted file mode 100644
index 5483d53..0000000
--- a/TODO
+++ /dev/null
@@ -1 +0,0 @@
-Certificate wrong cnf days and not works(
\ No newline at end of file
diff --git a/roles/rproxy/tasks/main.yml b/roles/rproxy/tasks/main.yml
index 06c96ea..2279df4 100644
--- a/roles/rproxy/tasks/main.yml
+++ b/roles/rproxy/tasks/main.yml
@@ -79,7 +79,7 @@
 
 - name: Generate server csr
 ansible.builtin.shell:
- cmd: 'openssl req -key {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.key -new -out {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr -config {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.cnf'
+ cmd: 'openssl req -key {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.key -new -out {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr -config {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.cnf -days 365'
 
 - name: Sign server certificate
 ansible.builtin.shell:
From b8e8a3d781ae9617363d3b935845c98877e3eeeb Mon Sep 17 00:00:00 2001
From: apavlov
Date: Tue, 9 Jul 2024 21:15:44 +0300
Subject: [PATCH 11/28] test change subjectAltName
---
 roles/rproxy/templates/docker-compose.yml.j2 | 2 +-
 roles/rproxy/templates/server.cnf.j2 | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/roles/rproxy/templates/docker-compose.yml.j2 b/roles/rproxy/templates/docker-compose.yml.j2
index 7908b6b..c424260 100644
--- a/roles/rproxy/templates/docker-compose.yml.j2
+++ b/roles/rproxy/templates/docker-compose.yml.j2
@@ -3,7 +3,7 @@ version: '3.3'
 services:
 nginx:
 image: nginx:latest
- container_name: nginx
+ container_name: rproxy
 restart: always
 volumes:
 - {{ rproxy_dir }}/nginx.conf:/etc/nginx/nginx.conf
diff --git a/roles/rproxy/templates/server.cnf.j2 b/roles/rproxy/templates/server.cnf.j2
index 56dbf2e..d035d8e 100644
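Review bot: `-days 365` is added to `openssl req`, which only produces the CSR; the certificate's validity is decided by the `openssl x509 -req` command in 'Sign server certificate' (the task just below this hunk), which has no `-days` and therefore issues for OpenSSL's default of 30 days. Move the flag there: `… -out {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.crt -CAcreateserial -days 365`. The same omission remains in the x509 command as rewritten in PATCH 22 and PATCH 23.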
--- a/roles/rproxy/templates/server.cnf.j2 +++ b/roles/rproxy/templates/server.cnf.j2 @@ -21,4 +21,5 @@ subjectAltName = @sans [ sans ] DNS.1 = {{ rproxy_service_name }}.{{ domain.stdout }} +DNS.2 = jenkins-master.{{ domain.stdout }} IP.1 = {{ rproxy_service_address }} \ No newline at end of file From 444fb6ca946d0ea8419cead9d5da8f3aa1b26781 Mon Sep 17 00:00:00 2001 From: apavlov Date: Tue, 9 Jul 2024 21:20:43 +0300 Subject: [PATCH 12/28] test wildcard san --- roles/rproxy/templates/server.cnf.j2 | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/roles/rproxy/templates/server.cnf.j2 b/roles/rproxy/templates/server.cnf.j2 index d035d8e..959ea57 100644 --- a/roles/rproxy/templates/server.cnf.j2 +++ b/roles/rproxy/templates/server.cnf.j2 @@ -20,6 +20,5 @@ extendedKeyUsage = serverAuth subjectAltName = @sans [ sans ] -DNS.1 = {{ rproxy_service_name }}.{{ domain.stdout }} -DNS.2 = jenkins-master.{{ domain.stdout }} +DNS.1 = *.{{ domain.stdout }} IP.1 = {{ rproxy_service_address }} \ No newline at end of file From 0d77b94b59f368b8443bde120e464670d06c6d95 Mon Sep 17 00:00:00 2001 From: apavlov Date: Tue, 9 Jul 2024 21:35:31 +0300 Subject: [PATCH 13/28] joke --- roles/rproxy/templates/server.cnf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/rproxy/templates/server.cnf.j2 b/roles/rproxy/templates/server.cnf.j2 index 959ea57..d1c504f 100644 --- a/roles/rproxy/templates/server.cnf.j2 +++ b/roles/rproxy/templates/server.cnf.j2 @@ -19,6 +19,6 @@ basicConstraints = CA:false extendedKeyUsage = serverAuth subjectAltName = @sans -[ sans ] +[sans] DNS.1 = *.{{ domain.stdout }} IP.1 = {{ rproxy_service_address }} \ No newline at end of file From b617726baad18a6d82f140fa9caf578597c9c70d Mon Sep 17 00:00:00 2001 
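Review bot: `DNS.1 = *.{{ domain.stdout }}` turns every per-service certificate into a wildcard for the whole domain, so the private key of any one service, which lives on the same host, can impersonate every other name under it; keep the SAN at `DNS.1 = {{ rproxy_service_name }}.{{ domain.stdout }}` and add further names explicitly as `DNS.2`. If one certificate for the whole proxy is the actual goal, that belongs in the install block rather than in 'Add config', where a new one is issued per service.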
From: apavlov Date: Tue, 9 Jul 2024 21:49:24 +0300 Subject: [PATCH 14/28] change cnf --- roles/rproxy/tasks/main.yml | 2 +- roles/rproxy/templates/server.cnf.j2 | 5 ++--- server.cnf.j2 | 24 ++++++++++++++++++++++++ 3 files changed, 27 insertions(+), 4 deletions(-) create mode 100644 server.cnf.j2 diff --git a/roles/rproxy/tasks/main.yml b/roles/rproxy/tasks/main.yml index 2279df4..06c96ea 100644 --- a/roles/rproxy/tasks/main.yml +++ b/roles/rproxy/tasks/main.yml @@ -79,7 +79,7 @@ - name: Generate server csr ansible.builtin.shell: - cmd: 'openssl req -key {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.key -new -out {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr -config {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.cnf -days 365' + cmd: 'openssl req -key {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.key -new -out {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr -config {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.cnf' - name: Sign server certificate ansible.builtin.shell: diff --git a/roles/rproxy/templates/server.cnf.j2 b/roles/rproxy/templates/server.cnf.j2 index d1c504f..fd59ce4 100644 --- a/roles/rproxy/templates/server.cnf.j2 +++ b/roles/rproxy/templates/server.cnf.j2 @@ -1,4 +1,3 @@ -[ req ] prompt = no days = 365 distinguished_name = {{ rproxy_service_name }}.{{ domain.stdout }} @@ -15,10 +14,10 @@ commonName = {{ rproxy_service_name }}.{{ domain.stdout }} emailAddress = admin@{{ domain.stdout }} [ v3_req ] -basicConstraints = CA:false +basicConstraints = critical; CA:false extendedKeyUsage = serverAuth subjectAltName = @sans -[sans] +[ sans ] DNS.1 = *.{{ domain.stdout }} IP.1 = {{ rproxy_service_address }} \ No newline at end of file diff --git a/server.cnf.j2 b/server.cnf.j2 new file mode 100644 index 0000000..d1c504f --- /dev/null +++ b/server.cnf.j2 
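Review bot: `basicConstraints = critical; CA:false` uses a semicolon, but OpenSSL separates the `critical` flag from the value with a comma, so the line should read `basicConstraints = critical, CA:FALSE` or the extension will not parse. Removing `[ req ]` in the first hunk leaves `prompt`, `distinguished_name` and `req_extensions` in the unnamed default section; OpenSSL generally falls back to it, but the explicit section is clearer and is what the rest of this series assumes. `days = 365` is still not an option `openssl req` reads and can be deleted.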
@@ -0,0 +1,24 @@ +[ req ] +prompt = no +days = 365 +distinguished_name = {{ rproxy_service_name }}.{{ domain.stdout }} +req_extensions = v3_req + + +[ {{ rproxy_service_name }}.{{ domain.stdout }} ] +countryName = RU +stateOrProvinceName = RU +localityName = MSK +organizationName = {{ domain.stdout }} +organizationalUnitName = IT +commonName = {{ rproxy_service_name }}.{{ domain.stdout }} +emailAddress = admin@{{ domain.stdout }} + +[ v3_req ] +basicConstraints = CA:false +extendedKeyUsage = serverAuth +subjectAltName = @sans + +[sans] +DNS.1 = *.{{ domain.stdout }} +IP.1 = {{ rproxy_service_address }} \ No newline at end of file From 0a3b6c3b4a44c3a41f4f5704a0ac5f57c17d19af Mon Sep 17 00:00:00 2001 From: apavlov Date: Tue, 9 Jul 2024 21:51:48 +0300 Subject: [PATCH 15/28] fix header --- roles/rproxy/templates/server.cnf.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/rproxy/templates/server.cnf.j2 b/roles/rproxy/templates/server.cnf.j2 index fd59ce4..0a84d5d 100644 --- a/roles/rproxy/templates/server.cnf.j2 +++ b/roles/rproxy/templates/server.cnf.j2 @@ -1,3 +1,4 @@ +[ req ] prompt = no days = 365 distinguished_name = {{ rproxy_service_name }}.{{ domain.stdout }} From a3d087f832fd689843d30cba38d5ca19e0bc749d Mon Sep 17 00:00:00 2001 From: apavlov Date: Tue, 9 Jul 2024 21:53:57 +0300 Subject: [PATCH 16/28] change cnf --- roles/rproxy/templates/server.cnf.j2 | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/roles/rproxy/templates/server.cnf.j2 b/roles/rproxy/templates/server.cnf.j2 index 0a84d5d..16ce8b1 100644 --- a/roles/rproxy/templates/server.cnf.j2 +++ b/roles/rproxy/templates/server.cnf.j2 @@ -1,4 +1,3 @@ -[ req ] prompt = no days = 365 distinguished_name = {{ rproxy_service_name }}.{{ domain.stdout }} 
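Review bot: This adds a second `server.cnf.j2` at the repository root that is a copy of the role template as it stood before this commit's edits (it still has `[ req ]`, `req_extensions` and `CA:false`), and nothing in the role reads a root-level template, so the two files will silently diverge; remove it, or if it is a scratch copy keep it out of the repository. If it is meant as a reference, a first-line `# reference copy only; the role renders roles/rproxy/templates/server.cnf.j2` comment would stop the next reader from editing the wrong file.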
@@ -15,7 +14,7 @@ commonName = {{ rproxy_service_name }}.{{ domain.stdout }} emailAddress = admin@{{ domain.stdout }} [ v3_req ] -basicConstraints = critical; CA:false +basicConstraints = CA:false extendedKeyUsage = serverAuth subjectAltName = @sans From 5649ea73d8ccdcb35d349d1d01878b3a660cdd61 Mon Sep 17 00:00:00 2001 From: apavlov Date: Tue, 9 Jul 2024 22:00:18 +0300 Subject: [PATCH 17/28] x509 --- roles/rproxy/templates/server.cnf.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/rproxy/templates/server.cnf.j2 b/roles/rproxy/templates/server.cnf.j2 index 16ce8b1..35f860b 100644 --- a/roles/rproxy/templates/server.cnf.j2 +++ b/roles/rproxy/templates/server.cnf.j2 @@ -1,7 +1,7 @@ prompt = no days = 365 distinguished_name = {{ rproxy_service_name }}.{{ domain.stdout }} -req_extensions = v3_req +x509_extensions = v3_x509 [ {{ rproxy_service_name }}.{{ domain.stdout }} ] @@ -13,7 +13,7 @@ organizationalUnitName = IT commonName = {{ rproxy_service_name }}.{{ domain.stdout }} emailAddress = admin@{{ domain.stdout }} -[ v3_req ] +[ v3_x509 ] basicConstraints = CA:false extendedKeyUsage = serverAuth subjectAltName = @sans From 4dbb33af44564adec166f0536b5e51c58f7e0452 Mon Sep 17 00:00:00 2001 From: apavlov Date: Tue, 9 Jul 2024 22:07:30 +0300 Subject: [PATCH 18/28] keyUsage --- roles/rproxy/templates/server.cnf.j2 | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/roles/rproxy/templates/server.cnf.j2 b/roles/rproxy/templates/server.cnf.j2 index 35f860b..cf0a421 100644 --- a/roles/rproxy/templates/server.cnf.j2 +++ b/roles/rproxy/templates/server.cnf.j2 @@ -1,7 +1,8 @@ +[ req ] prompt = no days = 365 distinguished_name = {{ rproxy_service_name }}.{{ domain.stdout }} -x509_extensions = v3_x509 +req_extensions = v3_req [ {{ rproxy_service_name }}.{{ domain.stdout }} ] 
@@ -13,9 +14,9 @@ organizationalUnitName = IT commonName = {{ rproxy_service_name }}.{{ domain.stdout }} emailAddress = admin@{{ domain.stdout }} -[ v3_x509 ] +[ v3_req ] basicConstraints = CA:false -extendedKeyUsage = serverAuth +keyUsage = digitalSignature, keyEncipherment subjectAltName = @sans [ sans ] From c61ce77cc5a0626d772c579835b3f2d94a202122 Mon Sep 17 00:00:00 2001 From: apavlov Date: Tue, 9 Jul 2024 22:10:13 +0300 Subject: [PATCH 19/28] delete donwload stage --- Jenkinsfile | 5 ----- 1 file changed, 5 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index 807e8b2..70c19d7 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -14,11 +14,6 @@ pipeline { } stages { - stage('Download') { - steps { - git branch: 'dev', url:'${git_url}/Ansible/rproxy.git', credentialsId: 'git' - } - } stage('Save certs') { when { expression { From 80f29187defdb16d2ce7a66dfe3ea381d71bf740 Mon Sep 17 00:00:00 2001 From: apavlov Date: Tue, 9 Jul 2024 22:11:08 +0300 Subject: [PATCH 20/28] 123 --- roles/rproxy/templates/server.cnf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/rproxy/templates/server.cnf.j2 b/roles/rproxy/templates/server.cnf.j2 index cf0a421..456c01d 100644 --- a/roles/rproxy/templates/server.cnf.j2 +++ b/roles/rproxy/templates/server.cnf.j2 @@ -17,7 +17,7 @@ emailAddress = admin@{{ domain.stdout }} [ v3_req ] basicConstraints = CA:false keyUsage = digitalSignature, keyEncipherment -subjectAltName = @sans +subjectAltName = DNS:*.{{ domain.stdout }} [ sans ] DNS.1 = *.{{ domain.stdout }} From 2516df309231fd7ec3bf18df58458d77c6725bca Mon Sep 17 00:00:00 2001 From: apavlov Date: Tue, 9 Jul 2024 22:12:17 +0300 Subject: [PATCH 21/28] return --- roles/rproxy/templates/server.cnf.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/rproxy/templates/server.cnf.j2 b/roles/rproxy/templates/server.cnf.j2 index 456c01d..cb6e916 100644 --- a/roles/rproxy/templates/server.cnf.j2 +++ b/roles/rproxy/templates/server.cnf.j2 
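Review bot: `keyUsage = digitalSignature, keyEncipherment` replaces `extendedKeyUsage = serverAuth` instead of accompanying it, so the issued certificate carries no EKU and TLS clients that require `serverAuth` on server certificates (some do) will reject it. Keep both lines under `[ v3_req ]`: `keyUsage = digitalSignature, keyEncipherment` followed by `extendedKeyUsage = serverAuth`.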
@@ -16,8 +16,8 @@ emailAddress = admin@{{ domain.stdout }}
 [ v3_req ]
 basicConstraints = CA:false
-keyUsage = digitalSignature, keyEncipherment
-subjectAltName = DNS:*.{{ domain.stdout }}
+keyUsage = digitalSignature, keyEncipherment
+subjectAltName = @sans
 [ sans ]
 DNS.1 = *.{{ domain.stdout }}
From 88ea60e93233d4b8ad285a0fe51d5483a2810fd8 Mon Sep 17 00:00:00 2001
From: apavlov
Date: Wed, 10 Jul 2024 20:20:55 +0300
Subject: [PATCH 22/28] change config insert hop
---
 roles/rproxy/tasks/main.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/roles/rproxy/tasks/main.yml b/roles/rproxy/tasks/main.yml
index 06c96ea..709461e 100644
--- a/roles/rproxy/tasks/main.yml
+++ b/roles/rproxy/tasks/main.yml
@@ -79,11 +79,11 @@
 - name: Generate server csr
 ansible.builtin.shell:
- cmd: 'openssl req -key {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.key -new -out {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr -config {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.cnf'
+ cmd: 'openssl req -key {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.key -new -out {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr'
 - name: Sign server certificate
 ansible.builtin.shell:
- cmd: 'openssl x509 -req -CA {{ rproxy_dir }}/certs/RootCA.crt -CAkey {{ rproxy_dir }}/certs/RootCA.key -in {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr -out {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.crt -CAcreateserial'
+ cmd: 'openssl x509 -req -CA {{ rproxy_dir }}/certs/RootCA.crt -CAkey {{ rproxy_dir }}/certs/RootCA.key -in {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr -out {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.crt -CAcreateserial -config {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.cnf'
 - name: Create fullchain certificate
 ansible.builtin.shell:
From 358533399f177c996bbf9e12169e8f0097a7315a Mon Sep 17 00:00:00 2001
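Review bot: Both `cmd:` strings splice `rproxy_dir` and `rproxy_service_name` unquoted into an `ansible.builtin.shell` command line; `rproxy_service_name` comes from a free-text Jenkins `string` parameter (patch 04), so a value containing spaces or shell metacharacters alters the command rather than just the file names. Quote each interpolation (`-out {{ rproxy_dir | quote }}/certs/{{ rproxy_service_name | quote }}.csr`), or better switch both tasks to `ansible.builtin.command` with an `argv:` list, and reject unexpected names early with an `ansible.builtin.assert` on a pattern such as `^[A-Za-z0-9.-]+$`. Patches 23–27 rewrite the same two lines, so the fix applies to their final form as well. Separately, `openssl x509` applies extensions through `-extfile`/`-extensions`, not `-config`, so the option moved onto the signing command here is not one `x509` accepts for this purpose (the later `-extfile` commits reflect that).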
From: apavlov
Date: Wed, 10 Jul 2024 20:36:10 +0300
Subject: [PATCH 23/28] extfile added
---
 roles/rproxy/tasks/main.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/roles/rproxy/tasks/main.yml b/roles/rproxy/tasks/main.yml
index 709461e..8699218 100644
--- a/roles/rproxy/tasks/main.yml
+++ b/roles/rproxy/tasks/main.yml
@@ -79,11 +79,11 @@
 - name: Generate server csr
 ansible.builtin.shell:
- cmd: 'openssl req -key {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.key -new -out {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr'
+ cmd: 'openssl req -key {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.key -new -out {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr -config {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.cnf'
 - name: Sign server certificate
 ansible.builtin.shell:
- cmd: 'openssl x509 -req -CA {{ rproxy_dir }}/certs/RootCA.crt -CAkey {{ rproxy_dir }}/certs/RootCA.key -in {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr -out {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.crt -CAcreateserial -config {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.cnf'
+ cmd: 'openssl x509 -req -CA {{ rproxy_dir }}/certs/RootCA.crt -CAkey {{ rproxy_dir }}/certs/RootCA.key -in {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr -out {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.crt -CAcreateserial -extfile {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.cnf'
 - name: Create fullchain certificate
 ansible.builtin.shell:
From 17bb4d127167d014b9a79d43ffea390f6aa2c167 Mon Sep 17 00:00:00 2001
From: apavlov
Date: Thu, 11 Jul 2024 00:59:00 +0300
Subject: [PATCH 24/28] fix cnf
---
 roles/rproxy/tasks/main.yml | 2 +-
 roles/rproxy/templates/server.cnf.j2 | 11 ++++++++---
 2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/roles/rproxy/tasks/main.yml b/roles/rproxy/tasks/main.yml
index 8699218..3c3bc94 100644
--- a/roles/rproxy/tasks/main.yml
+++ b/roles/rproxy/tasks/main.yml
@@ -83,7 +83,7 @@
 - name: Sign server certificate
 ansible.builtin.shell:
- cmd: 'openssl x509 -req -CA {{ rproxy_dir }}/certs/RootCA.crt -CAkey {{ rproxy_dir }}/certs/RootCA.key -in {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr -out {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.crt -CAcreateserial -extfile {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.cnf'
+ cmd: 'openssl x509 -req -CA {{ rproxy_dir }}/certs/RootCA.crt -CAkey {{ rproxy_dir }}/certs/RootCA.key -in {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr -out {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.crt -CAcreateserial -config {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.cnf -days 365'
 - name: Create fullchain certificate
 ansible.builtin.shell:
diff --git a/roles/rproxy/templates/server.cnf.j2 b/roles/rproxy/templates/server.cnf.j2
index cb6e916..323b0c9 100644
--- a/roles/rproxy/templates/server.cnf.j2
+++ b/roles/rproxy/templates/server.cnf.j2
@@ -1,8 +1,8 @@
 [ req ]
 prompt = no
-days = 365
 distinguished_name = {{ rproxy_service_name }}.{{ domain.stdout }}
 req_extensions = v3_req
+x509_extensions = v3_x509
 [ {{ rproxy_service_name }}.{{ domain.stdout }} ]
@@ -16,9 +16,14 @@ emailAddress = admin@{{ domain.stdout }}
 [ v3_req ]
 basicConstraints = CA:false
-keyUsage = digitalSignature, keyEncipherment
+keyUsage = digitalSignature, keyEncipherment
+subjectAltName = @sans
+
+[ v3_x509 ]
+basicConstraints = CA:false
+keyUsage = digitalSignature, keyEncipherment
 subjectAltName = @sans
 [ sans ]
-DNS.1 = *.{{ domain.stdout }}
+DNS.1 = {{ rproxy_service_name }}.{{ domain.stdout }}
 IP.1 = {{ rproxy_service_address }}
\ No newline at end of file
From 1059c1c8dccaf87fc7c641ed0417cbd3252e782d Mon Sep 17 00:00:00 2001
From: apavlov
Date: Thu, 11 Jul 2024 01:02:20 +0300
Subject: [PATCH 25/28] 333
---
 roles/rproxy/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/rproxy/tasks/main.yml b/roles/rproxy/tasks/main.yml
index 3c3bc94..300e4f6 100644
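Review bot: `IP.1 = {{ rproxy_service_address }}` in `[ sans ]` is rendered unconditionally, yet the `rproxy_service_address` Jenkins parameter defaults to an empty string (patch 04), so a run that leaves it blank produces `IP.1 = ` and OpenSSL rejects the config. Guard the line, `{% if rproxy_service_address %}IP.1 = {{ rproxy_service_address }}{% endif %}`, or assert that the parameter is a valid address before templating. Narrowing `DNS.1` from the wildcard to `{{ rproxy_service_name }}.{{ domain.stdout }}` is the right scope for a per-service certificate. The new `[ v3_x509 ]` section is a line-for-line copy of `[ v3_req ]`; referencing one section from both `req_extensions` and the signing command's `-extensions` would keep the two from drifting apart.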
--- a/roles/rproxy/tasks/main.yml
+++ b/roles/rproxy/tasks/main.yml
@@ -83,7 +83,7 @@
 - name: Sign server certificate
 ansible.builtin.shell:
- cmd: 'openssl x509 -req -CA {{ rproxy_dir }}/certs/RootCA.crt -CAkey {{ rproxy_dir }}/certs/RootCA.key -in {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr -out {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.crt -CAcreateserial -config {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.cnf -days 365'
+ cmd: 'openssl x509 -req -CA {{ rproxy_dir }}/certs/RootCA.crt -CAkey {{ rproxy_dir }}/certs/RootCA.key -in {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr -out {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.crt -CAcreateserial -days 365'
 - name: Create fullchain certificate
 ansible.builtin.shell:
From f4b1d148ae8cd2f4f988d17d13dc6e862ba97f25 Mon Sep 17 00:00:00 2001
From: apavlov
Date: Thu, 11 Jul 2024 01:04:25 +0300
Subject: [PATCH 26/28] extfile
---
 roles/rproxy/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/rproxy/tasks/main.yml b/roles/rproxy/tasks/main.yml
index 300e4f6..f550374 100644
--- a/roles/rproxy/tasks/main.yml
+++ b/roles/rproxy/tasks/main.yml
@@ -83,7 +83,7 @@
 - name: Sign server certificate
 ansible.builtin.shell:
- cmd: 'openssl x509 -req -CA {{ rproxy_dir }}/certs/RootCA.crt -CAkey {{ rproxy_dir }}/certs/RootCA.key -in {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr -out {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.crt -CAcreateserial -days 365'
+ cmd: 'openssl x509 -req -CA {{ rproxy_dir }}/certs/RootCA.crt -CAkey {{ rproxy_dir }}/certs/RootCA.key -in {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr -out {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.crt -CAcreateserial -extfile {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.cnf -days 365'
 - name: Create fullchain certificate
 ansible.builtin.shell:
From 20d004492f7173c50e1cc50f7228f28fa5014ba1 Mon Sep 17 00:00:00 2001
From: apavlov
Date: Thu, 11 Jul 2024 01:12:05 +0300
Subject: [PATCH 27/28] v3_x509
---
 roles/rproxy/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/rproxy/tasks/main.yml b/roles/rproxy/tasks/main.yml
index f550374..8d0fe8e 100644
--- a/roles/rproxy/tasks/main.yml
+++ b/roles/rproxy/tasks/main.yml
@@ -83,7 +83,7 @@
 - name: Sign server certificate
 ansible.builtin.shell:
- cmd: 'openssl x509 -req -CA {{ rproxy_dir }}/certs/RootCA.crt -CAkey {{ rproxy_dir }}/certs/RootCA.key -in {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr -out {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.crt -CAcreateserial -extfile {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.cnf -days 365'
+ cmd: 'openssl x509 -req -CA {{ rproxy_dir }}/certs/RootCA.crt -CAkey {{ rproxy_dir }}/certs/RootCA.key -in {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr -out {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.crt -CAcreateserial -extfile {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.cnf -days 365 -extensions v3_x509'
 - name: Create fullchain certificate
 ansible.builtin.shell:
From 46ac974f8dd272819c5a898b4f705d246a815965 Mon Sep 17 00:00:00 2001
From: apavlov
Date: Thu, 11 Jul 2024 01:21:31 +0300
Subject: [PATCH 28/28] finish
---
 server.cnf.j2 | 24 ------------------------
 1 file changed, 24 deletions(-)
 delete mode 100644 server.cnf.j2
diff --git a/server.cnf.j2 b/server.cnf.j2
deleted file mode 100644
index d1c504f..0000000
--- a/server.cnf.j2
+++ /dev/null
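Review bot: With `-extfile ... -extensions v3_x509` now on the signing command, the `x509_extensions = v3_x509` key that patch 24 added to `[ req ]` is never consulted (`openssl x509` does not read the `[ req ]` section), so it can be removed; a comment in the template such as `# v3_x509 is selected by '-extensions v3_x509' in tasks/main.yml` would document the coupling. The command also relies on the default signature digest; on OpenSSL releases before 1.1.0 that default for `x509` is SHA-1, so adding `-sha256` pins it regardless of the target's version. The task remains `ansible.builtin.shell` although no shell features are used; `ansible.builtin.command` would be the narrower choice.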
@@ -1,24 +0,0 @@
-[ req ]
-prompt = no
-days = 365
-distinguished_name = {{ rproxy_service_name }}.{{ domain.stdout }}
-req_extensions = v3_req
-
-
-[ {{ rproxy_service_name }}.{{ domain.stdout }} ]
-countryName = RU
-stateOrProvinceName = RU
-localityName = MSK
-organizationName = {{ domain.stdout }}
-organizationalUnitName = IT
-commonName = {{ rproxy_service_name }}.{{ domain.stdout }}
-emailAddress = admin@{{ domain.stdout }}
-
-[ v3_req ]
-basicConstraints = CA:false
-extendedKeyUsage = serverAuth
-subjectAltName = @sans
-
-[sans]
-DNS.1 = *.{{ domain.stdout }}
-IP.1 = {{ rproxy_service_address }}
\ No newline at end of file