From 18a1e941000104403ef08744850e1f3ee0fb0189 Mon Sep 17 00:00:00 2001 From: Pavlov Makar Date: Thu, 14 Aug 2025 23:50:01 +0300 Subject: [PATCH 1/7] Qa FreeIPA CA certificate generation --- Jenkinsfile | 19 ----- README.md | 12 +-- roles/rproxy/tasks/addconfig.yml | 136 +++++++++++------------------- roles/rproxy/tasks/dockerrepo.yml | 80 +++++++++--------- roles/rproxy/tasks/repo.yml | 115 +++++++++---------------- roles/rproxy/tasks/rproxy.yml | 17 +--- roles/rproxy/vars/main.yml | 2 +- 7 files changed, 135 insertions(+), 246 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index 6b69593..cf7236e 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -33,25 +33,6 @@ pipeline { } } } - stage('Save certs') { - when { - expression { - return params.rproxy_install - } - } - steps { - script { - withCredentials([ - file(credentialsId: "ROOTCA_CERT", variable: "rootca"), - file(credentialsId: "ROOTCA_KEY", variable: "rootca_key") - ]) { - sh(script: "cp ${rootca} roles/gitlab/files/RootCA.crt", returnStdout: false) - sh(script: "cp ${rootca_key} roles/gitlab/files/RootCA.key", returnStdout: false) - sh(script: "chmod 700 roles/patroni/files/RootCA*", returnStdout: false) - } - } - } - } stage('Prepare inventory') { steps { script { diff --git a/README.md b/README.md index 7a6549a..785bdf9 100644 --- a/README.md +++ b/README.md @@ -37,17 +37,7 @@ Files should be stored in /opt/rproxy/repo/ to be shared. ## Docker-registry Would be installed with rproxy service. Hosted on port 5000. Images would be stored in /opt/dockerrepo/repo/. Uses SSL so you should have trust with root certificate. \ -Install trust with root certificate: -```bash -# RHEL based -openssl x509 -in RootCA.crt -out RootCA.pem -outform PEM -mv RootCA.pem /etc/pki/ca-trust/source/anchors/ -update-ca-trust force-enable - -# Debian based -mv RootCA.crt /usr/local/share/ca-certificates/ -update-ca-certificates -``` +Install trust with root certificate How to store image: ```bash # After image build 
diff --git a/roles/rproxy/tasks/addconfig.yml b/roles/rproxy/tasks/addconfig.yml index 6cc5dbf..ff44901 100644 --- a/roles/rproxy/tasks/addconfig.yml +++ b/roles/rproxy/tasks/addconfig.yml 
@@ -8,95 +8,61 @@ - name: Generate certificates for {{ rproxy_service_name }} block: - - name: "Generate {{ rproxy_service_name }}.key" - community.crypto.openssl_privatekey: - path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.key" - size: "2048" + - name: Create CNAME dns record + community.general.ipa_dnsrecord: + ipa_user: "{{ ansible_user }}" + ipa_pass: "{{ ansible_password }}" + zone_name: "{{ ansible_facts['domain'] }}" + record_name: "{{ rproxy_service_name }}" + record_type: 'CNAME' + record_value: "{{ ansible_facts['hostname'] }}" + state: present - - name: "Generate {{ rproxy_service_name }}.csr" - community.crypto.openssl_csr: - path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr" - privatekey_path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.key" - country_name: "RU" - state_or_province_name: "RU" - locality_name: "MSK" - organization_name: "{{ ansible_domain }}" - organizational_unit_name: "IT" - common_name: "{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}" - email_address: "admin@{{ ansible_domain }}" - subject_alt_name: "DNS:{{ rproxy_service_name }}.{{ ansible_facts['domain'] }},DNS:{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }},IP:{{ ansible_facts['default_ipv4']['address'] }}" - key_usage: - - digitalSignature - - nonRepudiation - - keyEncipherment - - dataEncipherment - extended_key_usage: - - serverAuth - - - name: "Generate {{ rproxy_service_name }}.crt" - community.crypto.x509_certificate: - csr_path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr" - path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.crt" - privatekey_path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.key" - provider: ownca - ownca_create_subject_key_identifier: always_create - ownca_path: "{{ rproxy_dir }}/certs/RootCA.crt" - ownca_privatekey_path: "{{ rproxy_dir }}/certs/RootCA.key" - ownca_not_after: "+365d" - - - name: Create fullchain certificate + - name: Kinit ansible.builtin.shell: - cmd: 'cat {{ rproxy_dir 
}}/certs/RootCA.crt >> {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.crt' + cmd: "echo '{{ ansible_password }}' | kinit" + become: false + become_user: "{{ ansible_user }}" - - name: Delete csr + - name: Create SPN for HTTP + ansible.builtin.shell: + cmd: "ipa service-add HTTP/{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }} --skip-host-check" + become: false + become_user: "{{ ansible_user }}" + ignore_errors: true + + - name: Request certificate via ipa-getcert + ansible.builtin.command: > + ipa-getcert request + -f {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.crt + -k {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.key + -K HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }} + -N CN={{ rproxy_service_name }}.{{ ansible_facts['domain'] }} + + # sudo ipa-getcert stop-tracking -i 20250813210258 if track already exists + + - name: Wait for certificate to appear + ansible.builtin.wait_for: + path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.crt" + timeout: 60 + + - name: Change certificate permissions ansible.builtin.file: - path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.csr" - state: absent + path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.crt" + mode: "0744" -- name: Restart rproxy - block: - - name: Restart container - containers.podman.podman_container: - name: rproxy - image: "docker.io/library/nginx:{{ rproxy_version }}" - state: started - restart: true - ports: - - "443:443" - - "80:80" - - "9000:9000" - volumes: - - '{{ rproxy_dir }}/nginx.conf:/etc/nginx/nginx.conf:z,rw' - - '{{ rproxy_dir }}/sites:/etc/nginx/sites:z,rw' - - '{{ rproxy_dir }}/certs:/etc/nginx/certs:z,rw' - - '{{ repo_data_dir }}:/repo:z,rw' - - "/etc/localtime:/etc/localtime:ro" - privileged: true - security_opt: - - "label=disable" - log_driver: journald - generate_systemd: - path: /etc/systemd/system/ - restart_policy: 
always - stop_timeout: 120 - names: true + - name: Wait for certificate key to appear + ansible.builtin.wait_for: + path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.key" + timeout: 60 - - name: Daemon reload - ansible.builtin.shell: - cmd: systemctl daemon-reload + - name: Change certificate key permissions + ansible.builtin.file: + path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.key" + mode: "0744" - - name: Enable rproxy service - ansible.builtin.systemd: - name: "container-rproxy.service" - state: started - enabled: yes - -- name: Create CNAME dns record - community.general.ipa_dnsrecord: - ipa_user: "{{ ansible_user }}" - ipa_pass: "{{ ansible_password }}" - zone_name: "{{ ansible_facts['domain'] }}" - record_name: "{{ rproxy_service_name }}" - record_type: 'CNAME' - record_value: "{{ ansible_facts['hostname'] }}" - state: present \ No newline at end of file +- name: Restart rproxy service + ansible.builtin.systemd: + name: "container-rproxy.service" + state: restarted + enabled: yes \ No newline at end of file diff --git a/roles/rproxy/tasks/dockerrepo.yml b/roles/rproxy/tasks/dockerrepo.yml index 6e3e5d9..4e41384 100644 --- a/roles/rproxy/tasks/dockerrepo.yml +++ b/roles/rproxy/tasks/dockerrepo.yml 
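Review bot: `cmd: "echo '{{ ansible_password }}' | kinit"` places the IPA password on a shell command line, where it is visible in the process list and is recorded verbatim in Ansible's task output and any log collector, and the task has no `no_log`; the dockerrepo.yml and repo.yml hunks of this patch use the same pattern. Feed the password over stdin and suppress logging instead: `ansible.builtin.command: kinit` with `stdin: "{{ ansible_password }}"` and `no_log: true`, which also keeps a password containing `'` from breaking the quoting. `mode: "0744"` on the `.key` files makes the private key world-readable on the host; `mode: "0600"` is sufficient while the certs directory is bind-mounted into a privileged nginx container running as root (as the removed podman_container block suggests), or `0640` with the consuming group otherwise, and the same applies in the other two files. `ipa-getcert request` is also not idempotent — each rerun submits a new certmonger tracking request, which the `stop-tracking` comment hints the author already hit — so put the command under `cmd:` and add `creates: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.crt"` so it runs once.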
@@ -23,50 +23,48 @@ - name: Create certificates for image repository block: - - name: "Generate dockerrepo.key" - community.crypto.openssl_privatekey: - path: "{{ dockerrepo_dir }}/certs/dockerrepo.key" - size: "2048" - - - name: "Generate server.csr" - community.crypto.openssl_csr: - path: "{{ dockerrepo_dir }}/certs/dockerrepo.csr" - privatekey_path: "{{ dockerrepo_dir }}/certs/dockerrepo.key" - country_name: "RU" - state_or_province_name: "RU" - locality_name: "MSK" - organization_name: "{{ ansible_domain }}" - organizational_unit_name: "IT" - common_name: "{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}" - email_address: "admin@{{ ansible_domain }}" - subject_alt_name: "DNS:{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }},DNS:imagerepo.{{ ansible_facts['domain'] }},IP:{{ ansible_facts['default_ipv4']['address'] }}" - key_usage: - - digitalSignature - - nonRepudiation - - keyEncipherment - - dataEncipherment - extended_key_usage: - - serverAuth - - - name: "Generate server.crt" - community.crypto.x509_certificate: - csr_path: "{{ dockerrepo_dir }}/certs/dockerrepo.csr" - path: "{{ dockerrepo_dir }}/certs/dockerrepo.crt" - privatekey_path: "{{ dockerrepo_dir }}/certs/dockerrepo.key" - provider: ownca - ownca_create_subject_key_identifier: always_create - ownca_path: "{{ rproxy_dir }}/certs/RootCA.crt" - ownca_privatekey_path: "{{ rproxy_dir }}/certs/RootCA.key" - ownca_not_after: "+365d" - - - name: Create fullchain certificate + - name: Kinit ansible.builtin.shell: - cmd: 'cat {{ rproxy_dir }}/certs/RootCA.crt >> {{ dockerrepo_dir }}/certs/dockerrepo.crt' + cmd: "echo '{{ ansible_password }}' | kinit" + become: false + become_user: "{{ ansible_user }}" - - name: Delete csr + - name: Create SPN for HTTP + ansible.builtin.shell: + cmd: "ipa service-add HTTP/{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}" + become: false + become_user: "{{ ansible_user }}" + ignore_errors: true + + - name: Request certificate via 
ipa-getcert + ansible.builtin.command: > + ipa-getcert request + -f {{ rproxy_dir }}/certs/dockerrepo.crt + -k {{ rproxy_dir }}/certs/dockerrepo.key + -K HTTP/{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }} + -N CN={{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }} + + # sudo ipa-getcert stop-tracking -i 20250813210258 if track already exists + + - name: Wait for certificate to appear + ansible.builtin.wait_for: + path: "{{ rproxy_dir }}/certs/dockerrepo.crt" + timeout: 60 + + - name: Change certificate permissions ansible.builtin.file: - path: "{{ dockerrepo_dir }}/certs/dockerrepo.csr" - state: absent + path: "{{ rproxy_dir }}/certs/dockerrepo.crt" + mode: "0744" + + - name: Wait for certificate key to appear + ansible.builtin.wait_for: + path: "{{ rproxy_dir }}/certs/dockerrepo.key" + timeout: 60 + + - name: Change certificate key permissions + ansible.builtin.file: + path: "{{ rproxy_dir }}/certs/dockerrepo.key" + mode: "0744" - name: Start image repository block: diff --git a/roles/rproxy/tasks/repo.yml b/roles/rproxy/tasks/repo.yml index cad5fb7..bad05b2 100644 --- a/roles/rproxy/tasks/repo.yml +++ b/roles/rproxy/tasks/repo.yml 
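Review bot: The new `ipa-getcert request` drops the `DNS:imagerepo.{{ ansible_facts['domain'] }}` SAN that the removed `openssl_csr` task carried, so a certificate issued with only `-N CN=<hostname>.<domain>` will fail hostname verification for clients that reach the registry as imagerepo.<domain>; add `-D imagerepo.{{ ansible_facts['domain'] }}` (and `-D` for the host FQDN) to the request, noting that IPA will likely only honour a SAN for a name it knows as a host or service principal, so the host-add/service-add-host steps used in addconfig.yml may be needed here too. The repo.yml hunk of this patch loses `DNS:repo.<domain>` in the same way. The output paths also moved from `{{ dockerrepo_dir }}/certs/` to `{{ rproxy_dir }}/certs/dockerrepo.*`; if the registry container (outside this hunk) still mounts `{{ dockerrepo_dir }}/certs`, it will not see the new files, so confirm the mount or keep the original directory. Finally, this task and repo.yml both request certificates for the same `HTTP/<hostname>.<domain>` principal, leaving two certmonger tracking entries for one SPN; one shared certificate carrying both SANs would be simpler to track and renew.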
@@ -14,85 +14,52 @@ - name: Create https certificates for repository block: - - name: "Generate repo.key" - community.crypto.openssl_privatekey: - path: "{{ rproxy_dir }}/certs/repo.key" - size: "2048" + - name: Kinit + ansible.builtin.shell: + cmd: "echo '{{ ansible_password }}' | kinit" + become: false + become_user: "{{ ansible_user }}" - - name: "Generate server.csr" - community.crypto.openssl_csr: - path: "{{ rproxy_dir }}/certs/repo.csr" - privatekey_path: "{{ rproxy_dir }}/certs/repo.key" - country_name: "RU" - state_or_province_name: "RU" - locality_name: "MSK" - organization_name: "{{ ansible_domain }}" - organizational_unit_name: "IT" - common_name: "{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}" - email_address: "admin@{{ ansible_domain }}" - subject_alt_name: "DNS:{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }},DNS:repo.{{ ansible_facts['domain'] }},IP:{{ ansible_facts['default_ipv4']['address'] }}" - key_usage: - - digitalSignature - - nonRepudiation - - keyEncipherment - - dataEncipherment - extended_key_usage: - - serverAuth + - name: Create SPN for HTTP + ansible.builtin.shell: + cmd: "ipa service-add HTTP/{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}" + become: false + become_user: "{{ ansible_user }}" + ignore_errors: true - - name: "Generate server.crt" - community.crypto.x509_certificate: - csr_path: "{{ rproxy_dir }}/certs/repo.csr" + - name: Request certificate via ipa-getcert + ansible.builtin.command: > + ipa-getcert request + -f {{ rproxy_dir }}/certs/repo.crt + -k {{ rproxy_dir }}/certs/repo.key + -K HTTP/{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }} + -N CN={{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }} + -F {{ rproxy_dir }}/certs/RootCA.crt + + # sudo ipa-getcert stop-tracking -i 20250813210258 if track already exists + + - name: Wait for certificate to appear + ansible.builtin.wait_for: path: "{{ rproxy_dir }}/certs/repo.crt" - privatekey_path: "{{ rproxy_dir 
}}/certs/repo.key" - provider: ownca - ownca_create_subject_key_identifier: always_create - ownca_path: "{{ rproxy_dir }}/certs/RootCA.crt" - ownca_privatekey_path: "{{ rproxy_dir }}/certs/RootCA.key" - ownca_not_after: "+365d" + timeout: 60 - - name: Create fullchain certificate - ansible.builtin.shell: - cmd: 'cat {{ rproxy_dir }}/certs/RootCA.crt >> {{ rproxy_dir }}/certs/repo.crt' - - - name: Delete csr + - name: Change certificate permissions ansible.builtin.file: - path: "{{ rproxy_dir }}/certs/repo.csr" - state: absent + path: "{{ rproxy_dir }}/certs/repo.crt" + mode: "0744" -- name: Restart rproxy - block: - - name: Restart container - containers.podman.podman_container: - name: rproxy - image: "docker.io/library/nginx:{{ rproxy_version }}" - state: started - restart: true - ports: - - "443:443" - - "80:80" - - "9000:9000" - volumes: - - '{{ rproxy_dir }}/nginx.conf:/etc/nginx/nginx.conf:z,rw' - - '{{ rproxy_dir }}/sites:/etc/nginx/sites:z,rw' - - '{{ rproxy_dir }}/certs:/etc/nginx/certs:z,rw' - - '{{ repo_data_dir }}:/repo:z,rw' - - "/etc/localtime:/etc/localtime:ro" - privileged: true - security_opt: - - "label=disable" - log_driver: journald - generate_systemd: - path: /etc/systemd/system/ - restart_policy: always - stop_timeout: 120 - names: true + - name: Wait for certificate key to appear + ansible.builtin.wait_for: + path: "{{ rproxy_dir }}/certs/repo.key" + timeout: 60 - - name: Daemon reload - ansible.builtin.shell: - cmd: systemctl daemon-reload + - name: Change certificate key permissions + ansible.builtin.file: + path: "{{ rproxy_dir }}/certs/repo.key" + mode: "0744" - - name: Enable rproxy service - ansible.builtin.systemd: - name: "container-rproxy.service" - state: started - enabled: yes \ No newline at end of file +- name: Restart rproxy service + ansible.builtin.systemd: + name: "container-rproxy.service" + state: restarted + enabled: yes \ No newline at end of file 
diff --git a/roles/rproxy/tasks/rproxy.yml b/roles/rproxy/tasks/rproxy.yml index cf2884e..de2058f 100644 --- a/roles/rproxy/tasks/rproxy.yml +++ b/roles/rproxy/tasks/rproxy.yml @@ -36,16 +36,6 @@ src: files/nginx.conf dest: "{{ rproxy_dir }}/nginx.conf" - - name: Copy RootCA certificate - ansible.builtin.copy: - src: files/RootCA.crt - dest: '{{ rproxy_dir }}/certs/RootCA.crt' - - - name: Copy RootCA key - ansible.builtin.copy: - src: files/RootCA.key - dest: '{{ rproxy_dir }}/certs/RootCA.key' - - name: Install rproxy block: - name: Pull rproxy image @@ -83,12 +73,9 @@ stop_timeout: 120 names: true - - name: Daemon reload - ansible.builtin.shell: - cmd: systemctl daemon-reload - - name: Enable rproxy service ansible.builtin.systemd: name: "container-rproxy.service" state: started - enabled: yes \ No newline at end of file + enabled: yes + daemon_reload: yes \ No newline at end of file diff --git a/roles/rproxy/vars/main.yml b/roles/rproxy/vars/main.yml index d98cc9c..a189b12 100644 --- a/roles/rproxy/vars/main.yml +++ b/roles/rproxy/vars/main.yml @@ -1,6 +1,6 @@ ansible_python_interpreter: /usr/bin/python3 rproxy_dir: /opt/rproxy -rproxy_version: latest +rproxy_version: 1.29.0 data_dir: /opt/data repo_data_dir: /opt/data/repo dockerrepo_dir: /opt/dockerrepo -- 2.49.1 From eae462797ca944d4ef7df80cd224f99af3e2114c Mon Sep 17 00:00:00 2001 From: Pavlov Makar Date: Thu, 14 Aug 2025 23:54:13 +0300 Subject: [PATCH 2/7] Fix SPN name request --- roles/rproxy/tasks/addconfig.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/rproxy/tasks/addconfig.yml b/roles/rproxy/tasks/addconfig.yml index ff44901..a441f3b 100644 --- a/roles/rproxy/tasks/addconfig.yml +++ b/roles/rproxy/tasks/addconfig.yml 
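Review bot: Removing the `Copy RootCA key` task does not remove `{{ rproxy_dir }}/certs/RootCA.key` from hosts provisioned by earlier runs, and that directory is bind-mounted into the nginx container (`{{ rproxy_dir }}/certs:/etc/nginx/certs` in the podman_container blocks removed elsewhere in this patch), so the old CA private key stays exposed there until someone deletes it by hand. Add an explicit cleanup next to the config copy: an `ansible.builtin.file` task with `path: "{{ rproxy_dir }}/certs/RootCA.key"` and `state: absent`, and the same for the now-unused `RootCA.crt` if nothing else consumes it. The enclosing task list continues outside the hunk.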
@@ -26,7 +26,7 @@ - name: Create SPN for HTTP ansible.builtin.shell: - cmd: "ipa service-add HTTP/{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }} --skip-host-check" + cmd: "ipa service-add HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }} --skip-host-check" become: false become_user: "{{ ansible_user }}" ignore_errors: true -- 2.49.1 From f4717d9d695bf0666636777eb6d13fcb491e7795 Mon Sep 17 00:00:00 2001 From: Pavlov Makar Date: Fri, 15 Aug 2025 00:03:23 +0300 Subject: [PATCH 3/7] Add fake host creation for certificate create --- roles/rproxy/tasks/addconfig.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/roles/rproxy/tasks/addconfig.yml b/roles/rproxy/tasks/addconfig.yml index a441f3b..086ca43 100644 --- a/roles/rproxy/tasks/addconfig.yml +++ b/roles/rproxy/tasks/addconfig.yml @@ -24,9 +24,15 @@ become: false become_user: "{{ ansible_user }}" + - name: Create fake host for certificate + ansible.builtin.shell: + cmd: "ipa host-add {{ rproxy_service_name }}.{{ ansible_facts['domain'] }} --force --desc=\"Fake host for SPN\"" + become: false + become_user: "{{ ansible_user }}" + - name: Create SPN for HTTP ansible.builtin.shell: - cmd: "ipa service-add HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }} --skip-host-check" + cmd: "ipa service-add HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }} --skip-host-check --force" become: false become_user: "{{ ansible_user }}" ignore_errors: true -- 2.49.1 From d7919a4a45e8abf268059c097f726247e1e6c3fc Mon Sep 17 00:00:00 2001 From: Pavlov Makar Date: Fri, 15 Aug 2025 00:09:06 +0300 Subject: [PATCH 4/7] Allow rproxy generate certificates for proxy host --- roles/rproxy/tasks/addconfig.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/rproxy/tasks/addconfig.yml b/roles/rproxy/tasks/addconfig.yml index 086ca43..9539903 100644 --- a/roles/rproxy/tasks/addconfig.yml +++ b/roles/rproxy/tasks/addconfig.yml 
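Review bot: `ipa host-add … --force` via `ansible.builtin.shell` is not idempotent, and once patch 5 adds `ignore_errors: true` to it (patches 4 and 7 do the same for `ipa service-add-host`), every failure — an expired ticket, a permission denied, a typo in the principal — is silently accepted and only surfaces later as an opaque `ipa-getcert` wait timeout. The role already uses `community.general.ipa_dnsrecord` with `ipa_user`/`ipa_pass`; its siblings `community.general.ipa_host` (with `force: true`) and `community.general.ipa_service` (with `krbcanonicalname`, `hosts`, `force`, `skip_host_check`) give the same result idempotently, report real errors, and remove the need for the preceding `kinit` step that echoes the password on a command line. The block these tasks sit in starts outside the hunk.
```yaml
# … unchanged: Kinit task (no longer needed once the ipa_* modules are used) …
- name: Create host entry for the service alias
  community.general.ipa_host:
    ipa_user: "{{ ansible_user }}"
    ipa_pass: "{{ ansible_password }}"
    fqdn: "{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}"
    description: "Fake host for SPN"
    force: true
    state: present

- name: Create HTTP service principal managed by this host
  community.general.ipa_service:
    ipa_user: "{{ ansible_user }}"
    ipa_pass: "{{ ansible_password }}"
    krbcanonicalname: "HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}"
    hosts:
      - "{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}"
    force: true
    skip_host_check: true
    state: present
# … unchanged: Request certificate via ipa-getcert …
```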
@@ -37,6 +37,12 @@ become_user: "{{ ansible_user }}" ignore_errors: true + - name: "Allow {{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }} to get certificates for HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }} SPN " + ansible.builtin.shell: + cmd: "ipa service-add-host --hosts={{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }} HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}" + become: false + become_user: "{{ ansible_user }}" + - name: Request certificate via ipa-getcert ansible.builtin.command: > ipa-getcert request -- 2.49.1 From d9ec47518432266d267ddaf6131c253ed676403e Mon Sep 17 00:00:00 2001 From: Pavlov Makar Date: Fri, 15 Aug 2025 00:11:47 +0300 Subject: [PATCH 5/7] Ignore if fake host already exists --- roles/rproxy/tasks/addconfig.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/rproxy/tasks/addconfig.yml b/roles/rproxy/tasks/addconfig.yml index 9539903..7c23544 100644 --- a/roles/rproxy/tasks/addconfig.yml +++ b/roles/rproxy/tasks/addconfig.yml @@ -29,6 +29,7 @@ cmd: "ipa host-add {{ rproxy_service_name }}.{{ ansible_facts['domain'] }} --force --desc=\"Fake host for SPN\"" become: false become_user: "{{ ansible_user }}" + ignore_errors: true - name: Create SPN for HTTP ansible.builtin.shell: -- 2.49.1 From a738ee71a870bf2287e931c40d5f2f3f28dab358 Mon Sep 17 00:00:00 2001 From: Pavlov Makar Date: Fri, 15 Aug 2025 00:13:45 +0300 Subject: [PATCH 6/7] Fix certs name for service --- roles/rproxy/templates/server.conf.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/rproxy/templates/server.conf.j2 b/roles/rproxy/templates/server.conf.j2 index bc3603b..4cf04ff 100644 --- a/roles/rproxy/templates/server.conf.j2 +++ b/roles/rproxy/templates/server.conf.j2 
@@ -15,8 +15,8 @@ server { server_name {{ rproxy_service_name }}.{{ ansible_domain }}; access_log /var/log/nginx/{{ rproxy_service_name }}.access.log; error_log /var/log/nginx/{{ rproxy_service_name }}.error.log; - ssl_certificate /etc/nginx/certs/{{ rproxy_service_name }}.crt; - ssl_certificate_key /etc/nginx/certs/{{ rproxy_service_name }}.key; + ssl_certificate /etc/nginx/certs/{{ rproxy_service_name }}.{{ ansible_domain }}.crt; + ssl_certificate_key /etc/nginx/certs/{{ rproxy_service_name }}.{{ ansible_domain }}.key; ssl_protocols TLSv1.2; ssl_ciphers EECDH:+AES256:-3DES:!RSA+AES:!RSA+3DES:!NULL:!RC4; ssl_prefer_server_ciphers on; -- 2.49.1 From de3484c82622c788005acf408141df15c52b1a49 Mon Sep 17 00:00:00 2001 From: Pavlov Makar Date: Fri, 15 Aug 2025 00:15:32 +0300 Subject: [PATCH 7/7] Ignore if rproxy already allow to fetch certificates --- roles/rproxy/tasks/addconfig.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/rproxy/tasks/addconfig.yml b/roles/rproxy/tasks/addconfig.yml index 7c23544..2de19ea 100644 --- a/roles/rproxy/tasks/addconfig.yml +++ b/roles/rproxy/tasks/addconfig.yml @@ -43,6 +43,7 @@ cmd: "ipa service-add-host --hosts={{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }} HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}" become: false become_user: "{{ ansible_user }}" + ignore_errors: true - name: Request certificate via ipa-getcert ansible.builtin.command: > -- 2.49.1