| author | Matthew Fennell <matthew@fennell.dev> | 2024-05-15 23:09:01 +0100 |
|---|---|---|
| committer | Matthew Fennell <matthew@fennell.dev> | 2024-05-15 23:09:01 +0100 |
| commit | 850275469f7da1a9829edfe45bd40b40d3cc6a02 (patch) | |
| tree | 3bb141331c0d5681325a272fc4be6625063e79ee | |
| parent | de867dadbcc3c69d97acf96bf3e86d11295eea39 (diff) | |
Delegate certificate management to acme project
Although this playbook originally installed certificates to the server, this
turned out to be a bad idea, because the playbook could in some circumstances
(if the acme project had already renewed the certs) have installed a different
certificate to the remote server.
By delegating responsibility to the acme server fully, this should prevent any
such issues, as well as potential DANE misconfigurations.
| -rw-r--r-- | README.md | 8 |
| -rw-r--r-- | playbook.yaml | 22 |
2 files changed, 9 insertions, 21 deletions
@@ -105,6 +105,14 @@ make staging make prod ``` +## External tools + +Certificates are generally managed by the `acme` project. In particular, +although this playbook does set the DANE hash based on the certificates found +on the `acme` server, it does not directly install any itself. This is to +prevent the playbook from overwriting already-renewed certifictes, that the +playbook is not aware of. + ## Git hooks We provide sample git hooks in the `hooks` directory. To use these, ensure the diff --git a/playbook.yaml b/playbook.yaml index 5de4fea..06ebc59 100644 --- a/playbook.yaml +++ b/playbook.yaml @@ -59,7 +59,7 @@ -binary | hexdump -ve '/1 "%02x"' register: dane_hash changed_when: false - delegate_to: localhost + delegate_to: "{{ cert_host }}" # We allow status code 400 here as this is returned by deSEC if the domain # already exists. Ideally, we should filter out genuinely good/bad requests @@ -377,26 +377,6 @@ state: absent become: true - - name: Ensure prosody key is installed - ansible.builtin.copy: - src: "~/.lego/certificates/{{ virtual_host }}.key" - dest: "/etc/prosody/certs" - mode: "0640" - owner: root - group: prosody - become: true - notify: Restart prosody - - - name: Ensure prosody certificate is installed - ansible.builtin.copy: - src: "~/.lego/certificates/{{ virtual_host }}.crt" - dest: "/etc/prosody/certs" - mode: "0640" - owner: root - group: prosody - become: true - notify: Restart prosody - - name: Ensure prosody users are registered ansible.builtin.expect: command: "prosodyctl adduser {{ item.name }}@{{ virtual_host }}" |
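Review bot: the new "External tools" paragraph in the README hunk has a typo ("certifictes" should be "certificates") and a stray comma ("already-renewed certificates, that the playbook is not aware of" reads better as "already-renewed certificates that the playbook is not aware of"). Since the playbook.yaml hunk below introduces a `cert_host` variable to name the `acme` server, this section is also the natural place to document that variable and where the playbook expects the certificate to live on that host, so the DANE hash task can be reproduced by a reader.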
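Review bot: in the `dane_hash` hunk, `delegate_to` changes from `localhost` to `"{{ cert_host }}"`, but nothing in the diff defines `cert_host` or gives it a default, so a run without it will fail at delegation time with an undefined-variable error rather than a clear message; consider an `ansible.builtin.assert` on `cert_host is defined` early in the play. The hashing pipeline (`... -binary | hexdump -ve '/1 "%02x"'`) now executes on `cert_host`, so the certificate path it reads and the tools it pipes through (`hexdump` at least) must be present on that host rather than on the controller, and that requirement is worth stating in the README alongside the new "External tools" section.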
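Review bot: the second playbook.yaml hunk removes the two `ansible.builtin.copy` tasks that placed `{{ virtual_host }}.key` and `{{ virtual_host }}.crt` into `/etc/prosody/certs` and notified `Restart prosody`, but the diff adds nothing that guarantees the prosody host holds the same certificate the DANE hash is now computed from on `cert_host`. If the `acme` project deploys on a different schedule, the published TLSA record and the certificate prosody actually serves can diverge, which is exactly the mismatch the commit message aims to avoid; a pre-flight check that the fingerprint of the certificate on the prosody host equals the `dane_hash` just registered (failing the play on mismatch) would close that gap. Also confirm that `Restart prosody` still has a notifier after this removal, otherwise the handler is dead code.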