From 8db300909d8f79a69d80e83517f2b660a790b5f9 Mon Sep 17 00:00:00 2001
From: Mstiekema
Date: Mon, 4 Apr 2022 21:49:30 +0200
Subject: [PATCH 1/4] Updated certbot for wildcard cert
---
ansible/roles/certbot/tasks/main.yml | 33 +++++++++----------
.../certbot/templates/certbot-creds.ini.j2 | 3 ++
2 files changed, 19 insertions(+), 17 deletions(-)
create mode 100644 ansible/roles/certbot/templates/certbot-creds.ini.j2
diff --git a/ansible/roles/certbot/tasks/main.yml b/ansible/roles/certbot/tasks/main.yml
index 23520e88f..cf48585d3 100644
--- a/ansible/roles/certbot/tasks/main.yml
+++ b/ansible/roles/certbot/tasks/main.yml
@@ -1,8 +1,10 @@
 ---
-- name: "install certbot"
+- name: "install certbot and digital ocean plugin"
 apt:
- name: "certbot"
+ name:
+ - "certbot"
+ - "python3-certbot-dns-digitalocean"
 state: "latest"
 # This directory will be used to validate all websites that need a certificate
@@ -39,8 +41,14 @@
 - "certbot.timer.d/override.conf"
 notify: "systemctl daemon-reload"
-- name: "make sure nginx is reloaded if needed"
- meta: "flush_handlers"
+- name: "place digital ocean credentials file"
+ template:
+ src: "certbot-creds.ini.j2"
+ dest: "/etc/letsencrypt/certbot-creds.ini"
+ mode: "600"
+
+# To make sure nginx is reloaded if needed
+- meta: "flush_handlers"
 - name: "request certificates"
 # --non-interactive makes sure command never waits for user input
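Review bot: The new `template` task for `/etc/letsencrypt/certbot-creds.ini` restricts the mode but pins no owner or group, so the file holding the DigitalOcean API token belongs to whichever account the play connects or escalates as; add `owner: "root"` and `group: "root"` beside the mode, and write the mode as `mode: "0600"` so it reads unambiguously as octal. Because the rendered content is a live API token, `diff: false` on this task keeps a `--diff` run from printing the token into the play log. The token file is consumed by the `request certificates` command task, whose option lines continue in the next hunk.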
@@ -58,22 +66,13 @@
 --agree-tos
 --email "domreg@svsticky.nl"
 --keep-until-expiring
- --cert-name {{ item.name }}
- --webroot
- --webroot-path /var/www/acme-challenges
- --domain {{ item.name }}
- {% if 'staging' not in group_names %}
- {% for hostname in item.alternative_names %}
- --domain {{ hostname }}
- {% endfor %}
- {% endif %}
+ --cert-name {{ canonical_hostname }}
+ --dns-digitalocean
+ --dns-digitalocean-credentials /etc/letsencrypt/certbot-creds.ini
+ -d "*.{{ canonical_hostname }}"
 --deploy-hook "systemctl reload nginx"
- with_items: "{{ websites }}"
 register: "certbot_output"
 changed_when: "'no action taken' not in certbot_output.stdout"
- when: item.state == "present"
- loop_control:
- label: "{{ item.name }}"
 - name: "ensure certbot timer is started"
 service:
diff --git a/ansible/roles/certbot/templates/certbot-creds.ini.j2 b/ansible/roles/certbot/templates/certbot-creds.ini.j2
new file mode 100644
index 000000000..cfd95f05b
--- /dev/null
+++ b/ansible/roles/certbot/templates/certbot-creds.ini.j2
@@ -0,0 +1,3 @@
+# {{ ansible_managed }}
+
+dns_digitalocean_token = {{ vault_secret_digital_ocean.dns_token }}
From a1e91dcd86c119607d7a4d72792f3ed87b7e186e Mon Sep 17 00:00:00 2001
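Review bot: Moving `--cert-name` to `{{ canonical_hostname }}` leaves the per-site lineages previously issued under `--cert-name {{ item.name }}` on the hosts, and the certbot timer started by the next task will presumably keep renewing them with the webroot authenticator they were created with, whose `/var/www/acme-challenges` directory is no longer exercised by this task; either remove those lineages or expect renewal failures for them, and say which in a comment above the task. The `when: item.state == "present"` and `'staging' not in group_names` guards disappear together with the loop, so the task now runs unconditionally on staging hosts too — likely intended, but a one-line comment stating that staging requests a wildcard for its own canonical_hostname would make that explicit. The command's first lines, including `--non-interactive`, lie above this hunk.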
From: Mstiekema
Date: Mon, 4 Apr 2022 22:07:40 +0200
Subject: [PATCH 2/4] Moved all certs to wildcard cert
---
ansible/roles/aas/templates/aas.conf.j2 | 6 +++---
.../roles/digidecs/templates/digidecs.conf.j2 | 6 +++---
.../templates/doorgeefluik.conf.j2 | 6 +++---
ansible/roles/execut/templates/nginx.conf.j2 | 18 +++++++++---------
.../files_website/templates/files.conf.j2 | 6 +++---
ansible/roles/freight/templates/nginx.conf.j2 | 6 +++---
ansible/roles/koala/templates/nginx.conf.j2 | 6 +++---
.../roles/mongoose/templates/mongoose.conf.j2 | 6 +++---
.../roles/monitoring/templates/metrics.conf.j2 | 6 +++---
.../roles/outline/templates/outline.conf.j2 | 6 +++---
ansible/roles/pretix/templates/pretix.conf.j2 | 6 +++---
.../public_files/templates/public.conf.j2 | 6 +++---
ansible/roles/radio/templates/radio.conf.j2 | 6 +++---
.../roles/websites/templates/dgdarc.conf.j2 | 6 +++---
.../roles/websites/templates/intro-cs.conf.j2 | 6 +++---
.../roles/websites/templates/savadaba.conf.j2 | 6 +++---
.../roles/websites/templates/website.conf.j2 | 6 +++---
.../websites/templates/wintersport.conf.j2 | 6 +++---
18 files changed, 60 insertions(+), 60 deletions(-)
diff --git a/ansible/roles/aas/templates/aas.conf.j2 b/ansible/roles/aas/templates/aas.conf.j2
index 6ac27dcd4..a72d57223 100644
--- a/ansible/roles/aas/templates/aas.conf.j2
+++ b/ansible/roles/aas/templates/aas.conf.j2
@@ -10,9 +10,9 @@ server {
 server_name ~^(aas|webhooks)\.{{ canonical_hostname | regex_escape() }};
- ssl_certificate /etc/letsencrypt/live/aas.{{ canonical_hostname }}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/aas.{{ canonical_hostname }}/privkey.pem;
- ssl_trusted_certificate /etc/letsencrypt/live/aas.{{ canonical_hostname}}/chain.pem;
+ ssl_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ canonical_hostname }}/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/{{ canonical_hostname}}/chain.pem;
 include includes/security-headers.conf;
diff --git a/ansible/roles/digidecs/templates/digidecs.conf.j2 b/ansible/roles/digidecs/templates/digidecs.conf.j2
index 503ad7cc4..30c8f87a0 100644
--- a/ansible/roles/digidecs/templates/digidecs.conf.j2
+++ b/ansible/roles/digidecs/templates/digidecs.conf.j2
@@ -9,9 +9,9 @@ server {
 declaraties.{{ canonical_hostname }} declareren.{{ canonical_hostname }};
- ssl_certificate /etc/letsencrypt/live/digidecs.{{ canonical_hostname }}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/digidecs.{{ canonical_hostname }}/privkey.pem;
- ssl_trusted_certificate /etc/letsencrypt/live/digidecs.{{ canonical_hostname }}/chain.pem;
+ ssl_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ canonical_hostname }}/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/chain.pem;
 root /var/www/commit/digidecs.{{ canonical_hostname }};
diff --git a/ansible/roles/doorgeefluik/templates/doorgeefluik.conf.j2 b/ansible/roles/doorgeefluik/templates/doorgeefluik.conf.j2
index 9c44bcaf0..eb25fd63f 100644
--- a/ansible/roles/doorgeefluik/templates/doorgeefluik.conf.j2
+++ b/ansible/roles/doorgeefluik/templates/doorgeefluik.conf.j2
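Review bot: The rewritten `ssl_trusted_certificate` line in aas.conf.j2 carries over the `{{ canonical_hostname}}` spacing from the line it replaces, while the two new lines above it use `{{ canonical_hostname }}`; Jinja accepts both, but since the line is being rewritten anyway it should read `ssl_trusted_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/chain.pem;`. The same spacing is carried into the metrics.conf.j2 hunk further down. The enclosing server block opens and closes outside this hunk.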
@@ -5,9 +5,9 @@ server {
 listen [::]:443 ssl http2;
 server_name doorgeefluik.{{ canonical_hostname }};
- ssl_certificate /etc/letsencrypt/live/doorgeefluik.{{ canonical_hostname }}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/doorgeefluik.{{ canonical_hostname }}/privkey.pem;
- ssl_trusted_certificate /etc/letsencrypt/live/doorgeefluik.{{ canonical_hostname }}/chain.pem;
+ ssl_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ canonical_hostname }}/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/chain.pem;
 include includes/block-cert-validation-path.conf;
 add_header Referrer-Policy same-origin;
diff --git a/ansible/roles/execut/templates/nginx.conf.j2 b/ansible/roles/execut/templates/nginx.conf.j2
index 32700ef34..e2a603c53 100644
--- a/ansible/roles/execut/templates/nginx.conf.j2
+++ b/ansible/roles/execut/templates/nginx.conf.j2
@@ -4,9 +4,9 @@ server {
 listen [::]:443 ssl http2;
 server_name execut-2021.{{ canonical_hostname }} execut-2022.{{ canonical_hostname }} www.execut.nl execute.nl www.execute.nl;
- ssl_certificate /etc/letsencrypt/live/execut-2021.{{ canonical_hostname }}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/execut-2021.{{ canonical_hostname }}/privkey.pem;
- ssl_trusted_certificate /etc/letsencrypt/live/execut-2021.{{ canonical_hostname }}/chain.pem;
+ ssl_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ canonical_hostname }}/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/chain.pem;
 include includes/block-cert-validation-path.conf;
 add_header Referrer-Policy same-origin;
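Review bot: In the execut nginx.conf.j2 hunk the `server_name` also lists `www.execut.nl`, `execute.nl` and `www.execute.nl`, yet the new `ssl_certificate` lines point at the `{{ canonical_hostname }}` lineage, which the certbot task in this series requests for `*.{{ canonical_hostname }}` only; clients connecting under those external names will be shown a certificate whose SANs do not cover them. The same mismatch is in the `execut.nl 2021.execut.nl 2022.execut.nl` block in the next hunk, in `tickets.execut.nl` in pretix.conf.j2, in the `dgdarc\.(com|nl)` regex in dgdarc.conf.j2, in `www.intro-cs.nl` in intro-cs.conf.j2 and `savadaba.nl` in savadaba.conf.j2, and in any alternative hostname looped into website.conf.j2. Either those names must be SANs of the wildcard lineage, or these blocks should reference a lineage issued for that domain (the last commit in the series issues `--cert-name execut.nl` and the like, but no template here is switched to `/etc/letsencrypt/live/execut.nl/`), with external and canonical-hostname names split into separate server blocks where one block currently mixes them. The enclosing server block begins above this hunk.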
@@ -31,9 +31,9 @@ server {
 listen [::]:443 ssl http2;
 server_name execut.nl 2021.execut.nl 2022.execut.nl;
- ssl_certificate /etc/letsencrypt/live/execut-2021.{{ canonical_hostname }}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/execut-2021.{{ canonical_hostname }}/privkey.pem;
- ssl_trusted_certificate /etc/letsencrypt/live/execut-2021.{{ canonical_hostname }}/chain.pem;
+ ssl_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ canonical_hostname }}/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/chain.pem;
 include includes/block-cert-validation-path.conf;
 add_header Referrer-Policy same-origin;
@@ -64,9 +64,9 @@ server {
 listen [::]:443 ssl http2;
 server_name execut.dev.svsticky.nl;
- ssl_certificate /etc/letsencrypt/live/execut.{{ canonical_hostname }}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/execut.{{ canonical_hostname }}/privkey.pem;
- ssl_trusted_certificate /etc/letsencrypt/live/execut.{{ canonical_hostname }}/chain.pem;
+ ssl_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ canonical_hostname }}/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/chain.pem;
 include includes/block-cert-validation-path.conf;
 add_header Referrer-Policy same-origin;
diff --git a/ansible/roles/files_website/templates/files.conf.j2 b/ansible/roles/files_website/templates/files.conf.j2
index dba9f3b46..b4ac8d44a 100644
--- a/ansible/roles/files_website/templates/files.conf.j2
+++ b/ansible/roles/files_website/templates/files.conf.j2
@@ -6,9 +6,9 @@ server {
 server_name files.{{ canonical_hostname }};
- ssl_certificate /etc/letsencrypt/live/files.{{ canonical_hostname }}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/files.{{ canonical_hostname }}/privkey.pem;
- ssl_trusted_certificate /etc/letsencrypt/live/files.{{ canonical_hostname }}/chain.pem;
+ ssl_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ canonical_hostname }}/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/chain.pem;
 include includes/security-headers.conf;
diff --git a/ansible/roles/freight/templates/nginx.conf.j2 b/ansible/roles/freight/templates/nginx.conf.j2
index 38c33dd57..4e8b5181b 100644
--- a/ansible/roles/freight/templates/nginx.conf.j2
+++ b/ansible/roles/freight/templates/nginx.conf.j2
@@ -7,9 +7,9 @@ server {
 server_name packages.{{ canonical_hostname }};
- ssl_certificate /etc/letsencrypt/live/packages.{{ canonical_hostname }}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/packages.{{ canonical_hostname }}/privkey.pem;
- ssl_trusted_certificate /etc/letsencrypt/live/packages.{{ canonical_hostname }}/chain.pem;
+ ssl_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ canonical_hostname }}/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/chain.pem;
 root /var/lib/freight/var/cache;
diff --git a/ansible/roles/koala/templates/nginx.conf.j2 b/ansible/roles/koala/templates/nginx.conf.j2
index e71a9efbb..419491b83 100644
--- a/ansible/roles/koala/templates/nginx.conf.j2
+++ b/ansible/roles/koala/templates/nginx.conf.j2
@@ -9,9 +9,9 @@ server {
 listen [::]:443 ssl http2;
 server_name ~^(koala|leden|intro|members)\.{{ canonical_hostname }};
- ssl_certificate /etc/letsencrypt/live/koala.{{ canonical_hostname }}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/koala.{{ canonical_hostname }}/privkey.pem;
- ssl_trusted_certificate /etc/letsencrypt/live/koala.{{ canonical_hostname }}/chain.pem;
+ ssl_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ canonical_hostname }}/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/chain.pem;
 # Security headers already enforced in Rails
 include includes/block-cert-validation-path.conf;
diff --git a/ansible/roles/mongoose/templates/mongoose.conf.j2 b/ansible/roles/mongoose/templates/mongoose.conf.j2
index e447ab283..789782a6b 100644
--- a/ansible/roles/mongoose/templates/mongoose.conf.j2
+++ b/ansible/roles/mongoose/templates/mongoose.conf.j2
@@ -5,9 +5,9 @@ server {
 listen [::]:443 ssl http2;
 server_name mongoose.{{ canonical_hostname }};
- ssl_certificate /etc/letsencrypt/live/mongoose.{{ canonical_hostname }}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/mongoose.{{ canonical_hostname }}/privkey.pem;
- ssl_trusted_certificate /etc/letsencrypt/live/mongoose.{{ canonical_hostname }}/chain.pem;
+ ssl_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ canonical_hostname }}/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/chain.pem;
 include includes/block-cert-validation-path.conf;
 add_header Referrer-Policy same-origin;
diff --git a/ansible/roles/monitoring/templates/metrics.conf.j2 b/ansible/roles/monitoring/templates/metrics.conf.j2
index e6778e16c..fbeb143ef 100644
--- a/ansible/roles/monitoring/templates/metrics.conf.j2
+++ b/ansible/roles/monitoring/templates/metrics.conf.j2
@@ -11,9 +11,9 @@ server {
 server_name ~^(metrics|status)\.{{ canonical_hostname }};
- ssl_certificate /etc/letsencrypt/live/metrics.{{ canonical_hostname }}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/metrics.{{ canonical_hostname }}/privkey.pem;
- ssl_trusted_certificate /etc/letsencrypt/live/metrics.{{ canonical_hostname}}/chain.pem;
+ ssl_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ canonical_hostname }}/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/{{ canonical_hostname}}/chain.pem;
 include includes/security-headers.conf;
diff --git a/ansible/roles/outline/templates/outline.conf.j2 b/ansible/roles/outline/templates/outline.conf.j2
index d06a6b2a4..7b8da26df 100644
--- a/ansible/roles/outline/templates/outline.conf.j2
+++ b/ansible/roles/outline/templates/outline.conf.j2
@@ -3,9 +3,9 @@ server {
 listen [::]:443 ssl http2;
 server_name ~^(compendium|stickypedia|wiki)\.{{ canonical_hostname }};
- ssl_certificate /etc/letsencrypt/live/compendium.{{ canonical_hostname }}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/compendium.{{ canonical_hostname }}/privkey.pem;
- ssl_trusted_certificate /etc/letsencrypt/live/compendium.{{ canonical_hostname }}/chain.pem;
+ ssl_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ canonical_hostname }}/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/chain.pem;
 location / {
 proxy_pass http://localhost:4568/;
diff --git a/ansible/roles/pretix/templates/pretix.conf.j2 b/ansible/roles/pretix/templates/pretix.conf.j2
index fd918c127..71645be20 100644
--- a/ansible/roles/pretix/templates/pretix.conf.j2
+++ b/ansible/roles/pretix/templates/pretix.conf.j2
@@ -5,9 +5,9 @@ server {
 listen [::]:443 ssl http2;
 server_name ~^(pretix|tickets)\.{{ canonical_hostname }} tickets.execut.nl;
- ssl_certificate /etc/letsencrypt/live/pretix.{{ canonical_hostname }}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/pretix.{{ canonical_hostname }}/privkey.pem;
- ssl_trusted_certificate /etc/letsencrypt/live/pretix.{{ canonical_hostname }}/chain.pem;
+ ssl_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ canonical_hostname }}/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/chain.pem;
 include includes/block-cert-validation-path.conf;
 add_header Referrer-Policy same-origin;
diff --git a/ansible/roles/public_files/templates/public.conf.j2 b/ansible/roles/public_files/templates/public.conf.j2
index 2ab72a7bf..d246c12d9 100644
--- a/ansible/roles/public_files/templates/public.conf.j2
+++ b/ansible/roles/public_files/templates/public.conf.j2
@@ -6,9 +6,9 @@ server {
 server_name public.{{ canonical_hostname }};
- ssl_certificate /etc/letsencrypt/live/public.{{ canonical_hostname }}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/public.{{ canonical_hostname }}/privkey.pem;
- ssl_trusted_certificate /etc/letsencrypt/live/public.{{ canonical_hostname }}/chain.pem;
+ ssl_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ canonical_hostname }}/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/chain.pem;
 include includes/security-headers.conf;
diff --git a/ansible/roles/radio/templates/radio.conf.j2 b/ansible/roles/radio/templates/radio.conf.j2
index b68c12809..8336612c7 100644
--- a/ansible/roles/radio/templates/radio.conf.j2
+++ b/ansible/roles/radio/templates/radio.conf.j2
@@ -7,9 +7,9 @@ server {
 server_name radio.{{ canonical_hostname }};
- ssl_certificate /etc/letsencrypt/live/radio.{{ canonical_hostname }}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/radio.{{ canonical_hostname }}/privkey.pem;
- ssl_trusted_certificate /etc/letsencrypt/live/radio.{{ canonical_hostname }}/chain.pem;
+ ssl_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ canonical_hostname }}/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/chain.pem;
 root /var/www/radio/radio.{{ canonical_hostname }};
diff --git a/ansible/roles/websites/templates/dgdarc.conf.j2 b/ansible/roles/websites/templates/dgdarc.conf.j2
index 7a4fbe2a3..9615f3215 100644
--- a/ansible/roles/websites/templates/dgdarc.conf.j2
+++ b/ansible/roles/websites/templates/dgdarc.conf.j2
@@ -6,9 +6,9 @@ server {
 server_name dgdarc.{{ canonical_hostname }} ~^(www\.)?dgdarc\.(com|nl)$;
- ssl_certificate /etc/letsencrypt/live/dgdarc.{{ canonical_hostname }}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/dgdarc.{{ canonical_hostname }}/privkey.pem;
- ssl_trusted_certificate /etc/letsencrypt/live/dgdarc.{{ canonical_hostname }}/chain.pem;
+ ssl_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ canonical_hostname }}/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/chain.pem;
 include includes/security-headers.conf;
diff --git a/ansible/roles/websites/templates/intro-cs.conf.j2 b/ansible/roles/websites/templates/intro-cs.conf.j2
index 1bcc2f1d9..5b51361f9 100644
--- a/ansible/roles/websites/templates/intro-cs.conf.j2
+++ b/ansible/roles/websites/templates/intro-cs.conf.j2
@@ -9,9 +9,9 @@ server {
 www.intro-cs.nl intro-cs.{{ canonical_hostname }};
- ssl_certificate /etc/letsencrypt/live/intro-cs.{{ canonical_hostname }}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/intro-cs.{{ canonical_hostname }}/privkey.pem;
- ssl_trusted_certificate /etc/letsencrypt/live/intro-cs.{{ canonical_hostname }}/chain.pem;
+ ssl_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ canonical_hostname }}/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/chain.pem;
 root /var/www/commit/intro-cs.{{ canonical_hostname }};
diff --git a/ansible/roles/websites/templates/savadaba.conf.j2 b/ansible/roles/websites/templates/savadaba.conf.j2
index 606a8613a..5afa425ff 100644
--- a/ansible/roles/websites/templates/savadaba.conf.j2
+++ b/ansible/roles/websites/templates/savadaba.conf.j2
@@ -6,9 +6,9 @@ server {
 server_name ~^((www\.)?savadaba.nl|savadaba.{{ canonical_hostname }});
- ssl_certificate /etc/letsencrypt/live/savadaba.{{ canonical_hostname }}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/savadaba.{{ canonical_hostname }}/privkey.pem;
- ssl_trusted_certificate /etc/letsencrypt/live/savadaba.{{ canonical_hostname }}/chain.pem;
+ ssl_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ canonical_hostname }}/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/chain.pem;
 include includes/security-headers.conf;
diff --git a/ansible/roles/websites/templates/website.conf.j2 b/ansible/roles/websites/templates/website.conf.j2
index c3f600980..d15465037 100644
--- a/ansible/roles/websites/templates/website.conf.j2
+++ b/ansible/roles/websites/templates/website.conf.j2
@@ -9,9 +9,9 @@ server {
 {{ hostname }}{% endfor %};
- ssl_certificate /etc/letsencrypt/live/{{ item.name }}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/{{ item.name }}/privkey.pem;
- ssl_trusted_certificate /etc/letsencrypt/live/{{ item.name }}/chain.pem;
+ ssl_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ canonical_hostname }}/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/chain.pem;
 root /var/www/{% if item.user is defined %}{{ item.user }}/{% endif %}{{ item.name }};
diff --git a/ansible/roles/websites/templates/wintersport.conf.j2 b/ansible/roles/websites/templates/wintersport.conf.j2
index f6c33ce86..69f76c0cb 100644
--- a/ansible/roles/websites/templates/wintersport.conf.j2
+++ b/ansible/roles/websites/templates/wintersport.conf.j2
@@ -6,9 +6,9 @@ server {
 server_name wintersport.{{ canonical_hostname }};
- ssl_certificate /etc/letsencrypt/live/wintersport.{{ canonical_hostname }}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/wintersport.{{ canonical_hostname }}/privkey.pem;
- ssl_trusted_certificate /etc/letsencrypt/live/wintersport.{{ canonical_hostname }}/chain.pem;
+ ssl_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ canonical_hostname }}/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/chain.pem;
 include includes/security-headers.conf;
From 797a41a63139c9f238088d5a5d881e39d150a9c9 Mon Sep 17 00:00:00 2001
From: Mstiekema
Date: Wed, 6 Apr 2022 09:10:09 +0200
Subject: [PATCH 3/4] Hostname also gets the wildcard cert now
---
ansible/roles/certbot/tasks/main.yml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ansible/roles/certbot/tasks/main.yml b/ansible/roles/certbot/tasks/main.yml
index cf48585d3..ec06247f6 100644
--- a/ansible/roles/certbot/tasks/main.yml
+++ b/ansible/roles/certbot/tasks/main.yml
@@ -69,7 +69,8 @@
 --cert-name {{ canonical_hostname }}
 --dns-digitalocean
 --dns-digitalocean-credentials /etc/letsencrypt/certbot-creds.ini
- -d "*.{{ canonical_hostname }}"
+ --domain "*.{{ canonical_hostname }}"
+ --domain "{{ canonical_hostname }}"
 --deploy-hook "systemctl reload nginx"
 register: "certbot_output"
 changed_when: "'no action taken' not in certbot_output.stdout"
From a3eb15998838546dab8892e7241ce90bfb076ba8 Mon Sep 17 00:00:00 2001
From: Mstiekema
Date: Tue, 7 Jun 2022 20:02:45 +0200
Subject: [PATCH 4/4] Added domains to vars file & added staging certs
---
ansible/roles/certbot/tasks/main.yml | 7 ++++---
ansible/roles/certbot/vars/main.yml | 11 +++++++++++
2 files changed, 15 insertions(+), 3 deletions(-)
create mode 100644 ansible/roles/certbot/vars/main.yml
diff --git a/ansible/roles/certbot/tasks/main.yml b/ansible/roles/certbot/tasks/main.yml
index ec06247f6..4d135556e 100644
--- a/ansible/roles/certbot/tasks/main.yml
+++ b/ansible/roles/certbot/tasks/main.yml
@@ -66,12 +66,13 @@
 --agree-tos
 --email "domreg@svsticky.nl"
 --keep-until-expiring
- --cert-name {{ canonical_hostname }}
+ --cert-name {{ item }}
 --dns-digitalocean
 --dns-digitalocean-credentials /etc/letsencrypt/certbot-creds.ini
- --domain "*.{{ canonical_hostname }}"
- --domain "{{ canonical_hostname }}"
+ --domain "*.{% if 'staging' in group_names %}dev.{% endif %}{{ item }}"
+ --domain "{% if 'staging' in group_names %}dev.{% endif %}{{ item }}"
 --deploy-hook "systemctl reload nginx"
+ with_items: "{{ domains }}"
 register: "certbot_output"
 changed_when: "'no action taken' not in certbot_output.stdout"
diff --git a/ansible/roles/certbot/vars/main.yml b/ansible/roles/certbot/vars/main.yml
new file mode 100644
index 000000000..fbbd2329c
--- /dev/null
+++ b/ansible/roles/certbot/vars/main.yml
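Review bot: The `with_items: "{{ domains }}"` loop now issues one lineage per entry under `--cert-name {{ item }}`, but nothing in the series reads those paths: every nginx template changed in the second commit still points at `/etc/letsencrypt/live/{{ canonical_hostname }}/`, so the execut.nl, dgdarc.com, savadaba.nl and intro-cs.nl certificates are obtained and renewed without ever being served. With `--dns-digitalocean`, each listed zone — and on staging its `dev.` subdomain — must be manageable with the token in certbot-creds.ini, or that item of the loop fails; a comment above `with_items` naming that requirement would help whoever adds the next domain. That single credential now controls DNS for nine zones, which raises the impact of the file it sits in; worth a note beside the credentials task about keeping it dedicated and rotating it. The command's first lines lie above this hunk.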
@@ -0,0 +1,11 @@
+---
+domains:
+ - "svsticky.nl"
+ - "stickyutrecht.nl"
+ - "studieverenigingsticky.nl"
+ - "stichtingsticky.nl"
+ - "intro-cs.nl"
+ - "savadaba.nl"
+ - "dgdarc.com"
+ - "execut.nl"
+ - "execute.nl"
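Review bot: Defining `domains` in `vars/main.yml` gives it role-vars precedence, which inventory and group_vars cannot override, so a staging or test inventory cannot restrict the loop to a smaller set of zones; `defaults/main.yml` is the conventional home for a tunable list like this, with `vars/` reserved for values the role must not have overridden. A one-line comment above the list, e.g. `# Each entry must be a DNS zone the DigitalOcean token can edit (used with --dns-digitalocean)`, would document the constraint the request task depends on.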