Wildcard certs

ansible/roles/aas/templates/aas.conf.j2

@@ -10,9 +10,9 @@ server {
 
   server_name ~^(aas|webhooks)\.{{ canonical_hostname | regex_escape() }};
 
-  ssl_certificate         /etc/letsencrypt/live/aas.{{ canonical_hostname }}/fullchain.pem;
-  ssl_certificate_key     /etc/letsencrypt/live/aas.{{ canonical_hostname }}/privkey.pem;
-  ssl_trusted_certificate /etc/letsencrypt/live/aas.{{ canonical_hostname}}/chain.pem;
+  ssl_certificate         /etc/letsencrypt/live/{{ canonical_hostname }}/fullchain.pem;
+  ssl_certificate_key     /etc/letsencrypt/live/{{ canonical_hostname }}/privkey.pem;
+  ssl_trusted_certificate /etc/letsencrypt/live/{{ canonical_hostname}}/chain.pem;
 
   include includes/security-headers.conf;
 

ansible/roles/certbot/tasks/main.yml

@@ -1,8 +1,10 @@
 ---
 
-- name: "install certbot"
+- name: "install certbot and digital ocean plugin"
   apt:
-    name: "certbot"
+    name:
+      - "certbot"
+      - "python3-certbot-dns-digitalocean"
     state: "latest"
 
 # This directory will be used to validate all websites that need a certificate
@@ -39,8 +41,14 @@
     - "certbot.timer.d/override.conf"
   notify: "systemctl daemon-reload"
 
-- name: "make sure nginx is reloaded if needed"
-  meta: "flush_handlers"
+- name: "place digital ocean credentials file"
+  template:
+    src: "certbot-creds.ini.j2"
+    dest: "/etc/letsencrypt/certbot-creds.ini"
+    mode: "600"
+
+# To make sure nginx is reloaded if needed
+- meta: "flush_handlers"
 
 - name: "request certificates"
   # --non-interactive makes sure command never waits for user input
@@ -58,22 +66,15 @@
     --agree-tos
     --email "[email protected]"
     --keep-until-expiring
-    --cert-name {{ item.name }}
-    --webroot
-    --webroot-path /var/www/acme-challenges
-    --domain {{ item.name }}
-    {% if 'staging' not in group_names %}
-    {% for hostname in item.alternative_names %}
-    --domain {{ hostname }}
-    {% endfor %}
-    {% endif %}
+    --cert-name {{ item }}
+    --dns-digitalocean
+    --dns-digitalocean-credentials /etc/letsencrypt/certbot-creds.ini
+    --domain "*.{% if 'staging' in group_names %}dev.{% endif %}{{ item }}"
+    --domain "{% if 'staging' in group_names %}dev.{% endif %}{{ item }}"
     --deploy-hook "systemctl reload nginx"
-  with_items: "{{ websites }}"
+  with_items: "{{ domains }}"
   register: "certbot_output"
   changed_when: "'no action taken' not in certbot_output.stdout"
-  when: item.state == "present"
-  loop_control:
-    label: "{{ item.name }}"
 
 - name: "ensure certbot timer is started"
   service:

ansible/roles/certbot/templates/certbot-creds.ini.j2

@@ -0,0 +1,3 @@
+# {{ ansible_managed }}
+
+dns_digitalocean_token = {{ vault_secret_digital_ocean.dns_token }}

ansible/roles/certbot/vars/main.yml

@@ -0,0 +1,11 @@
+---
+domains:
+  - "svsticky.nl"
+  - "stickyutrecht.nl"
+  - "studieverenigingsticky.nl"
+  - "stichtingsticky.nl"
+  - "intro-cs.nl"
+  - "savadaba.nl"
+  - "dgdarc.com"
+  - "execut.nl"
+  - "execute.nl"

ansible/roles/digidecs/templates/digidecs.conf.j2

@@ -9,9 +9,9 @@ server {
     declaraties.{{ canonical_hostname }}
     declareren.{{ canonical_hostname }};
 
-  ssl_certificate      /etc/letsencrypt/live/digidecs.{{ canonical_hostname }}/fullchain.pem;
-  ssl_certificate_key  /etc/letsencrypt/live/digidecs.{{ canonical_hostname }}/privkey.pem;
-  ssl_trusted_certificate /etc/letsencrypt/live/digidecs.{{ canonical_hostname }}/chain.pem;
+  ssl_certificate      /etc/letsencrypt/live/{{ canonical_hostname }}/fullchain.pem;
+  ssl_certificate_key  /etc/letsencrypt/live/{{ canonical_hostname }}/privkey.pem;
+  ssl_trusted_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/chain.pem;
 
   root /var/www/commit/digidecs.{{ canonical_hostname }};
 

ansible/roles/doorgeefluik/templates/doorgeefluik.conf.j2

@@ -5,9 +5,9 @@ server {
   listen [::]:443 ssl http2;
   server_name doorgeefluik.{{ canonical_hostname }};
 
-  ssl_certificate /etc/letsencrypt/live/doorgeefluik.{{ canonical_hostname }}/fullchain.pem;
-  ssl_certificate_key /etc/letsencrypt/live/doorgeefluik.{{ canonical_hostname }}/privkey.pem;
-  ssl_trusted_certificate /etc/letsencrypt/live/doorgeefluik.{{ canonical_hostname }}/chain.pem;
+  ssl_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/{{ canonical_hostname }}/privkey.pem;
+  ssl_trusted_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/chain.pem;
 
   include includes/block-cert-validation-path.conf;
   add_header Referrer-Policy same-origin;

ansible/roles/execut/templates/nginx.conf.j2

@@ -4,9 +4,9 @@ server {
   listen [::]:443 ssl http2;
   server_name execut-2021.{{ canonical_hostname }} execut-2022.{{ canonical_hostname }} www.execut.nl execute.nl www.execute.nl;
 
-  ssl_certificate /etc/letsencrypt/live/execut-2021.{{ canonical_hostname }}/fullchain.pem;
-  ssl_certificate_key /etc/letsencrypt/live/execut-2021.{{ canonical_hostname }}/privkey.pem;
-  ssl_trusted_certificate /etc/letsencrypt/live/execut-2021.{{ canonical_hostname }}/chain.pem;
+  ssl_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/{{ canonical_hostname }}/privkey.pem;
+  ssl_trusted_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/chain.pem;
 
   include includes/block-cert-validation-path.conf;
   add_header Referrer-Policy same-origin;
@@ -31,9 +31,9 @@ server {
   listen [::]:443 ssl http2;
   server_name execut.nl 2021.execut.nl 2022.execut.nl;
 
-  ssl_certificate /etc/letsencrypt/live/execut-2021.{{ canonical_hostname }}/fullchain.pem;
-  ssl_certificate_key /etc/letsencrypt/live/execut-2021.{{ canonical_hostname }}/privkey.pem;
-  ssl_trusted_certificate /etc/letsencrypt/live/execut-2021.{{ canonical_hostname }}/chain.pem;
+  ssl_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/{{ canonical_hostname }}/privkey.pem;
+  ssl_trusted_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/chain.pem;
 
   include includes/block-cert-validation-path.conf;
   add_header Referrer-Policy same-origin;
@@ -64,9 +64,9 @@ server {
   listen [::]:443 ssl http2;
   server_name execut.dev.svsticky.nl;
 
-  ssl_certificate /etc/letsencrypt/live/execut.{{ canonical_hostname }}/fullchain.pem;
-  ssl_certificate_key /etc/letsencrypt/live/execut.{{ canonical_hostname }}/privkey.pem;
-  ssl_trusted_certificate /etc/letsencrypt/live/execut.{{ canonical_hostname }}/chain.pem;
+  ssl_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/{{ canonical_hostname }}/privkey.pem;
+  ssl_trusted_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/chain.pem;
 
   include includes/block-cert-validation-path.conf;
   add_header Referrer-Policy same-origin;

ansible/roles/files_website/templates/files.conf.j2

@@ -6,9 +6,9 @@ server {
 
   server_name files.{{ canonical_hostname }};
 
-  ssl_certificate      /etc/letsencrypt/live/files.{{ canonical_hostname }}/fullchain.pem;
-  ssl_certificate_key  /etc/letsencrypt/live/files.{{ canonical_hostname }}/privkey.pem;
-  ssl_trusted_certificate /etc/letsencrypt/live/files.{{ canonical_hostname }}/chain.pem;
+  ssl_certificate      /etc/letsencrypt/live/{{ canonical_hostname }}/fullchain.pem;
+  ssl_certificate_key  /etc/letsencrypt/live/{{ canonical_hostname }}/privkey.pem;
+  ssl_trusted_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/chain.pem;
 
   include includes/security-headers.conf;
 

ansible/roles/freight/templates/nginx.conf.j2

@@ -7,9 +7,9 @@ server {
   server_name
     packages.{{ canonical_hostname }};
 
-  ssl_certificate      /etc/letsencrypt/live/packages.{{ canonical_hostname }}/fullchain.pem;
-  ssl_certificate_key  /etc/letsencrypt/live/packages.{{ canonical_hostname }}/privkey.pem;
-  ssl_trusted_certificate /etc/letsencrypt/live/packages.{{ canonical_hostname }}/chain.pem;
+  ssl_certificate      /etc/letsencrypt/live/{{ canonical_hostname }}/fullchain.pem;
+  ssl_certificate_key  /etc/letsencrypt/live/{{ canonical_hostname }}/privkey.pem;
+  ssl_trusted_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/chain.pem;
 
   root /var/lib/freight/var/cache;
 

ansible/roles/koala/templates/nginx.conf.j2

@@ -9,9 +9,9 @@ server {
 	listen [::]:443 ssl http2;
 	server_name ~^(koala|leden|intro|members)\.{{ canonical_hostname }};
 
-	ssl_certificate /etc/letsencrypt/live/koala.{{ canonical_hostname }}/fullchain.pem;
-	ssl_certificate_key /etc/letsencrypt/live/koala.{{ canonical_hostname }}/privkey.pem;
-        ssl_trusted_certificate /etc/letsencrypt/live/koala.{{ canonical_hostname }}/chain.pem;
+	ssl_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/fullchain.pem;
+	ssl_certificate_key /etc/letsencrypt/live/{{ canonical_hostname }}/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/chain.pem;
 
 	# Security headers already enforced in Rails
 	include includes/block-cert-validation-path.conf;

ansible/roles/mongoose/templates/mongoose.conf.j2

@@ -5,9 +5,9 @@ server {
   listen [::]:443 ssl http2;
   server_name mongoose.{{ canonical_hostname }};
 
-  ssl_certificate /etc/letsencrypt/live/mongoose.{{ canonical_hostname }}/fullchain.pem;
-  ssl_certificate_key /etc/letsencrypt/live/mongoose.{{ canonical_hostname }}/privkey.pem;
-  ssl_trusted_certificate /etc/letsencrypt/live/mongoose.{{ canonical_hostname }}/chain.pem;
+  ssl_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/{{ canonical_hostname }}/privkey.pem;
+  ssl_trusted_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/chain.pem;
 
   include includes/block-cert-validation-path.conf;
   add_header Referrer-Policy same-origin;

ansible/roles/monitoring/templates/metrics.conf.j2

@@ -11,9 +11,9 @@ server {
 
   server_name ~^(metrics|status)\.{{ canonical_hostname }};
 
-  ssl_certificate      /etc/letsencrypt/live/metrics.{{ canonical_hostname }}/fullchain.pem;
-  ssl_certificate_key  /etc/letsencrypt/live/metrics.{{ canonical_hostname }}/privkey.pem;
-  ssl_trusted_certificate /etc/letsencrypt/live/metrics.{{ canonical_hostname}}/chain.pem;
+  ssl_certificate      /etc/letsencrypt/live/{{ canonical_hostname }}/fullchain.pem;
+  ssl_certificate_key  /etc/letsencrypt/live/{{ canonical_hostname }}/privkey.pem;
+  ssl_trusted_certificate /etc/letsencrypt/live/{{ canonical_hostname}}/chain.pem;
 
   include includes/security-headers.conf;
 

ansible/roles/outline/templates/outline.conf.j2

@@ -3,9 +3,9 @@ server {
   listen [::]:443 ssl http2;
   server_name ~^(compendium|stickypedia|wiki)\.{{ canonical_hostname }};
 
-  ssl_certificate /etc/letsencrypt/live/compendium.{{ canonical_hostname }}/fullchain.pem;
-  ssl_certificate_key /etc/letsencrypt/live/compendium.{{ canonical_hostname }}/privkey.pem;
-  ssl_trusted_certificate /etc/letsencrypt/live/compendium.{{ canonical_hostname }}/chain.pem;
+  ssl_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/{{ canonical_hostname }}/privkey.pem;
+  ssl_trusted_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/chain.pem;
 
   location / {
     proxy_pass http://localhost:4568/;

ansible/roles/pretix/templates/pretix.conf.j2

@@ -5,9 +5,9 @@ server {
   listen [::]:443 ssl http2;
   server_name ~^(pretix|tickets)\.{{ canonical_hostname }} tickets.execut.nl;
 
-  ssl_certificate /etc/letsencrypt/live/pretix.{{ canonical_hostname }}/fullchain.pem;
-  ssl_certificate_key /etc/letsencrypt/live/pretix.{{ canonical_hostname }}/privkey.pem;
-  ssl_trusted_certificate /etc/letsencrypt/live/pretix.{{ canonical_hostname }}/chain.pem;
+  ssl_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/{{ canonical_hostname }}/privkey.pem;
+  ssl_trusted_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/chain.pem;
 
   include includes/block-cert-validation-path.conf;
   add_header Referrer-Policy same-origin;

ansible/roles/public_files/templates/public.conf.j2

@@ -6,9 +6,9 @@ server {
 
   server_name public.{{ canonical_hostname }};
 
-  ssl_certificate      /etc/letsencrypt/live/public.{{ canonical_hostname }}/fullchain.pem;
-  ssl_certificate_key  /etc/letsencrypt/live/public.{{ canonical_hostname }}/privkey.pem;
-  ssl_trusted_certificate /etc/letsencrypt/live/public.{{ canonical_hostname }}/chain.pem;
+  ssl_certificate      /etc/letsencrypt/live/{{ canonical_hostname }}/fullchain.pem;
+  ssl_certificate_key  /etc/letsencrypt/live/{{ canonical_hostname }}/privkey.pem;
+  ssl_trusted_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/chain.pem;
 
   include includes/security-headers.conf;
 

ansible/roles/radio/templates/radio.conf.j2

@@ -7,9 +7,9 @@ server {
   server_name
     radio.{{ canonical_hostname }};
 
-  ssl_certificate      /etc/letsencrypt/live/radio.{{ canonical_hostname }}/fullchain.pem;
-  ssl_certificate_key  /etc/letsencrypt/live/radio.{{ canonical_hostname }}/privkey.pem;
-  ssl_trusted_certificate /etc/letsencrypt/live/radio.{{ canonical_hostname }}/chain.pem;
+  ssl_certificate      /etc/letsencrypt/live/{{ canonical_hostname }}/fullchain.pem;
+  ssl_certificate_key  /etc/letsencrypt/live/{{ canonical_hostname }}/privkey.pem;
+  ssl_trusted_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/chain.pem;
 
   root /var/www/radio/radio.{{ canonical_hostname }};
 

ansible/roles/websites/templates/dgdarc.conf.j2

@@ -6,9 +6,9 @@ server {
 
   server_name dgdarc.{{ canonical_hostname }} ~^(www\.)?dgdarc\.(com|nl)$;
 
-  ssl_certificate      /etc/letsencrypt/live/dgdarc.{{ canonical_hostname }}/fullchain.pem;
-  ssl_certificate_key  /etc/letsencrypt/live/dgdarc.{{ canonical_hostname }}/privkey.pem;
-  ssl_trusted_certificate /etc/letsencrypt/live/dgdarc.{{ canonical_hostname }}/chain.pem;
+  ssl_certificate      /etc/letsencrypt/live/{{ canonical_hostname }}/fullchain.pem;
+  ssl_certificate_key  /etc/letsencrypt/live/{{ canonical_hostname }}/privkey.pem;
+  ssl_trusted_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/chain.pem;
 
   include includes/security-headers.conf;
 

ansible/roles/websites/templates/intro-cs.conf.j2

@@ -9,9 +9,9 @@ server {
     www.intro-cs.nl
     intro-cs.{{ canonical_hostname }};
 
-  ssl_certificate      /etc/letsencrypt/live/intro-cs.{{ canonical_hostname }}/fullchain.pem;
-  ssl_certificate_key  /etc/letsencrypt/live/intro-cs.{{ canonical_hostname }}/privkey.pem;
-  ssl_trusted_certificate /etc/letsencrypt/live/intro-cs.{{ canonical_hostname }}/chain.pem;
+  ssl_certificate      /etc/letsencrypt/live/{{ canonical_hostname }}/fullchain.pem;
+  ssl_certificate_key  /etc/letsencrypt/live/{{ canonical_hostname }}/privkey.pem;
+  ssl_trusted_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/chain.pem;
 
   root /var/www/commit/intro-cs.{{ canonical_hostname }};
 

ansible/roles/websites/templates/savadaba.conf.j2

@@ -6,9 +6,9 @@ server {
 
   server_name ~^((www\.)?savadaba.nl|savadaba.{{ canonical_hostname }});
 
-  ssl_certificate      /etc/letsencrypt/live/savadaba.{{ canonical_hostname }}/fullchain.pem;
-  ssl_certificate_key  /etc/letsencrypt/live/savadaba.{{ canonical_hostname }}/privkey.pem;
-  ssl_trusted_certificate /etc/letsencrypt/live/savadaba.{{ canonical_hostname }}/chain.pem;
+  ssl_certificate      /etc/letsencrypt/live/{{ canonical_hostname }}/fullchain.pem;
+  ssl_certificate_key  /etc/letsencrypt/live/{{ canonical_hostname }}/privkey.pem;
+  ssl_trusted_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/chain.pem;
 
   include includes/security-headers.conf;
 

ansible/roles/websites/templates/website.conf.j2

@@ -9,9 +9,9 @@ server {
 
     {{ hostname }}{% endfor %};
 
-  ssl_certificate      /etc/letsencrypt/live/{{ item.name }}/fullchain.pem;
-  ssl_certificate_key  /etc/letsencrypt/live/{{ item.name }}/privkey.pem;
-  ssl_trusted_certificate /etc/letsencrypt/live/{{ item.name }}/chain.pem;
+  ssl_certificate         /etc/letsencrypt/live/{{ canonical_hostname }}/fullchain.pem;
+  ssl_certificate_key     /etc/letsencrypt/live/{{ canonical_hostname }}/privkey.pem;
+  ssl_trusted_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/chain.pem;
 
   root /var/www/{% if item.user is defined %}{{ item.user }}/{% endif %}{{
 item.name }};

ansible/roles/websites/templates/wintersport.conf.j2

@@ -6,9 +6,9 @@ server {
 
   server_name wintersport.{{ canonical_hostname }};
 
-  ssl_certificate      /etc/letsencrypt/live/wintersport.{{ canonical_hostname }}/fullchain.pem;
-  ssl_certificate_key  /etc/letsencrypt/live/wintersport.{{ canonical_hostname }}/privkey.pem;
-  ssl_trusted_certificate /etc/letsencrypt/live/wintersport.{{ canonical_hostname }}/chain.pem;
+  ssl_certificate      /etc/letsencrypt/live/{{ canonical_hostname }}/fullchain.pem;
+  ssl_certificate_key  /etc/letsencrypt/live/{{ canonical_hostname }}/privkey.pem;
+  ssl_trusted_certificate /etc/letsencrypt/live/{{ canonical_hostname }}/chain.pem;
 
   include includes/security-headers.conf;