Ensure old ssl certs not copied in nginx role (#149)
Fixes #145

Checks if ssl certificates exist on server and in cache and copies ssl certificates based on existence and expiry dates:

- Copy from cache to server if ssl cert doesn't exist on server
- Copy from server to cache if ssl cert doesn't exist in cache
- Copy from cache to server if ssl cert on server expires sooner
- Copy from server to cache if ssl cert in cache expires sooner

Co-authored-by: ruaridhg <[email protected]>
Co-authored-by: Paul Smith <[email protected]>
Co-authored-by: Daniel Matthews <[email protected]>
1 parent: 6142b32; commit: f37d01f
Showing 18 changed files with 196 additions and 56 deletions.
roles/nginx/molecule/resources/inventory/group_vars/all.yml (35 changes: 34 additions & 1 deletion)
@@ -1,6 +1,39 @@ | ||
--- | ||
nginx_owner: root | ||
nginx_group: root | ||
|
||
nginx_server_name: molecule.instance.local | ||
nginx_proxy_port: 8000 | ||
nginx_diffie_helman_size_bits: 2048 | ||
nginx_root: /home/ | ||
nginx_use_ssl: false | ||
|
||
nginx_use_ssl: true | ||
nginx_certs_dir: /etc/nginx/ssl | ||
nginx_ssl_cert_file: /etc/nginx/ssl/server.cert | ||
nginx_ssl_key_file: /etc/nginx/ssl/server.key | ||
nginx_server_cert_cache: /etc/ssl/certs/server.cert | ||
nginx_server_key_cache: /etc//ssl/certs/server.key | ||
|
||
nginx_old_ssl_certificate: | ||
owner: "{{ nginx_owner }}" | ||
group: "{{ nginx_group }}" | ||
certificate_directory: /etc/ssl/certs | ||
privatekey_filename: "{{ nginx_server_key_cache }}" | ||
use_pk8: false | ||
csr_filename: /etc/ssl/certs/server.csr" | ||
csr_common_name: "{{ nginx_server_name }}" | ||
certificate_filename: "{{ nginx_server_cert_cache }}" | ||
provider: selfsigned | ||
selfsigned_not_after: +365d | ||
|
||
nginx_new_ssl_certificate: | ||
owner: "{{ nginx_owner }}" | ||
group: "{{ nginx_group }}" | ||
certificate_directory: "{{ nginx_certs_dir }}" | ||
privatekey_filename: "{{ nginx_ssl_key_file }}" | ||
use_pk8: false | ||
csr_filename: "{{ nginx_certs_dir }}/server.csr" | ||
csr_common_name: "{{ nginx_server_name }}" | ||
certificate_filename: "{{ nginx_ssl_cert_file }}" | ||
provider: selfsigned | ||
selfsigned_not_after: +3650d |
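Review bot: `csr_filename: /etc/ssl/certs/server.csr"` in the `nginx_old_ssl_certificate` block has a stray trailing double quote; YAML reads it as part of the plain scalar, so the CSR path ends in a literal `"`. Drop it or quote the whole value (`csr_filename: "/etc/ssl/certs/server.csr"`). In the same file, `nginx_server_key_cache: /etc//ssl/certs/server.key` has a doubled slash (harmless to the OS, but inconsistent with `nginx_server_cert_cache`), and it puts a private key under `/etc/ssl/certs`, a directory conventionally holding public certificates; `/etc/ssl/private` or a role-owned directory with restrictive permissions would be the safer home for the cached key. The rendered hunk also shows both `nginx_use_ssl: false` and `nginx_use_ssl: true`; if the `false` line is not the one deletion in this hunk, the duplicate key means the later value silently wins and the earlier one is dead.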
@@ -31,4 +31,4 @@ platforms: | |
- 443 | ||
- 8000 | ||
published_ports: | ||
- 127.0.0.1:8080:80 | ||
- 127.0.0.1:8080:443 |
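Review bot: With `published_ports` now mapping `127.0.0.1:8080` to container port 443 instead of 80, anything in the scenario that still speaks plain HTTP to 8080 will fail at the TLS handshake against the self-signed `molecule.instance.local` certificate. Make sure the verify step uses https and either trusts the generated certificate or explicitly disables verification for the test, and, if the plain-HTTP listener is still exercised, publish 80 on a second host port as well. Keeping the host binding on 127.0.0.1 rather than 0.0.0.0 is the right call.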
@@ -0,0 +1,11 @@ | ||
--- | ||
- name: Copy certificate to new location | ||
ansible.builtin.copy: | ||
remote_src: true | ||
src: "{{ item.src }}" | ||
dest: "{{ item.dest }}" | ||
owner: "{{ nginx_owner }}" | ||
group: "{{ nginx_group }}" | ||
mode: "0600" | ||
backup: true # Preserve overwritten certificates and keys for rollback | ||
with_items: "{{ items }}" |
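Review bot: The copy task has no `notify: Reload nginx`, so when it replaces `nginx_ssl_cert_file` and `nginx_ssl_key_file` with the cached pair, the running nginx keeps serving the old certificate until something else (in this change only the DH parameter task) triggers the handler; add `notify: Reload nginx` here, or register the result and notify from the including task. Two smaller points: `backup: true` together with `remote_src: true` leaves timestamped copies of the previous private key beside the live one, which is fine for rollback but nothing ever prunes them, so check they inherit the old file's restrictive mode; and `with_items: "{{ items }}"` works, but `items` is a generic name that is easy to shadow from the caller, so a role-prefixed name such as `nginx_cert_copy_items` with `loop:` would be clearer.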
@@ -0,0 +1,99 @@ | ||
--- | ||
- name: Ensure nginx certs directory exists | ||
ansible.builtin.file: | ||
path: "{{ nginx_certs_dir }}" | ||
owner: "{{ nginx_owner }}" | ||
group: "{{ nginx_group }}" | ||
state: directory | ||
mode: "0700" | ||
|
||
- name: Stat current SSL certificate | ||
ansible.builtin.stat: | ||
path: "{{ nginx_ssl_cert_file }}" | ||
register: current_cert | ||
|
||
- name: Stat cached SSL certificate | ||
ansible.builtin.stat: | ||
path: "{{ nginx_server_cert_cache }}" | ||
register: cached_cert | ||
|
||
- name: Check whether the certs exist | ||
ansible.builtin.debug: | ||
msg: | ||
- "Cached nginx cert exists at {{ nginx_server_cert_cache }}: {{ | ||
cached_cert.stat.exists }}." | ||
- "nginx cert exists at {{ nginx_ssl_cert_file }}: {{ | ||
current_cert.stat.exists }}." | ||
failed_when: (not cached_cert.stat.exists) and (not current_cert.stat.exists) | ||
|
||
- name: Get current SSL certificate info | ||
community.crypto.x509_certificate_info: | ||
path: "{{ nginx_ssl_cert_file }}" | ||
when: current_cert.stat.exists | ||
register: current_cert_info | ||
|
||
- name: Get cached SSL certificate info | ||
community.crypto.x509_certificate_info: | ||
path: "{{ nginx_server_cert_cache }}" | ||
when: cached_cert.stat.exists | ||
register: cached_cert_info | ||
|
||
- name: Copy server certificates from cache if the nginx cert doesn't exist | ||
ansible.builtin.include_tasks: copy_certificates.yml | ||
vars: | ||
items: | ||
- src: "{{ nginx_server_cert_cache }}" | ||
dest: "{{ nginx_ssl_cert_file }}" | ||
- src: "{{ nginx_server_key_cache }}" | ||
dest: "{{ nginx_ssl_key_file }}" | ||
when: | ||
- not current_cert.stat.exists | ||
- cached_cert.stat.exists | ||
|
||
- name: Copy server certificates to cache if the cache cert doesn't exist | ||
ansible.builtin.include_tasks: copy_certificates.yml | ||
vars: | ||
items: | ||
- src: "{{ nginx_ssl_cert_file }}" | ||
dest: "{{ nginx_server_cert_cache }}" | ||
- src: "{{ nginx_ssl_key_file }}" | ||
dest: "{{ nginx_server_key_cache }}" | ||
when: | ||
- current_cert.stat.exists | ||
- not cached_cert.stat.exists | ||
|
||
- name: Copy server certificates from cache if the nginx cert expires sooner | ||
ansible.builtin.include_tasks: copy_certificates.yml | ||
vars: | ||
items: | ||
- src: "{{ nginx_server_cert_cache }}" | ||
dest: "{{ nginx_ssl_cert_file }}" | ||
- src: "{{ nginx_server_key_cache }}" | ||
dest: "{{ nginx_ssl_key_file }}" | ||
when: | ||
- current_cert.stat.exists | ||
- cached_cert.stat.exists | ||
- current_cert_info.not_after | to_datetime('%Y%m%d%H%M%SZ') < | ||
cached_cert_info.not_after | to_datetime('%Y%m%d%H%M%SZ') | ||
|
||
- name: Copy server certificates to cache if the cache cert expires sooner | ||
ansible.builtin.include_tasks: copy_certificates.yml | ||
vars: | ||
items: | ||
- src: "{{ nginx_ssl_cert_file }}" | ||
dest: "{{ nginx_server_cert_cache }}" | ||
- src: "{{ nginx_ssl_key_file }}" | ||
dest: "{{ nginx_server_key_cache }}" | ||
when: | ||
- current_cert.stat.exists | ||
- cached_cert.stat.exists | ||
- current_cert_info.not_after | to_datetime('%Y%m%d%H%M%SZ') > | ||
cached_cert_info.not_after | to_datetime('%Y%m%d%H%M%SZ') | ||
|
||
- name: | ||
Generate Diffie-Hellman (DH) parameters. Number of {{ | ||
nginx_diffie_helman_size_bits }}. | ||
community.crypto.openssl_dhparam: | ||
path: "{{ nginx_dh_params_file }}" | ||
size: "{{ nginx_diffie_helman_size_bits }}" | ||
notify: Reload nginx |
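Review bot: Only the certificate is stat'ed on each side; the key is never checked, so every branch copies `nginx_server_key_cache` / `nginx_ssl_key_file` on the assumption that the matching key sits next to the cert. A cert whose key is missing, or a cert regenerated without its key, is not detected and the copy either fails mid-pair or installs a cert/key mismatch that nginx will refuse at reload. Stat both files on each side and treat the pair as present only when both exist; if you want to go further, compare `public_key` from `community.crypto.x509_certificate_info` with `public_key` from `community.crypto.openssl_privatekey_info` before copying. The expiry comparison also picks whichever cert expires later without asking whether it has already expired, so an expired cache cert can still be promoted to the server; `x509_certificate_info` returns `expired`, so add `not cached_cert_info.expired` to the copy-from-cache branch (and the mirror condition to the copy-to-cache branch). Style: `failed_when` on a `debug` task is unusual; `ansible.builtin.assert` with `that: cached_cert.stat.exists or current_cert.stat.exists` and a `fail_msg` states the requirement directly. The DH task name "Number of {{ nginx_diffie_helman_size_bits }}." reads oddly; "{{ nginx_diffie_helman_size_bits }} bits" would be clearer.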