Commit 64a3dbcf authored by Jocelyn Delalande's avatar Jocelyn Delalande

nginx: Fallback to snakeoil certs if needed

Typically: when the LE cert is not present yet.

Thanks to CapsLock for the trick (and part of the code)
parent c4d73b5e
...@@ -13,19 +13,32 @@ ...@@ -13,19 +13,32 @@
with_items: with_items:
- /etc/nginx/sites-enabled/default - /etc/nginx/sites-enabled/default
- name: snakeoil certificates are in place (used when LE certificates have not been generated yet)
command: openssl req -x509 -nodes -subj '/CN=localhost' -newkey rsa:4096 -keyout snakeoil.key -out snakeoil.crt -days 4096
args:
chdir: /etc/nginx
creates: /etc/nginx/snakeoil.crt
notify: Restart nginx
- name: checking if letsencrypt certificates are available for our vhosts
stat: path="/etc/letsencrypt/live/{{ item.domain }}"
with_items: "{{ nginx_vhosts }}"
when: item.type == "https"
register: letsencrypt_certificate_folders_exist
- name: Install vhosts settings - name: Install vhosts settings
template: template:
src: vhost.j2 src: vhost.j2
dest: "/etc/nginx/sites-available/{{ item.nick|default(item.domain) }}-{{ item.type }}" dest: "/etc/nginx/sites-available/{{ item.item.nick|default(item.item.domain) }}-{{ item.item.type }}"
with_items: '{{ nginx_vhosts }}' with_items: "{{ letsencrypt_certificate_folders_exist.results }}"
notify: Restart nginx notify: Restart nginx
- name: Enable vhosts - name: Enable vhosts
file: file:
src: "/etc/nginx/sites-available/{{ item.nick|default(item.domain) }}-{{ item.type }}" src: "/etc/nginx/sites-available/{{ item.item.nick|default(item.item.domain) }}-{{ item.item.type }}"
dest: "/etc/nginx/sites-enabled/{{ item.nick|default(item.domain) }}-{{ item.type }}" dest: "/etc/nginx/sites-enabled/{{ item.item.nick|default(item.item.domain) }}-{{ item.item.type }}"
state: link state: link
with_items: '{{ nginx_vhosts }}' with_items: "{{ letsencrypt_certificate_folders_exist.results }}"
notify: Restart nginx notify: Restart nginx
- name: Start nginx - name: Start nginx
......
# {{ ansible_managed }} # {{ ansible_managed }}
server { server {
{% if item.type == 'http' %} {% if item.item.type == 'http' %}
listen [::]:80; listen [::]:80;
{% elif item.type == 'https' %} {% elif item.item.type == 'https' %}
listen [::]:443; listen [::]:443;
{% endif %} {% endif %}
server_name {{ item.domain }}; server_name {{ item.item.domain }};
{% if item.type == 'https' %} {% if item.item.type == 'https' %}
ssl on; ssl on;
ssl_certificate /etc/letsencrypt/live/{{ item.domain }}/fullchain.pem; {% if item.stat.exists %}
ssl_certificate_key /etc/letsencrypt/live/{{ item.domain }}/privkey.pem; ssl_certificate /etc/letsencrypt/live/{{ item.item.domain }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ item.item.domain }}/privkey.pem;
{% else %}
ssl_certificate /etc/nginx/snakeoil.crt;
ssl_certificate_key /etc/nginx/snakeoil.key;
{% endif %}
{% endif %} {% endif %}
access_log /var/log/nginx/{{ item.nick|default(item.domain) }}-{{ item.type }}.access.log; access_log /var/log/nginx/{{ item.item.nick|default(item.item.domain) }}-{{ item.item.type }}.access.log;
{% if ansible_lsb.codename != "wheezy" %} {% if ansible_lsb.codename != "wheezy" %}
error_log /var/log/nginx/{{ item.nick|default(item.domain) }}-{{ item.type }}.error.log; error_log /var/log/nginx/{{ item.item.nick|default(item.item.domain) }}-{{ item.item.type }}.error.log;
{% endif %} {% endif %}
{% if item.features is defined %} {% if item.item.features is defined %}
{% if 'no-robots' in item.features %} {% if 'no-robots' in item.item.features %}
location /robots.txt { location /robots.txt {
return 200 "User-agent: *\nDisallow: /"; return 200 "User-agent: *\nDisallow: /";
} }
{% endif %} {% endif %}
{% if 'letsencrypt-check' in item.features %} {% if 'letsencrypt-check' in item.item.features %}
location /.well-known/acme-challenge { location /.well-known/acme-challenge {
root /var/www/letsencrypt_webroot; root /var/www/letsencrypt_webroot;
} }
{% endif %} {% endif %}
{% if 'ssl-redirection' in item.features %} {% if 'ssl-redirection' in item.item.features %}
location / { location / {
rewrite ^ https://$http_host$request_uri? permanent; rewrite ^ https://$http_host$request_uri? permanent;
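Review bot: The `{% if item.stat.exists %}` branch only knows that `/etc/letsencrypt/live/<domain>` exists, because the registering task stats that folder rather than the certificate files, so a stale or half-populated `live/` directory (no `fullchain.pem` / `privkey.pem`) selects the Let's Encrypt paths and nginx then fails its configuration check instead of falling back to the snakeoil pair. If the folder-level check is intentional, a comment above the branch would make the contract explicit, e.g. `{# the registering task stats only the live/<domain> folder; both pem files must exist there or nginx refuses to start #}`. The choice is also made once at template time, so a vhost deployed before its certificate was issued keeps serving the self-signed `CN=localhost` pair until the playbook is run again, which is worth stating in the same comment or in the role's README. The `@@` header of this hunk is collapsed above the first visible line.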
...@@ -44,20 +49,20 @@ server { ...@@ -44,20 +49,20 @@ server {
{% endif %} {% endif %}
{% for k,v in item.vars|default([]) %} {% for k,v in item.item.vars|default([]) %}
{{ k }} {{ v }}; {{ k }} {{ v }};
{% endfor %} {% endfor %}
{% for location in item.locations|default([]) %} {% for location in item.item.locations|default([]) %}
location {{ location.path }} { location {{ location.path }} {
{% if location.type == 'fastcgi' %} {% if location.type == 'fastcgi' %}
fastcgi_param CONTENT_LENGTH $content_length; fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param CONTENT_TYPE $content_type; fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param HTTP_SCHEME {{ item.type }}; fastcgi_param HTTP_SCHEME {{ item.item.type }};
fastcgi_param HTTPS {% if item.type == 'https' %}True{% else %}False{% endif %}; fastcgi_param HTTPS {% if item.item.type == 'https' %}True{% else %}False{% endif %};
fastcgi_param PATH_INFO $fastcgi_script_name; fastcgi_param PATH_INFO $fastcgi_script_name;
fastcgi_param QUERY_STRING $query_string; fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method; fastcgi_param REQUEST_METHOD $request_method;
......