First go at a certbot/letsencrypt role for Fedora Infra
To use it:
1) Include the role in your playbook. This will install certbot and put a
tiny bit of Apache config in place, along with a monthly cron to attempt to
renew certificates.
2) Add the following lines to your Apache virtual host so that ACME HTTP
challenges are served from the webroot certbot writes to:
RewriteEngine on
RewriteRule ^/\.well-known/(.*) /srv/web/acme-challenge/.well-known/$1 [L]
3) ssh to the relevant box and request the certificate:
# TODO: Fix selinux stuff - the cron won't work until it's fixed either.
service httpd graceful
# Temporarily permissive only for the challenge; re-enable right after (see TODO above).
setenforce 0
certbot certonly --manual-public-ip-logging-ok --webroot -w \
/srv/web/acme-challenge/ -d YOURINSTANCE.fedorainfracloud.org
setenforce 1
4) Add your SSL VirtualHost. An Ansible template with something like this
should possibly work:
<VirtualHost {{public_ip}}:443 _default_:443>
ServerName YOURINSTANCE.fedorainfracloud.org
SSLEngine on
# Paths as written by certbot certonly above; fullchain.pem holds leaf + intermediates.
SSLCertificateFile /etc/letsencrypt/live/YOURINSTANCE.fedorainfracloud.org/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/YOURINSTANCE.fedorainfracloud.org/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/YOURINSTANCE.fedorainfracloud.org/fullchain.pem
SSLHonorCipherOrder On
# Note: RC4 and SSLv3 are both considered broken; consider dropping RC4-SHA and adding -SSLv3.
SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL
SSLProtocol ALL -SSLv2
# Your actual config goes here!
</VirtualHost>
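As an added example (not part of this role), a small Python check that parses a vhost template like the one above and flags the things a reviewer would want fixed before it is deployed: RC4 in the cipher list, SSLv3 left enabled, the YOURINSTANCE placeholder not replaced, and cert/key paths from different letsencrypt live directories. The embedded SAMPLE_VHOST is a constructed copy of the template above.

```python
import os

# Constructed copy of the vhost template above, placeholder left in on purpose.
SAMPLE_VHOST = """\
<VirtualHost {{public_ip}}:443 _default_:443>
ServerName YOURINSTANCE.fedorainfracloud.org
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/YOURINSTANCE.fedorainfracloud.org/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/YOURINSTANCE.fedorainfracloud.org/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/YOURINSTANCE.fedorainfracloud.org/fullchain.pem
SSLHonorCipherOrder On
SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL
SSLProtocol ALL -SSLv2
</VirtualHost>
"""


def parse_directives(text):
    """Map each one-line directive to its value (last occurrence wins).
    Section tags (<VirtualHost>, </VirtualHost>) and # comments are skipped."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "<")):
            continue
        name, _, value = line.partition(" ")
        found[name] = value.strip()
    return found


def audit_vhost(text):
    """Return a list of (severity, message) findings for an SSL vhost snippet."""
    d = parse_directives(text)
    findings = []
    suites = [s.upper() for s in d.get("SSLCipherSuite", "").split(":")]
    # RC4 either listed explicitly or pulled in via ALL without !RC4.
    if any(s.startswith("RC4") for s in suites) or ("ALL" in suites and "!RC4" not in suites):
        findings.append(("high", "SSLCipherSuite enables RC4, a broken stream cipher"))
    protos = [p.lower() for p in d.get("SSLProtocol", "").split()]
    if "-sslv3" not in protos and any(p in protos for p in ("all", "sslv3", "+sslv3")):
        findings.append(("high", "SSLProtocol leaves SSLv3 enabled (POODLE); add -SSLv3"))
    if d.get("SSLHonorCipherOrder", "").lower() != "on":
        findings.append(("medium", "SSLHonorCipherOrder should be On"))
    placeholders = [n for n, v in d.items() if "YOURINSTANCE" in v]
    if placeholders:
        findings.append(("medium", "placeholder YOURINSTANCE left in " + ", ".join(placeholders)))
    cert_dir = os.path.dirname(d.get("SSLCertificateFile", ""))
    key_dir = os.path.dirname(d.get("SSLCertificateKeyFile", ""))
    if cert_dir != key_dir:
        findings.append(("high", "cert and key come from different letsencrypt live directories"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_vhost(SAMPLE_VHOST):
        print(f"[{severity}] {message}")
```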