Fix enterprisemediawiki#748 Add Certbot

Various updates to Certbot/Haproxy Detect email setting for certbot Remove any pre-existing meza.pem and key files Concatenate all certificates into pem files for haproxy Remove code to generate self-signed meza.pem Remove redundant notify Remove commented code
freephile · Apr 16, 2020 · dc2b7d6 · dc2b7d6
1 parent f224b84
commit dc2b7d6
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 119 deletions.
diff --git a/src/roles/certbot/tasks/main.yml b/src/roles/certbot/tasks/main.yml
@@ -1,5 +1,14 @@
 ---
 # Role to install Let's Encrypt's Certbot, install certificate(s) and automate renewals
+- assert:
+    that:
+      - "m_httpd_server_admin is defined"
+      - "m_httpd_server_admin != 'admin@example.com'"
+    fail_msg: >
+      "To use certbot, you must supply a valid email for 'm_httpd_server_admin' in your public.yml
+      For example, add a line like this to /opt/conf-meza/public/public.yml
+      m_httpd_server_admin: me@gmail.com"
+
 - name: Ensure firewall port 54321 OPEN when certbot ENABLED
   include_role:
     name: firewall_port
@@ -12,6 +21,19 @@
     - enable_certbot
     - (docker_skip_tasks is not defined or not docker_skip_tasks)
 
+- name: Remove Meza cert files when certbot ENABLED
+  file:
+    path: "{{ item }}"
+    state: absent
+  with_items:
+    - /etc/haproxy/certs/meza.pem
+    - /etc/haproxy/certs/meza.crt
+    - /etc/haproxy/certs/meza.key
+
+  when:
+    - enable_certbot
+    - (docker_skip_tasks is not defined or not docker_skip_tasks)
+
 - name: Ensure Certbot installed 
   package:
     name: certbot
@@ -26,9 +48,13 @@
   run_once: True
 
 - name: Concatenate certificate files for HAproxy
-  shell: >
-    cat /etc/letsencrypt/live/{{ wiki_app_fqdn }}/fullchain.pem
-    /etc/letsencrypt/live/{{ wiki_app_fqdn }}/privkey.pem >
-    /etc/haproxy/certs/{{ wiki_app_fqdn }}.pem
-  notify:
-    - restart haproxy
+  shell: |
+    for SITE in $(find /etc/letsencrypt/live/ -maxdepth 1 -mindepth 1 -type d -exec basename {} \;)
+    do
+      cd /etc/letsencrypt/live/$SITE
+      cat fullchain.pem privkey.pem > /etc/haproxy/certs/$SITE.pem
+    done
+  args:
+    executable: /bin/bash
+  # notify:
+  #   - restart haproxy
diff --git a/src/roles/haproxy/tasks/main.yml b/src/roles/haproxy/tasks/main.yml
@@ -1,11 +1,4 @@
 ---
-# FIXME #748: Eventually add the ability to get SSL cert from letsencrypt
-#     ref: https://www.digitalocean.com/community/tutorials/how-to-secure-haproxy-with-let-s-encrypt-on-centos-7
-# Other refs:
-#     https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Load_Balancer_Administration/install_haproxy_example1.html
-#     https://gist.github.com/thisismitch/7c91e9b2b63f837a0c4b
-#     https://www.unixmen.com/configure-high-available-load-balancer-haproxy-keepalived/
-
 
 - name: Set fact if this load balancer will handle external connections (80/443)
   set_fact:
@@ -75,107 +68,14 @@
     # owner/group/mode?
 
 #
-# 1. If cert/key don't exist ON CONTROLLER, generate self-signed ON CONTROLLER
-# 2. Ensure cert and key in /etc/haproxy/certs
-# 3. Ensure cert and key assembled into pem file at /etc/haproxy/certs/meza.pem
+# 1. If cert/key don't exist ON CONTROLLER, install certbot and create certs ON CONTROLLER
+# 2. Ensure certs assembled in /etc/haproxy/certs
 #
-- name: Check if secret config on CONTROLLER has SSL keys
-  stat:
-    path: "{{ m_local_secret }}/{{ env }}/ssl/meza.key"
-  register: ssl_cert_stat_result
-  delegate_to: localhost
-  run_once: True
-
-- name: Ensure config SSL directory exists
-  file:
-    path: "{{ m_local_secret }}/{{ env }}/ssl"
-    state: directory
-    owner: root
-    group: root
-    mode: 0755
-  delegate_to: localhost
-  run_once: True
-
-# FIXME: Better would be "if not exists setup letsencrypt"
 
 - name: Use Certbot for SSL
   include_role:
     name: certbot
 
-# - name: If not exists, create self-signed SSL cert on CONTROLLER
-#   command: |
-#     openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 \
-#       -subj "/C=US/ST=TX/L=Houston/O=EnterpriseMediaWiki/CN={{ wiki_app_fqdn}}" \
-#       -keyout {{ m_local_secret }}/{{ env }}/ssl/meza.key \
-#       -out {{ m_local_secret }}/{{ env }}/ssl/meza.crt
-#   when: ssl_cert_stat_result.stat.exists == False
-#   delegate_to: localhost
-#   run_once: True
-
-# - name: Ensure SSL cert and key are encrypted
-#   shell: >
-#     ansible-vault encrypt
-#     {{ item }}
-#     --vault-password-file {{ m_home }}/meza-ansible/.vault-pass-{{ env }}.txt
-#   failed_when: False
-#   delegate_to: localhost
-#   run_once: True
-#   with_items:
-#     - "{{ m_local_secret }}/{{ env }}/ssl/meza.key"
-#     - "{{ m_local_secret }}/{{ env }}/ssl/meza.crt"
-
-# - name: Read SSL key into variable
-#   shell: >
-#     ansible-vault view
-#     /opt/conf-meza/secret/{{ env }}/ssl/meza.key
-#     --vault-password-file {{ m_home }}/meza-ansible/.vault-pass-{{ env }}.txt
-#   register: decrypted_key
-#   delegate_to: localhost
-#   run_once: True
-
-# - name: Read SSL cert into variable
-#   shell: >
-#     ansible-vault view
-#     /opt/conf-meza/secret/{{ env }}/ssl/meza.crt
-#     --vault-password-file {{ m_home }}/meza-ansible/.vault-pass-{{ env }}.txt
-#   register: decrypted_cert
-#   delegate_to: localhost
-#   run_once: True
-
-# # - name: Ensure cert and key on load balancers
-# #   copy:
-# #     src: "{{ m_local_secret }}/{{ env }}/ssl/{{ item }}"
-# #     dest: "/etc/haproxy/certs/{{ item }}"
-# #   with_items:
-# #     - meza.key
-# #     - meza.crt
-# #   notify:
-# #     - restart haproxy
-
-# - name: Ensure SSL cert on load balancers
-#   copy:
-#     content: "{{ decrypted_cert.stdout }}"
-#     dest: "/etc/haproxy/certs/meza.crt"
-#   notify:
-#     - restart haproxy
-
-# - name: Ensure SSL key on load balancers
-#   copy:
-#     content: "{{ decrypted_key.stdout }}"
-#     dest: "/etc/haproxy/certs/meza.key"
-#   notify:
-#     - restart haproxy
-
-# - name: Ensure cert and key assembled into into pem file
-#   copy:
-#     content: |
-#       {{ decrypted_cert.stdout }}
-#       {{ decrypted_key.stdout }}
-#     dest: /etc/haproxy/certs/meza.pem
-#   notify:
-#     - restart haproxy
-
-
 - name: Ensure haproxy certs have secure permissions
   file:
     path: /etc/haproxy/certs
@@ -184,8 +84,6 @@
     owner: root
     group: root
     mode: 0600
-  notify:
-    - restart haproxy
 
 - name: write the haproxy config file
   template:
@@ -194,15 +92,6 @@
   notify:
     - restart haproxy
 
-# - name: Ensure haproxy socket directory exists
-#   file:
-#     path: /run/haproxy
-#     state: directory
-#     owner: root
-#     group: root
-#     mode: 0660
-
-
 - name: Ensure error files directory in place
   file:
     path: /etc/haproxy/errors