First working mod_md with Lets Encrypt Staging

2021-10-26 00:12:43 -05:00 · 2021-10-26 00:12:43 -05:00 · 0d06d4feae
commit 0d06d4feae
parent e10558c076
2 changed files with 18 additions and 61 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -1,2 +1,4 @@
 ---
-# defaults file for ensure_apache
+# defaults file for ensure_apache
+lets_encrypt_admin: 'root@example.com'
+lets_encrypt_url: 'https://acme-v02.api.letsencrypt.org/directory'
--- a/templates/Fedora/34/etc/httpd/conf.d/vhost.conf
+++ b/templates/Fedora/34/etc/httpd/conf.d/vhost.conf
@ -1,16 +1,9 @@
 MDBaseServer on
-MDCertificateProtocol ACME
-MDCAChallenges http-01
-MDDriveMode auto
-MDPrivateKeys RSA 4096
-MDRenewWindow 33%
-MDStoreDir md
-# MDCertificateAuthority https://acme-v02.api.letsencrypt.org/directory
-# We want staging for now...
-MDCertificateAuthority https://acme-staging-v02.api.letsencrypt.org/directory
-# MDCertificateAgreementhttps://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
-# https://httpd.apache.org/docs/trunk/mod/mod_md.html says the below works...
 MDCertificateAgreement accepted
+MDCertificateAuthority {{ lets_encrypt_url }}
+MDContactEmail {{ lets_encrypt_admin }}
+MDPrivateKeys secp384r1 secp256r1 RSA 4096
+MDRequireHttps temporary

 <Directory "/srv/http">
    AllowOverride None
@ -24,54 +17,17 @@ MDCertificateAgreement accepted
    Require all granted
 </Directory>

-{% endfor %}
-{% for item in http_vhost %}
-{% if item.aliases is defined %}
-{% for item_alias in item.aliases %}
-<VirtualHost *:80>
-  ServerName {{ item_alias }}
-  ServerAdmin webmaster@firedragonenterprises.com
-  DocumentRoot /srv/http/{{ item.fqdn }}
-  RedirectMatch permanent "^(?!/\.well-known/acme-challenge/).*" https://{{ item.fqdn }}$0
-</VirtualHost>
-
-{% endfor %}
-{% endif %}
 <VirtualHost *:80>
  ServerName {{ item.fqdn }}
-  ServerAdmin webmaster@firedragonenterprises.com
-  DocumentRoot /srv/http/{{ item.fqdn }}
-  RedirectMatch permanent "^(?!/\.well-known/acme-challenge/).*" https://{{ item.fqdn }}$0
-</VirtualHost>
-
 {% if item.aliases is defined %}
 {% for item_alias in item.aliases %}
-<VirtualHost *:443>
-  SSLEngine on
-  SSLProtocol all -TLSv1.1
-  SSLProxyProtocol all -TLSv1.1
-  SSLHonorCipherOrder on
-  SSLCipherSuite PROFILE=SYSTEM
-  SSLProxyCipherSuite PROFILE=SYSTEM
-  SSLCertificateFile /etc/pki/tls/certs/localhost.crt
-  SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
-  ServerName {{ item_alias }}
-  ServerAdmin webmaster@firedragonenterprises.com
-  DocumentRoot /srv/http/{{ item.fqdn }}
-  RedirectMatch permanent "^(?!/\.well-known/acme-challenge/).*" https://{{ item.fqdn }}$0
-  <Location /.ansible>
-    Require all denied
-  </Location>
-  <Location /.config>
-    Require all denied
-  </Location>
-  <Location /.ssh>
-    Require all denied
-  </Location>
-</VirtualHost>
-
+  ServerAlias {{ item_alias }}
 {% endfor %}
 {% endif %}
+  ServerAdmin webmaster@{{ item.fqdn }}
+  DocumentRoot /srv/http/{{ item.fqdn }}
+</VirtualHost>
+
 MDomain {{ item.fqdn }}

 <VirtualHost *:443>
@ -81,14 +37,13 @@ MDomain {{ item.fqdn }}
  SSLHonorCipherOrder on
  SSLCipherSuite PROFILE=SYSTEM
  SSLProxyCipherSuite PROFILE=SYSTEM
-  # original
-  # SSLCertificateFile /etc/pki/tls/certs/localhost.crt
-  # SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
-  # mod_md should change hte default value to this
-  # SSLCertificateFile /etc/httpd/md/domains/{{ item.fqdn }}/pubcert.pem
-  # SSLCertificateKeyFile /etc/httpd/md/domains/{{ item.fqdn }}/privkey.pem
  ServerName {{ item.fqdn }}
-  ServerAdmin webmaster@firedragonenterprises.com
+{% if item.aliases is defined %}
+{% for item_alias in item.aliases %}
+  ServerAlias {{ item_alias }}
+{% endfor %}
+{% endif %}
+  ServerAdmin webmaster@{{ item.fqdn }}
  DocumentRoot /srv/http/{{ item.fqdn }}
  Alias /error/ "/var/www/error/"
 {% if item.proxy is defined %}