From 0d06d4feae729ec0cffe899fdd6b804998ab3023 Mon Sep 17 00:00:00 2001
From: Jason Rothstein
Date: Tue, 26 Oct 2021 00:12:43 -0500
Subject: [PATCH] First working mod_md with Lets Encrypt Staging
---
 defaults/main.yml | 4 +-
 .../Fedora/34/etc/httpd/conf.d/vhost.conf | 75 ++++---------------
 2 files changed, 18 insertions(+), 61 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index e40e378..baf6991 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,2 +1,4 @@
 ---
-# defaults file for ensure_apache
\ No newline at end of file
+# defaults file for ensure_apache
+lets_encrypt_admin: 'root@example.com'
+lets_encrypt_url: 'https://acme-v02.api.letsencrypt.org/directory'
diff --git a/templates/Fedora/34/etc/httpd/conf.d/vhost.conf b/templates/Fedora/34/etc/httpd/conf.d/vhost.conf
index ca9211c..31481f1 100644
--- a/templates/Fedora/34/etc/httpd/conf.d/vhost.conf
+++ b/templates/Fedora/34/etc/httpd/conf.d/vhost.conf
@@ -1,16 +1,9 @@
 MDBaseServer on
-MDCertificateProtocol ACME
-MDCAChallenges http-01
-MDDriveMode auto
-MDPrivateKeys RSA 4096
-MDRenewWindow 33%
-MDStoreDir md
-# MDCertificateAuthority https://acme-v02.api.letsencrypt.org/directory
-# We want staging for now...
-MDCertificateAuthority https://acme-staging-v02.api.letsencrypt.org/directory
-# MDCertificateAgreementhttps://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
-# https://httpd.apache.org/docs/trunk/mod/mod_md.html says the below works...
 MDCertificateAgreement accepted
+MDCertificateAuthority {{ lets_encrypt_url }}
+MDContactEmail {{ lets_encrypt_admin }}
+MDPrivateKeys secp384r1 secp256r1 RSA 4096
+MDRequireHttps temporary
 AllowOverride None
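Review bot: The new `lets_encrypt_url` default is the production ACME directory, while the template line this commit removes pointed at staging and the commit title says staging; the first run against production on a not-yet-reachable host spends Let's Encrypt rate limits on failed orders, and `root@example.com` is a reserved placeholder the CA cannot use for expiry notices. Both values are clearly meant to be overridden per inventory, so the defaults file should say so: `# Override in inventory; for testing use https://acme-staging-v02.api.letsencrypt.org/directory` above `lets_encrypt_url`, and `# Mailbox the CA contacts about expiring certificates; must be a real address` above `lets_encrypt_admin`.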
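Review bot: `MDRequireHttps temporary` is the right setting while issuance is still being tested, but nothing marks it as provisional: the `permanent` mode is what turns the redirect into a 301 and emits `Strict-Transport-Security`, so add `# switch to 'permanent' once production issuance is confirmed (enables HSTS)` above it. Dropping `MDCAChallenges http-01` means the challenge type now falls back to mod_md's default, which only works if port 80 stays reachable from the CA; if that is intended, a one-line comment saying so saves the next reader a trip to the docs. `MDPrivateKeys secp384r1 secp256r1 RSA 4096` asks mod_md for a certificate per key type, i.e. three orders per domain, which is worth noting next to the directive given the rate-limit concern above.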
@@ -24,54 +17,17 @@ MDCertificateAgreement accepted Require all granted -{% endfor %} -{% for item in http_vhost %} -{% if item.aliases is defined %} -{% for item_alias in item.aliases %} - - ServerName {{ item_alias }} - ServerAdmin webmaster@firedragonenterprises.com - DocumentRoot /srv/http/{{ item.fqdn }} - RedirectMatch permanent "^(?!/\.well-known/acme-challenge/).*" https://{{ item.fqdn }}$0 - - -{% endfor %} -{% endif %} ServerName {{ item.fqdn }} - ServerAdmin webmaster@firedragonenterprises.com - DocumentRoot /srv/http/{{ item.fqdn }} - RedirectMatch permanent "^(?!/\.well-known/acme-challenge/).*" https://{{ item.fqdn }}$0 - - {% if item.aliases is defined %} {% for item_alias in item.aliases %} - - SSLEngine on - SSLProtocol all -TLSv1.1 - SSLProxyProtocol all -TLSv1.1 - SSLHonorCipherOrder on - SSLCipherSuite PROFILE=SYSTEM - SSLProxyCipherSuite PROFILE=SYSTEM - SSLCertificateFile /etc/pki/tls/certs/localhost.crt - SSLCertificateKeyFile /etc/pki/tls/private/localhost.key - ServerName {{ item_alias }} - ServerAdmin webmaster@firedragonenterprises.com - DocumentRoot /srv/http/{{ item.fqdn }} - RedirectMatch permanent "^(?!/\.well-known/acme-challenge/).*" https://{{ item.fqdn }}$0 - - Require all denied - - - Require all denied - - - Require all denied - - - + ServerAlias {{ item_alias }} {% endfor %} {% endif %} + ServerAdmin webmaster@{{ item.fqdn }} + DocumentRoot /srv/http/{{ item.fqdn }} + + MDomain {{ item.fqdn }} 
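Review bot: The three `Require all denied` blocks removed together with the per-alias TLS vhosts have no counterpart on the new side of this hunk, and their target paths were lost in this rendering; please confirm the remaining TLS vhost (its body begins in the next hunk and runs past it) still carries them, otherwise folding the aliases into `ServerAlias` widens what is served under those names. The explicit `RedirectMatch` that exempted `/.well-known/acme-challenge/` is also gone, which is only safe because `MDRequireHttps temporary` in the first hunk now owns both the redirect and the challenge exemption; that dependency deserves a comment at the `MDomain` line, e.g. `# http->https redirect and ACME challenge handling come from MDRequireHttps`. Whether mod_md adds the `ServerAlias` names to this `MDomain` automatically depends on `MDMembers` staying at its default; a short note to that effect would make the single-name `MDomain` line less surprising.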
@@ -81,14 +37,13 @@ MDomain {{ item.fqdn }} SSLHonorCipherOrder on SSLCipherSuite PROFILE=SYSTEM SSLProxyCipherSuite PROFILE=SYSTEM - # original - # SSLCertificateFile /etc/pki/tls/certs/localhost.crt - # SSLCertificateKeyFile /etc/pki/tls/private/localhost.key - # mod_md should change hte default value to this - # SSLCertificateFile /etc/httpd/md/domains/{{ item.fqdn }}/pubcert.pem - # SSLCertificateKeyFile /etc/httpd/md/domains/{{ item.fqdn }}/privkey.pem ServerName {{ item.fqdn }} - ServerAdmin webmaster@firedragonenterprises.com +{% if item.aliases is defined %} +{% for item_alias in item.aliases %} + ServerAlias {{ item_alias }} +{% endfor %} +{% endif %} + ServerAdmin webmaster@{{ item.fqdn }} DocumentRoot /srv/http/{{ item.fqdn }} Alias /error/ "/var/www/error/" {% if item.proxy is defined %}
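Review bot: Removing the commented-out `SSLCertificateFile`/`SSLCertificateKeyFile` lines leaves the TLS vhost with no visible certificate directives and no explanation, which the next maintainer will read as a misconfiguration; replace them with one line such as `# certificate and key for this MDomain are supplied by mod_md; no SSLCertificateFile needed`. The `ServerAlias` loop added here is a verbatim copy of the one added to the port-80 vhost in the previous hunk, so a Jinja macro would keep the two from drifting apart. The vhost's opening and closing lines are outside this hunk.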