First working mod_md with Lets Encrypt Staging

2021-10-26 00:12:43 -05:00
parent e10558c076
commit 0d06d4feae
2 changed files with 18 additions and 61 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,2 +1,4 @@
 ---
 # defaults file for ensure_apache
 lets_encrypt_admin: 'root@example.com'
 lets_encrypt_url: 'https://acme-v02.api.letsencrypt.org/directory'
--- a/templates/Fedora/34/etc/httpd/conf.d/vhost.conf
+++ b/templates/Fedora/34/etc/httpd/conf.d/vhost.conf
@@ -1,16 +1,9 @@
 MDBaseServer on
 MDCertificateProtocol ACME
 MDCAChallenges http-01
 MDDriveMode auto
 MDPrivateKeys RSA 4096
 MDRenewWindow 33%
 MDStoreDir md
 # MDCertificateAuthority https://acme-v02.api.letsencrypt.org/directory
 # We want staging for now...
 MDCertificateAuthority https://acme-staging-v02.api.letsencrypt.org/directory
 # MDCertificateAgreementhttps://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
 # https://httpd.apache.org/docs/trunk/mod/mod_md.html says the below works...
 MDCertificateAgreement accepted
 MDCertificateAuthority {{ lets_encrypt_url }}
 MDContactEmail {{ lets_encrypt_admin }}
 MDPrivateKeys secp384r1 secp256r1 RSA 4096
 MDRequireHttps temporary
 <Directory "/srv/http">
    AllowOverride None
@@ -24,54 +17,17 @@ MDCertificateAgreement accepted
    Require all granted
 </Directory>
 {% endfor %}
 {% for item in http_vhost %}
 {% if item.aliases is defined %}
 {% for item_alias in item.aliases %}
 <VirtualHost *:80>
  ServerName {{ item_alias }}
  ServerAdmin webmaster@firedragonenterprises.com
  DocumentRoot /srv/http/{{ item.fqdn }}
  RedirectMatch permanent "^(?!/\.well-known/acme-challenge/).*" https://{{ item.fqdn }}$0
 </VirtualHost>
 {% endfor %}
 {% endif %}
 <VirtualHost *:80>
  ServerName {{ item.fqdn }}
  ServerAdmin webmaster@firedragonenterprises.com
  DocumentRoot /srv/http/{{ item.fqdn }}
  RedirectMatch permanent "^(?!/\.well-known/acme-challenge/).*" https://{{ item.fqdn }}$0
 </VirtualHost>
 {% if item.aliases is defined %}
 {% for item_alias in item.aliases %}
-<VirtualHost *:443>
+  ServerAlias {{ item_alias }}
  SSLEngine on
  SSLProtocol all -TLSv1.1
  SSLProxyProtocol all -TLSv1.1
  SSLHonorCipherOrder on
  SSLCipherSuite PROFILE=SYSTEM
  SSLProxyCipherSuite PROFILE=SYSTEM
  SSLCertificateFile /etc/pki/tls/certs/localhost.crt
  SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
  ServerName {{ item_alias }}
  ServerAdmin webmaster@firedragonenterprises.com
  DocumentRoot /srv/http/{{ item.fqdn }}
  RedirectMatch permanent "^(?!/\.well-known/acme-challenge/).*" https://{{ item.fqdn }}$0
  <Location /.ansible>
    Require all denied
  </Location>
  <Location /.config>
    Require all denied
  </Location>
  <Location /.ssh>
    Require all denied
  </Location>
 </VirtualHost>
 {% endfor %}
 {% endif %}
  ServerAdmin webmaster@{{ item.fqdn }}
  DocumentRoot /srv/http/{{ item.fqdn }}
 </VirtualHost>
 MDomain {{ item.fqdn }}
 <VirtualHost *:443>
@@ -81,14 +37,13 @@ MDomain {{ item.fqdn }}
  SSLHonorCipherOrder on
  SSLCipherSuite PROFILE=SYSTEM
  SSLProxyCipherSuite PROFILE=SYSTEM
  # original
  # SSLCertificateFile /etc/pki/tls/certs/localhost.crt
  # SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
  # mod_md should change hte default value to this
  # SSLCertificateFile /etc/httpd/md/domains/{{ item.fqdn }}/pubcert.pem
  # SSLCertificateKeyFile /etc/httpd/md/domains/{{ item.fqdn }}/privkey.pem
  ServerName {{ item.fqdn }}
-  ServerAdmin webmaster@firedragonenterprises.com
+{% if item.aliases is defined %}
 {% for item_alias in item.aliases %}
  ServerAlias {{ item_alias }}
 {% endfor %}
 {% endif %}
  ServerAdmin webmaster@{{ item.fqdn }}
  DocumentRoot /srv/http/{{ item.fqdn }}
  Alias /error/ "/var/www/error/"
 {% if item.proxy is defined %}