r/mod_md: Configure Apache for ACME certificates
Apache supports fetching server certificates via ACME (e.g. from Let's Encrypt) using a new module called _mod_md_. Configuring the module is fairly straightforward, mostly consisting of `MDomain` directives that indicate what certificates to request. Unfortunately, there is one rather annoying quirk: the certificates it obtains are not immediately available to use, and the server must be reloaded in order to start using them. Fortunately, the module provides a notification mechanism via the `MDNotifyCmd` directive, which will run the specified command after obtaining a certificate. The command is executed with the privileges of the web server, which does not have permission to reload itself, so we have to build in some indirection in order to trigger the reload: the notification runs a script that creates an empty file in the server's state directory; systemd is watching for that file to be created, then starts another service unit to trigger the actual reload, then removes trigger file. Website roles, etc. that want to switch to using _mod_md_ to manage their certificates should depend on this role and add an `MDomain` directive to their Apache configuration file fragments.
This commit is contained in:
54
roles/mod_md/tasks/main.yml
Normal file
54
roles/mod_md/tasks/main.yml
Normal file
@@ -0,0 +1,54 @@
|
||||
- name: ensure mod_md is installed
|
||||
package:
|
||||
name: mod_md
|
||||
state: present
|
||||
tags:
|
||||
- install
|
||||
|
||||
- name: ensure mod_md is configured
|
||||
template:
|
||||
src: mod_md.conf.j2
|
||||
dest: /etc/httpd/conf.d/01-mod_md.conf
|
||||
owner: root
|
||||
group: root
|
||||
mode: u=rw,go=r
|
||||
notify:
|
||||
- reload httpd
|
||||
tags:
|
||||
- config
|
||||
|
||||
- name: ensure mod_md notify script is installed
|
||||
copy:
|
||||
src: md-notify.sh
|
||||
dest: /usr/local/libexec/md-notify
|
||||
owner: root
|
||||
group: root
|
||||
mode: u=rwx,go=rx
|
||||
tags:
|
||||
- notify-script
|
||||
|
||||
- name: ensure httpd-reload systemd units are installed
|
||||
copy:
|
||||
src: '{{ item }}'
|
||||
dest: /etc/systemd/system/{{ item }}
|
||||
owner: root
|
||||
group: root
|
||||
mode: u=rw,go=r
|
||||
loop:
|
||||
- httpd-reload.path
|
||||
- httpd-reload.service
|
||||
notify: reload systemd
|
||||
tags:
|
||||
- systemd
|
||||
- name: ensure httpd-reload.path unit is enabled
|
||||
systemd:
|
||||
name: httpd-reload.path
|
||||
enabled: true
|
||||
tags:
|
||||
- service
|
||||
- name: ensure httpd-reload.path unit is active
|
||||
systemd:
|
||||
name: httpd-reload.path
|
||||
state: started
|
||||
tags:
|
||||
- service
|
||||
Reference in New Issue
Block a user