r/apache: Use variables for HTTPS cert/key content
Using files for certificates and private keys is less than ideal. The only way to "share" a certificate between multiple hosts is with symbolic links, which means the configuration policy has to be prepared for each managed system. As we're moving toward a much more dynamic environment, this becomes problematic; the host-provisioner will never be able to copy a certificate to a new host that was just created. Further, I have never really liked the idea of storing certificates and private keys in Git anyway, even if it is in a submodule with limited access.
@@ -20,35 +20,40 @@
- name: ensure tls private key exists
copy:
src={{ item }}
dest={{ apache_ssl_certificate_key }}
mode=0400
setype=cert_t
with_fileglob:
- '{{ inventory_hostname }}.key'
content: >-
{{ apache_ssl_certificate_key_data }}
dest: >-
{{ apache_ssl_certificate_key }}
mode: u=r,go=
setype: cert_t
diff: false
when: apache_ssl_certificate_key_data is defined
notify: reload httpd
tags:
- cert
- name: ensure tls certificate exists
copy:
src={{ item }}
dest={{ apache_ssl_certificate }}
mode=0644
setype=cert_t
with_fileglob:
- '{{ inventory_hostname }}.cer'
content: >-
{{ apache_ssl_certificate_data }}
dest: >-
{{ apache_ssl_certificate }}
mode: u=rw,go=r
setype: cert_t
when: apache_ssl_certificate_data is defined
tags:
- cert
notify: reload httpd
- name: ensure tls ca certificate exists
copy:
src={{ item }}
dest={{ apache_ssl_ca_certificate }}
mode=0644
setype=cert_t
when: apache_ssl_ca_certificate is defined
with_fileglob:
- '{{ inventory_hostname }}-ca.crt'
content: >-
{{ apache_ssl_ca_certificate_data }}
dest: >-
{{ apache_ssl_ca_certificate }}
mode: u=rw,go=r
setype: cert_t
when:
apache_ssl_ca_certificate is defined and
apache_ssl_ca_certificate_data is defined
notify: reload httpd
tags:
- cert
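Review bot: the `ensure tls private key exists` task sets `diff: false` but not `no_log: true`, so `diff: false` only hides the file diff while verbose runs and failure output can still echo the task's arguments, including `apache_ssl_certificate_key_data`; add `no_log: true` next to `diff: false` on that task. It is also worth documenting in the role defaults or README that `apache_ssl_certificate_key_data` is expected to arrive from an encrypted source (ansible-vault or an external secret lookup), since the commit's goal of keeping private keys out of Git depends on where that variable is populated. The permission changes are equivalent to the old values (`u=r,go=` is 0400 for the key, `u=rw,go=r` is 0644 for the two certificates), so no behavioural change there.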