
Ansible 2.8 support: Generate self-signed certificates #1110

Merged: 1 commit merged into roots:master on Oct 7, 2019

Conversation

@tangrufus (Member) commented Oct 5, 2019

Follow-up to #1103

```yaml
shell: "openssl req -new -newkey rsa:2048 \
-days 3650 -nodes -x509 -sha256 \
-extensions req_ext -config <( \
cat <<' EOF'\n
[req]\n
prompt = no\n
distinguished_name = req_dn\n
[req_dn]\n
commonName = {{ item.value.site_hosts[0].canonical }}\n
[req_ext]\n
subjectAltName = {{ site_hosts | union(multisite_subdomains_wildcards) | map('regex_replace', '(.*)', 'DNS:\\1') | join(',') }}\n
EOF\n
) \
-keyout {{ item.key | quote }}.key -out {{ item.key | quote }}.cert"
```

behaves differently since Ansible 2.8.

Ansible 2.7.13:

```json
"cmd": "openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -sha256 -extensions req_ext -config <( cat <<' EOF'\n [req]\n prompt = no\n distinguished_name = req_dn\n [req_dn]\n commonName = typist.test\n [req_ext]\n subjectAltName = DNS:typist.test,DNS:www.typist.test\n EOF\n ) -keyout typist.tech.key -out typist.tech.cert",
```

Ansible 2.8.5:

```json
"cmd": "openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -sha256 -extensions req_ext -config <( cat <<' EOF'\n[req]\nprompt = no\ndistinguished_name = req_dn\n[req_dn]\ncommonName = typist.test\n[req_ext]\nsubjectAltName = DNS:typist.test,DNS:www.typist.test\nEOF\n) -keyout typist.tech.key -out typist.tech.cert",
```

This pull request templates the config files to {{ nginx_ssl_path }}/self-signed-openssl-configs/ temporarily instead of inlining cat.

Note: This pull request needs testing!

See:

@swalkinshaw (Member)

Just to confirm, the difference was in spacing after newlines? And the lack of spacing broke something?

@swalkinshaw (Member)

Tested and it generated the SSL cert 👍

@tangrufus (Member, Author)

> Just to confirm, the difference was in spacing after newlines? And the lack of spacing broke something?

Yes and yes.

Besides templating to a temporary file, there are alternatives: https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-the-command-line
(Note: I didn't try these alternatives)

@swalkinshaw (Member)

A real template like this PR is much better than the complex/brittle shell script anyway I think 👍
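The PR replaces the inlined heredoc with a templated OpenSSL config file. As an added example, not code from roots/trellis or from this PR, here is a POSIX shell version of that approach: one function writes the same three sections the heredoc carried ([req], [req_dn], [req_ext]), turning the CN and every extra host into DNS: SAN entries with duplicates dropped (the role the `union` filter played), a second runs the same `openssl req` invocation against that file, and a third reads the SAN back out of the resulting cert so the result can be checked. The host names are constructed sample inputs and the function names are my own.

```shell
#!/bin/sh
# Added example (not roots/trellis code): self-signed cert with SANs driven
# by a generated config file instead of a heredoc inside the shell command.

# write_req_config OUTFILE CN [ALT_HOST ...]
# Emits an OpenSSL req config whose subjectAltName covers the CN and every
# extra host once, in the order given (wildcards such as *.example.test are
# passed through unchanged).
write_req_config() {
  out="$1"; cn="$2"; shift 2
  san=""
  for h in "$cn" "$@"; do
    # drop hosts already present so the list behaves like a set union
    case ",$san," in *",DNS:$h,"*) continue;; esac
    san="${san:+$san,}DNS:$h"
  done
  {
    printf '[req]\n'
    printf 'prompt = no\n'
    printf 'distinguished_name = req_dn\n'
    printf '[req_dn]\n'
    printf 'commonName = %s\n' "$cn"
    printf '[req_ext]\n'
    printf 'subjectAltName = %s\n' "$san"
  } > "$out"
}

# generate_self_signed CONFIG KEYFILE CERTFILE
# Same openssl flags as the original task; the config now comes from a file,
# so nothing depends on how the calling tool folds a multi-line string.
generate_self_signed() {
  openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -sha256 \
    -extensions req_ext -config "$1" -keyout "$2" -out "$3" 2>/dev/null
}

# cert_sans CERTFILE
# Prints the cert's SAN list as "DNS:a,DNS:b" so it can be compared with
# what was requested; a cert with no SAN prints nothing.
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# Demo with constructed host names (mirrors the typist.test sample above).
tmp=$(mktemp -d)
write_req_config "$tmp/typist.test.cnf" typist.test www.typist.test
cat "$tmp/typist.test.cnf"
if command -v openssl >/dev/null 2>&1; then
  generate_self_signed "$tmp/typist.test.cnf" "$tmp/typist.test.key" "$tmp/typist.test.cert"
  cert_sans "$tmp/typist.test.cert"
fi
```

Checking `cert_sans` against the requested list after generation is the cheap test that catches the failure mode in this thread: an `openssl req` that silently ran with a truncated or missing `[req_ext]` section still produces a cert, just one without the SANs the vhost needs.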

@tangrufus (Member, Author)

Tested on some of my sites. Looks good to me.

Anything I have to do to get it merged?

@swalkinshaw swalkinshaw merged commit b53f5e6 into roots:master Oct 7, 2019
@tangrufus tangrufus deleted the self-signed-ansible-28 branch October 7, 2019 12:29