Improve certificate generation
1. Generate root CA 2. Generate wildcard CSR 3. Sign wildcard CSR with root CA 4. Install root CA system-wide
This commit is contained in:
parent
b5140b9e81
commit
d9bd3ac145
@ -8,6 +8,7 @@ homelab.
* completely managed by Ansible
* completely managed by Ansible
* containerised
* containerised
* configurable
* configurable
* automatic SSL certificates via `openssl`
=== Containers
=== Containers
@ -5,20 +5,51 @@
mode: '0755'
mode: '0755'
loop:
loop:
- "{{ nginx_confd_folder }}"
- "{{ nginx_confd_folder }}"
- name: generate certificates
- name: generate root ca
command: openssl req \
command: openssl req \
-x509 \
-x509 \
-sha256 \
-new \
-newkey rsa:2048 \
-keyout "{{ data_folder }}/nginx/{{ base_domain }}".key \
-subj "/C=CZ/L=Prague/CN=*.{{ base_domain }}/emailAddress={{ admin_email }}"
-out "{{ data_folder }}/nginx/{{ base_domain }}".crt \
-days 3650 \
-nodes \
-nodes \
-newkey rsa:2048 \
-keyout "{{ data_folder }}/nginx/rootca.key" \
-out "{{ data_folder }}/nginx/rootca.pem" \
-sha256 \
-days 3650 \
-subj "/C=CZ/L=Prague/CN=Homelab/emailAddress={{ admin_email }}"
args:
creates: rootca.*
- name: generate wildcard csr
command: openssl req \
-new \
-nodes \
-newkey rsa:2048 \
-keyout "{{ data_folder }}/nginx/{{ base_domain }}.key" \
-out "{{ data_folder }}/nginx/{{ base_domain }}.csr" \
-subj "/C=CZ/L=Prague/CN=*.{{ base_domain }}/emailAddress={{ admin_email }}"
args:
creates: "{{ data_folder }}/nginx/{{ base_domain }}.*"
- name: sign wildcard csr with root ca
command: openssl x509 \
-req \
-in "{{ data_folder }}/nginx/{{ base_domain }}.csr" \
-CA "{{ data_folder }}/nginx/rootca.pem" \
-CAkey "{{ data_folder }}/nginx/rootca.key" \
-CAcreateserial \
-out "{{ data_folder }}/nginx/{{ base_domain }}.crt" \
-days 3650 \
-sha256
args:
creates: "{{ data_folder }}/nginx/{{ base_domain }}.crt"
- name: install root ca
command: trust anchor "{{ data_folder }}/nginx/rootca.pem"
args:
creates: /etc/ca-certificates/extracted/cadir/Homelab*
become: yes
- name: copy certificates
- name: copy certificates
copy:
copy:
src: "{{ item }}"
src: "{{ item }}"
dest: "{{ data_folder }}/nginx"
dest: "{{ data_folder }}/nginx"
mode: '0755'
loop:
loop:
- "{{ data_folder }}/nginx/{{ base_domain }}.key"
- "{{ data_folder }}/nginx/{{ base_domain }}.key"
- "{{ data_folder }}/nginx/{{ base_domain }}.crt"
- "{{ data_folder }}/nginx/{{ base_domain }}.crt"
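Review bot: `creates: rootca.*` in the new "generate root ca" task is a relative glob and the task sets no `chdir`, so it is resolved against the command's default working directory rather than `{{ data_folder }}/nginx`; as written the CA key and cert are regenerated on every run, which invalidates the already-signed wildcard certificate and the anchor installed by "install root ca" — make it `creates: "{{ data_folder }}/nginx/rootca.*"` like the other tasks (the task list continues outside the hunk). The added `mode: '0755'` on "copy certificates" also applies to `{{ base_domain }}.key`, leaving the private key world-readable; copy the key in its own task with `mode: '0600'`, or set the mode per loop item. "sign wildcard csr with root ca" issues a certificate with no subjectAltName, since the CSR carries none and `openssl x509 -req` does not copy extensions by default, and browsers ignore the CN and require a SAN; add `-addext "subjectAltName=DNS:*.{{ base_domain }},DNS:{{ base_domain }}"` to the CSR step and `-copy_extensions copy` to the signing step (OpenSSL 3.0+; older releases need an `-extfile`). `become: yes` should be `become: true`. The unencrypted (`-nodes`) root CA key is written into the same nginx data folder as the served files; keeping it outside that tree, or at least with a restrictive mode, limits what a compromise of the web server exposes.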