.png)
Estoy intentando generar un certificado SSL con Ansible para *.rasp.example.comy rasp.example.com.
Ya tengo una solución "funcional" (sin errores al implementar), pero cuando intento compararla con certbot, tengo algunos csr, crtmientras keyque certbot solo devuelve 2 pemarchivos (clave y certificado).
Cuando se trata del navegador, tengo algún problema, por ejemplo, https funciona rasp.example.compero no *.rasp.example.comincluso si agrego un nombre DNS alternativo.
Mi papel :
- name: Certificate - set facts
ansible.builtin.set_fact:
account_key_path: /etc/ssl/private/account.key
key_path: /etc/ssl/private/rasp.example.com.key
crt_path: /etc/ssl/certs/rasp.example.com.crt
crt_fullchain_path: /etc/ssl/certs/rasp.example.com-fullchain.crt
csr_path: /etc/ssl/certs/rasp.example.com.csr
acme_directory: https://acme-v02.api.letsencrypt.org/directory
acme_challenge_type: dns-01
acme_version: 2
acme_email: [email protected]
zone: example.com
subdomain: rasp
- name: Generate let's encrypt account key
community.crypto.openssl_privatekey:
path: "{{ account_key_path }}"
- name: Create private key (RSA, 4096 bits)
community.crypto.openssl_privatekey:
path: "{{ key_path }}"
- name: Generate an OpenSSL Certificate Signing Request
community.crypto.openssl_csr:
path: "{{ csr_path }}"
privatekey_path: "{{ key_path }}"
common_name: "*.{{ subdomain }}.{{ zone }}"
subject_alt_name: "DNS:{{ subdomain + '.' + zone }}" # for rasp.example.com
- name: Make sure account exists and has given contacts. We agree to TOS.
community.crypto.acme_account:
account_key_src: "{{ account_key_path }}"
acme_directory: "{{ acme_directory }}"
acme_version: "{{ acme_version }}"
state: present
terms_agreed: true
contact:
- mailto:[email protected]
- name: Create a challenge using a account key file.
community.crypto.acme_certificate:
account_key_src: "{{ account_key_path }}"
account_email: "{{ acme_email }}"
src: "{{ csr_path }}"
fullchain_dest: "{{ crt_fullchain_path }}"
challenge: dns-01
acme_directory: "{{ acme_directory }}"
acme_version: 2
terms_agreed: true
remaining_days: 60
force: true
register: challenge
- name: Certificate does not exists or needs to be renewed
when: challenge["challenge_data"] is defined and (challenge["challenge_data"] | length > 0)
block:
- name: Set challenge data
ansible.builtin.set_fact:
challenge: "{{ challenge }}"
- name: Upload OVH credentials
ansible.builtin.template:
src: ovh.conf.j2
dest: /root/.ovh.conf
owner: root
group: root
mode: 0600
- name: Create DNS challenge record on OVH
ansible.builtin.script:
cmd: "dns.py create {{ zone }} TXT -t {{ item.value['dns-01'].resource_value }} -s {{ item.value['dns-01'].resource }}.{{ subdomain }}"
args:
executable: python3
chdir: /root
with_dict: "{{ challenge['challenge_data'] }}"
- name: Let the challenge be validated and retrieve the cert and intermediate certificate
community.crypto.acme_certificate:
account_key_src: "{{ account_key_path }}"
account_email: "{{ acme_email }}"
src: "{{ csr_path }}"
dest: "{{ crt_path }}"
fullchain_dest: "{{ crt_fullchain_path }}"
challenge: dns-01
acme_directory: "{{ acme_directory }}"
acme_version: 2
terms_agreed: true
remaining_days: 60
data: "{{ challenge }}"
notify:
- Delete DNS challenge record on OVH
Utilizo OVH como DNS, creé un .pyscript simple que agrega/elimina un registro TXT.
Además, uso NGINX como servidor web:
listen 443 ssl;
ssl_certificate /etc/ssl/certs/rasp.example.com.crt;
ssl_certificate_key /etc/ssl/private/rasp.example.com.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
¿Estoy haciendo algo mal aquí?
Respuesta1
Está utilizando el certificado comodín para *.rasp.example.com, pero no para. rasp.example.comDebe incluir tanto el comodín como el dominio base en los nombres alternativos del asunto.
Actualizar openssl_csrla tarea Ansibleasí:
- name: Generate an OpenSSL Certificate Signing Request
community.crypto.openssl_csr:
path: "{{ csr_path }}"
privatekey_path: "{{ key_path }}"
common_name: "*.{{ subdomain }}.{{ zone }}"
subject_alt_name:
- "DNS:*.{{ subdomain }}.{{ zone }}"
- "DNS:{{ subdomain }}.{{ zone }}" # for rasp.example.com
entonces en tu Nginxconfiguración es mejor usar el certificado de cadena completa en lugar de solo el certificado:
listen 443 ssl;
ssl_certificate /etc/ssl/certs/rasp.example.com-fullchain.crt;
ssl_certificate_key /etc/ssl/private/rasp.example.com.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;