.png)
*.rasp.example.com및 에 대해 Ansible을 사용하여 SSL 인증서를 생성하려고 합니다 rasp.example.com.
이미 "작동하는" 솔루션(배포 시 오류 없음)이 있지만 이를 certbot과 비교하려고 하면 일부가 있는 csr반면 crtcertbot key은 2개의 pem파일(키 및 인증서)만 반환합니다.
브라우저의 경우 몇 가지 문제가 있습니다. 예를 들어 대체 DNS 이름을 추가해도 https는 작동 rasp.example.com하지만 작동하지 않습니다 .*.rasp.example.com
나의 역할 :
- name: Certificate - set facts
ansible.builtin.set_fact:
account_key_path: /etc/ssl/private/account.key
key_path: /etc/ssl/private/rasp.example.com.key
crt_path: /etc/ssl/certs/rasp.example.com.crt
crt_fullchain_path: /etc/ssl/certs/rasp.example.com-fullchain.crt
csr_path: /etc/ssl/certs/rasp.example.com.csr
acme_directory: https://acme-v02.api.letsencrypt.org/directory
acme_challenge_type: dns-01
acme_version: 2
acme_email: [email protected]
zone: example.com
subdomain: rasp
- name: Generate let's encrypt account key
community.crypto.openssl_privatekey:
path: "{{ account_key_path }}"
- name: Create private key (RSA, 4096 bits)
community.crypto.openssl_privatekey:
path: "{{ key_path }}"
- name: Generate an OpenSSL Certificate Signing Request
community.crypto.openssl_csr:
path: "{{ csr_path }}"
privatekey_path: "{{ key_path }}"
common_name: "*.{{ subdomain }}.{{ zone }}"
subject_alt_name: "DNS:{{ subdomain + '.' + zone }}" # for rasp.example.com
- name: Make sure account exists and has given contacts. We agree to TOS.
community.crypto.acme_account:
account_key_src: "{{ account_key_path }}"
acme_directory: "{{ acme_directory }}"
acme_version: "{{ acme_version }}"
state: present
terms_agreed: true
contact:
- mailto:[email protected]
- name: Create a challenge using a account key file.
community.crypto.acme_certificate:
account_key_src: "{{ account_key_path }}"
account_email: "{{ acme_email }}"
src: "{{ csr_path }}"
fullchain_dest: "{{ crt_fullchain_path }}"
challenge: dns-01
acme_directory: "{{ acme_directory }}"
acme_version: 2
terms_agreed: true
remaining_days: 60
force: true
register: challenge
- name: Certificate does not exists or needs to be renewed
when: challenge["challenge_data"] is defined and (challenge["challenge_data"] | length > 0)
block:
- name: Set challenge data
ansible.builtin.set_fact:
challenge: "{{ challenge }}"
- name: Upload OVH credentials
ansible.builtin.template:
src: ovh.conf.j2
dest: /root/.ovh.conf
owner: root
group: root
mode: 0600
- name: Create DNS challenge record on OVH
ansible.builtin.script:
cmd: "dns.py create {{ zone }} TXT -t {{ item.value['dns-01'].resource_value }} -s {{ item.value['dns-01'].resource }}.{{ subdomain }}"
args:
executable: python3
chdir: /root
with_dict: "{{ challenge['challenge_data'] }}"
- name: Let the challenge be validated and retrieve the cert and intermediate certificate
community.crypto.acme_certificate:
account_key_src: "{{ account_key_path }}"
account_email: "{{ acme_email }}"
src: "{{ csr_path }}"
dest: "{{ crt_path }}"
fullchain_dest: "{{ crt_fullchain_path }}"
challenge: dns-01
acme_directory: "{{ acme_directory }}"
acme_version: 2
terms_agreed: true
remaining_days: 60
data: "{{ challenge }}"
notify:
- Delete DNS challenge record on OVH
OVH를 DNS로 사용하고 .pyTXT 레코드를 추가/삭제하는 간단한 스크립트를 만들었습니다.
또한 NGINX를 웹 서버로 사용합니다.
listen 443 ssl;
ssl_certificate /etc/ssl/certs/rasp.example.com.crt;
ssl_certificate_key /etc/ssl/private/rasp.example.com.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
내가 여기서 뭔가 잘못하고 있는 걸까요?
답변1
에는 와일드카드 인증서를 사용하고 있지만 *.rasp.example.com에는 사용하지 않습니다. rasp.example.com주체 대체 이름에 와일드카드와 기본 도메인을 모두 포함해야 합니다.
openssl_csr다음과 같이 작업을 업데이트하세요 Ansible.
- name: Generate an OpenSSL Certificate Signing Request
community.crypto.openssl_csr:
path: "{{ csr_path }}"
privatekey_path: "{{ key_path }}"
common_name: "*.{{ subdomain }}.{{ zone }}"
subject_alt_name:
- "DNS:*.{{ subdomain }}.{{ zone }}"
- "DNS:{{ subdomain }}.{{ zone }}" # for rasp.example.com
그러면 Nginx구성에서 인증서 대신 전체 체인 인증서를 사용하는 것이 더 좋습니다.
listen 443 ssl;
ssl_certificate /etc/ssl/certs/rasp.example.com-fullchain.crt;
ssl_certificate_key /etc/ssl/private/rasp.example.com.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;