authorLars Wirzenius <liw@liw.fi>2018-05-18 16:10:00 +0300
committerLars Wirzenius <liw@liw.fi>2018-05-18 16:10:00 +0300
commit327610bad876a6c9ba4a7dbbb760ecfacb857c95 (patch)
tree1117fd4c1b9a4b8f027fb0e564c8ce9c1cdb35a8
parentde0e510a15edb7a44028389f40687c4297bdadad (diff)
Change: allow the .well-known dir to be outside the webroot
-rw-r--r--roles/apache_server/tasks/main.yml6
-rw-r--r--roles/apache_server/templates/deploy_static_site_certs4
-rw-r--r--roles/apache_server/templates/virtualhost.conf.tmpl17
3 files changed, 18 insertions, 9 deletions
diff --git a/roles/apache_server/tasks/main.yml b/roles/apache_server/tasks/main.yml
index b1de7e2..808d8e9 100644
--- a/roles/apache_server/tasks/main.yml
+++ b/roles/apache_server/tasks/main.yml
@@ -24,11 +24,13 @@
- name: "create list of domains for static sites to get Let's Encrypt certs for"
shell: |
+ listdir="/etc/letsencrypt/static_sites"
+ wellknown="/srv/letsencrypt"
+ mkdir -p "$listdir" "$wellknown"
if [ "{{ item.letsencrypt|default(false) }}" = True ]
then
- listdir="/etc/letsencrypt/static_sites"
- mkdir -p "$listdir"
touch "$listdir/{{ item.domain }}"
+ mkdir -p "$wellknown/{{ item.domain }}"
fi
with_items: "{{ static_sites }}"
when: letsencrypt
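Review bot: The new `mkdir -p "$listdir" "$wellknown"` and the per-domain `mkdir -p "$wellknown/{{ item.domain }}"` run through `shell:`, so the task reports changed on every run, is skipped in check mode, and creates the directories with root's default umask rather than an explicit owner and mode. The idiomatic form is a `file:` task with `state: directory` (and an explicit `mode`) for the two base directories and one for `/srv/letsencrypt/{{ item.domain }}` under the same `when`, leaving only the `touch` in shell or replacing it with `file: state: touch`. If the shell task is kept, at least add `changed_when: false` so the play's change report stays meaningful. Note that the per-domain directory is created only when `item.letsencrypt` is set, so the alias target the vhost template points at will not exist for sites without it; that seems intended but is worth a comment in the task.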
diff --git a/roles/apache_server/templates/deploy_static_site_certs b/roles/apache_server/templates/deploy_static_site_certs
index 32ace4e..3521651 100644
--- a/roles/apache_server/templates/deploy_static_site_certs
+++ b/roles/apache_server/templates/deploy_static_site_certs
@@ -14,7 +14,8 @@ opts()
{
for domain in $(domains)
do
- echo -w "/srv/http/$domain" -d "$domain"
+ echo -w "/srv/http/$domain" -d "$domain" \
+ --webroot-path "/srv/letsencrypt/$domain"
done
}
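Review bot: The added `--webroot-path "/srv/letsencrypt/$domain"` does not replace the existing `-w "/srv/http/$domain"` on the line above it; `-w` is the short form of `--webroot-path`, so each domain is now emitted with two webroot options. Certbot applies a webroot path to the `-d` names that follow it until the next `-w`, so the new path is followed only by the next iteration's `-w` and, as far as I can tell, never applies to this domain: challenges are still written under /srv/http while the vhost now serves /.well-known/ from /srv/letsencrypt. The loop body should emit a single option, `echo -w "/srv/letsencrypt/$domain" -d "$domain"`, dropping the old path entirely. The `opts()` signature line precedes the hunk; only its body is shown here.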
@@ -24,4 +25,5 @@ certbot certonly \
--email "{{ letsencrypt_email }}" \
--agree-tos \
--expand \
+ --cert-name static_sites \
--webroot $(opts)
diff --git a/roles/apache_server/templates/virtualhost.conf.tmpl b/roles/apache_server/templates/virtualhost.conf.tmpl
index 5d06f0e..fd6bb51 100644
--- a/roles/apache_server/templates/virtualhost.conf.tmpl
+++ b/roles/apache_server/templates/virtualhost.conf.tmpl
@@ -7,11 +7,10 @@
DocumentRoot /srv/http/{{ item.domain }}
ErrorLog /var/log/apache2/{{ item.domain }}/error.log
CustomLog /var/log/apache2/{{ item.domain }}/access.log combined
+ <Directory /srv/http/{{ item.domain }}>
{% if item.letsencrypt|default(false) %}
- Redirect permanent / "https://{{ item.domain }}/"
+ Redirect permanent / "https://{{ item.domain }}/"
{% else %}
- <Directory /srv/http/{{ item.domain }}>
-
Options +SymlinksIfOwnerMatch +Indexes +MultiViews
{% if item.htpasswd is defined %}
AuthType Basic
@@ -22,8 +21,14 @@
AllowOverride AuthConfig
Require all granted
{% endif %}
- </Directory>
{% endif %}
+ </Directory>
+
+ Alias /.well-known/ /srv/letsencrypt/{{ item.domain }}/
+ <Directory /srv/letsencrypt/{{ item.domain }}>
+ Require all granted
+ </Directory>
+
</VirtualHost>
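Review bot: The new `Alias /.well-known/ /srv/letsencrypt/{{ item.domain }}/` maps a request for `/.well-known/acme-challenge/TOKEN` to `/srv/letsencrypt/DOMAIN/acme-challenge/TOKEN`, but certbot's webroot plugin writes tokens to `<webroot-path>/.well-known/acme-challenge/TOKEN`, so with the webroot from deploy_static_site_certs the validation request will 404. Either the alias must include the `.well-known` component on the filesystem side, or the webroot passed to certbot must be the directory above it; I would also narrow the alias to `/.well-known/acme-challenge/` so that other well-known URIs a site may want to serve from its own document root are not captured, and pin `Options None` and `AllowOverride None` on the challenge directory since it is reachable by everyone. The `{% if item.letsencrypt %}` branch that decides whether this site has a certificate closes at the `{% endif %}` above, so the alias applies to every site, including those without a challenge directory.

```apacheconf
    # … unchanged: </Directory> closing the document-root block …
    Alias /.well-known/acme-challenge/ /srv/letsencrypt/{{ item.domain }}/.well-known/acme-challenge/
    <Directory /srv/letsencrypt/{{ item.domain }}/.well-known/acme-challenge>
        Options None
        AllowOverride None
        Require all granted
    </Directory>
```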
@@ -51,7 +56,7 @@
</Directory>
SSLEngine on
- SSLCertificateFile "/etc/letsencrypt/live/{{ letsencrypt_main_domain }}/fullchain.pem"
- SSLCertificateKeyFile "/etc/letsencrypt/live/{{ letsencrypt_main_domain }}/privkey.pem"
+ SSLCertificateFile "/etc/letsencrypt/live/static_sites/fullchain.pem"
+ SSLCertificateKeyFile "/etc/letsencrypt/live/static_sites/privkey.pem"
</VirtualHost>
{% endif %}
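Review bot: `SSLCertificateFile` and `SSLCertificateKeyFile` now point at `/etc/letsencrypt/live/static_sites/`, a lineage that exists only after deploy_static_site_certs has run once with the new `--cert-name static_sites`; on a host that currently holds the old `live/{{ letsencrypt_main_domain }}/` lineage, rendering this template and reloading Apache before that script runs will fail the reload because the files are missing. The role should order the certificate script before the vhost template task, or guard the SSL vhost on the existence of the new lineage. A one-line comment above `SSLEngine on`, such as `# lineage name must match --cert-name in deploy_static_site_certs`, would tie the two files together for the next reader. The enclosing `{% if %}` that wraps the SSL vhost opens before this hunk.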