From 327610bad876a6c9ba4a7dbbb760ecfacb857c95 Mon Sep 17 00:00:00 2001
From: Lars Wirzenius
Date: Fri, 18 May 2018 16:10:00 +0300
Subject: Change: allow .well-known dir be outside webroot
---
 roles/apache_server/tasks/main.yml | 6 ++++--
 roles/apache_server/templates/deploy_static_site_certs | 4 +++-
 roles/apache_server/templates/virtualhost.conf.tmpl | 17 +++++++++++------
 3 files changed, 18 insertions(+), 9 deletions(-)
diff --git a/roles/apache_server/tasks/main.yml b/roles/apache_server/tasks/main.yml
index b1de7e2..808d8e9 100644
--- a/roles/apache_server/tasks/main.yml
+++ b/roles/apache_server/tasks/main.yml
@@ -24,11 +24,13 @@
 - name: "create list of domains for static sites to get Let's Encrypt certs for"
 shell: |
+ listdir="/etc/letsencrypt/static_sites"
+ wellknown="/srv/letsencrypt"
+ mkdir -p "$listdir" "$wellknown"
 if [ "{{ item.letsencrypt|default(false) }}" = True ]
 then
- listdir="/etc/letsencrypt/static_sites"
- mkdir -p "$listdir"
 touch "$listdir/{{ item.domain }}"
+ mkdir -p "$wellknown/{{ item.domain }}"
 fi
 with_items: "{{ static_sites }}"
 when: letsencrypt
diff --git a/roles/apache_server/templates/deploy_static_site_certs b/roles/apache_server/templates/deploy_static_site_certs
index 32ace4e..3521651 100644
--- a/roles/apache_server/templates/deploy_static_site_certs
+++ b/roles/apache_server/templates/deploy_static_site_certs
@@ -14,7 +14,8 @@ opts() {
 for domain in $(domains)
 do
- echo -w "/srv/http/$domain" -d "$domain"
+ echo -w "/srv/http/$domain" -d "$domain" \
+ --webroot-path "/srv/letsencrypt/$domain"
 done
 }
@@ -24,4 +25,5 @@ certbot certonly \
 --email "{{ letsencrypt_email }}" \
 --agree-tos \
 --expand \
+ --cert-name static_sites \
 --webroot $(opts)
diff --git a/roles/apache_server/templates/virtualhost.conf.tmpl b/roles/apache_server/templates/virtualhost.conf.tmpl
index 5d06f0e..fd6bb51 100644
--- a/roles/apache_server/templates/virtualhost.conf.tmpl
+++ b/roles/apache_server/templates/virtualhost.conf.tmpl
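Review bot: The task still drives `mkdir`/`touch` through `shell:` with `{{ item.domain }}` spliced into the script, and the `[ "{{ item.letsencrypt|default(false) }}" = True ]` test depends on how Jinja happens to render a boolean (a string value such as `"true"` silently skips the domain); now that the script also creates `$wellknown/{{ item.domain }}`, a domain value containing `"`, `$` or `..` would alter the command or escape the directory. The same work is idempotent and free of shell interpolation with the `file`/`copy` modules and a `when:` on `item.letsencrypt`, which also stops the task reporting `changed` on every run. Values in `static_sites` presumably come from trusted inventory, so this is defence in depth rather than an exposed hole; one blank context line of the hunk appears to have been lost in this rendering.
```yaml
- name: "create Let's Encrypt list dir and .well-known webroot"
  file:
    path: "{{ item }}"
    state: directory
  with_items:
    - /etc/letsencrypt/static_sites
    - /srv/letsencrypt
  when: letsencrypt

- name: "register static sites to get Let's Encrypt certs for"
  copy:
    content: ""
    dest: "/etc/letsencrypt/static_sites/{{ item.domain }}"
    force: false
  with_items: "{{ static_sites }}"
  when: letsencrypt and item.letsencrypt|default(false)

- name: "create per-domain .well-known webroot for certbot"
  file:
    path: "/srv/letsencrypt/{{ item.domain }}"
    state: directory
  with_items: "{{ static_sites }}"
  when: letsencrypt and item.letsencrypt|default(false)
```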
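Review bot: In `opts()` the added `--webroot-path "/srv/letsencrypt/$domain"` does not replace `-w "/srv/http/$domain"`: certbot treats `-w` and `--webroot-path` as the same option, and each `-d` is bound to the webroot that most recently preceded it on the command line, so every domain is still mapped to `/srv/http/$domain` and the trailing `--webroot-path` only sets a default that the next domain's `-w` immediately overrides. Challenge tokens therefore keep landing under the site's DocumentRoot while the vhost now serves `/.well-known/` from `/srv/letsencrypt/$domain`, so HTTP-01 validation would fail after this change. Emit one webroot per domain instead: `echo -w "/srv/letsencrypt/$domain" -d "$domain"`. The second hunk's `--cert-name static_sites` is fine; note that `$(opts)` is unquoted on purpose (domains cannot contain whitespace, so word splitting is what builds the argument list), which is worth a one-line comment above the `certbot` call.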
@@ -7,11 +7,10 @@ DocumentRoot /srv/http/{{ item.domain }} ErrorLog /var/log/apache2/{{ item.domain }}/error.log CustomLog /var/log/apache2/{{ item.domain }}/access.log combined + {% if item.letsencrypt|default(false) %} - Redirect permanent / "https://{{ item.domain }}/" + Redirect permanent / "https://{{ item.domain }}/" {% else %} - - Options +SymlinksIfOwnerMatch +Indexes +MultiViews {% if item.htpasswd is defined %} AuthType Basic @@ -22,8 +21,14 @@ AllowOverride AuthConfig Require all granted {% endif %} - {% endif %} + + + Alias /.well-known/ /srv/letsencrypt/{{ item.domain }}/ + + Require all granted + + @@ -51,7 +56,7 @@ SSLEngine on - SSLCertificateFile "/etc/letsencrypt/live/{{ letsencrypt_main_domain }}/fullchain.pem" - SSLCertificateKeyFile "/etc/letsencrypt/live/{{ letsencrypt_main_domain }}/privkey.pem" + SSLCertificateFile "/etc/letsencrypt/live/static_sites/fullchain.pem" + SSLCertificateKeyFile "/etc/letsencrypt/live/static_sites/privkey.pem" {% endif %} -- cgit v1.2.1
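Review bot: The new `Alias /.well-known/ /srv/letsencrypt/{{ item.domain }}/` does not line up with where certbot's webroot plugin writes tokens: for webroot `/srv/letsencrypt/<domain>` certbot creates `/srv/letsencrypt/<domain>/.well-known/acme-challenge/<token>`, so a request for `/.well-known/acme-challenge/<token>` is mapped to `/srv/letsencrypt/<domain>/acme-challenge/<token>`, one directory level short, and the challenge 404s. Narrow the alias to the ACME prefix and keep the `.well-known` segment on the filesystem side, `Alias /.well-known/acme-challenge/ /srv/letsencrypt/{{ item.domain }}/.well-known/acme-challenge/` with a matching `<Directory /srv/letsencrypt/{{ item.domain }}/.well-known/acme-challenge/>`, which also stops the alias shadowing other `/.well-known/` resources (for example `security.txt`) served from the site's DocumentRoot. For sites with `item.letsencrypt` set, the first hunk keeps `Redirect permanent /` in the same VirtualHost, and mod_alias processes all Redirects in a context before any Alias, so the challenge URL is 301'd to HTTPS before the alias is consulted; unless the HTTPS vhost (not visible here beyond the SSLCertificate lines) carries the same alias, exempt the ACME path with `RedirectMatch permanent "^/(?!\.well-known/acme-challenge/)(.*)" "https://{{ item.domain }}/$1"`. The `<Directory>`/`</Directory>` tags appear to have been stripped from this rendering, so the exact nesting of the added block could not be checked.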
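Review bot: Pointing `SSLCertificateFile`/`SSLCertificateKeyFile` at the fixed lineage `live/static_sites` means a host that already holds its certificate under `live/{{ letsencrypt_main_domain }}` renders a config that references files which do not exist until `deploy_static_site_certs` has run once with `--cert-name static_sites`; if the template is applied and Apache reloaded before that (the task ordering is not visible here), the reload fails and every site on the host goes down. Consider ordering the cert script before the template, or gating the SSL vhost with a `stat` fact on `/etc/letsencrypt/live/static_sites/fullchain.pem`, and note the bootstrap in a comment above the `SSLEngine on` line, e.g. `# lineage created by deploy_static_site_certs (--cert-name static_sites); run it before enabling this vhost`.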