Add feature Letsencrypt SSL certification
- installs certbot-auto - generates and validates ssl cert - installs cert in haproxy settings - renew cert with cron Change-Id: Iea59ec2893a988b184ca8bc70e1d273ac071551e
This commit is contained in:
parent
937fa0168d
commit
4fb2059a3b
|
@ -71,6 +71,15 @@ haproxy_ssl_ca_cert: /etc/ssl/certs/haproxy-ca.pem
|
|||
haproxy_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ external_lb_vip_address }}/subjectAltName=IP.1={{ external_lb_vip_address }}"
|
||||
haproxy_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}"
|
||||
haproxy_ssl_bind_options: "force-tlsv12"
|
||||
# activate letsencrypt option
|
||||
haproxy_ssl_letsencrypt_enable: false
|
||||
haproxy_ssl_letsencrypt_email: "example@example.com"
|
||||
haproxy_ssl_letsencrypt_download_url: "https://dl.eff.org/certbot-auto"
|
||||
haproxy_ssl_letsencrypt_config_path: "/etc/letsencrypt/live"
|
||||
haproxy_ssl_letsencrypt_install_path: "/opt/letsencrypt"
|
||||
haproxy_ssl_letsencrypt_cron_minute: "0"
|
||||
haproxy_ssl_letsencrypt_cron_hour: "0"
|
||||
haproxy_ssl_letsencrypt_cron_weekday: "0"
|
||||
|
||||
# hatop extra package URL and checksum
|
||||
haproxy_hatop_download_url: "https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/hatop/hatop-0.7.7.tar.gz"
|
||||
|
|
|
@ -143,6 +143,25 @@ be folded and formatted at 64 characters long. Single line certificates
|
|||
will not be accepted by HAProxy and will result in SSL validation failures.
|
||||
Please have a look here for information on `converting your certificate to
|
||||
various formats <https://search.thawte.com/support/ssl-digital-certificates/index?page=content&actp=CROSSLINK&id=SO26449>`_.
|
||||
If you want to use `LetsEncrypt SSL Service <https://letsencrypt.org/>`_
|
||||
you can activate the feature by providing the following configuration in
|
||||
``/etc/openstack_deploy/user_variables.yml``. Note that this requires
|
||||
that ``external_lb_vip_address`` in
|
||||
``/etc/openstack_deploy/openstack_user_config.yml`` is set to the
|
||||
external DNS address.
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
haproxy_ssl_letsencrypt_enable: true
|
||||
haproxy_ssl_letsencrypt_email: example@example.com
|
||||
|
||||
.. warning::
|
||||
|
||||
There is no certificate distribution implementation at this time, so
|
||||
this will only work for a single haproxy-server environment. The
|
||||
renewal is automatically handled via CRON and currently will shut
|
||||
down haproxy briefly during the certificate renewal. The
|
||||
haproxy shutdown/restart will result in a brief service interruption.
|
||||
|
||||
.. _Securing services with SSL certificates: http://docs.openstack.org/project-deploy-guide/openstack-ansible/draft/app-advanced-config-sslcertificates.html
|
||||
|
||||
|
|
|
@ -0,0 +1,10 @@
|
|||
---
|
||||
features:
|
||||
- |
|
||||
If Horizon dashboard of OSA installation has a public FQDN, is it
|
||||
now possible to use LetsEncrypt certification service. Certificate
|
||||
will be generated within HAProxy installation and a cron entry to
|
||||
renew the certificate daily will be setup.
|
||||
Note that there is no certificate distribution implementation at
|
||||
this time, so this will only work for a single haproxy-server
|
||||
environment.
|
|
@ -23,6 +23,13 @@
|
|||
- include_tasks: haproxy_ssl_self_signed.yml
|
||||
when:
|
||||
- haproxy_ssl | bool
|
||||
- not haproxy_ssl_letsencrypt_enable | bool
|
||||
- haproxy_user_ssl_cert is not defined or haproxy_user_ssl_key is not defined
|
||||
|
||||
- include_tasks: haproxy_ssl_letsencrypt.yml
|
||||
when:
|
||||
- haproxy_ssl | bool
|
||||
- haproxy_ssl_letsencrypt_enable | bool
|
||||
- haproxy_user_ssl_cert is not defined or haproxy_user_ssl_key is not defined
|
||||
|
||||
- include_tasks: haproxy_ssl_user_provided.yml
|
||||
|
|
|
@ -0,0 +1,79 @@
|
|||
---
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
- name: Ensure haproxy_ssl_letsencrypt_install_path exists
|
||||
file:
|
||||
path: "{{ haproxy_ssl_letsencrypt_install_path }}"
|
||||
state: directory
|
||||
|
||||
- name: Download certbot
|
||||
get_url:
|
||||
url: "{{ haproxy_ssl_letsencrypt_download_url }}"
|
||||
dest: "{{ haproxy_ssl_letsencrypt_install_path }}"
|
||||
mode: 0755
|
||||
register: fetch_url
|
||||
until: fetch_url is success
|
||||
retries: 3
|
||||
delay: 10
|
||||
|
||||
- name: Ensure file permissions certbot-auto
|
||||
file:
|
||||
path: "{{ haproxy_ssl_letsencrypt_install_path }}/{{ haproxy_ssl_letsencrypt_download_url | basename }}"
|
||||
|
||||
- name: Register Letsencrypt data dir
|
||||
stat:
|
||||
path: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ external_lb_vip_address }}"
|
||||
register: lcdatadir
|
||||
|
||||
- name: Stop haproxy for certbot activity
|
||||
service:
|
||||
name: "haproxy"
|
||||
state: "stopped"
|
||||
when: lcdatadir.stat.exists == False
|
||||
|
||||
- name: Create ssl cert with certbot
|
||||
command: >
|
||||
{{ haproxy_ssl_letsencrypt_install_path }}/{{ haproxy_ssl_letsencrypt_download_url | basename }} certonly
|
||||
--standalone
|
||||
--agree-tos
|
||||
--non-interactive
|
||||
--text
|
||||
--rsa-key-size 4096
|
||||
--email {{ haproxy_ssl_letsencrypt_email }}
|
||||
--domains {{ external_lb_vip_address }}
|
||||
creates: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ external_lb_vip_address }}/fullchain.pem"
|
||||
|
||||
- name: Create new pem file for haproxy
|
||||
assemble:
|
||||
src: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ external_lb_vip_address }}"
|
||||
dest: "/etc/ssl/private/haproxy.pem"
|
||||
regexp: '(privkey|fullchain).pem$'
|
||||
notify:
|
||||
- Restart haproxy
|
||||
|
||||
- name: Create letsencrypt_renew file
|
||||
template:
|
||||
src: letsencrypt_renew.j2
|
||||
dest: /usr/local/bin/letsencrypt_renew
|
||||
mode: 0755
|
||||
force: yes
|
||||
|
||||
- name: Renew Letsencrypt Cert Cron
|
||||
cron:
|
||||
name: "Renew Letsencrypt Cert"
|
||||
minute: "{{ haproxy_ssl_letsencrypt_cron_minute }}"
|
||||
hour: "{{ haproxy_ssl_letsencrypt_cron_hour }}"
|
||||
weekday: "{{ haproxy_ssl_letsencrypt_cron_weekday }}"
|
||||
job: "/usr/local/bin/letsencrypt_renew"
|
||||
user: "root"
|
||||
state: present
|
|
@ -0,0 +1,11 @@
|
|||
#!/bin/bash
|
||||
# renew cert if required and copy to haproxy destination
|
||||
|
||||
certbot renew \
|
||||
--standalone \
|
||||
--pre-hook "systemctl stop haproxy" \
|
||||
|
||||
cat /etc/letsencrypt/live/{{ external_lb_vip_address }}-0001/{fullchain,privkey}.pem \
|
||||
> /etc/ssl/private/haproxy.pem
|
||||
|
||||
systemctl restart haproxy
|
Loading…
Reference in New Issue