Copy over SSL configs after certification, fix using the wrong keys

2020-02-05 22:59:14 -06:00 · 2020-02-05 22:59:14 -06:00 · 6612541a7b
commit 6612541a7b
parent 230d8a2a92
3 changed files with 41 additions and 20 deletions
--- a/roles/nextcloud/tasks/main.yml
+++ b/roles/nextcloud/tasks/main.yml
@ -34,7 +34,7 @@
      - { src: "php-cgi.ini", dest: "/etc/php/7.2/cgi/php.ini", mode: "0644" }
  - name: Set up Apache
    block:
-      - name: Configure virtual host
+      - name: Configure insecure virtual host
        template:
          src: apache2-vhost.conf
          dest: "/etc/apache2/sites-enabled/{{ nextcloud_url }}.conf"
@ -140,10 +140,20 @@
        when: com_challenge is changed
      - name: Create certificate
        acme_certificate:
-          account_key: /etc/pki/cert/private/account.key
+          account_key: /etc/pki/cert/private/{{ nextcloud_url }}.key
          csr: "/etc/pki/cert/csr/{{ nextcloud_url }}.csr"
          dest: "/etc/pki/cert/crt/{{ nextcloud_url }}.crt"
          fullchain_dest: "/etc/pki/cert/crt/{{ nextcloud_url }}-fullchain.crt"
          chain_dest: "/etc/pki/cert/crt/{{ nextcloud_url }}-intermediate.crt"
          data: "{{ com_challenge }}"
+  - name: Secure Apache
+    block:
+      - name: Copy over secure configs
+        template:
+          src: apache2-vhost-ssl.conf
+          dest: "/etc/apache2/sites-enabled/{{ nextcloud_url }}.conf"
+      - name: Reload Apache
+        service:
+          name: apache2
+          state: reloaded
  become: yes
--- a/roles/nextcloud/templates/apache2-vhost-ssl.conf
+++ b/roles/nextcloud/templates/apache2-vhost-ssl.conf
@ -0,0 +1,29 @@
+# Configuration for {{ nextcloud_url }}
+# vim:ft=apache:
+
+# Listen for virtual host requests
+NameVirtualHost *:443
+# Accept connections from non-SNI clients
+SSLStrictSNIVHostCheck off
+
+# Website configuration
+<VirtualHost *:80>
+	ServerName {{ nextcloud_url }}
+	# Uncomment me for HTTPS redirection
+	# Leaving it off for now for testing
+	#Redirect permanent / https://{{ nextcloud_url }}
+	DocumentRoot {{ nextcloud_webroot }}
+</VirtualHost>
+<VirtualHost *:443>
+	SSLEngine on
+	SSLCertificateFile /etc/pki/cert/crt/{{ nextcloud_url }}.crt
+	SSLCertificateKeyFile /etc/pki/cert/private/{{ nextcloud_url }}.key
+	<FilesMatch "\.(cgi|shtml|phtml|php)$">\
+		SSLOptions +StdEnvVars
+	</FilesMatch>
+	<Directory /usr/lib/cgi-bin>
+		SSLOptions +StdEnvVars
+	</Directory>
+	ServerName {{ nextcloud_url }}
+	DocumentRoot {{ nextcloud_webroot }}
+</VirtualHost>
--- a/roles/nextcloud/templates/apache2-vhost.conf
+++ b/roles/nextcloud/templates/apache2-vhost.conf
@ -1,11 +1,6 @@
 # Configuration for {{ nextcloud_url }}
 # vim:ft=apache:

-# Listen for virtual host requests
-NameVirtualHost *:443
-# Accept connections from non-SNI clients
-SSLStrictSNIVHostCheck off
-
 # Website configuration
 <VirtualHost *:80>
 	ServerName {{ nextcloud_url }}
@ -14,16 +9,3 @@ SSLStrictSNIVHostCheck off
 	#Redirect permanent / https://{{ nextcloud_url }}
 	DocumentRoot {{ nextcloud_webroot }}
 </VirtualHost>
-<VirtualHost *:443>
-	SSLEngine on
-	SSLCertificateFile /etc/pki/cert/crt/{{ nextcloud_url }}.crt
-	SSLCertificateKeyFile /etc/pki/cert/private/{{ nextcloud_url }}.key
-	<FilesMatch "\.(cgi|shtml|phtml|php)$">\
-		SSLOptions +StdEnvVars
-	</FilesMatch>
-	<Directory /usr/lib/cgi-bin>
-		SSLOptions +StdEnvVars
-	</Directory>
-	ServerName {{ nextcloud_url }}
-	DocumentRoot {{ nextcloud_webroot }}
-</VirtualHost>