Generate an SSL certificate using Let's Encrypt (dns-01 challenge)

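I am trying to generate an SSL certificate for *.rasp.example.com and rasp.example.com using Ansible.

I already have a "working" solution (no errors at deploy time), but when I try to compare it with certbot, I end up with csr, crt and key files, whereas certbot only returns 2 pem files (key and certificate).

When it comes to the browser, I have some issues: for example, https works for *.rasp.example.com, but not for rasp.example.com, even though I added the alt DNS name.

My role: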

- name: Certificate - set facts
  ansible.builtin.set_fact:
      account_key_path: /etc/ssl/private/account.key
      key_path: /etc/ssl/private/rasp.example.com.key

      crt_path: /etc/ssl/certs/rasp.example.com.crt
      crt_fullchain_path: /etc/ssl/certs/rasp.example.com-fullchain.crt

      csr_path: /etc/ssl/certs/rasp.example.com.csr

      acme_directory: https://acme-v02.api.letsencrypt.org/directory
      acme_challenge_type: dns-01
      acme_version: 2
      acme_email: [email protected]

      zone: example.com
      subdomain: rasp

- name: Generate let's encrypt account key
  community.crypto.openssl_privatekey:
      path: "{{ account_key_path }}"

- name: Create private key (RSA, 4096 bits)
  community.crypto.openssl_privatekey:
      path: "{{ key_path }}"

- name: Generate an OpenSSL Certificate Signing Request
  community.crypto.openssl_csr:
      path: "{{ csr_path }}"
      privatekey_path: "{{ key_path }}"
      common_name: "*.{{ subdomain }}.{{ zone }}"
      subject_alt_name: "DNS:{{ subdomain + '.' + zone }}" # for rasp.example.com

- name: Make sure account exists and has given contacts. We agree to TOS.
  community.crypto.acme_account:
      account_key_src: "{{ account_key_path }}"
      acme_directory: "{{ acme_directory }}"
      acme_version: "{{ acme_version }}"
      state: present
      terms_agreed: true
      contact:
          - mailto:[email protected]

- name: Create a challenge using a account key file.
  community.crypto.acme_certificate:
      account_key_src: "{{ account_key_path }}"
      account_email: "{{ acme_email }}"
      src: "{{ csr_path }}"
      fullchain_dest: "{{ crt_fullchain_path }}"
      challenge: dns-01
      acme_directory: "{{ acme_directory }}"
      acme_version: 2
      terms_agreed: true
      remaining_days: 60
      force: true
  register: challenge

- name: Certificate does not exists or needs to be renewed
  when: challenge["challenge_data"] is defined and (challenge["challenge_data"] | length > 0)
  block:
      - name: Set challenge data
        ansible.builtin.set_fact:
            challenge: "{{ challenge }}"

      - name: Upload OVH credentials
        ansible.builtin.template:
            src: ovh.conf.j2
            dest: /root/.ovh.conf
            owner: root
            group: root
            mode: 0600

      - name: Create DNS challenge record on OVH
        ansible.builtin.script:
            cmd: "dns.py create {{ zone }} TXT -t {{ item.value['dns-01'].resource_value }} -s {{ item.value['dns-01'].resource }}.{{ subdomain }}"
        args:
            executable: python3
            chdir: /root
        with_dict: "{{ challenge['challenge_data'] }}"

      - name: Let the challenge be validated and retrieve the cert and intermediate certificate
        community.crypto.acme_certificate:
            account_key_src: "{{ account_key_path }}"
            account_email: "{{ acme_email }}"
            src: "{{ csr_path }}"
            dest: "{{ crt_path }}"
            fullchain_dest: "{{ crt_fullchain_path }}"
            challenge: dns-01
            acme_directory: "{{ acme_directory }}"
            acme_version: 2
            terms_agreed: true
            remaining_days: 60
            data: "{{ challenge }}"
        notify:
            - Delete DNS challenge record on OVH

I use OVH for DNS, and I created a simple .py script to add/delete TXT records.

Also, I use NGINX as the web server:

listen 443 ssl;
    ssl_certificate     /etc/ssl/certs/rasp.example.com.crt;
    ssl_certificate_key /etc/ssl/private/rasp.example.com.key;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;

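Am I doing something wrong here?

Answer 1

You are using a wildcard certificate for *.rasp.example.com, but it does not apply to rasp.example.com. You should include both the wildcard and the base domain in the subject alternative names.

Update the Ansible openssl_csr task like this: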

- name: Generate an OpenSSL Certificate Signing Request
  community.crypto.openssl_csr:
      path: "{{ csr_path }}"
      privatekey_path: "{{ key_path }}"
      common_name: "*.{{ subdomain }}.{{ zone }}"
      subject_alt_name:
        - "DNS:*.{{ subdomain }}.{{ zone }}"
        - "DNS:{{ subdomain }}.{{ zone }}" # for rasp.example.com

Then, in your Nginx configuration, it is better to use the full-chain certificate rather than only the certificate:

listen 443 ssl;
ssl_certificate     /etc/ssl/certs/rasp.example.com-fullchain.crt;
ssl_certificate_key /etc/ssl/private/rasp.example.com.key;
ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers         HIGH:!aNULL:!MD5;
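
The SAN matching rule behind this answer, as an added example that is not part of the original answer: a small Python check of which hostnames a list of DNS SAN entries covers, following RFC 6125 style wildcard rules (the wildcard stands for exactly one left-most label). The function names and the sample SAN lists are constructed for illustration.

```python
"""Added example: which hostnames a certificate's DNS SAN entries cover."""


def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.lower().rstrip(".").split(".")


def san_matches(pattern, hostname):
    """Return True if one DNS SAN entry covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        # "*" stands for exactly one label, so label counts must agree.
        return False
    if p[0] == "*":
        # Accept the wildcard only as the whole left-most label, and never
        # directly under a top-level domain (e.g. "*.com").
        return len(p) > 2 and h[0] != "" and p[1:] == h[1:]
    if "*" in pattern:
        # Partial ("w*.") or non-leftmost wildcards are rejected.
        return False
    return p == h


def covered(san_list, hostname):
    """Return True if any SAN entry in the list covers hostname."""
    return any(san_matches(s, hostname) for s in san_list)


def uncovered(san_list, hostnames):
    """Return the hostnames a client would reject for this SAN list."""
    return [h for h in hostnames if not covered(san_list, h)]


# Constructed sample data using the names from this page.
WILDCARD_ONLY = ["*.rasp.example.com"]
WILDCARD_AND_BASE = ["*.rasp.example.com", "rasp.example.com"]
HOSTS = ["rasp.example.com", "www.rasp.example.com", "a.b.rasp.example.com"]

if __name__ == "__main__":
    for sans in (WILDCARD_ONLY, WILDCARD_AND_BASE):
        print(sans, "-> not covered:", uncovered(sans, HOSTS))
```

Running the same check against the SAN list of the issued certificate shows before deployment whether every name served by the NGINX virtual host is covered.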
