From e672e5d75c9f5b829436bf8c2852bc68b641a922 Mon Sep 17 00:00:00 2001
From: Tobias Huste
Date: Tue, 6 Oct 2020 09:59:31 +0200
Subject: [PATCH 1/3] Allow to use SSL keypair given by path only

This change allows to configure SSH keypair that already exists on the machine. E.g. it could have been created in a previous role via Let's Encrypt. So far, the created key would have been overwritten by this role.
---
 defaults/main.yml | 3 ---
 tasks/ssl.yml | 2 ++
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index d526f18..73b1556 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -7,9 +7,6 @@ zammad_nginx_config_path: "/etc/nginx/sites-available/zammad.conf"
 zammad_ssl_cert_path: "/etc/ssl/certs/zammad_cert.pem"
 zammad_ssl_key_path: "/etc/ssl/private/zammad_key.pem"
 
-zammad_ssl_key:
-zammad_ssl_cert:
-
 zammad_nginx_additional_server_configs: []
 
 elasticsearch_url: "http://localhost:9200"
diff --git a/tasks/ssl.yml b/tasks/ssl.yml
index 5ee991d..53ced7f 100644
--- a/tasks/ssl.yml
+++ b/tasks/ssl.yml
@@ -9,6 +9,7 @@
     mode: 0640
     owner: root
     group: root
+  when: zammad_ssl_key is undefined or zammad_ssl_key|length > 0
 
 - name: SSL | Insert certificate
   blockinfile:
@@ -19,6 +20,7 @@
     mode: 0644
     owner: root
     group: root
+  when: zammad_ssl_cert is undefined or zammad_ssl_cert|length > 0
 
 - name: SSL | Check if certificate is still valid, ignoring failures
   openssl_certificate_info:
From 1df45015704388576ffa9769d7781d76018369b2 Mon Sep 17 00:00:00 2001
From: Tobias Huste
Date: Tue, 6 Oct 2020 12:19:40 +0200
Subject: [PATCH 2/3] Add information about handling existing ssl pairs into the README

---
 README.md | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 4eb57cc..885f08b 100644
--- a/README.md
+++ b/README.md
@@ -50,7 +50,12 @@ Content of SSL/TLS certificate (**required**).
 ```yaml
 zammad_ssl_key:
 ```
-Content of SSL/TLS private key (**required**).
+Content of SSL/TLS private key (**required**).
+**Please note:** In the special case, that you previously put an SSL keypair
+on the host, e.g. via Let's Encrypt, you must not configure the variables
+`zammad_ssl_cert` and `zammad_ssl_key`. Nevertheless, in each case the role will
+alidate, if the SSL key pair given under the paths `zammad_ssl_key_path` and
+`zammad_ssl_cert_path` are valid.
 
 ```yaml
 zammad_nginx_additional_server_configs:
From 9b6e7953ae68123ffb14ab9fb8308b95c5552900 Mon Sep 17 00:00:00 2001
From: Tobias Huste
Date: Tue, 6 Oct 2020 13:32:03 +0200
Subject: [PATCH 3/3] Apply suggestion from code review

Co-authored-by: Christian Hueser <55481699+christianhueserhzdr@users.noreply.github.com>
---
 README.md | 2 +-
 tasks/ssl.yml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 885f08b..421ee4c 100644
--- a/README.md
+++ b/README.md
@@ -54,7 +54,7 @@ Content of SSL/TLS private key (**required**).
 **Please note:** In the special case, that you previously put an SSL keypair
 on the host, e.g. via Let's Encrypt, you must not configure the variables
 `zammad_ssl_cert` and `zammad_ssl_key`. Nevertheless, in each case the role will
-alidate, if the SSL key pair given under the paths `zammad_ssl_key_path` and
+validate, if the SSL key pair is given under the paths `zammad_ssl_key_path` and
 `zammad_ssl_cert_path` are valid.
 
 ```yaml
diff --git a/tasks/ssl.yml b/tasks/ssl.yml
index 53ced7f..ab4af97 100644
--- a/tasks/ssl.yml
+++ b/tasks/ssl.yml
@@ -9,7 +9,7 @@
     mode: 0640
     owner: root
     group: root
-  when: zammad_ssl_key is undefined or zammad_ssl_key|length > 0
+  when: zammad_ssl_key is defined or zammad_ssl_key|length > 0
 
 - name: SSL | Insert certificate
   blockinfile:
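Review bot: The new condition `when: zammad_ssl_key is defined or zammad_ssl_key|length > 0` still breaks the case this series exists for: when `zammad_ssl_key` is left undefined, `is defined` is false and Jinja goes on to evaluate `zammad_ssl_key|length` on an undefined variable, which Ansible's strict undefined handling reports as a conditional-evaluation error rather than skipping the task, so an existing key at `zammad_ssl_key_path` cannot be preserved simply by not setting the variable as the README in this same series instructs. The `or` also makes the length test redundant: any defined value, including an empty string or the bare `zammad_ssl_key:` null that the old defaults shipped, runs the blockinfile and writes an empty block over the private key file. A single guarded expression covers undefined, null and empty in one go: `when: zammad_ssl_key | default('', true) | length > 0`. The blockinfile task this condition belongs to starts above the hunk, and the certificate task in the next hunk has the same issue.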
@@ -20,7 +20,7 @@
     mode: 0644
     owner: root
     group: root
-  when: zammad_ssl_cert is undefined or zammad_ssl_cert|length > 0
+  when: zammad_ssl_cert is defined or zammad_ssl_cert|length > 0
 
 - name: SSL | Check if certificate is still valid, ignoring failures
   openssl_certificate_info:
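Review bot: `when: zammad_ssl_cert is defined or zammad_ssl_cert|length > 0` has the same flaw as the key condition: with the variable undefined the right-hand operand is still evaluated and `length` on an undefined value raises, so the documented "do not set the variables" path errors out instead of leaving the certificate already at `zammad_ssl_cert_path` untouched; `when: zammad_ssl_cert | default('', true) | length > 0` skips cleanly on undefined, null and empty. Because the key and certificate tasks are gated independently, supplying only one of the two variables overwrites half of a pre-provisioned pair and leaves a key that no longer matches its certificate; the following `openssl_certificate_info` task is described as ignoring failures, so it presumably would not surface this. An `assert` placed before the first blockinfile task that requires both variables or neither closes that gap. The blockinfile task this condition belongs to starts above the hunk.

```yaml
- name: SSL | Require a complete key pair or none
  assert:
    that:
      - (zammad_ssl_key | default('', true) | length > 0) == (zammad_ssl_cert | default('', true) | length > 0)
    fail_msg: >-
      Set both zammad_ssl_key and zammad_ssl_cert, or neither to keep the files
      already present at zammad_ssl_key_path and zammad_ssl_cert_path.

# … unchanged: SSL | Insert private key and SSL | Insert certificate tasks …
```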