finallycoffee/matrix-docker-ansible-deploy
5
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Add support for 2 more SSL certificate retrieval methods

Browse Source 
Adds support for managing certificates manually and for
having the playbook generate self-signed certificates for you.

With this, Let's Encrypt usage is no longer required.

Fixes Github issue #50.
This commit is contained in:
Slavi Pantaleev
2018-12-23 11:00:12 +02:00
parent bfcba5256e
commit d28bdb3258
21 changed files with 296 additions and 86 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
docs/configuring-playbook-own-webserver.md
View File

@ -24,6 +24,6 @@ matrix_nginx_proxy_enabled: false
- ensure you set up (separate) vhosts that proxy for both Riot (`localhost:8765`) and Matrix Synapse (`localhost:8008`)
- ensure that the `/.well-known/acme-challenge` location for each "port=80 vhost" gets proxied to `http://localhost:2402` (controlled by `matrix_ssl_certbot_standalone_http_port`) for automated SSL renewal to work
- ensure that the `/.well-known/acme-challenge` location for each "port=80 vhost" gets proxied to `http://localhost:2402` (controlled by `matrix_ssl_lets_encrypt_certbot_standalone_http_port`) for automated SSL renewal to work
- ensure that you restart/reload your webserver once in a while, so that renewed SSL certificates would take effect (once a month should be enough)
- ensure that you restart/reload your webserver once in a while, so that renewed SSL certificates would take effect (once a month should be enough)

32
docs/configuring-playbook-ssl-certificates.md Normal file
View File

@ -0,0 +1,32 @@
# Adjusting SSL certificate retrieval (optional, advanced)
By default, this playbook retrieves and auto-renews free SSL certificates from [Let's Encrypt](https://letsencrypt.org/).
If that's alright, you can skip this.
## Using self-signed SSL certificates
For private deployments (not publicly accessible from the internet), you may not be able to use Let's Encrypt certificates.
If self-signed certificates are alright with you, you can ask the playbook to generate such for you with the following configuration:
```yaml
matrix_ssl_retrieval_method: self-signed
```
## Using your own SSL certificates
If you'd like to manage SSL certificates by yourself and have the playbook use your certificate files, you can use the following configuration:
```yaml
matrix_ssl_retrieval_method: manually-managed
```
With such a configuration, the playbook would expect you to drop the SSL certificate files in the directory specified by `matrix_ssl_config_dir_path` (`/matrix/ssl/config` by default) obeying the following hierarchy:
- `<matrix_ssl_config_dir_path>/live/<domain>/fullchain.pem`
- `<matrix_ssl_config_dir_path>/live/<domain>/privkey.pem`
where `<domain>` refers to the domains that you need (usually `matrix.<your-domain>` and `riot.<your-domain>`).

2
docs/configuring-playbook.md
View File

@ -35,6 +35,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins
- [Adjusting mxisd Identity Server configuration](configuring-playbook-mxisd.md) (optional)
- [Adjusting SSL certificate retrieval](configuring-playbook-ssl-certificates.md) (optional, advanced)
- [Using your own webserver, instead of this playbook's nginx proxy](configuring-playbook-own-webserver.md) (optional, advanced)
- [Setting up the REST authentication password provider module](configuring-playbook-rest-auth.md) (optional, advanced)