Add support for 2 more SSL certificate retrieval methods

Adds support for managing certificates manually and for having the playbook generate self-signed certificates for you. With this, Let's Encrypt usage is no longer required. Fixes Github issue #50.
2018-12-23 11:00:12 +02:00
parent bfcba5256e
commit d28bdb3258
21 changed files with 296 additions and 86 deletions
--- a/roles/matrix-server/tasks/setup/ssl/main.yml
+++ b/roles/matrix-server/tasks/setup/ssl/main.yml
@ -0,0 +1,38 @@
+---
+
+- name: Fail if using unsupported SSL certificate retrieval method
+  fail:
+    msg: "The `matrix_ssl_retrieval_method` variable contains an unsupported value"
+  when: "matrix_ssl_retrieval_method not in ['lets-encrypt', 'self-signed', 'manually-managed']"
+
+
+# Common tasks, required by any method below.
+
+- name: Determine domains that we require certificates for (Matrix)
+  set_fact:
+    domains_requiring_certificates: "['{{ hostname_matrix }}']"
+
+- name: Determine domains that we require certificates for (Riot)
+  set_fact:
+    domains_requiring_certificates: "{{ domains_requiring_certificates + [hostname_riot] }}"
+  when: "matrix_riot_web_enabled"
+
+- name: Ensure SSL certificate paths exists
+  file:
+    path: "{{ item }}"
+    state: directory
+    mode: 0770
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+  with_items:
+    - "{{ matrix_ssl_log_dir_path }}"
+    - "{{ matrix_ssl_config_dir_path }}"
+
+
+# Method specific tasks follow
+
+- include: tasks/setup/ssl/setup_ssl_lets_encrypt.yml
+
+- include: tasks/setup/ssl/setup_ssl_self_signed.yml
+
+- include: tasks/setup/ssl/setup_ssl_manually_managed.yml
--- a/roles/matrix-server/tasks/setup/ssl/setup_ssl_lets_encrypt.yml
+++ b/roles/matrix-server/tasks/setup/ssl/setup_ssl_lets_encrypt.yml
@ -0,0 +1,61 @@
+---
+
+#
+# Tasks related to setting up Let's Encrypt's management of certificates
+#
+
+- name: (Deprecation) Fail if using outdated configuration
+  fail:
+    msg: "You're using the `host_specific_matrix_ssl_support_email` variable, which has been superseded by `host_specific_matrix_ssl_lets_encrypt_support_email`. Please change your configuration to use the new name!"
+  when: "matrix_ssl_retrieval_method == 'lets-encrypt' and host_specific_matrix_ssl_support_email is defined"
+
+- name: Allow access to HTTP/HTTPS in firewalld
+  firewalld:
+    service: "{{ item }}"
+    state: enabled
+    immediate: yes
+    permanent: yes
+  with_items:
+    - http
+    - https
+  when: "matrix_ssl_retrieval_method == 'lets-encrypt' and ansible_os_family == 'RedHat'"
+
+- name: Ensure certbot Docker image is pulled
+  docker_image:
+    name: "{{ matrix_ssl_lets_encrypt_certbot_docker_image }}"
+  when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
+
+- name: Obtain certificates
+  include_tasks: "tasks/setup/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml"
+  with_items: "{{ domains_requiring_certificates }}"
+  loop_control:
+    loop_var: domain_name
+  when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
+
+- name: Ensure SSL renewal script installed
+  template:
+    src: "{{ role_path }}/templates/usr-local-bin/matrix-ssl-certificates-renew.j2"
+    dest: "/usr/local/bin/matrix-ssl-certificates-renew"
+    mode: 0750
+  when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
+
+- name: Ensure periodic SSL renewal cronjob configured
+  template:
+    src: "{{ role_path }}/templates/cron.d/matrix-ssl-certificate-renewal.j2"
+    dest: "/etc/cron.d/matrix-ssl-certificate-renewal"
+    mode: 0600
+  when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
+
+
+#
+# Tasks related to getting rid of Let's Encrypt's management of certificates
+#
+
+- name: Ensure Let's Encrypt SSL certificate management files removed
+  file:
+    path: "{{ item }}"
+    state: absent
+  with_items:
+    - /usr/local/bin/matrix-ssl-certificates-renew
+    - /etc/cron.d/matrix-ssl-certificate-renewal
+  when: "matrix_ssl_retrieval_method != 'lets-encrypt'"
--- a/roles/matrix-server/tasks/setup/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml
+++ b/roles/matrix-server/tasks/setup/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml
@ -0,0 +1,70 @@
+- debug:
+    msg: "Dealing with SSL certificate retrieval for domain: {{ domain_name }}"
+
+- set_fact:
+    domain_name_certificate_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/cert.pem"
+
+- name: Check if a certificate for the domain already exists
+  stat:
+    path: "{{ domain_name_certificate_path }}"
+  register: domain_name_certificate_path_stat
+
+- set_fact:
+    domain_name_needs_cert: "{{ not domain_name_certificate_path_stat.stat.exists }}"
+
+# This will fail if there is something running on port 80 (like matrix-nginx-proxy).
+# We suppress the error, as we'll try another method below.
+- name: Attempt initial SSL certificate retrieval with standalone authenticator (directly)
+  shell: >-
+    /usr/bin/docker run
+    --rm
+    --name=matrix-certbot
+    --net=host
+    -v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt
+    -v {{ matrix_ssl_log_dir_path }}:/var/log/letsencrypt
+    {{ matrix_ssl_lets_encrypt_certbot_docker_image }}
+    certonly
+    --non-interactive
+    {% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %}
+    --standalone
+    --preferred-challenges http
+    --agree-tos
+    --email={{ matrix_ssl_lets_encrypt_support_email }}
+    -d {{ domain_name }}
+  when: "domain_name_needs_cert"
+  register: result_certbot_direct
+  ignore_errors: true
+
+# If matrix-nginx-proxy is configured from a previous run of this playbook,
+# and it's running now, it may be able to proxy requests to `matrix_ssl_lets_encrypt_certbot_standalone_http_port`.
+- name: Attempt initial SSL certificate retrieval with standalone authenticator (via proxy)
+  shell: >-
+    /usr/bin/docker run
+    --rm
+    --name=matrix-certbot
+    -p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:80
+    --network={{ matrix_docker_network }}
+    -v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt
+    -v {{ matrix_ssl_log_dir_path }}:/var/log/letsencrypt
+    {{ matrix_ssl_lets_encrypt_certbot_docker_image }}
+    certonly
+    --non-interactive
+    {% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %}
+    --standalone
+    --preferred-challenges http
+    --agree-tos
+    --email={{ matrix_ssl_lets_encrypt_support_email }}
+    -d {{ domain_name }}
+  when: "domain_name_needs_cert and result_certbot_direct.failed"
+  register: result_certbot_proxy
+  ignore_errors: true
+
+- name: Fail if all SSL certificate retrieval attempts failed
+  fail:
+    msg: |
+      Failed to obtain a certificate directly (by listening on port 80)
+      and also failed to obtain by relying on the server at port 80 to proxy the request.
+      See above for details.
+      You may wish to set up proxying of /.well-known/acme-challenge to {{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }} or,
+      more easily, stop the server on port 80 while this playbook runs.
+  when: "domain_name_needs_cert and result_certbot_direct.failed and result_certbot_proxy.failed"
--- a/roles/matrix-server/tasks/setup/ssl/setup_ssl_manually_managed.yml
+++ b/roles/matrix-server/tasks/setup/ssl/setup_ssl_manually_managed.yml
@ -0,0 +1,8 @@
+---
+
+- name: Verify certificates
+  include_tasks: "tasks/setup/ssl/setup_ssl_manually_managed_verify_for_domain.yml"
+  with_items: "{{ domains_requiring_certificates }}"
+  loop_control:
+    loop_var: domain_name
+  when: "matrix_ssl_retrieval_method == 'manually-managed'"
--- a/roles/matrix-server/tasks/setup/ssl/setup_ssl_manually_managed_verify_for_domain.yml
+++ b/roles/matrix-server/tasks/setup/ssl/setup_ssl_manually_managed_verify_for_domain.yml
@ -0,0 +1,23 @@
+---
+
+- set_fact:
+    matrix_ssl_certificate_verification_cert_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/fullchain.pem"
+    matrix_ssl_certificate_verification_cert_key_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/privkey.pem"
+
+- name: Check if SSL certificate file exists
+  stat:
+    path: "{{ matrix_ssl_certificate_verification_cert_path }}"
+  register: matrix_ssl_certificate_verification_cert_path_stat_result
+
+- fail:
+    msg: "Failed finding a certificate file (for domain `{{ domain_name }}`) at `{{ matrix_ssl_certificate_verification_cert_path }}`"
+  when: "not matrix_ssl_certificate_verification_cert_path_stat_result.stat.exists"
+
+- name: Check if SSL certificate key file exists
+  stat:
+    path: "{{ matrix_ssl_certificate_verification_cert_key_path }}"
+  register: matrix_ssl_certificate_verification_cert_key_path_stat_result
+
+- fail:
+    msg: "Failed finding a certificate key file (for domain `{{ domain_name }}`) at `{{ matrix_ssl_certificate_verification_cert_key_path }}`"
+  when: "not matrix_ssl_certificate_verification_cert_key_path_stat_result.stat.exists"
--- a/roles/matrix-server/tasks/setup/ssl/setup_ssl_self_signed.yml
+++ b/roles/matrix-server/tasks/setup/ssl/setup_ssl_self_signed.yml
@ -0,0 +1,24 @@
+---
+
+- name: Ensure OpenSSL installed (RedHat)
+  yum:
+    name:
+      - openssl
+    state: present
+    update_cache: no
+  when: ansible_os_family == 'RedHat'
+
+- name: Ensure APT usage dependencies are installed (Debian)
+  apt:
+    name:
+      - openssl
+    state: present
+    update_cache: no
+  when: ansible_os_family == 'Debian'
+
+- name: Obtain certificates
+  include_tasks: "tasks/setup/ssl/setup_ssl_self_signed_obtain_for_domain.yml"
+  with_items: "{{ domains_requiring_certificates }}"
+  loop_control:
+    loop_var: domain_name
+  when: "matrix_ssl_retrieval_method == 'self-signed'"
--- a/roles/matrix-server/tasks/setup/ssl/setup_ssl_self_signed_obtain_for_domain.yml
+++ b/roles/matrix-server/tasks/setup/ssl/setup_ssl_self_signed_obtain_for_domain.yml
@ -0,0 +1,40 @@
+---
+
+- set_fact:
+    matrix_ssl_certificate_csr_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/csr.csr"
+    matrix_ssl_certificate_cert_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/fullchain.pem"
+    matrix_ssl_certificate_cert_key_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/privkey.pem"
+
+- name: Check if SSL certificate file exists
+  stat:
+    path: "{{ matrix_ssl_certificate_cert_path }}"
+  register: matrix_ssl_certificate_cert_path_stat_result
+
+# In order to do any sort of generation (below), we need to ensure the directory exists first
+- name: Ensure SSL certificate directory exists
+  file:
+    path: "{{ matrix_ssl_certificate_csr_path|dirname }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+  when: "not matrix_ssl_certificate_cert_path_stat_result.stat.exists"
+
+# The proper way to do this is by using a sequence of
+# `openssl_privatekey`, `openssl_csr` and `openssl_certificate`.
+#
+# Unfortunately, `openssl_csr` and `openssl_certificate` require `PyOpenSSL>=0.15` to work,
+# which is not available on CentOS 7 (at least).
+#
+# We'll do it in a more manual way.
+- name: Generate SSL certificate
+  command: |
+    openssl req -x509 \
+    -sha256 \
+    -newkey rsa:4096 \
+    -nodes \
+    -subj "/CN={{ domain_name }}" \
+    -keyout {{ matrix_ssl_certificate_cert_key_path }} \
+    -out {{ matrix_ssl_certificate_cert_path }} \
+    -days 3650
+  when: "not matrix_ssl_certificate_cert_path_stat_result.stat.exists"