From 15b672c62037016d5138adbe10f28a7a207740f4 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Fri, 28 Aug 2020 23:41:49 +0200
Subject: proper certs for legacy webservices
---
chaos-at-home/ch-http-proxy.yml | 54 ++++++++++++++++++++++++++++++++++++++---
1 file changed, 50 insertions(+), 4 deletions(-)
(limited to 'chaos-at-home')
diff --git a/chaos-at-home/ch-http-proxy.yml b/chaos-at-home/ch-http-proxy.yml
index 627343e6..f90939d0 100644
--- a/chaos-at-home/ch-http-proxy.yml
+++ b/chaos-at-home/ch-http-proxy.yml
@@ -123,7 +123,51 @@
name: nginx/vhost
- #### webmail.chaos-at-home.org
+ #### webmail.chaos-at-home.org and webdav.chaos-at-home.org
+ - name: create directory for prometheus-old ca cert
+ file:
+ path: /etc/ssl/prometheus-old-ca
+ state: directory
+
+ - name: install prometheus-old ca cert
+ copy:
+ dest: /etc/ssl/prometheus-old-ca/ca.pem
+ content: |
+ -----BEGIN CERTIFICATE-----
+ MIIF6jCCA9KgAwIBAgIUXDQZo0d3tcTa4oilKki+E9md8GIwDQYJKoZIhvcNAQEN
+ BQAwgYwxCzAJBgNVBAYTAkFUMQ8wDQYDVQQIEwZTdHlyaWExDTALBgNVBAcTBEdy
+ YXoxFjAUBgNVBAoTDWNoYW9zLWF0LWhvbWUxFzAVBgNVBAsTDnByb21ldGhldXMt
+ b2xkMSwwKgYDVQQDEyNjaGFvcy1hdC1ob21lIENBIGZvciBwcm9tZXRoZXVzLW9s
+ ZDAeFw0yMDA4MjgyMTMwMDBaFw0yNTA4MjcyMTMwMDBaMIGMMQswCQYDVQQGEwJB
+ VDEPMA0GA1UECBMGU3R5cmlhMQ0wCwYDVQQHEwRHcmF6MRYwFAYDVQQKEw1jaGFv
+ cy1hdC1ob21lMRcwFQYDVQQLEw5wcm9tZXRoZXVzLW9sZDEsMCoGA1UEAxMjY2hh
+ b3MtYXQtaG9tZSBDQSBmb3IgcHJvbWV0aGV1cy1vbGQwggIiMA0GCSqGSIb3DQEB
+ AQUAA4ICDwAwggIKAoICAQDS1hSM5E7mhsv1c3S+cPmjxWAFz8N9xqSGk4JjRNxR
+ wsM7o2aS18FZus+w/Ikp3sTfyNiK017lrnD1iwkTV+yHV9FFNq5FC7Jry3kZcjhH
+ HirmRFJhXvsimsK6Ir/9ZuQ1EqhRv7HEnnG1W19UyQuk0VpTfcis4jNtMOuEcqG2
+ arXah/8OOKpcsvIK03XWpLjw0UzNhemka66BC1W+Sg0iB3PmYOSUjJfxSulfZYN8
+ YAP8QPhXCCrOw39EKiW4KcGnKhNQD8lulpk8kCZlr0Hd8bgxBzrQ+bDhMGEkbxnS
+ 7VaSSTLZIKUWT/4IzCMOrLFbL0k7e0DcOL0+D9lgGjqgDSKKxOi7U3BavilTRJvU
+ 9mq1B+7qrYrx3UfELNgYjUhF575iJmRRH+XKf4b/LGqyrAymRPpwnrubg7KUwGPa
+ zScuGI4QakOVc5/zU6XML9msyz7p2IXmKqkAi/cxrH6VLK49r63Q8OPbLp17vaDp
+ 9TJaMyQ2QQDVaBulEfwIb1vSKiG+e+8frlXKBf7rtVbZxTda3VmUMFw56hbnT1vn
+ zvnWwbTWj2in4BhCMbjyvA+HgPd5CAvXkQff4rX5+quLa6hqP/GbslDxtceDSrN0
+ +GLRcFbBwxFSJhPmAyspUBDgKI6TaBwsaQIp54UF4wtmPOSmx7iRkYWELh7Jrfib
+ YQIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNV
+ HQ4EFgQUTSq7rSadFGLpZQMEOpI9Mt6ViM0wDQYJKoZIhvcNAQENBQADggIBAKeZ
+ FH+eabDb1JU41hIYrboPbL3N6G8IW9VxfAIQ/W3jYEHz+gLf7CAOZIqbZCrexajs
+ +hqamNAZ+eXQ+9o9IcGXHx5ifDDWLDVl0i/7qQ1cl+oXQ4Ua6jSN/I1UghPkV+Pt
+ X3Rptl+HLGtTjUcP8Sd78ugBnhM1T8oB9i/xkP9idP7H95C/JKnBER+uH8u67LVe
gYRZS6R+tI3vX1CrjdI0zps0TDWU9sixsu2BF8HHc6AJ6t+1oAVtvpNQcwl1Kll5
+ XtSUp+rdc5SHQ2Omq+S4WZ8nW88IrT+VG6WflYvg2F1Wzk9D1KYcAl1vox/nqKg5
+ iqy0BlygrwTLJGS1uNSbIPTHFPgIX7VVQc+u3TLwqFaexXwG5382jD3n4uAr65SM
+ zP2O8JWZMukdWSP2cAFkKCNUCpYNiA0cyCtdtNw+vWqXXFdc0uvnILROB/dQ6RJA
+ MviUhGFMdtcoW/bMXDlpJTVFQhhFwJmMatvPIAq9Z+OkvV+T/y87NfE/KUDKB+Hy
+ oFx9xgax8wsZUNEZMyDMVGcV1oLn1/dsKhHShYVQsDoJcc1egkL+Di8TtT7SwNxg
+ zT1Rzi1tmVUMLM+CeyP1bbf4YPrH4ulk1Evj2ZHzF6hwKxavvm8hHidmd82FVcik
+ ePVA2hh60RUIGEAKyJS23SWUdaFe5+hxxYFQ3qAB
+ -----END CERTIFICATE-----
+
- name: configure vhost for webmail.chaos-at-home.org
vars:
nginx_vhost:
@@ -135,6 +179,8 @@
client_max_body_size: "200M"
proxy_pass: "https://{{ network_zones.lan.prefix | ipaddr(network_zones.lan.offsets['ch-prometheus-old']) | ipaddr('address') }}/"
proxy_ssl:
+ verify: "on"
+ trusted_certificate: /etc/ssl/prometheus-old-ca/ca.pem
protocols: TLSv1
ciphers: "DEFAULT@SECLEVEL=1"
acmetool_cert_config:
@@ -144,8 +190,6 @@
include_role:
name: nginx/vhost
-
- #### webdav.chaos-at-home.org
- name: configure vhost for webdav.chaos-at-home.org
vars:
nginx_vhost:
@@ -156,6 +200,8 @@
- webdav.chaos-at-home.org
proxy_pass: "https://{{ network_zones.lan.prefix | ipaddr(network_zones.lan.offsets['ch-prometheus-old']) | ipaddr('address') }}/"
proxy_ssl:
+ verify: "on"
+ trusted_certificate: /etc/ssl/prometheus-old-ca/ca.pem
protocols: TLSv1
ciphers: "DEFAULT@SECLEVEL=1"
acmetool_cert_config:
@@ -166,7 +212,7 @@
name: nginx/vhost
- #### imap.chaos-at-home.or
+ #### imap.chaos-at-home.org
- name: configure vhost for imap.chaos-at-home.org
vars:
nginx_vhost:
-- cgit v1.2.3
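Review bot: The CA blob installed by `install prometheus-old ca cert` carries no comment recording what it is or when it stops working, and once the webmail/webdav vhosts verify against it, its expiry becomes an outage rather than a silent downgrade. The DER fields visible in the base64 (`Fw0yMDA4MjgyMTMwMDBaFw0yNTA4MjcyMTMwMDBa`) decode to a validity of 2020-08-28 21:30Z to 2025-08-27 21:30Z, the extension block marks it CA:TRUE with keyCertSign/cRLSign, and the same DN appears as issuer and subject, so this looks like a self-signed root. I would put `# self-signed root CA for the ch-prometheus-old TLS endpoint (webmail/webdav upstream); expires 2025-08-27 — renew CA and leaf before then or nginx returns 502` above the task, and consider shipping the PEM from `files/` via `copy: src:` so its fingerprint can be checked with openssl instead of eyeballed in a 30-line blob. Neither task pins owner/mode; `mode: "0644"` on the copy would make the result deterministic. The play these tasks belong to starts outside the hunk.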
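Review bot: `verify: "on"` makes nginx check the upstream certificate's name against the host part of `proxy_pass` (unless a `proxy_ssl_name` overrides it), and that host is the bare LAN address produced by `ipaddr('address')`, so verification only succeeds if the leaf issued by this CA was issued for that IP literal; otherwise every webmail and webdav request now fails with 502 instead of being proxied unverified. I can't see the `nginx/vhost` role, so if its `proxy_ssl` mapping exposes a `name` key, set it to whatever name the leaf was actually issued for, and if it doesn't, confirm the leaf has that address as its subject/SAN before rolling this out. The identical stanza in the webdav vhost two hunks down needs the same treatment. It is also worth a comment on the lines kept from before, since `protocols: TLSv1` and `ciphers: "DEFAULT@SECLEVEL=1"` are now the weak link in an otherwise verified connection: `# prometheus-old only speaks TLS 1.0; cert is pinned to the CA above — re-check when the host is retired`. The `nginx_vhost` mapping these lines belong to starts outside the hunk.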