WIP: Let's Encrypt support!

Resolves: #17
RocketChat · Sep 26, 2016 · c0eecf2 · c0eecf2
1 parent 4e98980
commit c0eecf2
Show file tree

Hide file tree

Showing 5 changed files with 82 additions and 6 deletions.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -40,3 +40,13 @@ rocket_chat_nginx_generate_pfs_key: true
 rocket_chat_nginx_pfs_key_numbits: 2048
 rocket_chat_nginx_pfs_key_path: /etc/nginx/rocket_chat.pem
 rocket_chat_nginx_pfs_file: ~
+
+# letsencrypt settings
+rocket_chat_include_letsencrypt: false
+rocket_chat_letsencrypt_email: ~
+rocket_chat_letsencrypt_account_key: /etc/nginx/acme-tiny_account.key
+rocket_chat_letsencrypt_csr: /etc/nginx/acme-tiny_{{ rocket_chat_service_host }}.csr
+rocket_chat_letsencrypt_domain: "{{ rocket_chat_service_host }}"
+rocket_chat_letsencrypt_acmetiny_path: /opt/acme-tiny
+rocket_chat_letsencrypt_wellknown_path: /var/www/letsencrypt
+rocket_chat_letsencrypt_ca_cert: https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem
diff --git a/tasks/letsencrypt.yml b/tasks/letsencrypt.yml
@@ -0,0 +1,56 @@
+---
+
+# possibly just copy the script into files and include it w/ the role?
+- name: Clone acme-tiny to /opt [Let's Encrypt!]
+  git:
+    dest: "{{ rocket_chat_letsencrypt_acmetiny_path }}"
+    repo: https://github.com/diafygi/acme-tiny.git
+    force: yes
+    update: yes
+
+- name: Ensure letsencrypt well-known dir exists [Let's Encrypt!]
+  file:
+    path: "{{ rocket_chat_letsencrypt_wellknown_path  }}"
+    state: directory
+    owner: "{{ rocket_chat_nginx_process_user }}"
+
+- name: Generate acme-tiny Let's Encrypt account key [Let's Encrypt!]
+  shell: >-
+    openssl genrsa -out {{ rocket_chat_letsencrypt_account_key }} 4096 >/dev/null
+  args:
+    creates: "{{ rocket_chat_letsencrypt_account_key }}"
+
+- name: Check if acme-tiny Let's Encrypt CSR exists [Let's Encrypt!]
+  stat:
+    path: "{{ rocket_chat_letsencrypt_csr }}"
+  register: csr_path
+
+- name: Generate acme-tiny Let's Encrypt CSR [Let's Encrypt!]
+  shell: >-
+    openssl req -new -sha256 -key {{ rocket_chat_ssl_key_path }}
+    -subj "/CN={{ rocket_chat_letsencrypt_domain | default(rocket_chat_service_host) }}"
+    -out {{ rocket_chat_letsencrypt_csr }}
+  when:
+    - (key_gen_result | changed) or
+      not csr_path.stat.exists
+  register: csr_gen_result
+
+- name: Setup script in cron.daily [Let's Encrypt!]
+  copy:
+    dest: /etc/cron.monthly/acme-tiny_renew.sh
+    mode: 0755
+    content: |
+      #!/bin/bash
+      python {{ rocket_chat_letsencrypt_acmetiny_path }}/acme_tiny.py \
+      --account-key {{ rocket_chat_letsencrypt_account_key }}  \
+      --csr {{ rocket_chat_letsencrypt_csr }}  \
+      --acme-dir {{ rocket_chat_letsencrypt_wellknown_path  }} \
+      > {{ rocket_chat_ssl_cert_path }} || exit
+      curl -s {{ rocket_chat_letsencrypt_ca_cert }} \
+      >> {{ rocket_chat_ssl_cert_path }} &&
+      nginx -t && nginx -s reload
+
+- name: Run acme-tiny_renew.sh (first run cert creation) [Let's Encrypt!]
+  shell: /etc/cron.monthly/acme-tiny_renew.sh
+  notify: Reload the Nginx service
+  when: csr_gen_result | changed
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -206,3 +206,7 @@
   - include: nginx.yml
     when: rocket_chat_include_nginx|bool
     tags: nginx
+
+  - include: letsencrypt.yml
+    when: rocket_chat_include_letsencrypt|bool
+    tags: letsencrypt
diff --git a/tasks/nginx.yml b/tasks/nginx.yml
@@ -36,16 +36,18 @@
 
   - name: Ensure SSL certs have been generated
     shell: >-
-      openssl req -x509 -newkey rsa:2048 -nodes
+      openssl req -x509 -newkey rsa:4096 -nodes
       -subj "/CN={{ rocket_chat_service_host }}/
       /C=NA/ST=NA/L=NA/O=NA/OU=NA"
       -keyout {{ rocket_chat_ssl_key_path }}
       -out {{ rocket_chat_ssl_cert_path }}
       -days 3650
-    when: rocket_chat_ssl_generate_certs|bool
+    when:
+      - rocket_chat_include_letsencrypt or rocket_chat_ssl_generate_certs|bool
     args:
       creates: "{{ rocket_chat_ssl_key_path }}"
     notify: Reload the Nginx service
+    register: key_gen_result
 
   - name: Ensure provided PFS key has been deployed
     copy:

diff --git a/templates/rocket_chat.conf.j2 b/templates/rocket_chat.conf.j2
@@ -4,10 +4,14 @@ upstream rocket_chat {
 server {
         listen  80;
         server_name  {{ rocket_chat_service_host }};
-
-        # tell users to go to SSL version this time
-        if ($ssl_protocol = "") {
-        rewrite     ^   https://$server_name$request_uri? permanent;
+{% if rocket_chat_include_letsencrypt|bool %}
+        location /.well-known/acme-challenge/ {
+                alias /var/www/letsencrypt/;
+                try_files $uri =404;
+        }
+{% endif %}
+        location / {
+                return 301 https://$host$request_uri;
         }
 }