Unverified Commit 66ebfe27 authored by Jakub Klinkovský's avatar Jakub Klinkovský
Browse files

add mkcert role to provide HTTPS for local containers

parent 72d66e4a
......@@ -55,3 +55,26 @@ some services have to be modified to be accessible over plain HTTP.
cd local_infrastructure
ansible-playbook playbooks/<name>.yml
### SSL certificates for local containers
The Arch infrastructure uses the `certbot` role to automatically retrieve SSL
certificates from [Let's Encrypt](https://letsencrypt.org/). However, this
cannot work for _localhost_ or local containers. See [Certificates for
localhost](https://letsencrypt.org/docs/certificates-for-localhost/) for more
To provide HTTPS for local containers, we can use the tool [mkcert](
https://github.com/FiloSottile/mkcert) to create and install a local CA in the
system trust store, and to generate locally-trusted certificates which can be
installed by Ansible in the local containers. You can just replace the `certbot`
role with the `mkcert` role in your playbook and enjoy HTTPS in local
Before you run the playbook with the `mkcert` role, you need to manually install
a local CA. Make sure that the `mkcert` package is installed on the host and run
mkcert -install
Note that `mkcert` will [use sudo to change the system trust store](
Subproject commit 6cc70709a66f1ec47679434916b7cea2a4a7ae00
Subproject commit bd5ba16291fd45229243686c07e9f41850105306
......@@ -5,7 +5,7 @@ library = ../arch_infrastructure/library
remote_tmp = $HOME/.ansible/tmp
remote_user = root
nocows = 1
roles_path = ../arch_infrastructure/roles
roles_path = ../arch_infrastructure/roles:./roles
#vault_password_file = misc/get-vault-pass.sh
retry_files_enabled = False
callback_plugins = ../arch_infrastructure/plugins/callback
......@@ -9,7 +9,7 @@
- { role: firewalld }
- { role: sshd }
# - { role: root_ssh }
# - { role: certbot }
- { role: mkcert } # replacement for the certbot role
- { role: nginx }
- { role: mariadb, mariadb_innodb_buffer_pool_size: '64M', mariadb_table_open_cache: '256', mariadb_query_cache_type: '0',
mariadb_innodb_file_per_table: True }
- name: get local CAROOT path
command: mkcert -CAROOT
register: caroot
delegate_to: localhost
changed_when: false
# NOTE: this does not work, because mkcert asks for the sudo password
#- name: install the local CA in the host system trust store
# command:
# cmd: mkcert -install
# creates: "{{ caroot.stdout }}"
# delegate_to: localhost
- name: create a directory for SSL certificates
file: path=../certificates/{{ inventory_hostname }} state=directory recurse=yes
delegate_to: localhost
- name: create an SSL certificate for {{ inventory_hostname }}
cmd: mkcert -cert-file ../certificates/{{ inventory_hostname }}/cert.pem -key-file ../certificates/{{ inventory_hostname }}/privkey.pem {{ inventory_hostname }} localhost
creates: ../certificates/{{ inventory_hostname }}/privkey.pem
delegate_to: localhost
# create certificate chains for nginx, see references:
# - https://github.com/FiloSottile/mkcert/issues/214#issuecomment-552141000
# - https://nginx.org/en/docs/http/configuring_https_servers.html#chains
- name: create chain.pem
copy: src={{ caroot.stdout }}/rootCA.pem dest=../certificates/{{ inventory_hostname }}/chain.pem mode=0644
# creates: ../certificates/{{ inventory_hostname }}/chain.pem
delegate_to: localhost
- name: create fullchain.pem
cmd: |
cat cert.pem > fullchain.pem
cat chain.pem >> fullchain.pem
chmod 644 fullchain.pem
chdir: ../certificates/{{ inventory_hostname }}
creates: fullchain.pem
delegate_to: localhost
- name: create directory for SSL certificates on the remote host
file: path=/etc/letsencrypt/live/{{ inventory_hostname }} state=directory owner=root group=root mode=0755
- name: copy SSL certificates to the remote host
copy: src=../certificates/{{ inventory_hostname }}/{{ item }} dest=/etc/letsencrypt/live/{{ inventory_hostname }}/{{ item }} owner=root group=root mode=preserve
- chain.pem
- fullchain.pem
- privkey.pem
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment