Add support for certbot and Let's Encrypt certificates

HISTORY.txt

@@ -1,3 +1,14 @@
+Unreleased
+
+- Add support for certbot and Let's Encrypt certficates.
+  [stevepiercy]
+
+- Allow Bearer Authorization headers to be used for JWT Token authentication used by plone.restapi.
+  [fulv]
+
+- Fix version compare and align with ansible.plone_server.
+  [stevepiercy]
+
 1.3.7 2019-07-24
 
 - Set up the multiserver sample with 4.3, 5.1 and 5.2 for a thorough example and test.

docs/webserver.rst

@@ -90,6 +90,61 @@ To use files that already exist on the controlled server, use:
           crt: /etc/ssl/certs/ssl-cert-snakeoil.pem
 
 
+Let's Encrypt Certificates and certbot
+--------------------------------------
+
+An optional playbook ``geerlingguy.certbot.yml`` is provided that uses free Let's Encrypt certificates and certbot to generate and renew them via a cron job.
+Review and change any variables in this file, specifically ``certbot_admin_email``.
+
+To use this playbook, first install the role.
+
+.. code-block:: bash
+
+    cd ansible-playbook
+    git clone https://github.com/geerlingguy/ansible-role-certbot.git geerlingguy.certbot
+
+Run the playbook.
+
+.. code-block:: bash
+
+    ansible-playbook geerlingguy.certbot.yml
+
+Next configure your playbook ``local-configure.yml``.
+The following example configures ``geerlingguy.certbot`` to also perform a redirection of all traffic from http to https with the ``extra`` key.
+You will need to specify a correct IP address.
+Also verify that the location of the private key and certificate files installed by ``geerlingguy.certbot`` is correct for your system.
+
+.. code-block:: yaml
+
+    webserver_virtualhosts:
+      - hostname: "{{ inventory_hostname }}"
+        port: 80
+        protocol: http
+        extra: return 301 https://$server_name$request_uri;
+      - hostname: "{{ inventory_hostname }}"
+        default_server: yes
+        zodb_path: /Plone
+        address: 1.1.1.1
+        port: 443
+        protocol: https
+        certificate:
+          key: /etc/letsencrypt/live/{{ inventory_hostname }}/privkey.pem
+          crt: /etc/letsencrypt/live/{{ inventory_hostname }}/fullchain.pem
+
+.. note::
+
+    The playbook will only *add* new web server configuration files.
+    It does not update existing web server configuration files.
+    If you have previously configured your web server, then you must SSH in to your server, and delete the existing configuration files (for nginx on Debian/Ubuntu, ``/etc/nginx/sites-enabled/``).
+    Then you can run the playbook to add the new configuration files.
+
+    To avoid the previous step, you can run the ``geerlingguy.certbot`` playbook before the Plone playbook.
+
+.. seealso::
+
+    `Documentation for geerlingguy.certbot <https://github.com/geerlingguy/ansible-role-certbot>`_.
+
+
 Redirections, etc.
 ~~~~~~~~~~~~~~~~~~
 

geerlingguy.certbot.yml

@@ -0,0 +1,48 @@
+---
+
+# Documentation:
+# https://github.com/geerlingguy/ansible-role-certbot
+
+
+- hosts: all
+  become: yes
+  gather_facts: yes
+
+  vars:
+    certbot_auto_renew_user: root
+    certbot_create_if_missing: true
+    certbot_admin_email: [email protected]
+    certbot_auto_renew_options: '--quiet --no-self-upgrade
+    --pre-hook "service nginx stop" --post-hook "service nginx start"'
+    certbot_create_standalone_stop_services: []
+
+    certbot_certs:
+      - domains:
+        - "{{ inventory_hostname }}"
+
+  tasks:
+  - name: Include vars from local-configure.yml if found
+    include_vars: "{{ item }}"
+    with_first_found:
+     - local-configure.yml
+     - null.yml
+
+  pre_tasks:
+    - name: Update apt cache.
+      apt: update_cache=yes cache_valid_time=600
+      when: ansible_os_family == 'Debian'
+      changed_when: false
+
+    - name: Install dependencies (RedHat).
+      yum: name={{ item }} state=present
+      when: ansible_os_family == 'RedHat'
+      with_items:
+        - cronie
+        - epel-release
+
+    - name: Install cron (Debian).
+      apt: name=cron state=present
+      when: ansible_os_family == 'Debian'
+
+  roles:
+    - geerlingguy.certbot

playbook.yml

@@ -10,7 +10,7 @@
 
     - name: Fail if Ansible is old
       fail: msg="We need updates in Ansible 2.5.0. Please update your kit. 'pip install -U Ansible'"
-      when: ansible_version is version('2.5.0', 'lt')
+      when: ansible_version.full is version('2.5.0', '<')
       tags:
         - always
 

roles/nginx/templates/host.j2

@@ -31,7 +31,7 @@ server {
 {% else %}
    set $vh_protocol "http";
    set $vh_port "{{ item.port|default('80') }}";
- {% endif %}
+{% endif %}
 
 {% if item.get('extra') != None %}
   {{ item.extra }}

roles/varnish/templates/default.vcl.j2

@@ -74,7 +74,7 @@ sub vcl_recv {
 {%if proxy_cache_block_basic_auth|default(True) %}
     # Don't allow basic auth via this route.
     # If you want to login at the Zope root, use an ssh tunnel.
-    if (req.http.Authorization) {
+    if (req.http.Authorization && req.http.Authorization !~ 'Bearer') {
         unset req.http.Authorization;
     }
 {% endif %}

roles/varnish/templates/default.vcl4.j2

@@ -64,7 +64,7 @@ sub vcl_recv {
 {%if proxy_cache_block_basic_auth|default(True) %}
     # Don't allow basic auth via this route.
     # If you want to login at the Zope root, use an ssh tunnel.
-    if (req.http.Authorization) {
+    if (req.http.Authorization && req.http.Authorization !~ 'Bearer') {
         unset req.http.Authorization;
     }
 {% endif %}