add chaining intermediat in target crt

7 years ago · 6e9fc282cf
--- a/roles/nginx/defaults/main.yml
+++ b/roles/nginx/defaults/main.yml
@ -19,6 +19,8 @@ nginx_separate_logs_per_site: False

 letsencrypt_pause: false
 letsencrypt_account_key: "/etc/ssl/private/letsencrypt.key.pem"
 letsencrypt_intermediate_url: "https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem"
 letsencrypt_intermediate_crt: "/etc/ssl/private/intermediatex3.crt"
 letsencrypt_challenge_webroot: "/var/www/html"
 letsencrypt_ssl_country: "IT"
 letsencrypt_ssl_state: "Italy"
--- a/roles/nginx/tasks/letsencrypt.yaml
+++ b/roles/nginx/tasks/letsencrypt.yaml
@ -12,7 +12,7 @@
      -out {{ item.letsencrypt.ssl_csr | default(item.server.ssl_certificate~".csr") }}
      -subj "/C={{ item.letsencrypt.ssl_country | default(letsencrypt_ssl_country)
      }}/ST={{ item.letsencrypt.ssl_state | default(letsencrypt_ssl_state)
      }}/L{{ item.letsencrypt.ssl_loc | default(letsencrypt_ssl_loc)
      }}/L={{ item.letsencrypt.ssl_loc | default(letsencrypt_ssl_loc)
      }}/O={{ item.letsencrypt.ssl_org | default(letsencrypt_ssl_org)
      }}/CN={{ item.letsencrypt.ssl_cn | default(item.server.server_name)
      }}/emailAddress={{ item.letsencrypt.ssl_email | default(letsencrypt_ssl_email) }}"
@ -43,3 +43,13 @@
    acme_directory: "{{ letsencrypt_acme_dir | default(omit) }}"
    data: "{{ letsencrypt_challenge }}"
  notify: restart nginx

 - name: download intermediate cert for chaining
  get_url:
    url: "{{ letsencrypt_intermediate_url }}"
    dest: "{{ letsencrypt_intermediate_crt }}"
  when: letsencrypt_challenge|changed

 - name: chaining intermediate certificate
  shell: "cat {{ letsencrypt_intermediate_crt }} >> {{ item.server.ssl_certificate }}"
  when: letsencrypt_challenge|changed