From e05ee8d07e76fa8bda280d6cc55243f4c0b8ec76 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Wed, 26 Sep 2018 16:41:33 +0200
Subject: [PATCH] Add both the Root CA and the intermediate one into the mongodb CAfile.

---
 mongodb-org/defaults/main.yml | 5 ++---
 mongodb-org/tasks/mongodb-letsencrypt-acmetool.yml | 6 +++++-
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/mongodb-org/defaults/main.yml b/mongodb-org/defaults/main.yml
index 9d60eac..bb2851d 100644
--- a/mongodb-org/defaults/main.yml
+++ b/mongodb-org/defaults/main.yml
@@ -49,7 +49,6 @@ mongodb_storage_engine: wiredTiger
 mongodb_ssl_enabled: False
 mongodb_ssl_letsencrypt_managed: True
-mongodb_letsencrypt_download_ca_file: False
 mongodb_ssl_letsencrypt_ca_url: 'https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt'
 mongodb_ssl_letsencrypt_ca_dir: '{{ mongodb_ssl_cert_dir }}'
 mongodb_ssl_letsencrypt_ca_filename: lets-encrypt-x3-cross-signed.pem
@@ -57,8 +56,8 @@ mongodb_ssl_letsencrypt_ca_filename: lets-encrypt-x3-cross-signed.pem
 mongodb_ssl_mode: requireSSL
 mongodb_ssl_cert_dir: /etc/pki/mongodb
 mongodb_ssl_certkey_file: '{{ mongodb_ssl_cert_dir }}/mongodb.pem'
-# mongodb_ssl_CA_file: '{{ mongodb_ssl_letsencrypt_ca_dir }}/{{ mongodb_ssl_letsencrypt_ca_filename }}'
-mongodb_ssl_CA_file: '/usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt'
+mongodb_ssl_CA_file: '{{ mongodb_ssl_letsencrypt_ca_dir }}/{{ mongodb_ssl_letsencrypt_ca_filename }}'
+mongodb_ssl_root_CA_file: '/usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt'
 mongodb_ssl_allowConnectionsWithoutCertificates: 'true'
 mongodb_ssl_disabled_protocols: 'TLS1_0,TLS1_1'
diff --git a/mongodb-org/tasks/mongodb-letsencrypt-acmetool.yml b/mongodb-org/tasks/mongodb-letsencrypt-acmetool.yml
index 66f2f45..714e38a 100644
--- a/mongodb-org/tasks/mongodb-letsencrypt-acmetool.yml
+++ b/mongodb-org/tasks/mongodb-letsencrypt-acmetool.yml
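Review bot: The two new defaults in the second hunk (`mongodb_ssl_CA_file` and `mongodb_ssl_root_CA_file`) carry no comment explaining how they relate, although after this commit `mongodb_ssl_CA_file` is the file that get_url downloads from `mongodb_ssl_letsencrypt_ca_url` and into which the root certificate is appended, so the downloaded intermediate is rewritten in place and becomes the trust anchor mongod uses. I would add above them `# CA bundle handed to mongod: the downloaded Let's Encrypt intermediate with the Root CA below appended by tasks/mongodb-letsencrypt-acmetool.yml` and `# Must already exist on the target; this path is normally provided by the system ca-certificates package`. Since the `DST_Root_CA_X3.crt` path is owned by the distribution CA package rather than by this role, a stat on it before use would give a clearer failure than the error the later cat produces when it is missing.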
@@ -11,7 +11,11 @@
   - name: Get the Letsencrypt CA file if there is no local copy yet
     get_url: url={{ mongodb_ssl_letsencrypt_ca_url }} dest={{ mongodb_ssl_cert_dir }}/{{ mongodb_ssl_letsencrypt_ca_filename }}
-    when: mongodb_letsencrypt_download_ca_file
+    register: build_mongo_ca_file
+
+  - name: Add the Root CA certificate to the mongodb CA file
+    command: cat {{ mongodb_ssl_root_CA_file }} >> {{ mongodb_ssl_cert_dir }}/{{ mongodb_ssl_letsencrypt_ca_filename }}
+    when: build_mongo_ca_file is changed
 
   - name: Verify if the mongodb pem file exists
     stat: path={{ mongodb_ssl_certkey_file }}
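Review bot: The new "Add the Root CA certificate to the mongodb CA file" task uses `command:`, which does not go through a shell, so `>>` is handed to cat as a literal file name: nothing is appended to the CA file and the task fails on the missing `>>` file. Even with `shell:` the append is gated on `build_mongo_ca_file is changed`, and get_url with a file `dest` appears to report changed only when it actually downloads, so an interrupted or failed first run leaves the bundle without the root and a rerun never repairs it; if the downloaded PEM has no trailing newline the two certificates would also be glued onto one line. A shell-free and idempotent form is to slurp the root certificate on the target and manage it with blockinfile, as below (the marker lines sit outside the BEGIN/END blocks, which PEM readers should skip — verify against mongod). Since this file is now what mongod trusts, the get_url step would also benefit from a pinned `checksum: 'sha256:<EXPECTED_SHA256_PLACEHOLDER>'` so a changed download cannot silently alter the trust anchor.
```yaml
    register: build_mongo_ca_file

  - name: Read the Root CA certificate from the target
    slurp:
      src: '{{ mongodb_ssl_root_CA_file }}'
    register: mongodb_root_ca

  - name: Add the Root CA certificate to the mongodb CA file
    blockinfile:
      path: '{{ mongodb_ssl_cert_dir }}/{{ mongodb_ssl_letsencrypt_ca_filename }}'
      marker: '# {mark} ANSIBLE MANAGED ROOT CA'
      block: "{{ mongodb_root_ca.content | b64decode }}"

  # … unchanged: Verify if the mongodb pem file exists …
```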