Use the Let's Encrypt root CA certificate. See https://support.d4science.org/issues/12443#note-16

This commit is contained in:
Andrea Dell'Amico 2018-09-25 20:05:53 +02:00
parent 6cfef59871
commit 1f5f775ae2
3 changed files with 7 additions and 8 deletions


@ -49,6 +49,7 @@ mongodb_storage_engine: wiredTiger
mongodb_ssl_enabled: False mongodb_ssl_enabled: False
mongodb_ssl_letsencrypt_managed: True mongodb_ssl_letsencrypt_managed: True
mongodb_letsencrypt_download_ca_file: False
mongodb_ssl_letsencrypt_ca_url: 'https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt' mongodb_ssl_letsencrypt_ca_url: 'https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt'
mongodb_ssl_letsencrypt_ca_dir: '{{ mongodb_ssl_cert_dir }}' mongodb_ssl_letsencrypt_ca_dir: '{{ mongodb_ssl_cert_dir }}'
mongodb_ssl_letsencrypt_ca_filename: lets-encrypt-x3-cross-signed.pem mongodb_ssl_letsencrypt_ca_filename: lets-encrypt-x3-cross-signed.pem
@ -56,7 +57,8 @@ mongodb_ssl_letsencrypt_ca_filename: lets-encrypt-x3-cross-signed.pem
mongodb_ssl_mode: requireSSL mongodb_ssl_mode: requireSSL
mongodb_ssl_cert_dir: /etc/pki/mongodb mongodb_ssl_cert_dir: /etc/pki/mongodb
mongodb_ssl_certkey_file: '{{ mongodb_ssl_cert_dir }}/mongodb.pem' mongodb_ssl_certkey_file: '{{ mongodb_ssl_cert_dir }}/mongodb.pem'
mongodb_ssl_CA_file: '{{ mongodb_ssl_letsencrypt_ca_dir }}/{{ mongodb_ssl_letsencrypt_ca_filename }}' # mongodb_ssl_CA_file: '{{ mongodb_ssl_letsencrypt_ca_dir }}/{{ mongodb_ssl_letsencrypt_ca_filename }}'
mongodb_ssl_CA_file: '/usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt'
mongodb_ssl_allowConnectionsWithoutCertificates: 'true' mongodb_ssl_allowConnectionsWithoutCertificates: 'true'
mongodb_ssl_disabled_protocols: 'TLS1_0,TLS1_1' mongodb_ssl_disabled_protocols: 'TLS1_0,TLS1_1'
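Review bot: The new `mongodb_ssl_CA_file` default hard-codes a distro path, `/usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt`, but nothing in the diff checks that the `ca-certificates` package is installed or that the file exists on the target, and with `mongodb_ssl_mode: requireSSL` a missing CA file stops mongod from starting; a `stat` on the path before the config is templated, or at least a comment on the variable naming that precondition, would make the dependency explicit. If this value is what the template passes as `net.ssl.CAFile` (the template is not in the diff), two consequences follow from switching from the intermediate to the root: the server's `mongodb.pem` must now include the Let's Encrypt intermediate itself, since the root alone no longer supplies the chain, and any certificate Let's Encrypt issues to anyone chains to this root, so the CA file only proves a peer holds some LE certificate and cannot serve as an allow-list for clients or replica-set members on its own. Because both the old intermediate filename and the new cross-signed root are tied to the current LE chain, I would keep the path in its own variable, e.g. `mongodb_ssl_system_ca_file: '/usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt'`, and reference it from `mongodb_ssl_CA_file`, so a chain change is an inventory override rather than a role edit.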


@ -9,8 +9,9 @@
- name: Create the mongodb certificate directory - name: Create the mongodb certificate directory
file: dest={{ mongodb_ssl_cert_dir }} state=directory owner=root group=mongodb mode=0750 file: dest={{ mongodb_ssl_cert_dir }} state=directory owner=root group=mongodb mode=0750
- name: Get the Letsencrypt CA file - name: Get the Letsencrypt CA file if there is no local copy yet
get_url: url={{ mongodb_ssl_letsencrypt_ca_url }} dest={{ mongodb_ssl_cert_dir }}/{{ mongodb_ssl_letsencrypt_ca_filename }} get_url: url={{ mongodb_ssl_letsencrypt_ca_url }} dest={{ mongodb_ssl_cert_dir }}/{{ mongodb_ssl_letsencrypt_ca_filename }}
when: mongodb_letsencrypt_download_ca_file
- name: Verify if the mongodb pem file exists - name: Verify if the mongodb pem file exists
stat: path={{ mongodb_ssl_certkey_file }} stat: path={{ mongodb_ssl_certkey_file }}
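Review bot: The `get_url` task at the top of this hunk is now gated on `mongodb_letsencrypt_download_ca_file`, but when it does run it still installs a trust anchor with no integrity check, so whatever the download returns becomes the CA mongod trusts; add `checksum=sha256:{{ mongodb_ssl_letsencrypt_ca_checksum }}` (with the digest kept as a role variable) so an altered or unexpected file fails the task instead of being written to `mongodb_ssl_cert_dir`. The new task name says "if there is no local copy yet", yet the condition is the variable, not the presence of the file; `get_url` without `force` does leave an existing `dest` alone, so the name is only true by that side effect, and something like `Download the Letsencrypt CA file when mongodb_letsencrypt_download_ca_file is set` would match the `when`. The downloaded file also has no explicit `mode`/`group`; given the directory is `0750 root:mongodb`, stating `mode=0640 group=mongodb` makes what mongod can read deliberate rather than a product of the controller's umask.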


@ -41,17 +41,13 @@
- block: - block:
- name: Install/Update the mongodb configuration - name: Install/Update the mongodb configuration
template: src=mongod-{{ mongodb_version }}.conf.j2 dest=/etc/mongod.conf owner=root group=root mode=0444 backup=yes template: src=mongod-{{ mongodb_version }}.conf.j2 dest=/etc/mongod.conf owner=root group=root mode=0444 backup=yes
when: mongodb_install_server or mongodb_install_conf or mongodb_update_conf when: mongodb_install_conf or mongodb_update_conf
notify: Restart mongodb notify: Restart mongodb
when: mongodb_install_server
tags: [ 'mongodb', 'mongodb_update_conf' ] tags: [ 'mongodb', 'mongodb_update_conf' ]
- block: - block:
# - name: Install the mongodb configuration
# template: src=mongod-{{ mongodb_version }}.conf.j2 dest=/etc/mongod.conf owner=root group=root mode=0444 backup=yes
# when: mongodb_install_conf
# notify: Restart mongodb
- name: We are upgrading, install the latest version of the mongodb packages - name: We are upgrading, install the latest version of the mongodb packages
apt: pkg={{ item }} state=latest update_cache=yes cache_valid_time=1800 apt: pkg={{ item }} state=latest update_cache=yes cache_valid_time=1800
with_items: '{{ mongodb_server_pkgs }}' with_items: '{{ mongodb_server_pkgs }}'
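Review bot: Moving `when: mongodb_install_server` out to the block while the template task keeps only `mongodb_install_conf or mongodb_update_conf` turns the old OR of three flags into `mongodb_install_server and (mongodb_install_conf or mongodb_update_conf)`; if `mongodb_install_conf` is not true by default (its default is not in the diff), a plain server install no longer writes `/etc/mongod.conf` from the template, which the removed condition did with `mongodb_install_server` alone. The rendered page loses indentation, so I am inferring from its position that the new `when` applies to the block rather than to the task; if that is the intent, a comment on the block such as `# Configuration is only managed on hosts that install the server; mongodb_update_conf alone is not enough` would spare the next reader a trip through history, and if it is not, the `or mongodb_install_server` term needs to come back on the task. The `--tags mongodb_update_conf` run implied by the tag is affected the same way, since the block condition now applies to it too.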