From 097ddd2eb46c2cd74142a1bf519486e15f4408ea Mon Sep 17 00:00:00 2001
From: Andreas Wolf
Date: Sat, 16 Jan 2016 16:55:07 +0100
Subject: [PATCH] Only create vHosts if certificate exists
---
 README.md | 4 ++++
 defaults/main.yml | 2 ++
 tasks/configure-Debian.yml | 5 +++++
 tasks/configure-RedHat.yml | 5 +++++
 templates/vhosts-2.4.conf.j2 | 2 ++
 5 files changed, 18 insertions(+)
diff --git a/README.md b/README.md
index f173879..d9bf1b9 100644
--- a/README.md
+++ b/README.md
@@ -92,6 +92,10 @@ The list of packages to be installed. This defaults to a set of platform-specifi
 Set initial Apache daemon state to be enforced when this role is run. This should generally remain `started`, but you can set it to `stopped` if you need to fix the Apache config during a playbook run or otherwise would not like Apache started at the time this role is run.
+ apache_ignore_missing_ssl_certificate: true
+
+Create SSL vHosts regardless of whether their certificate exists or not. It might be handy to set this to `false` if you e.g. use Let’s encrypt, which triggers certificate generation with a running webserver. You might need to run your playbook multiple times to really get all SSL vHosts going if another part of your playbook takes care of certificate generation. (but OTOH Apache won’t complain about missing certificates anymore).
+
 ## Dependencies
 None.
diff --git a/defaults/main.yml b/defaults/main.yml
index d827d1a..84f95a3 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -28,6 +28,8 @@ apache_vhosts_ssl: []
 #
 # Optional.
 # certificate_chain_file: "/path/to/certificate_chain.crt"
+apache_ignore_missing_ssl_certificate: true
+
 apache_ssl_protocol: "All -SSLv2 -SSLv3"
 apache_ssl_cipher_suite: "AES256+EECDH:AES256+EDH"
diff --git a/tasks/configure-Debian.yml b/tasks/configure-Debian.yml
index b39e191..8a3abfe 100644
--- a/tasks/configure-Debian.yml
+++ b/tasks/configure-Debian.yml
@@ -23,6 +23,11 @@
 with_items: apache_mods_disabled
 notify: restart apache
+- name: Check whether certificates defined in vhosts exist.
+ stat: path={{ item.certificate_file }}
+ register: apache_ssl_certificates
+ with_items: apache_vhosts_ssl
+
 - name: Add apache vhosts configuration.
 template:
 src: "vhosts-{{ apache_vhosts_version }}.conf.j2"
diff --git a/tasks/configure-RedHat.yml b/tasks/configure-RedHat.yml
index 695a9cf..3df9692 100644
--- a/tasks/configure-RedHat.yml
+++ b/tasks/configure-RedHat.yml
@@ -8,6 +8,11 @@
 with_items: apache_ports_configuration_items
 notify: restart apache
+- name: Check whether certificates defined in vhosts exist.
+ stat: path={{ item.certificate_file }}
+ register: apache_ssl_certificates
+ with_items: apache_vhosts_ssl
+
 - name: Add apache vhosts configuration.
 template:
 src: "vhosts-{{ apache_vhosts_version }}.conf.j2"
diff --git a/templates/vhosts-2.4.conf.j2 b/templates/vhosts-2.4.conf.j2
index fe1b3b8..c120fc2 100644
--- a/templates/vhosts-2.4.conf.j2
+++ b/templates/vhosts-2.4.conf.j2
@@ -30,6 +30,7 @@
 {# Set up SSL VirtualHosts #}
 {% for vhost in apache_vhosts_ssl %}
+{% if apache_ignore_missing_ssl_certificate or apache_ssl_certificates.results[loop.index0].stat.exists %}
 ServerName {{ vhost.servername }}
 {% if vhost.serveralias is defined %}
@@ -65,4 +66,5 @@
 {% endif %}
+{% endif %}
 {% endfor %}
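Review bot: The new stat task checks only `item.certificate_file`, so a vhost whose private key (or configured chain file) is not yet present is still rendered and Apache will still refuse to start on it, which is exactly the situation the commit wants to avoid; either stat every file the vhost stanza references (the role's key attribute is, if I recall correctly, `certificate_key_file`) or state in the README that only the certificate is checked. The identical task is duplicated in the configure-RedHat.yml hunk; a shared task file included from both would keep the two from drifting. Style: the task uses `key=value` shorthand next to a `template:` task written in block YAML, and the unquoted Jinja breaks on a path containing spaces, so prefer `stat:` / `path: "{{ item.certificate_file }}"`. The bare `with_items: apache_vhosts_ssl` matches the file's existing style but is deprecated in newer Ansible; `with_items: "{{ apache_vhosts_ssl }}"` is the forward-compatible form.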
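Review bot: `apache_ssl_certificates.results[loop.index0]` pairs each stat result with its vhost purely by position, and that only holds because the registering task loops over the same `apache_vhosts_ssl` list in the same order; nothing in the template records this, so a later `when:` on that task or a reordered loop would make the gate undefined or silently wrong. Please document the coupling next to the new `{% if %}`, e.g. `{# apache_ssl_certificates is registered by the stat loop over apache_vhosts_ssl, so results[loop.index0] is this vhost's file #}`. When the flag is false and the file is missing, the vhost is dropped with no trace in the rendered config; an `{% else %}` branch emitting `# vhost {{ vhost.servername }} skipped: certificate file not found` would make the omission visible to whoever later asks why a site is not served. The `<VirtualHost` opening line between the `{% for %}` and `ServerName` is not visible in the hunk as collapsed here, and the `{% if %}` block is closed in the second hunk of this file at new line 66.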