On mar 09, Florian Lohoff wrote:
> Hi,
Hello and welcome to the mailing list. :-)
> I am making my first steps with DebOps and try to set up a Nextcloud.
> I provided an external certificate in
> ansible/secret/pki/realms/by-host/cloud.<dom.main>/
Just to be sure, does the host have 'cloud.dom.ain' as its FQDN? This will be
used by the 'pki' role to copy over the relevant files.
> I can see those files end up on the tar in
> /etc/pki/realms/domain
> on the target.
Hmm, that shouldn't happen. What files are we talking about, specifically?
Show the output of the 'tree /etc/pki/realms/domain' command.
In any case, if you want to provide external certificates to a specific host,
you need to put them in the:
ansible/secret/pki/realms/by-host/cloud.example.org/domain/external/
(cert.pem, intermediate.pem, root.pem)
ansible/secret/pki/realms/by-host/cloud.example.org/domain/private/
(key.pem)
But the 'domain' PKI realm is meant more for the internal services in the
cluster managed by DebOps. I would suggest to create a separate
'cloud.example.org' PKI realm and use it for public-facing services on that
host. To do that, create a file in the inventory:
---
# ansible/inventory/host_vars/cloud.example.org/pki.yml
pki_realms:
  - name: 'cloud.example.org'
    acme: False
This realm will provide external certificates, so we disable the ACME support.
Now, put the files in these directories:
ansible/secret/pki/realms/by-host/cloud.example.org/cloud.example.org/ext...
(cert.pem, intermediate.pem, root.pem)
ansible/secret/pki/realms/by-host/cloud.example.org/cloud.example.org/pri...
(key.pem)
When you re-apply the 'service/pki' role on the host, it should create a new
PKI realm and populate it with the external key and certs you provided.
Afterwards, if you re-run the 'service/nginx' role, it should detect the new
realm 'cloud.example.org', and if you use a server configuration with the same
name, it should automatically switch to the new PKI realm and use the provided
private key and certificates. The 'apache' role should behave similarly.
> Now when the apache role runs it fails because there is
> no /etc/pki/realms/domain/default.crt
> I would have expected a default.crt/default.key to be symlinks to
> the files in external.
> root@cloud:/etc/pki/realms/domain# ls -la
> total 32
> drwxr-xr-x 8 root root 4096 Mar 9 12:46 .
> drwxr-xr-x 3 root root 4096 Mar 9 11:31 ..
> drwxr-x--- 2 root pki-acme 4096 Mar 9 11:31 acme
> lrwxrwxrwx 1 root root 18 Mar 9 11:31 CA.crt -> public/trusted.pem
> drwxr-xr-x 2 root root 4096 Mar 9 11:31 config
> lrwxrwxrwx 1 root root 15 Mar 9 11:31 default.key -> private/key.pem
> drwxr-xr-x 2 root root 4096 Mar 9 11:31 external
> drwxr-xr-x 2 root root 4096 Mar 9 11:31 internal
> drwxr-x--- 2 root ssl-cert 4096 Mar 9 11:31 private
> drwxr-xr-x 2 root root 4096 Mar 9 11:31 public
> lrwxrwxrwx 1 root root 18 Mar 9 11:31 trusted.crt -> public/trusted.pem
> I am a bit puzzled on what little config detail I missed. I have
> no inventory variables mentioning the external certificate. From
> what I understand from the documentation it's enough to drop it
> into the host's directory. OTOH the hostname matches the
> debops.owncloud owncloud__fqdn.
The 'pki' role expects the key and certificate/intermediate certificate files
with specific file names. I'm not sure what happened here; 'ls -la' does not
show the entire directory structure. You can use the 'tree' command to get
a better view.
Anyhow, let me know if the instructions above helped. Keep in mind that the
'pki' role will not try to modify an existing PKI realm; you need to remove
it from the host first to re-create it.
Cheers,
Maciej
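A preflight check for the realm layout described in the reply above, added here as an example; it is not part of DebOps or of this thread. It assumes a Linux control host with a `stat` that accepts `-c '%a'`, the `openssl` CLI, and the file names and paths quoted in the reply (SECRET/HOST/REALM are the caller's values, e.g. ansible/secret, cloud.example.org, cloud.example.org).

```shell
#!/bin/sh
# Preflight check for an external-certificate realm in the DebOps secret store.
# Added for this thread; not part of DebOps. Layout taken from Maciej's reply:
#   SECRET/pki/realms/by-host/HOST/REALM/external/{cert,intermediate,root}.pem
#   SECRET/pki/realms/by-host/HOST/REALM/private/key.pem
# Assumes a Linux control host (GNU/busybox stat) and the openssl CLI.

# check_realm_files SECRET HOST REALM
# Returns 0 when every file the 'pki' role expects is present and non-empty
# and key.pem is readable by its owner only; prints each problem found.
check_realm_files() {
    base="$1/pki/realms/by-host/$2/$3"
    rc=0
    for f in external/cert.pem external/intermediate.pem external/root.pem private/key.pem; do
        if [ ! -s "$base/$f" ]; then
            echo "missing or empty: $base/$f"
            rc=1
        fi
    done
    if [ -f "$base/private/key.pem" ]; then
        mode=$(stat -c '%a' "$base/private/key.pem")
        case "$mode" in
            *00) ;;  # 600, 400, 700: no group/world bits set
            *) echo "private/key.pem is mode $mode, expected owner-only (600)"; rc=1 ;;
        esac
    fi
    return $rc
}

# key_matches_cert KEY CERT
# Hashes the SubjectPublicKeyInfo derived from the private key and the one
# carried in the certificate; equal digests mean the pair belongs together,
# so a wrong key.pem is caught before nginx/apache refuse to start.
key_matches_cert() {
    openssl pkey -in "$1" -noout >/dev/null 2>&1 || { echo "unreadable key: $1"; return 1; }
    openssl x509 -in "$2" -noout >/dev/null 2>&1 || { echo "unreadable cert: $2"; return 1; }
    k=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey \
        | openssl pkey -pubin -pubout -outform DER | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

# Usage: check_realm_files ansible/secret cloud.example.org cloud.example.org
#        key_matches_cert REALM_DIR/private/key.pem REALM_DIR/external/cert.pem
```

Run both checks before applying 'service/pki'; the role populates the realm from whatever it finds, so a misnamed or mismatched file only surfaces later as a web server start failure.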