Merge pull request #279 from louim/add-snake-oil-certs

Allow auto-generation of self signed SSL certificate.

README.md

@@ -93,7 +93,7 @@ Before using Trellis, you must configure your WordPress sites. The `group_vars`
 * `repo` - URL of the Git repo of your Bedrock project (required, used when deploying)
 * `branch` - the branch name, tag name, or commit SHA1 you want to deploy (default: `master`)
 * `ssl` - enable SSL and set paths
-  * `enabled` - `true` or `false` (required, set to `false`)
+  * `enabled` - `true` or `false` (required, set to `false`. Set to `true` without the `key` and `cert` options [to generate a *self-signed* certificate](https://github.com/roots/trellis/wiki/SSL) )
   * `key` - local relative path to private key
   * `cert` - local relative path to certificate
 * `site_install` - whether to install WordPress or not (*development* only, required)
@@ -127,7 +127,7 @@ Outgoing mail is handled by sSMTP. Configure credentials in `group_vars/all`.  S
 
 ## SSL
 
-Full SSL support is available for your WordPress sites. Our HTTPS implementation has all the best practices for performance and security. (Note: default configuration is HTTPS **only**.) See the [SSL wiki](https://github.com/roots/trellis/wiki/SSL).
+Full SSL support is available for your WordPress sites. Trellis will also *auto-generate* self-signed certificates for development purposes. Our HTTPS implementation has all the best practices for performance and security. (Note: default configuration is HTTPS **only**.) See the [SSL wiki](https://github.com/roots/trellis/wiki/SSL).
 
 ## Caching
 

roles/wordpress-setup/tasks/main.yml

@@ -1,5 +1,6 @@
 ---
 - include: database.yml
+- include: self-signed-certificate.yml
 - include: nginx.yml
 
 - name: Create web root

roles/wordpress-setup/tasks/nginx.yml

@@ -2,12 +2,12 @@
 - name: Copy SSL cert
   copy: src="{{ item.value.ssl.cert }}" dest=/etc/nginx/ssl/{{ item.value.ssl.cert | basename }} mode=0640
   with_dict: wordpress_sites
-  when: item.value.ssl.enabled | default(False)
+  when: item.value.ssl.enabled and item.value.ssl.cert is defined | default(False)
 
 - name: Copy SSL key
   copy: src="{{ item.value.ssl.key }}" dest=/etc/nginx/ssl/{{ item.value.ssl.key | basename }} mode=0600
   with_dict: wordpress_sites
-  when: item.value.ssl.enabled | default(False)
+  when: item.value.ssl.enabled and item.value.ssl.key is defined | default(False)
 
 - name: Create includes.d directories
   file: path="/etc/nginx/includes.d/{{ item.key }}" state=directory mode=0755

roles/wordpress-setup/tasks/self-signed-certificate.yml

@@ -0,0 +1,28 @@
+---
+- name: Get existing self-signed certificates
+  shell: find . -name "*_self_signed.pem"
+  args:
+    chdir: /etc/nginx/ssl/
+  register: self_signed_certs
+  changed_when: false
+
+- name: Get self-signed certificates domains
+  shell: openssl x509 -noout -subject -in {{ item | quote }} | sed -n "/^subject/s/^.*CN=//p"
+  register: self_signed_domains
+  args:
+    chdir: /etc/nginx/ssl/
+  with_items: self_signed_certs.stdout_lines
+  changed_when: false
+
+- name: Generate self-signed certificates
+  shell: >
+    openssl req -subj "/CN={{ item.value.site_hosts | first }}" -new
+    -newkey rsa:2048 -days 3650 -nodes -x509 -sha256
+    -keyout {{ item.key }}_self_signed.key -out {{ item.key }}_self_signed.pem
+  args:
+    chdir: /etc/nginx/ssl/
+  with_dict: wordpress_sites
+  when: >
+    item.value.ssl.enabled and item.value.site_hosts | first
+    not in self_signed_domains.results | default([]) | map(attribute='stdout') | list
+  notify: reload nginx

roles/wordpress-setup/templates/wordpress-site.conf.j2

@@ -37,9 +37,16 @@ server {
   add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
   add_header X-Frame-Options SAMEORIGIN;
 
+  {% if item.value.ssl.cert is defined and item.value.ssl.key is defined %}
   ssl_certificate         /etc/nginx/ssl/{{ item.value.ssl.cert | basename }};
   ssl_trusted_certificate /etc/nginx/ssl/{{ item.value.ssl.cert | basename }};
   ssl_certificate_key     /etc/nginx/ssl/{{ item.value.ssl.key | basename }};
+  {% else %}
+  ssl_certificate         /etc/nginx/ssl/{{ item.key }}_self_signed.pem;
+  ssl_trusted_certificate /etc/nginx/ssl/{{ item.key }}_self_signed.pem;
+  ssl_certificate_key     /etc/nginx/ssl/{{ item.key }}_self_signed.key;
+  {% endif %}
+
   {% endif %}
 
   include includes.d/{{ item.key }}/*.conf;