taoeffect · taoeffect · Nov 22, 2014 · Nov 15, 2014 · Nov 22, 2014 · taoeffect
diff --git a/README.md b/README.md
@@ -112,13 +112,10 @@ Lastly, test your certificate:
 
 #### Self-signed TLS certificate
 
-Self-signed certs are free, easy, but are not yet authenticated by TLS (but [will be](https://github.com/okTurtles/dnschain)).
-
-To create a self-signed TLS cert, run the following commands:
+If you don't purchase or set up an existing certificate, empress will generate
+one for you on the server.
 
-    openssl req -nodes -newkey rsa:2048 -keyout roles/common/files/wildcard_private.key -out mycert.csr
-    openssl x509 -req -days 365 -in mycert.csr -signkey roles/common/files/wildcard_private.key -out roles/common/files/wildcard_public_cert.crt
-    cp roles/common/files/wildcard_public_cert.crt roles/common/files/wildcard_ca.pem
+Self-signed certs are free, easy, but are not yet authenticated by TLS (but [will be](https://github.com/okTurtles/dnschain)).
 
 ### 2. Get a Tarsnap machine key
 

diff --git a/roles/common/files/wildcard_ca.pem b/roles/common/files/wildcard_ca.pem
diff --git a/roles/common/files/wildcard_private.key b/roles/common/files/wildcard_private.key
diff --git a/roles/common/files/wildcard_public_cert.crt b/roles/common/files/wildcard_public_cert.crt
diff --git a/roles/common/tasks/ssl.yml b/roles/common/tasks/ssl.yml
@@ -1,15 +1,82 @@
+# https://github.com/ansible/ansible/issues/3107
+- name: Find existing SSL keys
+  sudo: no
+  local_action: command test -e roles/common/files/wildcard_private.key
+  register: custom_cert
+  ignore_errors: yes
+
+### Use an existing (valid?) cert, provided by the user ########################
+
 - name: Copy SSL private key into place
-  copy: src=wildcard_private.key dest=/etc/ssl/private/wildcard_private.key group=ssl-cert owner=root mode=640
+  copy: >
+    src=wildcard_private.key
+    dest=/etc/ssl/private/wildcard_private.key
+    group=ssl-cert owner=root mode=640
+  when: custom_cert|success
 
 - name: Copy SSL public certificate into place
-  copy: src=wildcard_public_cert.crt dest=/etc/ssl/certs/wildcard_public_cert.crt group=root owner=root mode=644
+  copy: >
+    src=wildcard_public_cert.crt
+    dest=/etc/ssl/certs/wildcard_public_cert.crt
+    group=root owner=root mode=644
+  when: custom_cert|success
 
 - name: Copy CA combined certificate into place
-  copy: src=wildcard_ca.pem dest=/etc/ssl/certs/wildcard_ca.pem group=root owner=root mode=644
+  copy: >
+    src=wildcard_ca.pem
+    dest=/etc/ssl/certs/wildcard_ca.pem
+    group=root owner=root mode=644
+  when: custom_cert|success
 
 - name: Create a combined version of the public cert with intermediate and root CAs
-  shell: cat /etc/ssl/certs/wildcard_public_cert.crt /etc/ssl/certs/wildcard_ca.pem >
-    /etc/ssl/certs/wildcard_combined.pem creates=/etc/ssl/certs/wildcard_combined.pem
+  shell: >
+    umask 022;
+    cat /etc/ssl/certs/wildcard_public_cert.crt /etc/ssl/certs/wildcard_ca.pem >
+    /etc/ssl/certs/wildcard_combined.pem
+  args:
+    creates: /etc/ssl/certs/wildcard_combined.pem
+  when: custom_cert|success
+
+### If the user didn't provide one, make a self-signed cert ####################
+
+- name: Copy openssl.cnf
+  template: >
+    src=openssl.cnf.j2
+    dest=/etc/ssl/private/openssl.cnf
+    group=root owner=root mode=644
+  when: custom_cert|failed
+
+- name: Generate a private key and CSR
+  shell: >
+    umask 027;
+    openssl req -nodes -newkey rsa:2048
+    -config /etc/ssl/private/openssl.cnf
+    -keyout /etc/ssl/private/wildcard_private.key
+    -out /etc/ssl/private/wildcard.csr
+  args:
+    creates: /etc/ssl/private/wildcard_private.key
+  when: custom_cert|failed
+
+- name: Set SSL private key permissions
+  file: >
+    path=/etc/ssl/private/wildcard_private.key
+    group=ssl-cert owner=root mode=640
+  when: custom_cert|failed
+
+- name: Generate a self-signed SSL public key
+  shell: >
+    umask 022;
+    openssl x509 -req -days 3650
+    -in /etc/ssl/private/wildcard.csr
+    -signkey /etc/ssl/private/wildcard_private.key
+    -out /etc/ssl/certs/wildcard_public_cert.crt
+  args:
+    creates: /etc/ssl/certs/wildcard_public_cert.crt
+  when: custom_cert|failed
 
-- name: Set permissions on combined public cert
-  file: name=/etc/ssl/certs/wildcard_combined.pem mode=644
+- name: Link public cert to the combined location
+  file: >
+    src=/etc/ssl/certs/wildcard_public_cert.crt
+    dest=/etc/ssl/certs/wildcard_combined.pem
+    state=link
+  when: custom_cert|failed
diff --git a/roles/common/templates/openssl.cnf.j2 b/roles/common/templates/openssl.cnf.j2
@@ -0,0 +1,45 @@
+[ ca ]
+default_ca       = CA_default    # The default ca section
+name_opt         = ca_default    # Subject Name options
+cert_opt         = ca_default    # Certificate field options
+default_days     = 3650          # how long to certify for
+default_crl_days = 30            # how long before next CRL
+default_md       = default       # use public key default MD
+preserve         = no            # keep passed DN ordering
+policy           = policy_anything
+
+[ req ]
+prompt             = no
+default_bits       = 2048
+distinguished_name = req_distinguished_name
+attributes         = req_attributes
+x509_extensions    = v3_ca # The extensions to add to the self signed cert
+string_mask        = utf8only
+req_extensions     = v3_req
+
+[ req_attributes ]
+unstructuredName  = self-signed
+
+[ req_distinguished_name ]
+countryName            = US
+stateOrProvinceName    = self-signed
+localityName           = doesn't matter
+0.organizationName     = filler values
+organizationalUnitName = go here
+commonName             = *.{{ domain }}
+emailAddress           = {{ admin_email }}
+
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage         = nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName   = @alt_names
+
+[ v3_ca ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+basicConstraints = CA:true
+
+[ alt_names ]
+{% for dn in mail_virtual_domains %}
+DNS.{{ loop.index }} = *.{{ dn }}
+{% endfor %}