The *samba-cert* role configures `lego` and HAProxy to obtain an X.509 certificate via the ACME HTTP-01 challenge. HAProxy is necessary because LDAP server certificates need to have the apex domain in their SAN field, and the ACME server may contact *any* domain controller server with an A record for that name. HAProxy will forward the challenge request on to the first available host on port 5000, where `lego` is listening to provide validation.

Issuing certificates this way has a couple of advantages:

1. No need for the wildcard certificate for the *pyrocufflink.blue* domain any more
2. Renewals are automatic and handled by the server itself rather than by Ansible via a scheduled Jenkins job

Item (2) is particularly interesting because it avoids the bi-monthly issue where replacing the LDAP server certificate and restarting Samba causes the Jenkins job to fail.

Naturally, for this to work correctly, all LDAP client applications need to trust the certificates issued by the ACME server, in this case *DCH Root CA R2*.
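The forwarding described above, as an added example of an HAProxy configuration; it is not the role's own template, and the hostnames `dc1`, `dc2` and `dc3.pyrocufflink.blue` are assumed placeholders for the real domain controllers.

```haproxy
# Added example, not the samba-cert role's template.
# Assumed hosts: dc1/dc2/dc3.pyrocufflink.blue (replace with the real DCs).
global
    log stdout format raw local0

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Port 80 on every DC: the ACME server may contact any host that has an
# A record for the apex name, so every DC must answer the challenge.
frontend acme_http
    bind *:80
    acl is_acme_challenge path_beg /.well-known/acme-challenge/
    # Refuse anything that is not an HTTP-01 challenge request.
    http-request deny unless is_acme_challenge
    default_backend lego_http01

# lego listens on port 5000 only while it is solving a challenge, so poll
# often and flip a server up/down after a single check; only the host
# currently running lego passes the TCP check and receives the request.
backend lego_http01
    default-server check inter 1s fall 1 rise 1
    option redispatch
    server dc1 dc1.pyrocufflink.blue:5000
    server dc2 dc2.pyrocufflink.blue:5000
    server dc3 dc3.pyrocufflink.blue:5000
```

Because the deny rule drops everything outside the challenge path, port 80 on the domain controllers serves nothing but the ACME validation traffic.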