senselab/ansible-role-dehydrated
4
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
No description
12 commits 1 branch 0 tags 41 KiB
  • Python 79.8%
  • Jinja 20.2%
Find a file
Exact
Konrad Mohrfeldt 5c9c4ccab0 fix: use custom TLS cert for ALPN 
The default snakeoil cert is not guaranteed to exist or to be readable.
Additionally, it shouldn’t be used, as it may actually be used to
encrypt real traffic.

We only need the key/cert to setup the initial TLS connection. Therefore
we can simply use any basic self-signed certificate.
2026-01-17 23:20:19 +01:00
defaults feat: füge ALPN support hinzu 2026-01-12 16:26:10 +01:00
files fix: use custom TLS cert for ALPN 2026-01-17 23:20:19 +01:00
handlers feat: füge ALPN support hinzu 2026-01-12 16:26:10 +01:00
meta Change author 2023-02-06 23:11:10 +01:00
tasks fix: use custom TLS cert for ALPN 2026-01-17 23:20:19 +01:00
templates feat: füge ALPN support hinzu 2026-01-12 16:26:10 +01:00
.gitignore Add gitignore file 2023-02-06 23:08:33 +01:00
README.md feat: füge ALPN support hinzu 2026-01-12 16:26:10 +01:00

README.md

Dehydrated

Setup and configure Dehydrated.

Features

  • Install dehydrated
  • Accept TOS
  • Create domains.txt and domain directory
  • Create cron job for certificate renewals
  • Configure TLS-ALPN-01 for domains with ALPN challenge

Variables

Name Default Descrition
dehydrated_cron_name Dehydrated certificate renewal Name of the cron job
dehydrated_cron_hour 01 Hour to run the cron job
dehydrated_cron_minute 08 Minute to run the cron job
dehydrated_cron_user root User to create the cron job for
dehydrated_alpn_domains [] Domains for which the ALPN challenge should be used
dehydrated_alpn_proxy_protocol true If incoming requests use PROXY protocol, the ALPN handler needs to know
dehydrated_alpn_upstream_cidr NONE CIDR of the upstream server that proxies requests to the host
dehydrated_alpn_listen_ip NONE IP address to listen on for ALPN requests

TLS-ALPN handler

This role comes with a simple TLS-ALPN handler that intercepts incoming requests, checks if they are an ALPN challenge and proxies them to the ALPN challenge handler.

If you use ALPN handling, your HTTP hosts need to listen on 127.0.0.1, because the ALPN handler will listen on the public IP address of the host (dehydrated_alpn_listen_ip) and will proxy requests to the internal IP address.

Please ensure that you set both dehydrated_alpn_listen_ip and dehydrated_alpn_upstream_cidr to the correct values, if you configured any domains under dehydrated_alpn_domains, so that incoming requests can be proxied correctly.