create dhparam

2017-07-15 23:01:47 +02:00 · 2017-07-15 23:01:47 +02:00 · 8c1db6d5c5
commit 8c1db6d5c5
parent 232964e6d7
3 changed files with 15 additions and 1 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -5,3 +5,6 @@ nginx_open_ports:
 ssl_priv_key: ""
 ssl_intermediate_cert: ""
 ssl_chained_cert: ""
+
+dhparam_size: '4069'
+dhparam_file: '/etc/pki/tls/certs/dhparam-{{dhparam_size}}.pem'
--- a/tasks/config.yml
+++ b/tasks/config.yml
@ -111,6 +111,17 @@
  notify:
    - nginx_reload

+- name: register dhparam file
+  stat:
+    path: "{{ dhparam_file }}"
+  register: dh_file
+
+- name: Generate Diffie-Hellman parameter file
+  shell: "/usr/bin/openssl dhparam -out '{{ dhparam_file }}' {{ dhparam_size }}"
+  async: 3600
+  poll: 60
+  when: dh_file.stat.isfile is not defined
+
 - name: Open ports in iptables
  iptables_raw:
    name: allow_nginx_ports
--- a/templates/etc/nginx/conf.d/tls.conf.j2
+++ b/templates/etc/nginx/conf.d/tls.conf.j2
@ -13,4 +13,4 @@ ssl_stapling_verify on;
 ssl_trusted_certificate /etc/pki/tls/certs/my-intermediate.crt;

 ssl_prefer_server_ciphers on;
-ssl_dhparam /etc/nginx/cert/dhparam.pem;
+ssl_dhparam {{ dhparam_file }};