430 Role vbotka.freebsd.apache HTTPS

Use case

Use the role vbotka.freebsd.certificate to create an SSL certificate. Use the role vbotka.freebsd.apache to configure Apache HTTP Server with SSL/TLS Strong Encryption. Use the iocage property host_hostname to create a jail.

Tree

shell> tree .
.
├── ansible.cfg
├── hosts
├── host_vars
│   ├── iocage_04
│   │   └── ansible-client-apache.yml
│   └── www-2
│       ├── apache.yml
│       └── certificate.yml
├── iocage.ini
├── pb-apache.yml
└── pb-certificate.yml

Synopsis

Requirements

Notes

  • iocage option --name provides “NAME instead of a UUID for the new jail”.

  • iocage property host_hostname provides “The hostname of the jail. Default: UUID”.

  • Make sure DHCP and dynamic DNS are configured so that host_hostname and --name resolve.
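The playbook runs below stop at "Could not resolve hostname www-2" when the name is not yet in DNS. The following pre-flight check is an added example, not part of the vbotka.freebsd roles or playbooks: it lists the hosts declared in an Ansible INI inventory such as hosts or iocage.ini and verifies that each one resolves before ansible-playbook is started. It assumes getent(1) and awk(1) are available on the controller.

```shell
# Print the host names declared in an Ansible INI inventory (first token of
# each host line, so "iocage_04 ansible_host=10.1.0.29" yields "iocage_04").
# Blank lines, comments and the bodies of [group:vars] / [group:children]
# sections are skipped because they do not name hosts.
inventory_hosts() {
  awk '
    /^[[:space:]]*$/   { next }
    /^[[:space:]]*[#;]/ { next }
    /^\[/ { skip = ($0 ~ /:(vars|children)\]/); next }
    !skip { print $1 }
  ' "$1" | sort -u
}

# Return 0 if NAME resolves through the system resolver (hosts file, DNS, ...),
# which is what ssh uses when Ansible connects to the jail by host_hostname.
resolves() {
  getent hosts "$1" >/dev/null 2>&1
}

# Report unresolved names on stdout; the return value is the number of
# unresolved hosts, so 0 means every host is reachable by name.
check_inventory() {
  unresolved=0
  for h in $(inventory_hosts "$1"); do
    if ! resolves "$h"; then
      echo "unresolved: $h"
      unresolved=$((unresolved + 1))
    fi
  done
  return "$unresolved"
}

# Constructed sample inventory mirroring the 'hosts' file of this example.
sample_inventory=$(mktemp)
cat >"$sample_inventory" <<'EOF'
www-2

[www]
www-2

[www:vars]
ansible_user=admin
ansible_become=true
EOF

# Run this before 'ansible-playbook pb-certificate.yml -i hosts'.
check_inventory "$sample_inventory" || echo "configure DHCP/dynamic DNS for the jail first"
rm -f "$sample_inventory"
```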

ansible.cfg

[defaults]
gathering = explicit
callback_result_format = yaml
display_skipped_hosts = false
host_key_checking = false

[connection]
pipelining = true

Inventory iocage.ini

iocage_04 ansible_host=10.1.0.29

[iocage]
iocage_04

[iocage:vars]
ansible_user=admin
ansible_become=true
ansible_python_interpreter=auto_silent

host_vars

host_vars/iocage_04/ansible-client-apache.yml

properties:
  notes: "vmm={{ inventory_hostname }}"
  bpf: 1
  dhcp: 1
  vnet: 1

clones_host_hostname:
  www-2:
    template: ansible_client_apache

host_vars/www-2/apache.yml

apache_install: false
apache_confd: false
apache_servername: www-2
apache_serveradmin: admin@www-2

apache_ssl: true
apache_sslengine: 'on'
apache_sslcertificatekeyfile: "/usr/local/etc/ssl/private/{{ apache_servername }}.key"
apache_sslcertificatefile: "/usr/local/etc/ssl/certs/{{ apache_servername }}.crt"

apache_httpd_conf_modules:
  - {module: socache_shmcb_module, mod: mod_socache_shmcb.so}
  - {module: ssl_module, mod: mod_ssl.so}

apache_directory_blocks:
  - Directory: /usr/local/www/apache24/data/
    Includefile: usr-local-www-apache-data.conf
    Conf:
      - "DirectoryIndex index.html index.htm"
      - "Options Indexes FollowSymLinks"
      - "AllowOverride All"
      - "Require all granted"

host_vars/www-2/certificate.yml

certificate_data_simple:
  - www-2

Create and start the jail

(env) > ansible-playbook vbotka.freebsd.pb_iocage_ansible_clients.yml \
                         -i iocage.ini \
                         -t clone_host_hostname -e clone_host_hostname=true
PLAY [Create and start jails. Optionally stop and destroy jails.] **************

TASK [Get pool.] ***************************************************************
ok: [iocage_04]

TASK [Create clones host_hostname] *********************************************
changed: [iocage_04] => (item=www-2 ansible_client_apache)

TASK [Start clones host_hostname] **********************************************
changed: [iocage_04]

PLAY RECAP *********************************************************************
iocage_04                  : ok=3    changed=2    unreachable=0    failed=0    skipped=8    rescued=0    ignored=0   

Inventory hosts

hosts

www-2

[www]
www-2

[www:vars]
ansible_user=admin
ansible_become=true
ansible_python_interpreter=auto_silent

Playbook pb-certificate.yml

- name: Create SSL certificate.
  hosts: www
  gather_facts: true

  roles:
    - vbotka.freebsd.certificate

Playbook output - Display variables

(env) > ansible-playbook pb-certificate.yml -i hosts \
                         -t certificate_debug -e certificate_debug=true
PLAY [Create SSL certificate.] *************************************************

TASK [Gathering Facts] *********************************************************
[ERROR]: Task failed: Failed to connect to the host via ssh: ssh: Could not resolve hostname www-2: Temporary failure in name resolution

Task failed.

<<< caused by >>>

Failed to connect to the host via ssh: ssh: Could not resolve hostname www-2: Temporary failure in name resolution

fatal: [www-2]: UNREACHABLE! => 
    changed: false
    msg: 'Task failed: Failed to connect to the host via ssh: ssh: Could not resolve hostname
        www-2: Temporary failure in name resolution'
    unreachable: true

PLAY RECAP *********************************************************************
www-2                      : ok=0    changed=0    unreachable=1    failed=0    skipped=0    rescued=0    ignored=0   

Playbook output - Setup

(env) > ansible-playbook pb-certificate.yml -i hosts -t certificate_setup
PLAY [Create SSL certificate.] *************************************************

TASK [Gathering Facts] *********************************************************
[ERROR]: Task failed: Failed to connect to the host via ssh: ssh: Could not resolve hostname www-2: Temporary failure in name resolution

Task failed.

<<< caused by >>>

Failed to connect to the host via ssh: ssh: Could not resolve hostname www-2: Temporary failure in name resolution

fatal: [www-2]: UNREACHABLE! => 
    changed: false
    msg: 'Task failed: Failed to connect to the host via ssh: ssh: Could not resolve hostname
        www-2: Temporary failure in name resolution'
    unreachable: true

PLAY RECAP *********************************************************************
www-2                      : ok=0    changed=0    unreachable=1    failed=0    skipped=0    rescued=0    ignored=0   

Playbook output - Create certificate

(env) > ansible-playbook pb-certificate.yml -i hosts -t certificate_openssl
PLAY [Create SSL certificate.] *************************************************

TASK [Gathering Facts] *********************************************************
[ERROR]: Task failed: Failed to connect to the host via ssh: ssh: Could not resolve hostname www-2: Temporary failure in name resolution

Task failed.

<<< caused by >>>

Failed to connect to the host via ssh: ssh: Could not resolve hostname www-2: Temporary failure in name resolution

fatal: [www-2]: UNREACHABLE! => 
    changed: false
    msg: 'Task failed: Failed to connect to the host via ssh: ssh: Could not resolve hostname
        www-2: Temporary failure in name resolution'
    unreachable: true

PLAY RECAP *********************************************************************
www-2                      : ok=0    changed=0    unreachable=1    failed=0    skipped=0    rescued=0    ignored=0   

Playbook output - Display status

(env) > ansible-playbook pb-certificate.yml -i hosts -t certificate_openssl_stat
PLAY [Create SSL certificate.] *************************************************

TASK [Gathering Facts] *********************************************************
[ERROR]: Task failed: Failed to connect to the host via ssh: ssh: Could not resolve hostname www-2: Temporary failure in name resolution

Task failed.

<<< caused by >>>

Failed to connect to the host via ssh: ssh: Could not resolve hostname www-2: Temporary failure in name resolution

fatal: [www-2]: UNREACHABLE! => 
    changed: false
    msg: 'Task failed: Failed to connect to the host via ssh: ssh: Could not resolve hostname
        www-2: Temporary failure in name resolution'
    unreachable: true

PLAY RECAP *********************************************************************
www-2                      : ok=0    changed=0    unreachable=1    failed=0    skipped=0    rescued=0    ignored=0   

Playbook pb-apache.yml

- name: Create Apache HTTP Server.
  hosts: www
  gather_facts: true

  roles:
    - vbotka.freebsd.apache

Playbook output - Create server

(env) > ansible-playbook pb-apache.yml -i hosts
PLAY [Create Apache HTTP Server.] **********************************************

TASK [Gathering Facts] *********************************************************
[ERROR]: Task failed: Failed to connect to the host via ssh: ssh: Could not resolve hostname www-2: Temporary failure in name resolution

Task failed.

<<< caused by >>>

Failed to connect to the host via ssh: ssh: Could not resolve hostname www-2: Temporary failure in name resolution

fatal: [www-2]: UNREACHABLE! => 
    changed: false
    msg: 'Task failed: Failed to connect to the host via ssh: ssh: Could not resolve hostname
        www-2: Temporary failure in name resolution'
    unreachable: true

PLAY RECAP *********************************************************************
www-2                      : ok=0    changed=0    unreachable=1    failed=0    skipped=0    rescued=0    ignored=0   

Results

  • Certificate

    Issued To
    Common Name (CN)         www-2
    Organization (O)         <Not Part Of Certificate>
    Organizational Unit (OU) <Not Part Of Certificate>
    Issued By
    Common Name (CN)         www-2
    Organization (O)         <Not Part Of Certificate>
    Organizational Unit (OU) <Not Part Of Certificate>
    Validity Period
    Issued On       Sunday, August 17, 2025 at 11:47:09 PM
    Expires On      Wednesday, August 15, 2035 at 11:47:09 PM
    SHA-256 Fingerprints
    Certificate     6700fe438535caeebd164c17ebe2902d989a5ce271ec6d09d61e0b952e633802
    Public Key      19a41208981a380cdae67256e7b14f8f887e776a10111029e1ad136a52db2e5d
    
  • Test the configuration

    (env) > ssh admin@www-2 sudo service apache24 configtest
    Performing sanity check on apache24 configuration:
    Syntax OK
    
  • In a browser, open the page https://www-2/. The content should be

    It works!