Variables to include in server-vars.yml
NGINX_ENABLE_SSL: true
NGINX_SSL_CERTIFICATE: "/path/to/STAR.example.com-bundle.crt"   # leaf cert followed by intermediate(s), see Chaining Certificates below
NGINX_SSL_KEY: "/path/to/STAR.example.com.key"                  # private key: mode 0600, never committed to a repo
NGINX_SET_X_FORWARDED_HEADERS: true   # true if nginx is NOT behind a load balancer (nginx then sets the X-Forwarded-* headers itself)
EDXAPP_LMS_NGINX_PORT: 80
EDXAPP_LMS_SSL_NGINX_PORT: 443
EDXAPP_LMS_PREVIEW_NGINX_PORT: 80
EDXAPP_CMS_NGINX_PORT: 80
EDXAPP_CMS_SSL_NGINX_PORT: 443
nginx_sites:
  - cms
  - lms
  - forum
  - ora
  - xqueue
nginx_default_sites:
  - lms
COMMON_ENABLE_BASIC_AUTH: true
COMMON_HTPASSWD_USER: "user"   # placeholder: use real credentials
COMMON_HTPASSWD_PASS: "pass"   # placeholder: use real credentials
# If Studio is not at the default studio.example.com (e.g. edxstudio.example.com), set
# CMS_HOSTNAME to a server_name pattern that matches it; it drives the redirect within nginx.
CMS_HOSTNAME: '~^((stage|prod)-)?studio.*'
Chaining Certificates
If the CA delivers the server certificate and the intermediate certificate(s) as separate .crt files, concatenate them into a single bundle: the server (leaf) certificate first, then the intermediate(s) in signing order. nginx requires this order, and the root CA certificate does not belong in the bundle. Point NGINX_SSL_CERTIFICATE at the resulting file.
e.g.:
cat STAR.example.com.crt STAR.example.com-intermediate.crt > STAR.example.com-bundle.crt
Use > rather than >> so that re-running the command does not append a second copy of the chain to an existing bundle.
Configuring Nginx with Ansible
Run the nginx role. This is a long command because the nginx templates need default port numbers and locations from several other roles. Ansible applies -e arguments in order with later ones winning, so specify server-vars.yml after all the role defaults so that it overrides them. The two inline -e JSON values come after server-vars.yml and therefore override the nginx_sites and nginx_default_sites lists from that file; drop them if the lists in server-vars.yml should be used as-is.
ansible-playbook ./run_role.yml -vvvv -i "localhost," -c local -e role=nginx \
  -e@/edx/app/edx_ansible/edx_ansible/playbooks/roles/edxapp/defaults/main.yml \
  -e@/edx/app/edx_ansible/edx_ansible/playbooks/roles/forum/defaults/main.yml \
  -e@/edx/app/edx_ansible/edx_ansible/playbooks/roles/xqueue/defaults/main.yml \
  -e@/edx/app/edx_ansible/edx_ansible/playbooks/roles/certs/defaults/main.yml \
  -e@/edx/app/edx_ansible/server-vars.yml \
  -e '{"nginx_sites": ["lms", "cms"]}' \
  -e '{"nginx_default_sites": ["lms"]}'
The customer should provide a wildcard SSL certificate for *.learning.example.com with a Subject Alternative Name (SAN) entry for learning.example.com.
The wildcard covers exactly one label to the left of learning.example.com, for example:
studio.learning.example.com
preview.learning.example.com
It does not cover the bare domain (nor deeper names such as a.b.learning.example.com), so the SAN is needed to cover:
learning.example.com
Generating a CSR.
Use the website:
https://www.digicert.com/easy-csr/openssl.htm
and provide the required information:
e.g.
Common Name: example.com
Organization: NodeRabbit Inc.
Department: Appsembler
City: Cambridge
State/Province: Massachusetts
Country: US (the two-letter country code, as it appears in the -subj string)
Key Size: 2048
The page then produces a command like:
openssl req -new -newkey rsa:2048 -nodes -out example_com.csr -keyout example_com.key -subj "/C=US/ST=Massachusetts/L=Cambridge/O=NodeRabbit Inc./OU=Appsembler/CN=example.com"
Run this command in a terminal with OpenSSL installed and it writes two files:
example_com.csr (the certificate signing request: this is what goes to the CA; it is not yet a certificate)
example_com.key (the private key: keep it on the server with mode 0600 and never send it to the CA; it becomes NGINX_SSL_KEY)
When providing the CSR file to the CA, be sure to ask for a SAN that covers the subdomains (in this case: *.example.com). Browsers ignore the Common Name and match the hostname only against the SAN list, so every name the certificate must serve, including the one in the CN, has to appear in the SAN.
Note:
all certs from now on (1/1/16) should be generated with the -sha256 flag. The CA chooses the hash algorithm for the certificate it issues, but many CAs reject SHA-1-signed CSRs and browsers (Chrome in particular) no longer trust SHA-1-signed certificates, so sign the CSR with SHA-256. OpenSSL 1.1.0 and later already default to SHA-256; on older versions the flag is required. Change the above example to:
openssl req -new -newkey rsa:2048 -nodes -out example_com.csr -keyout example_com.key -subj "/C=US/ST=Massachusetts/L=Cambridge/O=NodeRabbit Inc./OU=Appsembler/CN=example.com" -sha256
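The following walk-through is an added example, not part of the original notes or the edx_ansible project. It ties together the CSR section above and the Chaining Certificates and wildcard/SAN sections: it generates the key and a SHA-256-signed CSR with the SAN embedded in the request, has a throwaway root + intermediate CA (standing in for the commercial CA) sign it, bundles leaf + intermediate in the order nginx needs, and then checks the CSR hash, the bundle order, chain validity and which hostnames the certificate covers. The work directory, the test-CA subjects and all file names are assumptions for the demo only; the DN values are the ones from the CSR example above.

```shell
#!/bin/sh
# Added example (not from the original notes): CSR -> test CA -> bundle -> checks.
# Assumptions: a throwaway "Demo Root CA" / "Demo Intermediate CA", files under
# $WORK, and learning.example.com as the customer domain.
set -eu

WORK="${WORK:-$(mktemp -d)}"
DOMAIN="learning.example.com"
CNF="$WORK/openssl.cnf"

# Minimal OpenSSL config: a DN section (overridden by -subj), CA extensions
# for the test CA, and the SAN covering *.$DOMAIN plus the apex $DOMAIN.
write_config() {
  cat > "$CNF" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf_req]
subjectAltName = DNS:*.$DOMAIN,DNS:$DOMAIN
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:*.$DOMAIN,DNS:$DOMAIN
EOF
}

# Step 1: private key + CSR, signed with SHA-256, SAN embedded in the request.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$CNF" -reqexts v3_leaf_req \
    -subj "/C=US/ST=Massachusetts/L=Cambridge/O=NodeRabbit Inc./OU=Appsembler/CN=*.$DOMAIN" \
    -keyout "$WORK/STAR.$DOMAIN.key" -out "$WORK/STAR.$DOMAIN.csr" 2>/dev/null
}

# Step 2: throwaway root + intermediate CA standing in for the commercial CA.
make_test_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 -config "$CNF" \
    -extensions v3_ca -subj "/CN=Demo Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$CNF" \
    -subj "/CN=Demo Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$WORK/int.csr" \
    -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$CNF" -extensions v3_ca -out "$WORK/int.crt" 2>/dev/null
}

# Step 3: the intermediate signs the leaf. "x509 -req" does not copy extensions
# from the CSR, so the SAN is applied again from the config (as a real CA would).
sign_leaf() {
  openssl x509 -req -sha256 -days 30 -in "$WORK/STAR.$DOMAIN.csr" \
    -CA "$WORK/int.crt" -CAkey "$WORK/int.key" -CAcreateserial \
    -extfile "$CNF" -extensions v3_leaf -out "$WORK/STAR.$DOMAIN.crt" 2>/dev/null
}

# Step 4: the file for NGINX_SSL_CERTIFICATE: leaf FIRST, then the intermediate.
make_bundle() {
  cat "$WORK/STAR.$DOMAIN.crt" "$WORK/int.crt" > "$WORK/STAR.$DOMAIN-bundle.crt"
}

build_all() {
  write_config && make_csr && make_test_ca && sign_leaf && make_bundle
}

# Checks: each returns 0 on success so it can be used in a conditional.
csr_uses_sha256() {
  openssl req -in "$WORK/STAR.$DOMAIN.csr" -noout -text | grep -q 'sha256WithRSAEncryption'
}
bundle_leaf_first() {
  # "x509" reads only the first PEM block, so its subject must be the leaf's.
  openssl x509 -in "$WORK/STAR.$DOMAIN-bundle.crt" -noout -subject | grep -q "CN *= *\*\.$DOMAIN"
}
chain_verifies() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/STAR.$DOMAIN-bundle.crt" \
    "$WORK/STAR.$DOMAIN.crt" >/dev/null 2>&1
}
cert_covers() {
  # Wildcards match exactly one label; the apex is covered only by its own SAN entry.
  openssl x509 -in "$WORK/STAR.$DOMAIN.crt" -noout -checkhost "$1" | grep -q 'does match'
}

main() {
  build_all
  for h in "studio.$DOMAIN" "preview.$DOMAIN" "$DOMAIN" "deep.sub.$DOMAIN" "other.example.com"; do
    if cert_covers "$h"; then echo "covered:     $h"; else echo "NOT covered: $h"; fi
  done
  chain_verifies && echo "chain verifies; bundle is in $WORK"
}

# Usage: sh chain-demo.sh demo
case "${1:-}" in demo) main ;; esac
```

The same three checks (CSR hash, bundle order, chain validity) are worth running against the real CA-issued files before pointing NGINX_SSL_CERTIFICATE at them: substitute the CA's root for root.crt in chain_verifies and the delivered leaf and intermediate for the generated ones.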