Templatize the changes required to fix ssl cipher handshake issues.

ansible/roles/acmedns_syno_updater/tasks/main.yml

@@ -37,6 +37,9 @@
     user: "{{ acmedns_syno_updater_user }}"
     cron_file: "{{ acmedns_syno_updater_cron_file }}"
 
+- name: Copy a new "httpd-ssl.conf-cipher" file into place
+  template: src=acmedns_httpd-ssl.conf-cipher dest=/etc/acmedns/certificates/storage/certificates/httpd-ssl.conf-cipher owner=root mode=0644
+
 - name: Run wrapper script once
   # Wrapper script passes --days, so this won't contact Let's Encrypt unless necessary
   command: "{{ acmedns_syno_updater_script_path }}"

ansible/roles/acmedns_syno_updater/templates/acmedns_httpd-ssl.conf-cipher

@@ -0,0 +1,18 @@
+AddType application/x-x509-ca-cert  .crt
+AddType application/x-pkcs7-crl     .crl
+
+SSLCertificateFile      "/usr/local/etc/certificate/WebDAVServer/webdav/cert.pem"
+SSLCertificateKeyFile   "/usr/local/etc/certificate/WebDAVServer/webdav/privkey.pem"
+
+SSLCertificateChainFile /usr/local/etc/certificate/WebDAVServer/webdav/fullchain.pem
+
+#SSLCACertificatePath "/etc/httpd/conf/ssl.crt"
+#SSLCACertificateFile "/etc/httpd/conf/ssl.crt/ca-bundle.crt"
+
+#SSLCARevocationPath "/etc/httpd/conf/ssl.crl"
+#SSLCARevocationFile "/etc/httpd/conf/ssl.crl/ca-bundle.crl"
+
+
+SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
+SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+SSLHonorCipherOrder     off

ansible/roles/acmedns_syno_updater/templates/acmedns_update.sh.j2

@@ -33,6 +33,7 @@ chown -R root:root "$tmppath"
 mv $tmppath/{{ acmedns_syno_updater_domain }}.crt /usr/syno/etc/certificate/system/default/fullchain.pem
 mv $tmppath/{{ acmedns_syno_updater_domain }}.key /usr/syno/etc/certificate/system/default/privkey.pem
 # fix webdav shit
+mv $tmppath/httpd-ssl.conf-cipher /var/packages/WebDAVServer/target/etc/httpd/conf/extra
 cp /usr/syno/etc/certificate/system/default/fullchain.pem /usr/local/etc/certificate/WebDAVServer/webdav/
 cp /usr/syno/etc/certificate/system/default/privkey.pem /usr/local/etc/certificate/WebDAVServer/webdav/
 # end fixing webdav shit