--- |
WK |
2 |
## Request Let's Encrypt Certificates for a host |
|
3 |
- name: Set Certbot directory |
|
4 |
set_fact: |
|
5 |
_certbot_dir: "{{ _certbot_remote_dir }}/certbot" |
|
6 |
|
2f745d
|
7 |
- name: Check on AWS credentials |
caefa6
|
8 |
when: _certbot_dns_provider is match('route53') |
2f745d
|
9 |
block: |
NS |
10 |
- name: Verify if AWS Credentials exist on the host |
|
11 |
stat: |
|
12 |
path: "/home/{{ ansible_user }}/.aws/credentials" |
|
13 |
register: aws_credentials_result |
b85c91
|
14 |
|
2f745d
|
15 |
- name: Fail if AWS Credentials are not on the host |
NS |
16 |
fail: |
|
17 |
msg: AWS Credentials are required when requesting certificates for a wildcard domain |
|
18 |
when: aws_credentials_result.stat.exists == False |
caefa6
|
19 |
|
2f745d
|
20 |
- name: Check on DDNS credentials |
NS |
21 |
when: _certbot_dns_provider is match('rfc2136') |
|
22 |
block: |
|
23 |
- name: Verify credential are present on host |
b85c91
|
24 |
when: _certbot_dns_provider is match('rfc2136') |
2f745d
|
25 |
stat: |
NS |
26 |
path: /home/{{ _certbot_user }}/.rfc2136.ini |
|
27 |
register: ddns_credentials_result |
|
28 |
|
|
29 |
- name: Fail if DDNS credentials are missing |
|
30 |
fail: |
|
31 |
msg: You need a key and secret to update DNS |
|
32 |
when: ddns_credentials_result.stat.exists == False |
caefa6
|
33 |
|
WK |
34 |
- name: Set _certbot_wildcard_certs fact |
5b4c35
|
35 |
set_fact: |
caefa6
|
36 |
_certbot_wildcard_certs: "{{ (_certbot_wildcard_domain|length|int>0)|ternary('true','false') }}" |
WK |
37 |
|
|
38 |
- name: Test if Let's Encrypt Certificates are already there |
|
39 |
stat: |
|
40 |
path: "{{ _certbot_install_dir }}/fullchain.pem" |
|
41 |
register: cacert |
|
42 |
|
|
43 |
- name: No Certificates on host or _certbot_force_issue=true -> set up Let's Encrypt Certificates |
|
44 |
when: |
|
45 |
- cacert.stat.exists|bool == false or _certbot_force_issue|bool |
|
46 |
block: |
0b1859
|
47 |
# We expect Python3 and Python3-pip to be installed |
WK |
48 |
# They should be on the bastion that this role is running |
816b92
|
49 |
|
0b1859
|
50 |
# The requirements_certbot.txt file has the Python modules |
WK |
51 |
# For certbot, certbot-dns-route53 and certbot-dns-rfc2136 |
|
52 |
- name: Copy requirements_certbot.txt to target for certbot virtualenv |
|
53 |
copy: |
|
54 |
src: ./files/requirements_certbot.txt |
|
55 |
dest: /tmp/requirements_certbot.txt |
5b4c35
|
56 |
|
0b1859
|
57 |
# The next two commands need to be run as _certbot_user in order to set up the correct permissions |
WK |
58 |
# Running without will create links to /root/.local/... which won't be readable |
|
59 |
- name: Create Virtualenv Certbot |
7b32c1
|
60 |
become: True |
0b1859
|
61 |
become_user: "{{ _certbot_user }}" |
WK |
62 |
command: "/usr/local/bin/virtualenv -p /usr/bin/python3 {{ _certbot_virtualenv }}" |
|
63 |
|
|
64 |
- name: Install Certbot into Virtualenv |
|
65 |
become: true |
|
66 |
become_user: "{{ _certbot_user }}" |
|
67 |
command: "{{ _certbot_virtualenv }}/bin/pip3 install -r /tmp/requirements_certbot.txt" |
|
68 |
|
|
69 |
- name: Copy certbot script to virtualenv |
7b32c1
|
70 |
template: |
WK |
71 |
src: ./templates/run-certbot.j2 |
0b1859
|
72 |
dest: "{{ _certbot_virtualenv }}/bin/run-certbot" |
7b32c1
|
73 |
owner: "{{ _certbot_user }}" |
WK |
74 |
mode: 0755 |
caefa6
|
75 |
|
7b32c1
|
76 |
- name: Check if cached certificate archive exists |
WK |
77 |
become: false |
|
78 |
stat: |
|
79 |
path: "{{ _certbot_cache_archive_file }}" |
|
80 |
delegate_to: localhost |
|
81 |
register: cache_archive_file |
caefa6
|
82 |
|
b85c91
|
83 |
- name: Ensure Certbot Directories are present |
RM |
84 |
file: |
|
85 |
name: "{{ item }}" |
|
86 |
state: directory |
|
87 |
owner: "{{ _certbot_remote_dir_owner }}" |
|
88 |
mode: 0775 |
|
89 |
loop: |
|
90 |
- "{{ _certbot_dir }}" |
|
91 |
- "{{ _certbot_dir }}/config" |
|
92 |
- "{{ _certbot_dir }}/work" |
|
93 |
- "{{ _certbot_dir }}/logs" |
|
94 |
|
7b32c1
|
95 |
- name: Restore entire certificate archive |
WK |
96 |
when: |
|
97 |
- _certbot_use_cache|bool |
|
98 |
- cache_archive_file.stat.exists|bool |
|
99 |
- not _certbot_force_issue|bool |
|
100 |
block: |
|
101 |
- name: Upload certificate archive |
|
102 |
unarchive: |
|
103 |
src: "{{ _certbot_cache_archive_file }}" |
|
104 |
dest: "{{ _certbot_remote_dir }}" |
|
105 |
owner: "{{ _certbot_install_dir_owner }}" |
|
106 |
keep_newer: yes |
|
107 |
- name: Set _certbot_setup_complete=true |
|
108 |
set_fact: |
|
109 |
_certbot_setup_complete: true |
|
110 |
|
|
111 |
- name: Request Certificates from Let's Encrypt (force or no cache) |
|
112 |
when: |
|
113 |
- _certbot_force_issue|bool or not _certbot_setup_complete|bool |
|
114 |
block: |
|
115 |
# Get Intermediary CA Certificate. |
|
116 |
# This is also used in the SSO configuration! |
|
117 |
- name: Get Let's Encrypt Intermediary CA Certificate |
|
118 |
get_url: |
|
119 |
url: https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt |
|
120 |
dest: "{{ _certbot_dir }}/lets-encrypt-x3-cross-signed.pem" |
|
121 |
- name: Print Shell Command |
|
122 |
debug: |
|
123 |
msg: >- |
|
124 |
About to request certificates using the following command: |
|
125 |
certbot certonly -n --agree-tos --email {{ _certbot_le_email }} |
|
126 |
-d {{ _certbot_domain }} |
|
127 |
{{ (_certbot_wildcard_domain|length>0)|ternary('-d','')}} {{ (_certbot_wildcard_domain|length>0)|ternary(_certbot_wildcard_domain,'')}} |
|
128 |
{{ (_certbot_wildcard_certs|bool)|ternary('--dns-'+_certbot_dns_provider, '') }} |
|
129 |
--config-dir={{ _certbot_dir }}/config |
|
130 |
--work-dir={{ _certbot_dir }}/work |
|
131 |
--logs-dir={{ _certbot_dir }}/logs |
|
132 |
{{ (_certbot_production|bool)|ternary('','--test-cert') }} |
|
133 |
{{ _certbot_additional_args|d(_certbot_args)|d('') }} |
|
134 |
|
|
135 |
- name: Request API and Wildcard Certificates |
|
136 |
# become: false |
|
137 |
become_user: "{{ _certbot_user }} " |
0b1859
|
138 |
command: "{{ _certbot_virtualenv }}/bin/run-certbot" |
7b32c1
|
139 |
retries: 5 |
WK |
140 |
delay: 30 |
|
141 |
register: r_request_le |
|
142 |
until: r_request_le is succeeded |
|
143 |
|
|
144 |
- name: Save certificates to cache |
caefa6
|
145 |
when: |
WK |
146 |
- _certbot_use_cache|bool |
7b32c1
|
147 |
- _certbot_cache_archive_file is defined |
WK |
148 |
- _certbot_cache_archive_file|trim != "" |
caefa6
|
149 |
block: |
7b32c1
|
150 |
- name: Create archive of certbot directory for cache |
WK |
151 |
archive: |
|
152 |
path: "{{ _certbot_dir }}" |
|
153 |
dest: "/tmp/certbot.tgz" |
|
154 |
- name: Save certbot archive to cache |
|
155 |
fetch: |
|
156 |
src: "/tmp/certbot.tgz" |
|
157 |
dest: "{{ _certbot_cache_archive_file }}" |
|
158 |
flat: yes |
|
159 |
- name: Remove archive from server |
|
160 |
file: |
|
161 |
name: "/tmp/certbot.tgz" |
|
162 |
state: absent |
caefa6
|
163 |
|
WK |
164 |
- name: Install the certificates into {{ _certbot_install_dir }} |
|
165 |
block: |
|
166 |
- name: Ensure {{ _certbot_install_dir }} exists |
|
167 |
file: |
|
168 |
path: "{{ _certbot_install_dir }}" |
|
169 |
state: directory |
|
170 |
owner: "{{ _certbot_install_dir_owner }}" |
|
171 |
mode: 0775 |
2f745d
|
172 |
|
caefa6
|
173 |
- name: Install certificates |
WK |
174 |
copy: |
|
175 |
src: "{{ _certbot_dir }}/config/live/{{ _certbot_domain }}/{{ item }}" |
|
176 |
dest: "{{ _certbot_install_dir }}/{{ item }}" |
|
177 |
remote_src: yes |
|
178 |
loop: |
|
179 |
- "cert.pem" |
|
180 |
- "fullchain.pem" |
|
181 |
- "chain.pem" |
|
182 |
- "privkey.pem" |
|
183 |
|
2f745d
|
184 |
- name: Set _certbot_setup_complete to true |
NS |
185 |
set_fact: |
|
186 |
_certbot_setup_complete: true |
|
187 |
|
e3cb5c
|
188 |
- name: Install Automatic renewals of Certificates |
WK |
189 |
when: |
|
190 |
- _certbot_renew_automatically|bool |
|
191 |
block: |
|
192 |
- name: Install crontab to renew certificates when they expire |
|
193 |
become: False |
|
194 |
cron: |
0d0d0e
|
195 |
name: "{{ _certbot_cron_job_name }}" |
e3cb5c
|
196 |
special_time: daily |
WK |
197 |
job: "certbot renew {{ _certbot_additional_args|d(_certbot_args)|d('') }} --config-dir={{ _certbot_dir }}/config --work-dir={{ _certbot_dir }}/work --logs-dir={{ _certbot_dir }}/logs --quiet > /dev/null" |