---
|
## Request Let's Encrypt Certificates for a host
|
- name: Set Certbot directory
|
set_fact:
|
_certbot_dir: "{{ _certbot_remote_dir }}/certbot"
|
|
- name: Verify if AWS Credentials exist on the host
|
when: _certbot_dns_provider is match('route53')
|
stat:
|
path: "/home/{{ ansible_user }}/.aws/credentials"
|
register: aws_credentials_result
|
|
- name: Fail if AWS Credentials are not on the host
|
fail:
|
msg: AWS Credentials are required when requesting certificates for a wildcard domain
|
when:
|
- _certbot_dns_provider is match('route53')
|
- aws_credentials_result.stat.exists == False
|
|
- name: Set _certbot_wildcard_certs fact
|
set_fact:
|
_certbot_wildcard_certs: "{{ (_certbot_wildcard_domain|length|int>0)|ternary('true','false') }}"
|
|
- name: Test if Let's Encrypt Certificates are already there
|
stat:
|
path: "{{ _certbot_install_dir }}/fullchain.pem"
|
register: cacert
|
|
- name: No Certificates on host or _certbot_force_issue=true -> set up Let's Encrypt Certificates
|
when:
|
- cacert.stat.exists|bool == false or _certbot_force_issue|bool
|
block:
|
- name: Install certbot packages
|
become: True
|
yum:
|
name:
|
- certbot
|
- "python2-certbot-dns-{{ _certbot_dns_provider }}"
|
state: latest
|
|
- name: Check if cached certificate archive exists
|
stat:
|
path: "{{ _certbot_cache_archive_file }}"
|
delegate_to: localhost
|
register: cache_archive_file
|
|
- name: Restore entire certificate archive
|
when:
|
- _certbot_use_cache|bool
|
- cache_archive_file.stat.exists|bool
|
- not _certbot_force_issue|bool
|
block:
|
- name: Upload certificate archive
|
unarchive:
|
src: "{{ _certbot_cache_archive_file }}"
|
dest: "{{ _certbot_remote_dir }}"
|
owner: "{{ _certbot_install_dir_owner }}"
|
keep_newer: yes
|
- name: Set _certbot_setup_complete=true
|
set_fact:
|
_certbot_setup_complete: true
|
|
- name: Ensure Certbot Directories are present
|
file:
|
name: "{{ item }}"
|
state: directory
|
owner: "{{ _certbot_remote_dir_owner }}"
|
mode: 0775
|
loop:
|
- "{{ _certbot_dir }}"
|
- "{{ _certbot_dir }}/config"
|
- "{{ _certbot_dir }}/work"
|
- "{{ _certbot_dir }}/logs"
|
- "{{ _certbot_dir }}/renewal-hooks"
|
- "{{ _certbot_dir }}/renewal-hooks/deploy"
|
|
- name: Request Certificates from Let's Encrypt (force or no cache)
|
when:
|
- _certbot_force_issue|bool or not _certbot_setup_complete|bool
|
block:
|
# Get Intermediary CA Certificate.
|
# This is also used in the SSO configuration!
|
- name: Get Let's Encrypt Intermediary CA Certificate
|
get_url:
|
url: https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt
|
dest: "{{ _certbot_dir }}/lets-encrypt-x3-cross-signed.pem"
|
- name: Print Shell Command
|
debug:
|
msg: >-
|
About to request certificates using the following command:
|
certbot certonly -n --agree-tos --email {{ _certbot_le_email }}
|
-d {{ _certbot_domain }}
|
{{ (_certbot_wildcard_domain|length>0)|ternary('-d','')}} {{ (_certbot_wildcard_domain|length>0)|ternary(_certbot_wildcard_domain,'')}}
|
{{ (_certbot_production|bool)|ternary('','--test-cert') }}
|
{{ _certbot_additional_args|d(_certbot_args)|d('') }}
|
{{ (_certbot_wildcard_certs|bool)|ternary('--dns-'+_certbot_dns_provider, '') }}
|
--config-dir={{ _certbot_dir }}/config
|
--work-dir={{ _certbot_dir }}/work
|
--logs-dir={{ _certbot_dir }}/logs
|
|
- name: Request API and Wildcard Certificates
|
become: False
|
shell: >-
|
certbot certonly -n --agree-tos --email {{ _certbot_le_email }}
|
-d {{ _certbot_domain }}
|
{{ (_certbot_wildcard_domain|length>0)|ternary('-d','')}} {{ (_certbot_wildcard_domain|length>0)|ternary(_certbot_wildcard_domain,'')}}
|
{{ (_certbot_production|bool)|ternary('','--test-cert') }}
|
{{ _certbot_additional_args|d(_certbot_args)|d('') }}
|
{{ (_certbot_wildcard_certs|bool)|ternary('--dns-'+_certbot_dns_provider, '') }}
|
--config-dir={{ _certbot_dir }}/config
|
--work-dir={{ _certbot_dir }}/work
|
--logs-dir={{ _certbot_dir }}/logs
|
retries: 5
|
delay: 30
|
register: r_request_le
|
until: r_request_le is succeeded
|
|
- name: Save certificates to cache
|
when:
|
- _certbot_use_cache|bool
|
- _certbot_cache_archive_file is defined
|
- _certbot_cache_archive_file|trim != ""
|
block:
|
- name: Create archive of certbot directory for cache
|
archive:
|
path: "{{ _certbot_dir }}"
|
dest: "/tmp/certbot.tgz"
|
- name: Save certbot archive to cache
|
fetch:
|
src: "/tmp/certbot.tgz"
|
dest: "{{ _certbot_cache_archive_file }}"
|
flat: yes
|
- name: Remove archive from server
|
file:
|
name: "/tmp/certbot.tgz"
|
state: absent
|
|
- name: Install the certificates into {{ _certbot_install_dir }}
|
block:
|
- name: Ensure {{ _certbot_install_dir }} exists
|
file:
|
path: "{{ _certbot_install_dir }}"
|
state: directory
|
owner: "{{ _certbot_install_dir_owner }}"
|
mode: 0775
|
- name: Install certificates
|
copy:
|
src: "{{ _certbot_dir }}/config/live/{{ _certbot_domain }}/{{ item }}"
|
dest: "{{ _certbot_install_dir }}/{{ item }}"
|
remote_src: yes
|
loop:
|
- "cert.pem"
|
- "fullchain.pem"
|
- "chain.pem"
|
- "privkey.pem"
|
|
- name: Install Automatic renewals of Certificates
|
when:
|
- _certbot_renew_automatically|bool
|
block:
|
- name: Install crontab to renew certificates when they expire
|
become: False
|
cron:
|
name: "{{ _certbot_cron_job_name }}"
|
special_time: daily
|
job: "certbot renew {{ _certbot_additional_args|d(_certbot_args)|d('') }} --config-dir={{ _certbot_dir }}/config --work-dir={{ _certbot_dir }}/work --logs-dir={{ _certbot_dir }}/logs --quiet > /dev/null"
|