---
## Request Let's Encrypt Certificates for a host

# Working directory for certbot's config/work/logs trees, created below the
# role's remote directory; every later task derives its paths from this fact.
- name: Set Certbot directory
  set_fact:
    _certbot_dir: "{{ _certbot_remote_dir }}/certbot"

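# Route53 DNS challenges need AWS credentials on the target host; fail early
# with a clear message instead of letting certbot error out mid-run.
- name: Check on AWS credentials
  when: _certbot_dns_provider is match('route53')
  block:
    # NOTE(review): this looks under ansible_user's home, while the rfc2136
    # check and the certbot tasks run as _certbot_user — confirm both are the
    # same account, otherwise the check passes for the wrong user.
    - name: Verify if AWS Credentials exist on the host
      stat:
        path: "/home/{{ ansible_user }}/.aws/credentials"
      register: aws_credentials_result

    # `not x` is the idiomatic form of the previous `x == False` comparison.
    - name: Fail if AWS Credentials are not on the host
      fail:
        msg: AWS Credentials are required when requesting certificates for a wildcard domain
      when: not aws_credentials_result.stat.exists
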
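# rfc2136 (dynamic DNS update) challenges need the key/secret ini file on the
# host; fail early with a clear message.
- name: Check on DDNS credentials
  when: _certbot_dns_provider is match('rfc2136')
  block:
    # The provider check on the enclosing block already gates this task, so the
    # per-task `when` that repeated the same condition was dropped.
    - name: Verify credential are present on host
      stat:
        path: "/home/{{ _certbot_user }}/.rfc2136.ini"
      register: ddns_credentials_result

    # `not x` is the idiomatic form of the previous `x == False` comparison.
    - name: Fail if DDNS credentials are missing
      fail:
        msg: You need a key and secret to update DNS
      when: not ddns_credentials_result.stat.exists
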
# Wildcard certificates are requested only when a wildcard domain was given.
# The fact is kept as the strings 'true'/'false' because later tasks read it
# through the `bool` filter; `length` already yields an int, so no extra cast.
- name: Set _certbot_wildcard_certs fact
  set_fact:
    _certbot_wildcard_certs: "{{ (_certbot_wildcard_domain | length > 0) | ternary('true', 'false') }}"

# fullchain.pem in the install dir is the marker for "certificates already
# issued"; the setup block below is skipped on it unless _certbot_force_issue.
- name: Test if Let's Encrypt Certificates are already there
  stat:
    path: "{{ _certbot_install_dir }}/fullchain.pem"
  register: cacert

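# Full issuance path: build a certbot virtualenv, restore a cached certificate
# tree from the controller when allowed, otherwise request new certificates,
# then install the PEM files into _certbot_install_dir.
- name: No Certificates on host or _certbot_force_issue=true -> set up Let's Encrypt Certificates
  when:
    - not cacert.stat.exists or _certbot_force_issue | bool
  block:
    # We expect Python3 and Python3-pip to be installed
    # They should be on the bastion that this role is running

    # The requirements_certbot.txt file has the Python modules
    # For certbot, certbot-dns-route53 and certbot-dns-rfc2136
    # NOTE(review): pip installs from this file as _certbot_user; confirm the
    # requirements pin versions (ideally hashes) so the package set that ends
    # up handling private keys is reproducible.
    - name: Copy requirements_certbot.txt to target for certbot virtualenv
      copy:
        src: ./files/requirements_certbot.txt
        dest: /tmp/requirements_certbot.txt

    # The next two commands need to be run as _certbot_user in order to set up the correct permissions
    # Running without will create links to /root/.local/... which won't be readable
    - name: Create Virtualenv Certbot
      become: true
      become_user: "{{ _certbot_user }}"
      command: "/usr/local/bin/virtualenv -p /usr/bin/python3 {{ _certbot_virtualenv }}"

    - name: Install Certbot into Virtualenv
      become: true
      become_user: "{{ _certbot_user }}"
      command: "{{ _certbot_virtualenv }}/bin/pip3 install -r /tmp/requirements_certbot.txt"

    # run-certbot presumably wraps the certonly invocation echoed by "Print
    # Shell Command" below — confirm against templates/run-certbot.j2.
    # Modes are quoted strings so the octal value survives any YAML parser.
    - name: Copy certbot script to virtualenv
      template:
        src: ./templates/run-certbot.j2
        dest: "{{ _certbot_virtualenv }}/bin/run-certbot"
        owner: "{{ _certbot_user }}"
        mode: "0755"

    # The cache archive lives on the controller, so look for it there.
    - name: Check if cached certificate archive exists
      become: false
      stat:
        path: "{{ _certbot_cache_archive_file }}"
      delegate_to: localhost
      register: cache_archive_file

    - name: Ensure Certbot Directories are present
      file:
        name: "{{ item }}"
        state: directory
        owner: "{{ _certbot_remote_dir_owner }}"
        mode: "0775"
      loop:
        - "{{ _certbot_dir }}"
        - "{{ _certbot_dir }}/config"
        - "{{ _certbot_dir }}/work"
        - "{{ _certbot_dir }}/logs"

    - name: Restore entire certificate archive
      when:
        - _certbot_use_cache | bool
        - cache_archive_file.stat.exists | bool
        - not _certbot_force_issue | bool
      block:
        - name: Upload certificate archive
          unarchive:
            src: "{{ _certbot_cache_archive_file }}"
            dest: "{{ _certbot_remote_dir }}"
            owner: "{{ _certbot_install_dir_owner }}"
            keep_newer: true
        - name: Set _certbot_setup_complete=true
          set_fact:
            _certbot_setup_complete: true

    # _certbot_setup_complete is only set by the restore step above; default it
    # so this condition does not fail on an undefined variable when no cache
    # was restored.
    - name: Request Certificates from Let's Encrypt (force or no cache)
      when:
        - _certbot_force_issue | bool or not (_certbot_setup_complete | d(false) | bool)
      block:
        # Get Intermediary CA Certificate.
        # This is also used in the SSO configuration!
        # NOTE(review): this is the legacy X3 intermediate; confirm the chain
        # the SSO configuration expects is still what this URL publishes, and
        # consider pinning the download with get_url's `checksum` option.
        - name: Get Let's Encrypt Intermediary CA Certificate
          get_url:
            url: https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt
            dest: "{{ _certbot_dir }}/lets-encrypt-x3-cross-signed.pem"

        - name: Print Shell Command
          debug:
            msg: >-
              About to request certificates using the following command:
              certbot certonly -n --agree-tos --email {{ _certbot_le_email }}
              -d {{ _certbot_domain }}
              {{ (_certbot_wildcard_domain|length>0)|ternary('-d','')}} {{ (_certbot_wildcard_domain|length>0)|ternary(_certbot_wildcard_domain,'')}}
              {{ (_certbot_wildcard_certs|bool)|ternary('--dns-'+_certbot_dns_provider, '') }}
              --config-dir={{ _certbot_dir }}/config
              --work-dir={{ _certbot_dir }}/work
              --logs-dir={{ _certbot_dir }}/logs
              {{ (_certbot_production|bool)|ternary('','--test-cert') }}
              {{ _certbot_additional_args|d(_certbot_args)|d('') }}

        # become_user previously carried a trailing blank inside the quotes,
        # which would have made Ansible switch to a user name ending in a space.
        # NOTE(review): unlike the virtualenv tasks above no `become: true` is
        # set here, so become_user only takes effect if become is enabled at
        # play level — confirm.
        - name: Request API and Wildcard Certificates
          become_user: "{{ _certbot_user }}"
          command: "{{ _certbot_virtualenv }}/bin/run-certbot"
          retries: 5
          delay: 30
          register: r_request_le
          until: r_request_le is succeeded

        - name: Save certificates to cache
          when:
            - _certbot_use_cache | bool
            - _certbot_cache_archive_file is defined
            - _certbot_cache_archive_file | trim != ""
          block:
            # The archive contains privkey.pem; keep it owner-readable only
            # for the time it sits in the shared /tmp directory.
            - name: Create archive of certbot directory for cache
              archive:
                path: "{{ _certbot_dir }}"
                dest: "/tmp/certbot.tgz"
                mode: "0600"
            - name: Save certbot archive to cache
              fetch:
                src: "/tmp/certbot.tgz"
                dest: "{{ _certbot_cache_archive_file }}"
                flat: true
            - name: Remove archive from server
              file:
                name: "/tmp/certbot.tgz"
                state: absent

    - name: Install the certificates into {{ _certbot_install_dir }}
      block:
        - name: Ensure {{ _certbot_install_dir }} exists
          file:
            path: "{{ _certbot_install_dir }}"
            state: directory
            owner: "{{ _certbot_install_dir_owner }}"
            mode: "0775"

        # NOTE(review): privkey.pem is copied with the default mode and owner.
        # The consumer of _certbot_install_dir is not visible here, so the mode
        # is left alone — verify the key does not end up world-readable.
        - name: Install certificates
          copy:
            src: "{{ _certbot_dir }}/config/live/{{ _certbot_domain }}/{{ item }}"
            dest: "{{ _certbot_install_dir }}/{{ item }}"
            remote_src: true
          loop:
            - "cert.pem"
            - "fullchain.pem"
            - "chain.pem"
            - "privkey.pem"

    - name: Set _certbot_setup_complete to true
      set_fact:
        _certbot_setup_complete: true
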
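- name: Install Automatic renewals of Certificates
  when:
    - _certbot_renew_automatically | bool
  block:
    # Renew with the certbot installed into the virtualenv above (the one that
    # carries the DNS plugins). cron's default PATH typically does not include
    # the virtualenv, and a bare `certbot` failing under --quiet with stdout
    # discarded would go unnoticed until the certificate expired.
    - name: Install crontab to renew certificates when they expire
      become: false
      cron:
        name: "{{ _certbot_cron_job_name }}"
        special_time: daily
        job: "{{ _certbot_virtualenv }}/bin/certbot renew {{ _certbot_additional_args|d(_certbot_args)|d('') }} --config-dir={{ _certbot_dir }}/config --work-dir={{ _certbot_dir }}/work --logs-dir={{ _certbot_dir }}/logs --quiet > /dev/null"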