Set of fixes to make the provisioning of DO999 and DO280 courses compatible...

Razique Mahroua

2020-03-18 b85c91a8192593f6b62f93e11c971868964343a9

 ansible/roles/host-lets-encrypt-certs-certbot/tasks/main.yml

@@ -4,21 +4,35 @@
  set_fact:
    _certbot_dir: "{{ _certbot_remote_dir }}/certbot"

- name: Verify if AWS Credentials exist on the host
- name: Check on AWS credentials
  when: _certbot_dns_provider is match('route53')
  stat:
    path: "{{ _certbot_remote_dir }}/.aws/credentials"
  register: aws_credentials_result
  block:
    - name: Verify if AWS Credentials exist on the host
      stat:
        path: "/home/{{ ansible_user }}/.aws/credentials"
      register: aws_credentials_result

- name: Fail if AWS Credentials are not on the host
  fail:
    msg: AWS Credentials are required when requesting certificates for a wildcard domain
  when:
  - _certbot_dns_provider is match('route53')
  - aws_credentials_result.stat.exists == False 
    - name: Fail if AWS Credentials are not on the host
      fail:
        msg: AWS Credentials are required when requesting certificates for a wildcard domain
      when: aws_credentials_result.stat.exists == False

- name: Check on DDNS credentials
  when: _certbot_dns_provider is match('rfc2136')
  block:
    - name: Verify credential are present on host
      when: _certbot_dns_provider is match('rfc2136')
      stat:
        path: /home/{{ _certbot_user }}/.rfc2136.ini
      register: ddns_credentials_result

    - name: Fail if DDNS credentials are missing
      fail:
        msg: You need a key and secret to update DNS
      when: ddns_credentials_result.stat.exists == False

- name: Set _certbot_wildcard_certs fact
  set_fact:
  set_fact: 
    _certbot_wildcard_certs: "{{ (_certbot_wildcard_domain|length|int>0)|ternary('true','false') }}"

- name: Test if Let's Encrypt Certificates are already there
@@ -30,113 +44,122 @@
  when:
    - cacert.stat.exists|bool == false or _certbot_force_issue|bool
  block:
    - name: Setup certbot
      block:
      - name: Ensure certbot is installed
        become: True
        yum:
          name:
          - certbot
          - python2-certbot-dns-route53
          state: latest
  # We expect Python3 and Python3-pip to be installed
  # They should be on the bastion that this role is running

    - name: Check if cached certificate archive exists
      become: False
      stat:
        path: "{{ _certbot_cache_archive_file }}"
      delegate_to: localhost
      register: cache_archive_file
  # The requirements_certbot.txt file has the Python modules
  # For certbot, certbot-dns-route53 and certbot-dns-rfc2136
  - name: Copy requirements_certbot.txt to target for certbot virtualenv
    copy:
      src: ./files/requirements_certbot.txt
      dest: /tmp/requirements_certbot.txt

    - name: Restore entire certificate archive
      when:
      - _certbot_use_cache|bool
      - cache_archive_file.stat.exists|bool
      - not _certbot_force_issue|bool
      block:
      - name: Upload certificate archive
        unarchive:
          src: "{{ _certbot_cache_archive_file }}"
          dest: "{{ _certbot_remote_dir }}"
          owner: "{{ _certbot_install_dir_owner }}"
          group: "{{ _certbot_install_dir_group }}"
          keep_newer: yes
      - name: Set _certbot_setup_complete=true
        set_fact:
          _certbot_setup_complete: true
  # The next two commands need to be run as _certbot_user in order to set up the correct permissions
  # Running without will create links to /root/.local/... which won't be readable
  - name: Create Virtualenv Certbot
    become: True
    become_user: "{{ _certbot_user }}"
    command: "/usr/local/bin/virtualenv -p /usr/bin/python3 {{ _certbot_virtualenv }}"
  
  - name: Install Certbot into Virtualenv
    become: true
    become_user: "{{ _certbot_user }}"
    command: "{{ _certbot_virtualenv }}/bin/pip3 install -r /tmp/requirements_certbot.txt"
  
  - name: Copy certbot script to virtualenv
    template:
      src: ./templates/run-certbot.j2
      dest: "{{ _certbot_virtualenv }}/bin/run-certbot"
      owner: "{{ _certbot_user }}"
      mode: 0755

    - name: Ensure Certbot Directories are present
      file:
        name: "{{ item }}"
        state: directory
        owner: "{{ _certbot_remote_dir_owner }}"
        group: "{{ _certbot_remote_dir_group }}"
        mode: 0775
      loop:
      - "{{ _certbot_dir }}"
      - "{{ _certbot_dir }}/config"
      - "{{ _certbot_dir }}/work"
      - "{{ _certbot_dir }}/logs"
  - name: Check if cached certificate archive exists
    become: false
    stat:
      path: "{{ _certbot_cache_archive_file }}"
    delegate_to: localhost
    register: cache_archive_file

    - name: Request Certificates from Let's Encrypt (force or no cache)
      when:
      - _certbot_force_issue|bool or not _certbot_setup_complete|bool
      block:
      # Get Intermediary CA Certificate.
      # This is also used in the SSO configuration!
      - name: Get Let's Encrypt Intermediary CA Certificate
        get_url:
          url: https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt
          dest: "{{ _certbot_dir }}/lets-encrypt-x3-cross-signed.pem"
      - name: Print Shell Command
        debug:
          msg: >-
            About to request certificates using the following command:
            certbot certonly -n --agree-tos --email {{ _certbot_le_email }} 
            -d {{ _certbot_domain }}
            {{ (_certbot_wildcard_domain|length>0)|ternary('-d','')}} {{ (_certbot_wildcard_domain|length>0)|ternary(_certbot_wildcard_domain,'')}}
            {{ (_certbot_production|bool)|ternary('','--test-cert') }}
            {{ _certbot_additional_args|d(_certbot_args)|d('') }}
            {{ (_certbot_wildcard_certs|bool)|ternary('--dns-'+_certbot_dns_provider, '') }}
            --config-dir={{ _certbot_dir }}/config
            --work-dir={{ _certbot_dir }}/work
            --logs-dir={{ _certbot_dir }}/logs
  - name: Ensure Certbot Directories are present
    file:
      name: "{{ item }}"
      state: directory
      owner: "{{ _certbot_remote_dir_owner }}"
      mode: 0775
    loop:
    - "{{ _certbot_dir }}"
    - "{{ _certbot_dir }}/config"
    - "{{ _certbot_dir }}/work"
    - "{{ _certbot_dir }}/logs"

      - name: Request API and Wildcard Certificates
        become: False
        shell: >-
          certbot certonly -n --agree-tos --email {{ _certbot_le_email }} 
  - name: Restore entire certificate archive
    when:
    - _certbot_use_cache|bool
    - cache_archive_file.stat.exists|bool
    - not _certbot_force_issue|bool
    block:
    - name: Upload certificate archive
      unarchive:
        src: "{{ _certbot_cache_archive_file }}"
        dest: "{{ _certbot_remote_dir }}"
        owner: "{{ _certbot_install_dir_owner }}"
        keep_newer: yes
    - name: Set _certbot_setup_complete=true
      set_fact:
        _certbot_setup_complete: true

  - name: Request Certificates from Let's Encrypt (force or no cache)
    when:
    - _certbot_force_issue|bool or not _certbot_setup_complete|bool
    block:
    # Get Intermediary CA Certificate.
    # This is also used in the SSO configuration!
    - name: Get Let's Encrypt Intermediary CA Certificate
      get_url:
        url: https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt
        dest: "{{ _certbot_dir }}/lets-encrypt-x3-cross-signed.pem"
    - name: Print Shell Command
      debug:
        msg: >-
          About to request certificates using the following command:
          certbot certonly -n --agree-tos --email {{ _certbot_le_email }}
          -d {{ _certbot_domain }}
          {{ (_certbot_wildcard_domain|length>0)|ternary('-d','')}} {{ (_certbot_wildcard_domain|length>0)|ternary(_certbot_wildcard_domain,'')}}
          {{ (_certbot_production|bool)|ternary('','--test-cert') }}
          {{ _certbot_additional_args|d(_certbot_args)|d('') }}
          {{ (_certbot_wildcard_certs|bool)|ternary('--dns-'+_certbot_dns_provider, '') }}
          --config-dir={{ _certbot_dir }}/config
          --work-dir={{ _certbot_dir }}/work
          --logs-dir={{ _certbot_dir }}/logs
        retries: 5
        delay: 30
        register: r_request_le
        until: r_request_le is succeeded
          {{ (_certbot_production|bool)|ternary('','--test-cert') }}
          {{ _certbot_additional_args|d(_certbot_args)|d('') }}

      - name: Save certificates to cache
        when:
        - _certbot_use_cache|bool
        - _certbot_cache_archive_file is defined
        - _certbot_cache_archive_file|trim != ""
        block:
        - name: Create archive of certbot directory for cache
          archive:
            path: "{{ _certbot_dir }}"
            dest: "/tmp/certbot.tgz"
        - name: Save certbot archive to cache
          fetch:
            src: "/tmp/certbot.tgz"
            dest: "{{ _certbot_cache_archive_file }}"
            flat: yes
        - name: Remove archive from server
          file:
            name: "/tmp/certbot.tgz"
            state: absent
    - name: Request API and Wildcard Certificates
      # become: false
      become_user: "{{ _certbot_user }} "
      command: "{{ _certbot_virtualenv }}/bin/run-certbot"
      retries: 5
      delay: 30
      register: r_request_le
      until: r_request_le is succeeded

    - name: Save certificates to cache
      when:
      - _certbot_use_cache|bool
      - _certbot_cache_archive_file is defined
      - _certbot_cache_archive_file|trim != ""
      block:
      - name: Create archive of certbot directory for cache
        archive:
          path: "{{ _certbot_dir }}"
          dest: "/tmp/certbot.tgz"
      - name: Save certbot archive to cache
        fetch:
          src: "/tmp/certbot.tgz"
          dest: "{{ _certbot_cache_archive_file }}"
          flat: yes
      - name: Remove archive from server
        file:
          name: "/tmp/certbot.tgz"
          state: absent

- name: Install the certificates into {{ _certbot_install_dir }}
  block:
@@ -145,8 +168,8 @@
      path: "{{ _certbot_install_dir }}"
      state: directory
      owner: "{{ _certbot_install_dir_owner }}"
      group: "{{ _certbot_install_dir_group }}"
      mode: 0775

  - name: Install certificates
    copy:
      src: "{{ _certbot_dir }}/config/live/{{ _certbot_domain }}/{{ item }}"
@@ -158,17 +181,17 @@
    - "chain.pem"
    - "privkey.pem"

# - name: Install Automatic renewals of Certificates
#   when:
#   - _certbot_renew_automatically|bool
#   block:
#   - name: Install crontab to renew certificates when they expire
#     cron:
#       name: LETS_ENCRYPT_RENEW
#       special_time: daily
#       job: "{{ _certbot_install_dir }}/acme.sh/acme.sh {{ _certbot_additional_args|d(_certbot_args)|d('') }} --cron --home {{ _certbot_install_dir }}/.acme.sh > /dev/null"
  - name: Set _certbot_setup_complete to true
    set_fact:
      _certbot_setup_complete: true

#   - name: Install deploy_LE_certs.yml playbook
#     copy:
#       src: deploy_LE_certs.yml
#       dest: "{{ _certbot_install_dir }}/deploy_LE_certs.yml"
- name: Install Automatic renewals of Certificates
  when:
  - _certbot_renew_automatically|bool
  block:
  - name: Install crontab to renew certificates when they expire
    become: False
    cron:
      name: "{{ _certbot_cron_job_name }}"
      special_time: daily
      job: "certbot renew {{ _certbot_additional_args|d(_certbot_args)|d('') }} --config-dir={{ _certbot_dir }}/config --work-dir={{ _certbot_dir }}/work --logs-dir={{ _certbot_dir }}/logs --quiet > /dev/null"