| | |
| | | set_fact: |
| | | _certbot_dir: "{{ _certbot_remote_dir }}/certbot" |
| | | |
| | | - name: Verify if AWS Credentials exist on the host |
| | | - name: Check on AWS credentials |
| | | when: _certbot_dns_provider is match('route53') |
| | | stat: |
| | | path: "{{ _certbot_remote_dir }}/.aws/credentials" |
| | | register: aws_credentials_result |
| | | block: |
| | | - name: Verify if AWS Credentials exist on the host |
| | | stat: |
| | | path: "/home/{{ ansible_user }}/.aws/credentials" |
| | | register: aws_credentials_result |
| | | |
| | | - name: Fail if AWS Credentials are not on the host |
| | | fail: |
| | | msg: AWS Credentials are required when requesting certificates for a wildcard domain |
| | | when: |
| | | - _certbot_dns_provider is match('route53') |
| | | - aws_credentials_result.stat.exists == False |
| | | - name: Fail if AWS Credentials are not on the host |
| | | fail: |
| | | msg: AWS Credentials are required when requesting certificates for a wildcard domain |
| | | when: aws_credentials_result.stat.exists == False |
| | | |
| | | - name: Check on DDNS credentials |
| | | when: _certbot_dns_provider is match('rfc2136') |
| | | block: |
| | | - name: Verify credential are present on host |
| | | when: _certbot_dns_provider is match('rfc2136') |
| | | stat: |
| | | path: /home/{{ _certbot_user }}/.rfc2136.ini |
| | | register: ddns_credentials_result |
| | | |
| | | - name: Fail if DDNS credentials are missing |
| | | fail: |
| | | msg: You need a key and secret to update DNS |
| | | when: ddns_credentials_result.stat.exists == False |
| | | |
| | | - name: Set _certbot_wildcard_certs fact |
| | | set_fact: |
| | | set_fact: |
| | | _certbot_wildcard_certs: "{{ (_certbot_wildcard_domain|length|int>0)|ternary('true','false') }}" |
| | | |
| | | - name: Test if Let's Encrypt Certificates are already there |
| | |
| | | when: |
| | | - cacert.stat.exists|bool == false or _certbot_force_issue|bool |
| | | block: |
| | | - name: Setup certbot |
| | | block: |
| | | - name: Ensure certbot is installed |
| | | become: True |
| | | yum: |
| | | name: |
| | | - certbot |
| | | - python2-certbot-dns-route53 |
| | | state: latest |
| | | # We expect Python3 and Python3-pip to be installed |
| | | # They should be on the bastion that this role is running |
| | | |
| | | - name: Check if cached certificate archive exists |
| | | become: False |
| | | stat: |
| | | path: "{{ _certbot_cache_archive_file }}" |
| | | delegate_to: localhost |
| | | register: cache_archive_file |
| | | # The requirements_certbot.txt file has the Python modules |
| | | # For certbot, certbot-dns-route53 and certbot-dns-rfc2136 |
| | | - name: Copy requirements_certbot.txt to target for certbot virtualenv |
| | | copy: |
| | | src: ./files/requirements_certbot.txt |
| | | dest: /tmp/requirements_certbot.txt |
| | | |
| | | - name: Restore entire certificate archive |
| | | when: |
| | | - _certbot_use_cache|bool |
| | | - cache_archive_file.stat.exists|bool |
| | | - not _certbot_force_issue|bool |
| | | block: |
| | | - name: Upload certificate archive |
| | | unarchive: |
| | | src: "{{ _certbot_cache_archive_file }}" |
| | | dest: "{{ _certbot_remote_dir }}" |
| | | owner: "{{ _certbot_install_dir_owner }}" |
| | | group: "{{ _certbot_install_dir_group }}" |
| | | keep_newer: yes |
| | | - name: Set _certbot_setup_complete=true |
| | | set_fact: |
| | | _certbot_setup_complete: true |
| | | # The next two commands need to be run as _certbot_user in order to set up the correct permissions |
| | | # Running without will create links to /root/.local/... which won't be readable |
| | | - name: Create Virtualenv Certbot |
| | | become: True |
| | | become_user: "{{ _certbot_user }}" |
| | | command: "/usr/local/bin/virtualenv -p /usr/bin/python3 {{ _certbot_virtualenv }}" |
| | | |
| | | - name: Install Certbot into Virtualenv |
| | | become: true |
| | | become_user: "{{ _certbot_user }}" |
| | | command: "{{ _certbot_virtualenv }}/bin/pip3 install -r /tmp/requirements_certbot.txt" |
| | | |
| | | - name: Copy certbot script to virtualenv |
| | | template: |
| | | src: ./templates/run-certbot.j2 |
| | | dest: "{{ _certbot_virtualenv }}/bin/run-certbot" |
| | | owner: "{{ _certbot_user }}" |
| | | mode: 0755 |
| | | |
| | | - name: Ensure Certbot Directories are present |
| | | file: |
| | | name: "{{ item }}" |
| | | state: directory |
| | | owner: "{{ _certbot_remote_dir_owner }}" |
| | | group: "{{ _certbot_remote_dir_group }}" |
| | | mode: 0775 |
| | | loop: |
| | | - "{{ _certbot_dir }}" |
| | | - "{{ _certbot_dir }}/config" |
| | | - "{{ _certbot_dir }}/work" |
| | | - "{{ _certbot_dir }}/logs" |
| | | - name: Check if cached certificate archive exists |
| | | become: false |
| | | stat: |
| | | path: "{{ _certbot_cache_archive_file }}" |
| | | delegate_to: localhost |
| | | register: cache_archive_file |
| | | |
| | | - name: Request Certificates from Let's Encrypt (force or no cache) |
| | | when: |
| | | - _certbot_force_issue|bool or not _certbot_setup_complete|bool |
| | | block: |
| | | # Get Intermediary CA Certificate. |
| | | # This is also used in the SSO configuration! |
| | | - name: Get Let's Encrypt Intermediary CA Certificate |
| | | get_url: |
| | | url: https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt |
| | | dest: "{{ _certbot_dir }}/lets-encrypt-x3-cross-signed.pem" |
| | | - name: Print Shell Command |
| | | debug: |
| | | msg: >- |
| | | About to request certificates using the following command: |
| | | certbot certonly -n --agree-tos --email {{ _certbot_le_email }} |
| | | -d {{ _certbot_domain }} |
| | | {{ (_certbot_wildcard_domain|length>0)|ternary('-d','')}} {{ (_certbot_wildcard_domain|length>0)|ternary(_certbot_wildcard_domain,'')}} |
| | | {{ (_certbot_production|bool)|ternary('','--test-cert') }} |
| | | {{ _certbot_additional_args|d(_certbot_args)|d('') }} |
| | | {{ (_certbot_wildcard_certs|bool)|ternary('--dns-'+_certbot_dns_provider, '') }} |
| | | --config-dir={{ _certbot_dir }}/config |
| | | --work-dir={{ _certbot_dir }}/work |
| | | --logs-dir={{ _certbot_dir }}/logs |
| | | - name: Ensure Certbot Directories are present |
| | | file: |
| | | name: "{{ item }}" |
| | | state: directory |
| | | owner: "{{ _certbot_remote_dir_owner }}" |
| | | mode: 0775 |
| | | loop: |
| | | - "{{ _certbot_dir }}" |
| | | - "{{ _certbot_dir }}/config" |
| | | - "{{ _certbot_dir }}/work" |
| | | - "{{ _certbot_dir }}/logs" |
| | | |
| | | - name: Request API and Wildcard Certificates |
| | | become: False |
| | | shell: >- |
| | | certbot certonly -n --agree-tos --email {{ _certbot_le_email }} |
| | | - name: Restore entire certificate archive |
| | | when: |
| | | - _certbot_use_cache|bool |
| | | - cache_archive_file.stat.exists|bool |
| | | - not _certbot_force_issue|bool |
| | | block: |
| | | - name: Upload certificate archive |
| | | unarchive: |
| | | src: "{{ _certbot_cache_archive_file }}" |
| | | dest: "{{ _certbot_remote_dir }}" |
| | | owner: "{{ _certbot_install_dir_owner }}" |
| | | keep_newer: yes |
| | | - name: Set _certbot_setup_complete=true |
| | | set_fact: |
| | | _certbot_setup_complete: true |
| | | |
| | | - name: Request Certificates from Let's Encrypt (force or no cache) |
| | | when: |
| | | - _certbot_force_issue|bool or not _certbot_setup_complete|bool |
| | | block: |
| | | # Get Intermediary CA Certificate. |
| | | # This is also used in the SSO configuration! |
| | | - name: Get Let's Encrypt Intermediary CA Certificate |
| | | get_url: |
| | | url: https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt |
| | | dest: "{{ _certbot_dir }}/lets-encrypt-x3-cross-signed.pem" |
| | | - name: Print Shell Command |
| | | debug: |
| | | msg: >- |
| | | About to request certificates using the following command: |
| | | certbot certonly -n --agree-tos --email {{ _certbot_le_email }} |
| | | -d {{ _certbot_domain }} |
| | | {{ (_certbot_wildcard_domain|length>0)|ternary('-d','')}} {{ (_certbot_wildcard_domain|length>0)|ternary(_certbot_wildcard_domain,'')}} |
| | | {{ (_certbot_production|bool)|ternary('','--test-cert') }} |
| | | {{ _certbot_additional_args|d(_certbot_args)|d('') }} |
| | | {{ (_certbot_wildcard_certs|bool)|ternary('--dns-'+_certbot_dns_provider, '') }} |
| | | --config-dir={{ _certbot_dir }}/config |
| | | --work-dir={{ _certbot_dir }}/work |
| | | --logs-dir={{ _certbot_dir }}/logs |
| | | retries: 5 |
| | | delay: 30 |
| | | register: r_request_le |
| | | until: r_request_le is succeeded |
| | | {{ (_certbot_production|bool)|ternary('','--test-cert') }} |
| | | {{ _certbot_additional_args|d(_certbot_args)|d('') }} |
| | | |
| | | - name: Save certificates to cache |
| | | when: |
| | | - _certbot_use_cache|bool |
| | | - _certbot_cache_archive_file is defined |
| | | - _certbot_cache_archive_file|trim != "" |
| | | block: |
| | | - name: Create archive of certbot directory for cache |
| | | archive: |
| | | path: "{{ _certbot_dir }}" |
| | | dest: "/tmp/certbot.tgz" |
| | | - name: Save certbot archive to cache |
| | | fetch: |
| | | src: "/tmp/certbot.tgz" |
| | | dest: "{{ _certbot_cache_archive_file }}" |
| | | flat: yes |
| | | - name: Remove archive from server |
| | | file: |
| | | name: "/tmp/certbot.tgz" |
| | | state: absent |
| | | - name: Request API and Wildcard Certificates |
| | | # become: false |
| | | become_user: "{{ _certbot_user }} " |
| | | command: "{{ _certbot_virtualenv }}/bin/run-certbot" |
| | | retries: 5 |
| | | delay: 30 |
| | | register: r_request_le |
| | | until: r_request_le is succeeded |
| | | |
| | | - name: Save certificates to cache |
| | | when: |
| | | - _certbot_use_cache|bool |
| | | - _certbot_cache_archive_file is defined |
| | | - _certbot_cache_archive_file|trim != "" |
| | | block: |
| | | - name: Create archive of certbot directory for cache |
| | | archive: |
| | | path: "{{ _certbot_dir }}" |
| | | dest: "/tmp/certbot.tgz" |
| | | - name: Save certbot archive to cache |
| | | fetch: |
| | | src: "/tmp/certbot.tgz" |
| | | dest: "{{ _certbot_cache_archive_file }}" |
| | | flat: yes |
| | | - name: Remove archive from server |
| | | file: |
| | | name: "/tmp/certbot.tgz" |
| | | state: absent |
| | | |
| | | - name: Install the certificates into {{ _certbot_install_dir }} |
| | | block: |
| | |
| | | path: "{{ _certbot_install_dir }}" |
| | | state: directory |
| | | owner: "{{ _certbot_install_dir_owner }}" |
| | | group: "{{ _certbot_install_dir_group }}" |
| | | mode: 0775 |
| | | |
| | | - name: Install certificates |
| | | copy: |
| | | src: "{{ _certbot_dir }}/config/live/{{ _certbot_domain }}/{{ item }}" |
| | |
| | | - "chain.pem" |
| | | - "privkey.pem" |
| | | |
| | | # - name: Install Automatic renewals of Certificates |
| | | # when: |
| | | # - _certbot_renew_automatically|bool |
| | | # block: |
| | | # - name: Install crontab to renew certificates when they expire |
| | | # cron: |
| | | # name: LETS_ENCRYPT_RENEW |
| | | # special_time: daily |
| | | # job: "{{ _certbot_install_dir }}/acme.sh/acme.sh {{ _certbot_additional_args|d(_certbot_args)|d('') }} --cron --home {{ _certbot_install_dir }}/.acme.sh > /dev/null" |
| | | - name: Set _certbot_setup_complete to true |
| | | set_fact: |
| | | _certbot_setup_complete: true |
| | | |
| | | # - name: Install deploy_LE_certs.yml playbook |
| | | # copy: |
| | | # src: deploy_LE_certs.yml |
| | | # dest: "{{ _certbot_install_dir }}/deploy_LE_certs.yml" |
| | | - name: Install Automatic renewals of Certificates |
| | | when: |
| | | - _certbot_renew_automatically|bool |
| | | block: |
| | | - name: Install crontab to renew certificates when they expire |
| | | become: False |
| | | cron: |
| | | name: "{{ _certbot_cron_job_name }}" |
| | | special_time: daily |
| | | job: "certbot renew {{ _certbot_additional_args|d(_certbot_args)|d('') }} --config-dir={{ _certbot_dir }}/config --work-dir={{ _certbot_dir }}/work --logs-dir={{ _certbot_dir }}/logs --quiet > /dev/null" |