| | |
| | | set_fact: |
| | | _certbot_dir: "{{ _certbot_remote_dir }}/certbot" |
| | | |
| | | - name: Verify if AWS Credentials exist on the host |
| | | - name: Check on AWS credentials |
| | | when: _certbot_dns_provider is match('route53') |
| | | stat: |
| | | path: "{{ _certbot_remote_dir }}/.aws/credentials" |
| | | register: aws_credentials_result |
| | | block: |
| | | - name: Verify if AWS Credentials exist on the host |
| | | stat: |
| | | path: "/home/{{ ansible_user }}/.aws/credentials" |
| | | register: aws_credentials_result |
| | | |
| | | - name: Fail if AWS Credentials are not on the host |
| | | fail: |
| | | msg: AWS Credentials are required when requesting certificates for a wildcard domain |
| | | when: |
| | | - _certbot_dns_provider is match('route53') |
| | | - aws_credentials_result.stat.exists == False |
| | | - name: Fail if AWS Credentials are not on the host |
| | | fail: |
| | | msg: AWS Credentials are required when requesting certificates for a wildcard domain |
| | | when: aws_credentials_result.stat.exists == False |
| | | |
| | | - name: Check on DDNS credentials |
| | | when: _certbot_dns_provider is match('rfc2136') |
| | | block: |
| | | - name: Verify credential are present on host |
| | | when: _certbot_dns_provider is match('rfc2136') |
| | | stat: |
| | | path: /home/{{ _certbot_user }}/.rfc2136.ini |
| | | register: ddns_credentials_result |
| | | |
| | | - name: Fail if DDNS credentials are missing |
| | | fail: |
| | | msg: You need a key and secret to update DNS |
| | | when: ddns_credentials_result.stat.exists == False |
| | | |
| | | - name: Set _certbot_wildcard_certs fact |
| | | set_fact: |
| | | set_fact: |
| | | _certbot_wildcard_certs: "{{ (_certbot_wildcard_domain|length|int>0)|ternary('true','false') }}" |
| | | |
| | | - name: Test if Let's Encrypt Certificates are already there |
| | |
| | | when: |
| | | - cacert.stat.exists|bool == false or _certbot_force_issue|bool |
| | | block: |
| | | - name: Install certbot packages |
| | | become: True |
| | | yum: |
| | | name: |
| | | - certbot |
| | | - "python2-certbot-dns-{{ _certbot_dns_provider }}" |
| | | state: latest |
| | | # We expect Python3 and Python3-pip to be installed |
| | | # They should be on the bastion that this role is running |
| | | |
| | | - name: Check if cached certificate archive exists |
| | | stat: |
| | | path: "{{ _certbot_cache_archive_file }}" |
| | | delegate_to: localhost |
| | | register: cache_archive_file |
| | | # The requirements_certbot.txt file has the Python modules |
| | | # For certbot, certbot-dns-route53 and certbot-dns-rfc2136 |
| | | - name: Copy requirements_certbot.txt to target for certbot virtualenv |
| | | copy: |
| | | src: ./files/requirements_certbot.txt |
| | | dest: /tmp/requirements_certbot.txt |
| | | |
| | | - name: Restore entire certificate archive |
| | | when: |
| | | - _certbot_use_cache|bool |
| | | - cache_archive_file.stat.exists|bool |
| | | - not _certbot_force_issue|bool |
| | | block: |
| | | - name: Upload certificate archive |
| | | unarchive: |
| | | src: "{{ _certbot_cache_archive_file }}" |
| | | dest: "{{ _certbot_remote_dir }}" |
| | | owner: "{{ _certbot_install_dir_owner }}" |
| | | keep_newer: yes |
| | | - name: Set _certbot_setup_complete=true |
| | | set_fact: |
| | | _certbot_setup_complete: true |
| | | # The next two commands need to be run as _certbot_user in order to set up the correct permissions |
| | | # Running without will create links to /root/.local/... which won't be readable |
| | | - name: Create Virtualenv Certbot |
| | | become: True |
| | | become_user: "{{ _certbot_user }}" |
| | | command: "/usr/local/bin/virtualenv -p /usr/bin/python3 {{ _certbot_virtualenv }}" |
| | | |
| | | - name: Install Certbot into Virtualenv |
| | | become: true |
| | | become_user: "{{ _certbot_user }}" |
| | | command: "{{ _certbot_virtualenv }}/bin/pip3 install -r /tmp/requirements_certbot.txt" |
| | | |
| | | - name: Copy certbot script to virtualenv |
| | | template: |
| | | src: ./templates/run-certbot.j2 |
| | | dest: "{{ _certbot_virtualenv }}/bin/run-certbot" |
| | | owner: "{{ _certbot_user }}" |
| | | mode: 0755 |
| | | |
| | | - name: Ensure Certbot Directories are present |
| | | file: |
| | | name: "{{ item }}" |
| | | state: directory |
| | | owner: "{{ _certbot_remote_dir_owner }}" |
| | | mode: 0775 |
| | | loop: |
| | | - "{{ _certbot_dir }}" |
| | | - "{{ _certbot_dir }}/config" |
| | | - "{{ _certbot_dir }}/work" |
| | | - "{{ _certbot_dir }}/logs" |
| | | - "{{ _certbot_dir }}/renewal-hooks" |
| | | - "{{ _certbot_dir }}/renewal-hooks/deploy" |
| | | - name: Check if cached certificate archive exists |
| | | become: false |
| | | stat: |
| | | path: "{{ _certbot_cache_archive_file }}" |
| | | delegate_to: localhost |
| | | register: cache_archive_file |
| | | |
| | | - name: Install redeploy hook scripts |
| | | copy: |
| | | src: ./files/deploy_certs.sh |
| | | dest: "{{ _certbot_dir }}/renewal-hooks/deploy/deploy_certs.sh" |
| | | mode: 0775 |
| | | owner: "{{ _certbot_remote_dir_owner }}" |
| | | - name: Install redeploy hook playbook and cert secret template |
| | | copy: |
| | | src: "./files/{{ item }}" |
| | | dest: "{{ _certbot_dir }}/renewal-hooks/deploy/{{ item }}" |
| | | mode: 0664 |
| | | owner: "{{ _certbot_remote_dir_owner }}" |
| | | loop: |
| | | - deploy_certs.yml |
| | | - router-certs.j2 |
| | | - name: Ensure Certbot Directories are present |
| | | file: |
| | | name: "{{ item }}" |
| | | state: directory |
| | | owner: "{{ _certbot_remote_dir_owner }}" |
| | | mode: 0775 |
| | | loop: |
| | | - "{{ _certbot_dir }}" |
| | | - "{{ _certbot_dir }}/config" |
| | | - "{{ _certbot_dir }}/work" |
| | | - "{{ _certbot_dir }}/logs" |
| | | |
| | | - name: Request Certificates from Let's Encrypt (force or no cache) |
| | | when: |
| | | - _certbot_force_issue|bool or not _certbot_setup_complete|bool |
| | | block: |
| | | # Get Intermediary CA Certificate. |
| | | # This is also used in the SSO configuration! |
| | | - name: Get Let's Encrypt Intermediary CA Certificate |
| | | get_url: |
| | | url: https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt |
| | | dest: "{{ _certbot_dir }}/lets-encrypt-x3-cross-signed.pem" |
| | | - name: Print Shell Command |
| | | debug: |
| | | msg: >- |
| | | About to request certificates using the following command: |
| | | certbot certonly -n --agree-tos --email {{ _certbot_le_email }} |
| | | -d {{ _certbot_domain }} |
| | | {{ (_certbot_wildcard_domain|length>0)|ternary('-d','')}} {{ (_certbot_wildcard_domain|length>0)|ternary(_certbot_wildcard_domain,'')}} |
| | | {{ (_certbot_production|bool)|ternary('','--test-cert') }} |
| | | {{ _certbot_additional_args|d(_certbot_args)|d('') }} |
| | | {{ (_certbot_wildcard_certs|bool)|ternary('--dns-'+_certbot_dns_provider, '') }} |
| | | --config-dir={{ _certbot_dir }}/config |
| | | --work-dir={{ _certbot_dir }}/work |
| | | --logs-dir={{ _certbot_dir }}/logs |
| | | - name: Restore entire certificate archive |
| | | when: |
| | | - _certbot_use_cache|bool |
| | | - cache_archive_file.stat.exists|bool |
| | | - not _certbot_force_issue|bool |
| | | block: |
| | | - name: Upload certificate archive |
| | | unarchive: |
| | | src: "{{ _certbot_cache_archive_file }}" |
| | | dest: "{{ _certbot_remote_dir }}" |
| | | owner: "{{ _certbot_install_dir_owner }}" |
| | | keep_newer: yes |
| | | - name: Set _certbot_setup_complete=true |
| | | set_fact: |
| | | _certbot_setup_complete: true |
| | | |
| | | - name: Request API and Wildcard Certificates |
| | | become: False |
| | | shell: >- |
| | | certbot certonly -n --agree-tos --email {{ _certbot_le_email }} |
| | | - name: Request Certificates from Let's Encrypt (force or no cache) |
| | | when: |
| | | - _certbot_force_issue|bool or not _certbot_setup_complete|bool |
| | | block: |
| | | # Get Intermediary CA Certificate. |
| | | # This is also used in the SSO configuration! |
| | | - name: Get Let's Encrypt Intermediary CA Certificate |
| | | get_url: |
| | | url: https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt |
| | | dest: "{{ _certbot_dir }}/lets-encrypt-x3-cross-signed.pem" |
| | | - name: Print Shell Command |
| | | debug: |
| | | msg: >- |
| | | About to request certificates using the following command: |
| | | certbot certonly -n --agree-tos --email {{ _certbot_le_email }} |
| | | -d {{ _certbot_domain }} |
| | | {{ (_certbot_wildcard_domain|length>0)|ternary('-d','')}} {{ (_certbot_wildcard_domain|length>0)|ternary(_certbot_wildcard_domain,'')}} |
| | | {{ (_certbot_production|bool)|ternary('','--test-cert') }} |
| | | {{ _certbot_additional_args|d(_certbot_args)|d('') }} |
| | | {{ (_certbot_wildcard_certs|bool)|ternary('--dns-'+_certbot_dns_provider, '') }} |
| | | --config-dir={{ _certbot_dir }}/config |
| | | --work-dir={{ _certbot_dir }}/work |
| | | --logs-dir={{ _certbot_dir }}/logs |
| | | retries: 5 |
| | | delay: 30 |
| | | register: r_request_le |
| | | until: r_request_le is succeeded |
| | | {{ (_certbot_production|bool)|ternary('','--test-cert') }} |
| | | {{ _certbot_additional_args|d(_certbot_args)|d('') }} |
| | | |
| | | - name: Save certificates to cache |
| | | when: |
| | | - _certbot_use_cache|bool |
| | | - _certbot_cache_archive_file is defined |
| | | - _certbot_cache_archive_file|trim != "" |
| | | block: |
| | | - name: Create archive of certbot directory for cache |
| | | archive: |
| | | path: "{{ _certbot_dir }}" |
| | | dest: "/tmp/certbot.tgz" |
| | | - name: Save certbot archive to cache |
| | | fetch: |
| | | src: "/tmp/certbot.tgz" |
| | | dest: "{{ _certbot_cache_archive_file }}" |
| | | flat: yes |
| | | - name: Remove archive from server |
| | | file: |
| | | name: "/tmp/certbot.tgz" |
| | | state: absent |
| | | - name: Request API and Wildcard Certificates |
| | | # become: false |
| | | become_user: "{{ _certbot_user }} " |
| | | command: "{{ _certbot_virtualenv }}/bin/run-certbot" |
| | | retries: 5 |
| | | delay: 30 |
| | | register: r_request_le |
| | | until: r_request_le is succeeded |
| | | |
| | | - name: Save certificates to cache |
| | | when: |
| | | - _certbot_use_cache|bool |
| | | - _certbot_cache_archive_file is defined |
| | | - _certbot_cache_archive_file|trim != "" |
| | | block: |
| | | - name: Create archive of certbot directory for cache |
| | | archive: |
| | | path: "{{ _certbot_dir }}" |
| | | dest: "/tmp/certbot.tgz" |
| | | - name: Save certbot archive to cache |
| | | fetch: |
| | | src: "/tmp/certbot.tgz" |
| | | dest: "{{ _certbot_cache_archive_file }}" |
| | | flat: yes |
| | | - name: Remove archive from server |
| | | file: |
| | | name: "/tmp/certbot.tgz" |
| | | state: absent |
| | | |
| | | - name: Install the certificates into {{ _certbot_install_dir }} |
| | | block: |
| | |
| | | state: directory |
| | | owner: "{{ _certbot_install_dir_owner }}" |
| | | mode: 0775 |
| | | |
| | | - name: Install certificates |
| | | copy: |
| | | src: "{{ _certbot_dir }}/config/live/{{ _certbot_domain }}/{{ item }}" |
| | |
| | | - "chain.pem" |
| | | - "privkey.pem" |
| | | |
| | | - name: Set _certbot_setup_complete to true |
| | | set_fact: |
| | | _certbot_setup_complete: true |
| | | |
| | | - name: Install Automatic renewals of Certificates |
| | | when: |
| | | - _certbot_renew_automatically|bool |
| | |
| | | - name: Install crontab to renew certificates when they expire |
| | | become: False |
| | | cron: |
| | | name: LETS_ENCRYPT_RENEW |
| | | name: "{{ _certbot_cron_job_name }}" |
| | | special_time: daily |
| | | job: "certbot renew {{ _certbot_additional_args|d(_certbot_args)|d('') }} --config-dir={{ _certbot_dir }}/config --work-dir={{ _certbot_dir }}/work --logs-dir={{ _certbot_dir }}/logs --quiet > /dev/null" |
| | | # --deploy-hook /path/to/deploy-hook-script |
| | | # You can also specify hooks by placing files in subdirectories of Certbot’s configuration directory. Assuming your configuration directory is /etc/letsencrypt, any executable files found in /etc/letsencrypt/renewal-hooks/pre, /etc/letsencrypt/renewal-hooks/deploy, and /etc/letsencrypt/renewal-hooks/post will be run as pre, deploy, and post hooks respectively when any certificate is renewed with the renew subcommand. These hooks are run in alphabetical order and are not run for other subcommands. (The order the hooks are run is determined by the byte value of the characters in their filenames and is not dependent on your locale.) |