acme: Changed underlying package from acme.sh to certbot

group_vars/all/vars.yml

@@ -83,6 +83,10 @@ global_bind_service_name: "named.service"
 global_bind_configuration_directory: "/etc/bind"
 global_bind_data_directory: "/var/lib/bind"
 
+global_certbot_configuration_directory: "/etc/letsencrypt"
+global_certbot_configuration_file: "{{ global_certbot_configuration_directory }}/cli.ini"
+global_certbot_certificates_directory: "/etc/letsencrypt/live"
+
 global_dns_upstream_servers:
   - "9.9.9.11"
   - "149.112.112.11"

roles/acme/application/defaults/main.yml

@@ -1,18 +1,5 @@
 ---
 
-acme_system_user: "acme"
-acme_user_directory: "/var/{{ acme_system_user }}"
-
-acme_source_directory: "{{ acme_user_directory }}/repository"
-acme_source_repository: "https://github.com/Neilpang/acme.sh.git"
-acme_source_version: "master"
-
 acme_account_mail: "{{ global_admin_mail }}"
 
-acme_installation_directory: "{{ acme_user_directory }}/application"
-acme_configuration_directory: "{{ acme_user_directory }}/configuration"
-acme_internal_certificates_directory: "{{ acme_configuration_directory }}/certificates"
-acme_certificates_directory: "{{ acme_user_directory }}/certificates"
-
-acme_helper_script: "{{ acme_user_directory }}/acme"
-acme_root_helper_script: "/root/acme"
+acme_rsa_key_size: 4096

roles/acme/application/meta/main.yml

@@ -3,7 +3,4 @@
 allow_duplicates: no
 
 dependencies:
-  - role: misc/system_user
-    system_user: "{{ acme_system_user }}"
-    user_directory: "{{ acme_user_directory }}"
   - role: nginx/application

roles/acme/application/tasks/main.yml

@@ -1,56 +1,15 @@
 ---
 
-- name: Download acme.sh
-  become_user: "{{ acme_system_user }}"
-  git:
-    repo: "{{ acme_source_repository }}"
-    version: "{{ acme_source_version }}"
-    dest: "{{ acme_source_directory }}"
-    update: no
+- name: Install required packages
+  apt:
+    state: present
+    name:
+      - certbot # main package
 
-- name: Install acme helper script for user
+- name: Configure certbot
   template:
-    src: acme_user.sh
-    dest: "{{ acme_helper_script }}"
-    owner: "{{ acme_system_user }}"
-    group: "{{ acme_system_user }}"
-    mode: "u=rwx,g=rx,o="
-
-- name: Install acme helper script for root
-  template:
-    src: acme_root.sh
-    dest: "{{ acme_root_helper_script }}"
-    owner: "root"
-    group: "root"
-    mode: "u=rwx,g=rx,o="
-
-- name: Configure acme.sh
-  become_user: "{{ acme_system_user }}"
-  command: >-
-    ./acme.sh --install
-    --home {{ acme_installation_directory | quote }}
-    --config-home {{ acme_configuration_directory | quote }}
-    --cert-home {{ acme_internal_certificates_directory | quote }}
-    --accountemail {{ acme_account_mail | quote }}
-  args:
-    chdir: "{{ acme_source_directory }}"
-    creates: "{{ acme_installation_directory }}"
-
-- name: Upgrade acme.sh
-  become_user: "{{ acme_system_user }}"
-  command: >-
-    ./acme.sh --upgrade
-    --home {{ acme_installation_directory | quote }}
-    --config-home {{ acme_configuration_directory | quote }}
-  args:
-    chdir: "{{ acme_installation_directory }}"
-  register: acme_upgrade_results
-  changed_when: acme_upgrade_results.rc == 0 and "Upgrade success" in acme_upgrade_results.stdout
-
-- name: Create directory for certificates
-  file:
-    path: "{{ acme_certificates_directory }}"
-    state: directory
-    owner: "{{ acme_system_user }}"
-    group: "{{ acme_system_user }}"
-    mode: "u=rwx,g=,o="
+    src: cli.ini
+    dest: "{{ global_certbot_configuration_file }}"
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r

roles/acme/application/templates/acme_root.sh

@@ -1,2 +0,0 @@
-#!/bin/bash
-sudo -u {{ acme_system_user | quote }} {{ acme_helper_script | quote }} "$@";

roles/acme/application/templates/acme_user.sh

@@ -1,6 +0,0 @@
-#!/bin/bash
-cd {{ acme_source_directory | quote }};
-./acme.sh \
-  --home {{ acme_installation_directory | quote }} \
-  --config-home {{ acme_configuration_directory | quote }} \
-  "$@";

roles/acme/application/templates/cli.ini

@@ -0,0 +1,12 @@
+# Accept service terms
+agree-tos
+
+# Default RSA key size
+rsa-key-size = {{ acme_rsa_key_size }}
+
+# E-Mail Address for registration
+email = {{ acme_account_mail }}
+
+# Use webroot per default
+authenticator = webroot
+webroot-path = {{ acme_validation_root_directory }}

roles/acme/certificate/defaults/main.yml

@@ -1,9 +1,22 @@
 ---
 
-# domain
+# at least one of domain or domains is required
+domain: "{{ domains[0] }}"
+domains:
+  - "{{ domain }}"
 
-acme_certificate_prefix: "{{ acme_certificates_directory }}/{{ domain }}"
-acme_fullchain_location: "{{ acme_certificate_prefix }}.crt"
-acme_key_location: "{{ acme_certificate_prefix }}.key"
+certificate_name: "{{ domain }}"
 
-reload_command: "systemctl reload {{ global_nginx_service_name }}"
+# acme_validation_root_directory from nginx/application
+
+acme_certificate_directory: "{{ global_certbot_certificates_directory }}/{{ certificate_name }}"
+acme_certificate_location: "{{ acme_certificate_directory }}/cert.pem"
+acme_chain_location: "{{ acme_certificate_directory }}/chain.pem"
+acme_fullchain_location: "{{ acme_certificate_directory }}/fullchain.pem"
+acme_key_location: "{{ acme_certificate_directory }}/privkey.pem"
+acme_keyfullchain_location: "{{ acme_certificate_directory }}/keyfullchain.pem"
+
+# at maximun one of is used
+reload_command: "systemctl reload-or-restart {{ global_nginx_service_name }}"
+reload_commands:
+  - "{{ reload_command }}"

roles/acme/certificate/tasks/main.yml

@@ -1,34 +1,16 @@
 ---
 
-- meta: flush_handlers
-
-- name: "Issue certificate for {{ domain }}"
-  become_user: "{{ acme_system_user }}"
-  command: >-
-    ./acme.sh --issue
-    --home {{ acme_installation_directory | quote }}
-    --config-home {{ acme_configuration_directory | quote }}
-    --domain {{ domain | quote }}
-    --webroot {{ acme_validation_root_directory | quote }}
-    --ocsp-must-staple
-  args:
-    chdir: "{{ acme_installation_directory }}"
-  register: acme_issue_result
-  changed_when: acme_issue_result.rc != 2 or "Domains not changed" not in acme_issue_result.stdout
-  failed_when: acme_issue_result.rc != 0 and "Domains not changed" not in acme_issue_result.stdout
-
-- name: "Install certificate for {{ domain }}"
-  become_user: "{{ acme_system_user }}"
-  command: >-
-    ./acme.sh --install-cert
-    --home {{ acme_installation_directory | quote }}
-    --config-home {{ acme_configuration_directory | quote }}
-    --domain {{ domain | quote }}
-    --key-file {{ acme_key_location | quote }}
-    --fullchain-file {{ acme_fullchain_location | quote }}
-    --reloadcmd {{ reload_command | quote }}
-  args:
-    chdir: "{{ acme_installation_directory }}"
-    creates: "{{ acme_key_location }}"
-  register: acme_install_result
-  failed_when: acme_install_result.rc != 0 and "Reload error for" not in acme_install_result.stderr
+- name: Issue certificate for {{ domain }}
+  command:
+    cmd: >-
+      certbot certonly
+      --non-interactive
+      --cert-name {{ certificate_name | quote }}
+      --must-staple
+      --disable-hook-validation
+      --post-hook {{ ( '(' + (all_reload_commands | join(') && (')) + ')' ) | quote }}
+      {% for d in domains %}
+      --domain {{ d | quote }}
+      {% endfor %}
+    creates: "{{ acme_certificate_location }}"
+  tags: cert_change

roles/acme/certificate/vars/main.yml

@@ -0,0 +1,5 @@
+---
+
+required_reload_commands:
+  - "cat {{ acme_key_location | quote }} {{ acme_fullchain_location | quote }} > {{ acme_keyfullchain_location | quote }}"
+all_reload_commands: "{{ required_reload_commands + reload_commands }}"

roles/nginx/application/tasks/main.yml

@@ -49,8 +49,8 @@
     state: directory
     name: "{{ item }}"
     owner: root
-    group: "{{ acme_system_user }}"
-    mode: "u=rwx,g=rwx,o=rx"
+    group: root
+    mode: "u=rwx,g=rx,o=rx"
   loop:
     - "{{ acme_validation_root_directory }}"
     - "{{ acme_validation_test_file | dirname }}"