acme: Changed underlying package from acme.sh to certbot
parent
2be15aa10a
commit
f46e51115e
@ -1,18 +1,5 @@
|
|||||||
---
|
---
|
||||||
|
|
||||||
acme_system_user: "acme"
|
|
||||||
acme_user_directory: "/var/{{ acme_system_user }}"
|
|
||||||
|
|
||||||
acme_source_directory: "{{ acme_user_directory }}/repository"
|
|
||||||
acme_source_repository: "https://github.com/Neilpang/acme.sh.git"
|
|
||||||
acme_source_version: "master"
|
|
||||||
|
|
||||||
acme_account_mail: "{{ global_admin_mail }}"
|
acme_account_mail: "{{ global_admin_mail }}"
|
||||||
|
|
||||||
acme_installation_directory: "{{ acme_user_directory }}/application"
|
acme_rsa_key_size: 4096
|
||||||
acme_configuration_directory: "{{ acme_user_directory }}/configuration"
|
|
||||||
acme_internal_certificates_directory: "{{ acme_configuration_directory }}/certificates"
|
|
||||||
acme_certificates_directory: "{{ acme_user_directory }}/certificates"
|
|
||||||
|
|
||||||
acme_helper_script: "{{ acme_user_directory }}/acme"
|
|
||||||
acme_root_helper_script: "/root/acme"
|
|
||||||
|
@ -1,56 +1,15 @@
|
|||||||
---
|
---
|
||||||
|
|
||||||
- name: Download acme.sh
|
- name: Install required packages
|
||||||
become_user: "{{ acme_system_user }}"
|
apt:
|
||||||
git:
|
state: present
|
||||||
repo: "{{ acme_source_repository }}"
|
name:
|
||||||
version: "{{ acme_source_version }}"
|
- certbot # main package
|
||||||
dest: "{{ acme_source_directory }}"
|
|
||||||
update: no
|
|
||||||
|
|
||||||
- name: Install acme helper script for user
|
- name: Configure certbot
|
||||||
template:
|
template:
|
||||||
src: acme_user.sh
|
src: cli.ini
|
||||||
dest: "{{ acme_helper_script }}"
|
dest: "{{ global_certbot_configuration_file }}"
|
||||||
owner: "{{ acme_system_user }}"
|
owner: root
|
||||||
group: "{{ acme_system_user }}"
|
group: root
|
||||||
mode: "u=rwx,g=rx,o="
|
mode: u=rw,g=r,o=r
|
||||||
|
|
||||||
- name: Install acme helper script for root
|
|
||||||
template:
|
|
||||||
src: acme_root.sh
|
|
||||||
dest: "{{ acme_root_helper_script }}"
|
|
||||||
owner: "root"
|
|
||||||
group: "root"
|
|
||||||
mode: "u=rwx,g=rx,o="
|
|
||||||
|
|
||||||
- name: Configure acme.sh
|
|
||||||
become_user: "{{ acme_system_user }}"
|
|
||||||
command: >-
|
|
||||||
./acme.sh --install
|
|
||||||
--home {{ acme_installation_directory | quote }}
|
|
||||||
--config-home {{ acme_configuration_directory | quote }}
|
|
||||||
--cert-home {{ acme_internal_certificates_directory | quote }}
|
|
||||||
--accountemail {{ acme_account_mail | quote }}
|
|
||||||
args:
|
|
||||||
chdir: "{{ acme_source_directory }}"
|
|
||||||
creates: "{{ acme_installation_directory }}"
|
|
||||||
|
|
||||||
- name: Upgrade acme.sh
|
|
||||||
become_user: "{{ acme_system_user }}"
|
|
||||||
command: >-
|
|
||||||
./acme.sh --upgrade
|
|
||||||
--home {{ acme_installation_directory | quote }}
|
|
||||||
--config-home {{ acme_configuration_directory | quote }}
|
|
||||||
args:
|
|
||||||
chdir: "{{ acme_installation_directory }}"
|
|
||||||
register: acme_upgrade_results
|
|
||||||
changed_when: acme_upgrade_results.rc == 0 and "Upgrade success" in acme_upgrade_results.stdout
|
|
||||||
|
|
||||||
- name: Create directory for certificates
|
|
||||||
file:
|
|
||||||
path: "{{ acme_certificates_directory }}"
|
|
||||||
state: directory
|
|
||||||
owner: "{{ acme_system_user }}"
|
|
||||||
group: "{{ acme_system_user }}"
|
|
||||||
mode: "u=rwx,g=,o="
|
|
||||||
|
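Review bot: `mode: u=rw,g=r,o=r` on the "Configure certbot" task is the only unquoted mode left in this role; the tasks being removed quoted theirs (`"u=rwx,g=rx,o="`), and quoting keeps the value a string if someone later switches it to a numeric form such as 0644, which YAML would otherwise read as octal 420. I would write `mode: "u=rw,g=r,o=r"`. The new apt task installs certbot with `state: present` but no `update_cache`, so on a host whose package index is stale the install can fail on first run; `update_cache: true` together with a `cache_valid_time` would make it robust, unless an earlier task in the play already refreshes the cache (not visible in this hunk).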
@ -1,2 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
sudo -u {{ acme_system_user | quote }} {{ acme_helper_script | quote }} "$@";
|
|
@ -1,6 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
cd {{ acme_source_directory | quote }};
|
|
||||||
./acme.sh \
|
|
||||||
--home {{ acme_installation_directory | quote }} \
|
|
||||||
--config-home {{ acme_configuration_directory | quote }} \
|
|
||||||
"$@";
|
|
@ -0,0 +1,12 @@
|
|||||||
|
# Accept service terms
|
||||||
|
agree-tos
|
||||||
|
|
||||||
|
# Default RSA key size
|
||||||
|
rsa-key-size = {{ acme_rsa_key_size }}
|
||||||
|
|
||||||
|
# E-Mail Address for registration
|
||||||
|
email = {{ acme_account_mail }}
|
||||||
|
|
||||||
|
# Use webroot per default
|
||||||
|
authenticator = webroot
|
||||||
|
webroot-path = {{ acme_validation_root_directory }}
|
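Review bot: The new cli.ini template carries no header saying it is generated by Ansible and which role variables feed it, so an operator who hand-edits the file on the host will have the change silently overwritten on the next run. A first line such as `# Managed by Ansible (acme role): change the role defaults, not this file` would make that clear. `webroot-path = {{ acme_validation_root_directory }}` depends on a variable this role's defaults do not define (the cert defaults hunk notes it comes from the nginx role); a comment above that line naming where it is expected to come from would save the next reader a search when the template fails to render with an undefined variable.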
@ -1,9 +1,22 @@
|
|||||||
---
|
---
|
||||||
|
|
||||||
# domain
|
# at least one of domain or domains is required
|
||||||
|
domain: "{{ domains[0] }}"
|
||||||
|
domains:
|
||||||
|
- "{{ domain }}"
|
||||||
|
|
||||||
acme_certificate_prefix: "{{ acme_certificates_directory }}/{{ domain }}"
|
certificate_name: "{{ domain }}"
|
||||||
acme_fullchain_location: "{{ acme_certificate_prefix }}.crt"
|
|
||||||
acme_key_location: "{{ acme_certificate_prefix }}.key"
|
|
||||||
|
|
||||||
reload_command: "systemctl reload {{ global_nginx_service_name }}"
|
# acme_validation_root_directory from nginx/application
|
||||||
|
|
||||||
|
acme_certificate_directory: "{{ global_certbot_certificates_directory }}/{{ certificate_name }}"
|
||||||
|
acme_certificate_location: "{{ acme_certificate_directory }}/cert.pem"
|
||||||
|
acme_chain_location: "{{ acme_certificate_directory }}/chain.pem"
|
||||||
|
acme_fullchain_location: "{{ acme_certificate_directory }}/fullchain.pem"
|
||||||
|
acme_key_location: "{{ acme_certificate_directory }}/privkey.pem"
|
||||||
|
acme_keyfullchain_location: "{{ acme_certificate_directory }}/keyfullchain.pem"
|
||||||
|
|
||||||
|
# at maximun one of is used
|
||||||
|
reload_command: "systemctl reload-or-restart {{ global_nginx_service_name }}"
|
||||||
|
reload_commands:
|
||||||
|
- "{{ reload_command }}"
|
||||||
|
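Review bot: The comment `# at maximun one of is used` above `reload_command` is garbled; it should read `# at most one of reload_command / reload_commands is used` (since `reload_commands` defaults to wrapping `reload_command`, setting both means only `reload_commands` takes effect). The `# at least one of domain or domains is required` comment would also help more if it said why: `domain` defaults to `domains[0]` and `domains` defaults to `[domain]`, so leaving both unset does not produce that message but, as far as I can tell, a recursive-loop template error at run time. Spelling that out in the comment saves the next person from debugging the loop.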
@ -1,34 +1,16 @@
|
|||||||
---
|
---
|
||||||
|
|
||||||
- meta: flush_handlers
|
- name: Issue certificate for {{ domain }}
|
||||||
|
command:
|
||||||
- name: "Issue certificate for {{ domain }}"
|
cmd: >-
|
||||||
become_user: "{{ acme_system_user }}"
|
certbot certonly
|
||||||
command: >-
|
--non-interactive
|
||||||
./acme.sh --issue
|
--cert-name {{ certificate_name | quote }}
|
||||||
--home {{ acme_installation_directory | quote }}
|
--must-staple
|
||||||
--config-home {{ acme_configuration_directory | quote }}
|
--disable-hook-validation
|
||||||
--domain {{ domain | quote }}
|
--post-hook {{ ( '(' + (all_reload_commands | join(') && (')) + ')' ) | quote }}
|
||||||
--webroot {{ acme_validation_root_directory | quote }}
|
{% for d in domains %}
|
||||||
--ocsp-must-staple
|
--domain {{ d | quote }}
|
||||||
args:
|
{% endfor %}
|
||||||
chdir: "{{ acme_installation_directory }}"
|
creates: "{{ acme_certificate_location }}"
|
||||||
register: acme_issue_result
|
tags: cert_change
|
||||||
changed_when: acme_issue_result.rc != 2 or "Domains not changed" not in acme_issue_result.stdout
|
|
||||||
failed_when: acme_issue_result.rc != 0 and "Domains not changed" not in acme_issue_result.stdout
|
|
||||||
|
|
||||||
- name: "Install certificate for {{ domain }}"
|
|
||||||
become_user: "{{ acme_system_user }}"
|
|
||||||
command: >-
|
|
||||||
./acme.sh --install-cert
|
|
||||||
--home {{ acme_installation_directory | quote }}
|
|
||||||
--config-home {{ acme_configuration_directory | quote }}
|
|
||||||
--domain {{ domain | quote }}
|
|
||||||
--key-file {{ acme_key_location | quote }}
|
|
||||||
--fullchain-file {{ acme_fullchain_location | quote }}
|
|
||||||
--reloadcmd {{ reload_command | quote }}
|
|
||||||
args:
|
|
||||||
chdir: "{{ acme_installation_directory }}"
|
|
||||||
creates: "{{ acme_key_location }}"
|
|
||||||
register: acme_install_result
|
|
||||||
failed_when: acme_install_result.rc != 0 and "Reload error for" not in acme_install_result.stderr
|
|
||||||
|
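Review bot: `creates: "{{ acme_certificate_location }}"` skips the issue task as soon as cert.pem exists, so later edits to `domains` or the options passed here (for example `--must-staple`) are never applied to an existing lineage; the removed tasks handled re-runs through the "Domains not changed" checks on rc and stdout, and this hunk drops that without a replacement. Since `--non-interactive` and `--cert-name` are already given, dropping `creates` and adding `--keep-until-expiring` lets certbot itself decide that a matching, unexpired certificate needs no action while still picking up a changed domain list; pair it with `register: acme_issue_result` and a `changed_when` keyed on the message certbot prints in the no-action case (verify the exact wording against the installed certbot version). The `--post-hook` string is built from `all_reload_commands`, which is defined in another file of this commit, so the task's behaviour when that list is empty (`()` as the hook) is worth a quick check.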
@ -0,0 +1,5 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
required_reload_commands:
|
||||||
|
- "cat {{ acme_key_location | quote }} {{ acme_fullchain_location | quote }} > {{ acme_keyfullchain_location | quote }}"
|
||||||
|
all_reload_commands: "{{ required_reload_commands + reload_commands }}"
|