ansible-infra/roles/acme/tasks/challenge.yml

91 lines
3.2 KiB
YAML

- name: Create {{ domain_name }} certificates directory
file:
path: "{{ acme_certs_dir }}/{{ domain_name }}.d"
state: directory
owner: root
group: "{{ acme_ssl_group }}"
mode: "755"
tags: acme_install
- name: Generate Let's Encrypt account key
openssl_privatekey:
path: "{{ acme_accounts_dir }}/{{ acme_account_key }}"
owner: root
group: root
mode: "600"
type: RSA
size: 4096
tags: acme_account
- name: Generate Let's Encrypt private key for {{ domain_name }}
openssl_privatekey:
path: "{{ acme_keys_dir }}/{{ domain_name }}.pem"
owner: root
group: "{{ acme_ssl_group }}"
mode: "640"
type: RSA
size: 4096
- name: Generate Let's Encrypt CSR for {{ domain_name }}
openssl_csr:
path: "{{ acme_csr_dir }}/{{ domain_name }}.csr"
owner: root
group: "{{ acme_ssl_group }}"
mode: "644"
privatekey_path: "{{ acme_keys_dir }}/{{ domain_name }}.pem"
common_name: "{{ domain_name }}"
# - name: Check if Let's Encrypt certificate already exists for {{ domain_name }}
# stat:
# path: "{{ acme_certs_dir }}/{{ domain_name }}.d/cert.pem"
# register: _acme_cert_file
# - name: Check Let's Encrypt certificate expiration date for {{ domain_name }}
# openssl_certificate_info:
# path: "{{ acme_certs_dir }}/{{ domain_name }}.d/cert.pem"
# valid_at:
# thirty_days: "+30d"
# register: _acme_cert_validity
# when: _acme_cert_file.stat.isreg is defined and _acme_cert_file.stat.isreg
- name: Begin Let's Encrypt challenges for {{ domain_name }}
acme_certificate:
acme_directory: "{{ acme_directory }}"
acme_version: "{{ acme_version }}"
account_key_src: "{{ acme_accounts_dir }}/{{ acme_account_key }}"
account_email: "{{ acme_email }}"
terms_agreed: yes
challenge: http-01
csr: "{{ acme_csr_dir }}/{{ domain_name }}.csr"
dest: "{{ acme_certs_dir }}/{{ domain_name }}.d/cert.pem"
fullchain_dest: "{{ acme_certs_dir }}/{{ domain_name }}.d/fullchain.pem"
remaining_days: 30
register: _acme_challenge
# when: _acme_cert_validity is skipped or not _acme_cert_validity.valid_at.thirty_days
- debug:
var: _acme_challenge
# - name: Implement and complete Let's Encrypt challenge for {{ domain_name }}
# when: _acme_challenge is not skipped
# block:
# - name: Implement http-01 challenge files for {{ domain_name }}
# copy:
# content: "{{ _acme_challenge.challenge_data[domain_name]['http-01'].resource_value }}"
# dest: "{{ acme_challenge_dir }}/{{ _acme_challenge.challenge_data[domain_name]['http-01'].resource }}"
# owner: root
# group: root
# mode: "644"
# - name: Complete Let's Encrypt challenges for {{ domain_name }}
# acme_certificate:
# acme_directory: "{{ acme_directory }}"
# acme_version: "{{ acme_version }}"
# account_key_src: "{{ acme_accounts_dir }}/{{ acme_account_key }}"
# account_email: "{{ acme_email }}"
# challenge: http-01
# csr: "{{ acme_csr_dir }}/{{ domain_name }}.csr"
# dest: "{{ acme_certs_dir }}/{{ domain_name }}.d/cert.pem"
# chain_dest: "{{ acme_certs_dir }}/{{ domain_name }}.d/chain.pem"
# fullchain_dest: "{{ acme_certs_dir }}/{{ domain_name }}.d/fullchain.pem"
# data: "{{ _acme_challenge }}"