acme script read the domains from config file

This commit is contained in:
HgO
2020-12-25 18:41:34 +01:00
parent f18368fc6f
commit 646bfc463d
7 changed files with 426 additions and 303 deletions


@@ -1,74 +0,0 @@
- name: Create {{ domain_name }} certificates directory
file:
path: "{{ acme_certs_dir }}/{{ domain_name }}.d"
state: directory
owner: root
group: "{{ acme_ssl_group }}"
mode: "755"
tags: acme_install
- name: Generate Let's Encrypt account key
openssl_privatekey:
path: "{{ acme_accounts_dir }}/{{ acme_account_key }}"
owner: root
group: root
mode: "600"
type: RSA
size: 4096
tags: acme_account
- name: Generate Let's Encrypt private key for {{ domain_name }}
openssl_privatekey:
path: "{{ acme_keys_dir }}/{{ domain_name }}.pem"
owner: root
group: "{{ acme_ssl_group }}"
mode: "640"
type: RSA
size: 4096
- name: Generate Let's Encrypt CSR for {{ domain_name }}
openssl_csr:
path: "{{ acme_csr_dir }}/{{ domain_name }}.csr"
owner: root
group: "{{ acme_ssl_group }}"
mode: "644"
privatekey_path: "{{ acme_keys_dir }}/{{ domain_name }}.pem"
common_name: "{{ domain_name }}"
- name: Begin Let's Encrypt challenges for {{ domain_name }}
acme_certificate:
acme_directory: "{{ acme_directory }}"
acme_version: "{{ acme_version }}"
account_key_src: "{{ acme_accounts_dir }}/{{ acme_account_key }}"
account_email: "{{ acme_email }}"
terms_agreed: yes
challenge: http-01
csr: "{{ acme_csr_dir }}/{{ domain_name }}.csr"
dest: "{{ acme_certs_dir }}/{{ domain_name }}.d/cert.pem"
fullchain_dest: "{{ acme_certs_dir }}/{{ domain_name }}.d/fullchain.pem"
remaining_days: 30
register: _acme_challenge
- name: Implement and complete Let's Encrypt challenge for {{ domain_name }}
when: _acme_challenge is changed
block:
- name: Implement http-01 challenge files for {{ domain_name }}
copy:
content: "{{ _acme_challenge.challenge_data[domain_name]['http-01'].resource_value }}"
dest: "{{ acme_challenge_dir }}/{{ _acme_challenge.challenge_data[domain_name]['http-01'].resource }}"
owner: root
group: root
mode: "644"
- name: Complete Let's Encrypt challenges for {{ domain_name }}
acme_certificate:
acme_directory: "{{ acme_directory }}"
acme_version: "{{ acme_version }}"
account_key_src: "{{ acme_accounts_dir }}/{{ acme_account_key }}"
account_email: "{{ acme_email }}"
challenge: http-01
csr: "{{ acme_csr_dir }}/{{ domain_name }}.csr"
dest: "{{ acme_certs_dir }}/{{ domain_name }}.d/cert.pem"
chain_dest: "{{ acme_certs_dir }}/{{ domain_name }}.d/chain.pem"
fullchain_dest: "{{ acme_certs_dir }}/{{ domain_name }}.d/fullchain.pem"
data: "{{ _acme_challenge }}"


@@ -1,48 +1,59 @@
- name: Install ACME dependencies
package:
name: python3-acme
name: "{{ package }}"
state: present
loop: "{{ acme_packages }}"
loop_control:
loop_var: package
tags: acme_install
- name: Install SSL dependencies
package:
name: ssl-cert
state: present
tags: acme_install
- name: Create Let's Encrypt config directories
- name: Create ACME config directories
file:
path: "{{ config_dir }}"
state: directory
owner: root
group: "{{ acme_ssl_group }}"
mode: "711"
group: root
mode: "755"
loop:
- "{{ acme_config_dir }}"
- "{{ acme_keys_dir }}"
- "{{ acme_accounts_dir }}"
- "{{ acme_csr_dir }}"
- "{{ acme_config_dir }}"
- "{{ acme_certs_dir }}"
- "{{ acme_csr_dir }}"
loop_control:
loop_var: config_dir
tags: acme_install
- name: Create challenge directory
- name: Create ACME private keys directory
file:
path: "{{ acme_challenge_dir }}/.well-known/acme-challenge"
path: "{{ acme_keys_dir }}"
state: directory
owner: root
group: "{{ acme_ssl_group }}"
mode: "640"
tags: acme_install
- name: Create ACME accounts directory
file:
path: "{{ acme_accounts_dir }}"
state: directory
owner: root
group: root
mode: "755"
mode: "640"
tags: acme_install
- name: Perform ACME challenge for each domain
include_tasks:
file: acme_challenge.yml
apply:
tags: acme_challenge
loop: "{{ acme_domains | unique }}"
loop_control:
loop_var: domain_name
tags: acme_challenge
- name: Copy ACME config file
copy:
content: "{{ acme_config | to_nice_yaml(indent=2) }}"
dest: "{{ acme_config_file }}"
owner: root
group: root
mode: "600"
tags: [acme_install, acme_config]
- name: Create directory for certificate renewal tool
file:
@@ -51,31 +62,38 @@
group: root
mode: "755"
state: directory
tags: acme_renew
tags: acme_install
- name: Copy script to renew ACME certificates
copy:
src: acme_renew_cert.py
dest: /opt/acme/acme_renew_cert.py
dest: "{{ acme_script_dir }}/acme_renew_cert.py"
owner: root
group: root
mode: "755"
tags: acme_renew
tags: acme_install
- name: Create '{{ acme_script_bin }}' symlink for ACME renewal script
file:
src: "{{ acme_script_dir }}/acme_renew_cert.py"
dest: "{{ acme_script_bin }}"
state: link
owner: root
group: root
mode: "755"
tags: acme_install
- name: Perform ACME challenge for each domain
command: acme-renew-cert -v -c {{ acme_config_file | quote }}
tags: acme_challenge
- name: Setup cron job for ACME certificates renewal of {{ domain_name }}
cron:
name: acme renew {{ domain_name }} cert
job: >-
bash -c 'sleep $((RANDOM \% 3600))' && /opt/acme/acme_renew_cert.py {{ domain_name }} -q
-a {{ (acme_accounts_dir + '/' + acme_account_key) | quote }}
-p {{ acme_keys_dir | quote }}/{domain}.pem
-r {{ acme_csr_dir | quote }}/{domain}.csr
-o {{ acme_certs_dir | quote }}/{domain}.d
-c {{ acme_challenge_dir | quote }}/.well-known/acme-challenge
user: root
name: acme-renew-cert
cron_file: acme-renew-cert
job: "{{ acme_script_bin }} -q {{ acme_config_file | quote }}"
minute: "30"
hour: "2"
state: present
loop: "{{ acme_domains | unique }}"
loop_control:
loop_var: domain_name
tags: acme_renew
tags: acme_cron
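Review bot: The two new invocations of the renewal script disagree on how the config file is passed: the `command:` task in the second hunk runs `acme-renew-cert -v -c {{ acme_config_file | quote }}`, while the cron `job:` runs `{{ acme_script_bin }} -q {{ acme_config_file | quote }}` with no `-c`; unless acme_renew_cert.py accepts the path both positionally and via `-c` (the script is among the changed files but not shown here), one of them fails, and the cron one fails unattended at 02:30, so align them, e.g. `job: "{{ acme_script_bin }} -q -c {{ acme_config_file | quote }}"`. The removed cron job front-loaded `sleep $((RANDOM \% 3600))` so hosts did not all contact the ACME directory at the same minute; the new job drops that jitter, which is worth restoring in the job or inside the script. The `command:` task has no `changed_when` or `creates`, so the play reports changed on every run even when no certificate was renewed. Separately, the new `Create ACME private keys directory` task in the first hunk appears to set `mode: "640"` on a directory, which has no search bit, so members of acme_ssl_group cannot reach the group-readable keys placed beneath it; `"750"` is probably what was intended, and the accounts directory looks to get the same `"640"`.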