public_git
/
ansibleguy.infra_certs
mirror of https://github.com/ansibleguy/infra_certs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

updates to letsencrypt multi-cert processing

This commit is contained in:
AnsibleGuy 2022-08-16 17:07:06 +02:00
parent cae577866e
commit 54d52cee98
3 changed files with 11 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
defaults/main.yml
View File

@ -62,6 +62,7 @@ defaults_certs:
verbosity: 'v' verbosity: 'v'
certs: {} # see 'default_le_certbot_cert' below certs: {} # see 'default_le_certbot_cert' below
renew: false # if a renewal should be started by the role; the renewal service will auto-renew the certificates otherwise renew: false # if a renewal should be started by the role; the renewal service will auto-renew the certificates otherwise
email:
ca: ca:
path: path:
@ -87,8 +88,9 @@ CERT_CONFIG: "{{ defaults_certs | combine(certs, recursive=true) }}"
default_le_certbot_cert: default_le_certbot_cert:
domains: [] domains: []
state: 'present' key_size: "{{ CERT_CONFIG.letsencrypt.key_size | default(CERT_CONFIG.cert.key_size, true) }}"
email: state: "{{ CERT_CONFIG.letsencrypt.state | default('present', true) }}"
email: "{{ CERT_CONFIG.letsencrypt.email }}"
# letsencrypt example: # letsencrypt example:
#certs: #certs:

4
tasks/debian/letsencrypt/cert.yml
View File

@ -23,7 +23,7 @@
msg: "certbot certonly --non-interactive --agree-tos --no-redirect{% if debug or testing %} --staging{% endif %} msg: "certbot certonly --non-interactive --agree-tos --no-redirect{% if debug or testing %} --staging{% endif %}
--{{ CERT_CONFIG.letsencrypt.service }} --cert-name {{ le_name }} --{{ CERT_CONFIG.letsencrypt.service }} --cert-name {{ le_name }}
-{{ CERT_CONFIG.letsencrypt.verbosity }} -{{ CERT_CONFIG.letsencrypt.verbosity }}
--rsa-key-size {{ le_cert.key_size | default(CERT_CONFIG.cert.key_size, true) }} --rsa-key-size {{ le_cert.key_size }}
--config-dir {{ CERT_CONFIG.letsencrypt.path }} --config-dir {{ CERT_CONFIG.letsencrypt.path }}
{% for domain in le_cert.domains %}{% if domain | valid_hostname %}--domain {{ domain }} {% endif %}{% endfor %} {% for domain in le_cert.domains %}{% if domain | valid_hostname %}--domain {{ domain }} {% endif %}{% endfor %}
{% if le_cert.email is not none %}--email {{ le_cert.email }} {% else %}--email {{ CERT_CONFIG.cert.email }} {% endif %}" {% if le_cert.email is not none %}--email {{ le_cert.email }} {% else %}--email {{ CERT_CONFIG.cert.email }} {% endif %}"
@ -33,7 +33,7 @@
ansible.builtin.command: "certbot certonly --non-interactive --agree-tos --no-redirect{% if debug or testing %} --staging{% endif %} ansible.builtin.command: "certbot certonly --non-interactive --agree-tos --no-redirect{% if debug or testing %} --staging{% endif %}
--{{ CERT_CONFIG.letsencrypt.service }} --cert-name {{ le_name }} --{{ CERT_CONFIG.letsencrypt.service }} --cert-name {{ le_name }}
-{{ CERT_CONFIG.letsencrypt.verbosity }} -{{ CERT_CONFIG.letsencrypt.verbosity }}
--rsa-key-size {{ le_cert.key_size | default(CERT_CONFIG.cert.key_size, true) }} --rsa-key-size {{ le_cert.key_size }}
--config-dir {{ CERT_CONFIG.letsencrypt.path }} --config-dir {{ CERT_CONFIG.letsencrypt.path }}
{% for domain in le_cert.domains %}{% if domain | valid_hostname %}--domain {{ domain }} {% endif %}{% endfor %} {% for domain in le_cert.domains %}{% if domain | valid_hostname %}--domain {{ domain }} {% endif %}{% endfor %}
{% if le_cert.email is not none %}--email {{ le_cert.email }} {% else %}--email {{ CERT_CONFIG.cert.email }} {% endif %}" {% if le_cert.email is not none %}--email {{ le_cert.email }} {% else %}--email {{ CERT_CONFIG.cert.email }} {% endif %}"

8
tasks/debian/letsencrypt/main.yml
View File

@ -4,8 +4,8 @@
ansible.builtin.assert: ansible.builtin.assert:
that: that:
- CERT_CONFIG.letsencrypt.certs | length > 0 - CERT_CONFIG.letsencrypt.certs | length > 0
- CERT_CONFIG.letsencrypt.service | default(none, true) is not none - CERT_CONFIG.letsencrypt.service | default(false, true)
- CERT_CONFIG.letsencrypt.email | default(none, true) is not none or CERT_CONFIG.letsencrypt.certs|check_email - CERT_CONFIG.letsencrypt.email | default(false, true) or CERT_CONFIG.letsencrypt.certs | check_email
- "CERT_CONFIG.letsencrypt.service in ['apache', 'nginx']" - "CERT_CONFIG.letsencrypt.service in ['apache', 'nginx']"
- name: Certificates | Debian | LetsEncrypt Certbot | Configure for Apache2 - name: Certificates | Debian | LetsEncrypt Certbot | Configure for Apache2
@ -16,11 +16,12 @@
ansible.builtin.import_tasks: nginx.yml ansible.builtin.import_tasks: nginx.yml
when: CERT_CONFIG.letsencrypt.service == 'nginx' when: CERT_CONFIG.letsencrypt.service == 'nginx'
- name: Certificates | Debian | LetsEncrypt Certbot | Pulling existing certs - name: Certificates | Debian | LetsEncrypt Certbot | Pulling existing certs (this can take some time)
ansible.builtin.command: "certbot certificates --config-dir {{ CERT_CONFIG.letsencrypt.path }}{% if debug or testing %} --staging{% endif %}" ansible.builtin.command: "certbot certificates --config-dir {{ CERT_CONFIG.letsencrypt.path }}{% if debug or testing %} --staging{% endif %}"
register: existing_certs_raw register: existing_certs_raw
changed_when: false changed_when: false
check_mode: false check_mode: false
timeout: 120
- name: Certificates | Debian | LetsEncrypt Certbot | Existing certificates - name: Certificates | Debian | LetsEncrypt Certbot | Existing certificates
ansible.builtin.debug: ansible.builtin.debug:
@ -95,6 +96,7 @@
enabled: yes enabled: yes
state: started state: started
# Renew all previously obtained certificates that are near expiry
- name: Certificates | Debian | LetsEncrypt Certbot | Running renewal - name: Certificates | Debian | LetsEncrypt Certbot | Running renewal
ansible.builtin.command: "certbot renew --force-renewal{% if debug or testing %} --staging{% endif %}" ansible.builtin.command: "certbot renew --force-renewal{% if debug or testing %} --staging{% endif %}"
when: CERT_CONFIG.letsencrypt.renew when: CERT_CONFIG.letsencrypt.renew