certbot(role): support DNS-01 certs using acme-dns

Introduce new configuration structure called certbot__certs, which allows for different challenge types per cert with the first challenge type supported being dns-01-acme-dns.
2026-03-31 16:48:00 +02:00 · 2026-03-31 16:48:00 +02:00 · 8bf6dfbefb
commit 8bf6dfbefb
parent 21f51ea2d7
9 changed files with 188 additions and 18 deletions
--- a/roles/certbot/tasks/main/cert.yaml
+++ b/roles/certbot/tasks/main/cert.yaml
@ -1,24 +1,46 @@
 - name: get expiry date before
-  ansible.builtin.command: /usr/bin/openssl x509 -enddate -noout -in /etc/letsencrypt/live/{{ item }}/fullchain.pem
+  ansible.builtin.command: /usr/bin/openssl x509 -enddate -noout -in /etc/letsencrypt/live/{{ item.commonName }}/fullchain.pem
  ignore_errors: true
  become: true
  changed_when: false
  register: certbot__cert_expiry_before

- name: obtain the certificate using certbot
-  ansible.builtin.command: /usr/bin/certbot certonly --keep-until-expiring --agree-tos --non-interactive --email "{{ certbot__acme_account_email_address }}" --no-eff-email --standalone --http-01-port "{{ certbot__http_01_port }}" -d "{{ item }}"
+- name: ensure directory for cert configs exists
+  ansible.builtin.file:
+    path: "/etc/ansible_certbot/cert_configs/"
+    state: directory
+    owner: root
+    group: root
+    mode: "0750"
+  become: true
+
+- name: ensure cert config is stored
+  ansible.builtin.copy:
+    content: "{{ cert_config_defaults[item.challengeType] | combine(item, recursive=True) | ansible.builtin.to_nice_json }}"
+    dest: "/etc/ansible_certbot/cert_configs/{{ item.commonName }}.json"
+    owner: root
+    group: root
+    mode: "0640"
+  become: true
+  vars:
+    cert_config_defaults:
+      dns-01-acme-dns:
+        dns_01_acme_dns:
+          serverUrl: "https://acmedns.hamburg.ccc.de"
+
+# # https://eff-certbot.readthedocs.io/en/stable/using.html#manual
+- name: obtain the certificate using certbot and the manual auth hook
+  ansible.builtin.command: /usr/bin/certbot certonly --keep-until-expiring --agree-tos --non-interactive --email "{{ certbot__acme_account_email_address }}" --no-eff-email --manual --preferred-challenge dns --manual-auth-hook "/usr/local/lib/ansible_certbot/manual_auth_scripts/{{ item.challengeType }}.sh" -d "{{ item.commonName }}"
  become: true
  changed_when: false

 - name: get expiry date after
-  ansible.builtin.command: /usr/bin/openssl x509 -enddate -noout -in /etc/letsencrypt/live/{{ item }}/fullchain.pem
+  ansible.builtin.command: /usr/bin/openssl x509 -enddate -noout -in /etc/letsencrypt/live/{{ item.commonName }}/fullchain.pem
  become: true
  changed_when: false
  register: certbot__cert_expiry_after

-# Doesn't work anymore. Dunno why.
-# TODO: Fix
-# - name: potentially report changed
-#   ansible.builtin.debug:
-#     msg: "If this reports changed, then the certificate expiry date and therefore the certificate changed."
-#   changed_when: certbot__cert_expiry_before.stdout != certbot__cert_expiry_after.stdout
+- name: potentially report changed
+  ansible.builtin.debug:
+    msg: "If this reports changed, then the certificate expiry date and therefore the certificate changed."
+  changed_when: certbot__cert_expiry_before.stdout != certbot__cert_expiry_after.stdout
--- a/roles/certbot/tasks/main/certs.yaml
+++ b/roles/certbot/tasks/main/certs.yaml
@ -1,4 +1,14 @@
- name: obtain certificates
+- name: obtain http-01 challenge certificates
  loop: "{{ certbot__certificate_domains }}"
+  ansible.builtin.include_tasks:
+    file: main/http_01_cert.yaml
+
+- name: validate certs config
+  loop: "{{ certbot__certs }}"
+  ansible.builtin.include_tasks:
+    file: main/validate_cert.yaml
+
+- name: obtain certs
+  loop: "{{ certbot__certs }}"
  ansible.builtin.include_tasks:
    file: main/cert.yaml
--- a/roles/certbot/tasks/main/http_01_cert.yaml
+++ b/roles/certbot/tasks/main/http_01_cert.yaml
@ -0,0 +1,24 @@
+- name: get expiry date before
+  ansible.builtin.command: /usr/bin/openssl x509 -enddate -noout -in /etc/letsencrypt/live/{{ item }}/fullchain.pem
+  ignore_errors: true
+  become: true
+  changed_when: false
+  register: certbot__cert_expiry_before
+
+- name: obtain the certificate using certbot
+  ansible.builtin.command: /usr/bin/certbot certonly --keep-until-expiring --agree-tos --non-interactive --email "{{ certbot__acme_account_email_address }}" --no-eff-email --standalone --http-01-port "{{ certbot__http_01_port }}" -d "{{ item }}"
+  become: true
+  changed_when: false
+
+- name: get expiry date after
+  ansible.builtin.command: /usr/bin/openssl x509 -enddate -noout -in /etc/letsencrypt/live/{{ item }}/fullchain.pem
+  become: true
+  changed_when: false
+  register: certbot__cert_expiry_after
+
+# Doesn't work anymore. Dunno why.
+# TODO: Fix
+# - name: potentially report changed
+#   ansible.builtin.debug:
+#     msg: "If this reports changed, then the certificate expiry date and therefore the certificate changed."
+#   changed_when: certbot__cert_expiry_before.stdout != certbot__cert_expiry_after.stdout
--- a/roles/certbot/tasks/main/install.yaml
+++ b/roles/certbot/tasks/main/install.yaml
@ -1,11 +1,30 @@
- name: make sure the `openssl` package is installed
+- name: ensure relevant packages are installed
  ansible.builtin.apt:
-    name: openssl
+    name:
+      - openssl
+      - certbot
+      - jq
    state: present
  become: true

- name: make sure the `certbot` package is installed
-  ansible.builtin.apt:
-    name: certbot
-    state: present
-  become: true
+- name: ensure manual auth scripts are deployed
+  block:
+    - name: ensure manual auth scripts directory exists
+      ansible.builtin.file:
+        path: "/usr/local/lib/ansible_certbot/manual_auth_scripts"
+        state: directory
+        owner: root
+        group: root
+        mode: "0755"
+      become: true
+
+    - name: ensure manual auth scripts are deployed
+      ansible.builtin.copy:
+        src: "manual_auth_scripts/{{ item }}.sh"
+        dest: "/usr/local/lib/ansible_certbot/manual_auth_scripts/{{ item }}.sh"
+        owner: root
+        group: root
+        mode: "0754"
+      become: true
+      loop:
+        - "dns-01-acme-dns"
--- a/roles/certbot/tasks/main/validate_cert.yaml
+++ b/roles/certbot/tasks/main/validate_cert.yaml
@ -0,0 +1,31 @@
+- name: validate dns-01-acme-dns challenge type config
+  when: item.challengeType == "dns-01-acme-dns"
+  block:
+    - name: assert dns_01_acme_dns config exists
+      ansible.builtin.assert:
+        that: item.dns_01_acme_dns is defined
+
+    - name: assert dns_01_acme_dns config is valid
+      ansible.builtin.validate_argument_spec:
+        argument_spec: "{{ required_data }}"
+        provided_arguments:
+          dns_01_acme_dns: "{{ item.dns_01_acme_dns }}"
+      vars:
+        required_data:
+          dns_01_acme_dns:
+            type: dict
+            required: true
+            options:
+              serverUrl:
+                type: str
+                required: false
+                default: https://acmedns.hamburg.ccc.de
+              subdomain:
+                type: str
+                required: true
+              apiUser:
+                type: str
+                required: true
+              apiKey:
+                type: str
+                required: true