certbot(role): support DNS-01 certs using acme-dns
All checks were successful
/ Ansible Lint (push) Successful in 3m36s
All checks were successful
/ Ansible Lint (push) Successful in 3m36s
Introduce new configuration structure called certbot__certs, which allows for different challenge types per cert with the first challenge type supported being dns-01-acme-dns.
This commit is contained in:
parent
21f51ea2d7
commit
8bf6dfbefb
SSH key fingerprint:
SHA256:o9EAq4Y9N9K0pBQeBTqhSDrND5E7oB+60ZNx0U1yPe0
9 changed files with 188 additions and 18 deletions
|
|
@ -1,24 +1,46 @@
|
|||
- name: get expiry date before
|
||||
ansible.builtin.command: /usr/bin/openssl x509 -enddate -noout -in /etc/letsencrypt/live/{{ item }}/fullchain.pem
|
||||
ansible.builtin.command: /usr/bin/openssl x509 -enddate -noout -in /etc/letsencrypt/live/{{ item.commonName }}/fullchain.pem
|
||||
ignore_errors: true
|
||||
become: true
|
||||
changed_when: false
|
||||
register: certbot__cert_expiry_before
|
||||
|
||||
- name: obtain the certificate using certbot
|
||||
ansible.builtin.command: /usr/bin/certbot certonly --keep-until-expiring --agree-tos --non-interactive --email "{{ certbot__acme_account_email_address }}" --no-eff-email --standalone --http-01-port "{{ certbot__http_01_port }}" -d "{{ item }}"
|
||||
- name: ensure directory for cert configs exists
|
||||
ansible.builtin.file:
|
||||
path: "/etc/ansible_certbot/cert_configs/"
|
||||
state: directory
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0750"
|
||||
become: true
|
||||
|
||||
- name: ensure cert config is stored
|
||||
ansible.builtin.copy:
|
||||
content: "{{ cert_config_defaults[item.challengeType] | combine(item, recursive=True) | ansible.builtin.to_nice_json }}"
|
||||
dest: "/etc/ansible_certbot/cert_configs/{{ item.commonName }}.json"
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0640"
|
||||
become: true
|
||||
vars:
|
||||
cert_config_defaults:
|
||||
dns-01-acme-dns:
|
||||
dns_01_acme_dns:
|
||||
serverUrl: "https://acmedns.hamburg.ccc.de"
|
||||
|
||||
# # https://eff-certbot.readthedocs.io/en/stable/using.html#manual
|
||||
- name: obtain the certificate using certbot and the manual auth hook
|
||||
ansible.builtin.command: /usr/bin/certbot certonly --keep-until-expiring --agree-tos --non-interactive --email "{{ certbot__acme_account_email_address }}" --no-eff-email --manual --preferred-challenge dns --manual-auth-hook "/usr/local/lib/ansible_certbot/manual_auth_scripts/{{ item.challengeType }}.sh" -d "{{ item.commonName }}"
|
||||
become: true
|
||||
changed_when: false
|
||||
|
||||
- name: get expiry date after
|
||||
ansible.builtin.command: /usr/bin/openssl x509 -enddate -noout -in /etc/letsencrypt/live/{{ item }}/fullchain.pem
|
||||
ansible.builtin.command: /usr/bin/openssl x509 -enddate -noout -in /etc/letsencrypt/live/{{ item.commonName }}/fullchain.pem
|
||||
become: true
|
||||
changed_when: false
|
||||
register: certbot__cert_expiry_after
|
||||
|
||||
# Doesn't work anymore. Dunno why.
|
||||
# TODO: Fix
|
||||
# - name: potentially report changed
|
||||
# ansible.builtin.debug:
|
||||
# msg: "If this reports changed, then the certificate expiry date and therefore the certificate changed."
|
||||
# changed_when: certbot__cert_expiry_before.stdout != certbot__cert_expiry_after.stdout
|
||||
- name: potentially report changed
|
||||
ansible.builtin.debug:
|
||||
msg: "If this reports changed, then the certificate expiry date and therefore the certificate changed."
|
||||
changed_when: certbot__cert_expiry_before.stdout != certbot__cert_expiry_after.stdout
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue