Use BIND 9 server instead of Cloudfl. for DNS-01 challenge via nsupdate
Co-authored-by: Jannik Beyerstedt <code@jannikbeyerstedt.de>
parent
4814ea8bda
commit
aac049efb2
24
playbooks/roles/cert/README.md
Normal file
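--- /dev/null
+++ b/playbooks/roles/cert/README.md
@@ -0,0 +1,24 @@
+# Role `cert`
+
+A role for ordering and renewing certificates from Lets Encrypt via ACME.
+It uses the DNS challenge and fullfills it via a BIND 9 server given to the role.
+
+## Supported Distributions
+
+The following distributions are supported:
+
+- Debian 11
+
+## Required Arguments
+
+For the required arguments look at the [`argument_specs.yaml`](./meta/argument_specs.yml)
+
+## `hosts`
+
+The `hosts` for this role need to be the machines on which you want to have the certificates.
+
+## Links & Resources
+
+- <https://docs.ansible.com/ansible/7/collections/community/crypto/acme_certificate_module.html>
+- <https://docs.ansible.com/ansible/7/collections/community/crypto/openssl_privatekey_module.html>
+- <https://docs.ansible.com/ansible/7/collections/community/crypto/openssl_csr_module.html>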
@ -22,16 +22,11 @@ argument_specs:
|
||||||
description: E-Mail address for ACME account
|
description: E-Mail address for ACME account
|
||||||
required: true
|
required: true
|
||||||
type: str
|
type: str
|
||||||
cert__cloudflare_dns:
|
cert__bind_9_host:
|
||||||
description: Cloudflare DNS API details
|
description: The machine running BIND 9.
|
||||||
required: true
|
required: true
|
||||||
type: dict
|
type: str
|
||||||
options:
|
cert__bind_9_zone:
|
||||||
api_token:
|
description: The zone to use for publishing the TXT record.
|
||||||
description: Cloudflare API token
|
required: true
|
||||||
required: true
|
type: str
|
||||||
type: str
|
|
||||||
zone:
|
|
||||||
description: DNS zone the domain is in
|
|
||||||
required: true
|
|
||||||
type: str
|
|
||||||
|
|
|
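Review bot: `cert__bind_9_zone` is a single string, while the tasks that consume it look up `cert__acme_challenge.challenge_data[item]['dns-01']` per requested name, so a certificate whose names span more than one zone would presumably have every TXT record sent to this one zone and the update refused or misplaced; either state that limitation in the description or turn the argument into a per-domain mapping. The `cert__bind_9_host` description could also say what the role expects of that machine, because the tasks execute `/usr/bin/nsupdate -l` there from a file under `/root`, e.g. `description: Inventory host running BIND 9; nsupdate is executed there with the local session key (-l), so the zone must permit updates for it.` Both options sit inside the `argument_specs` options mapping whose header is outside the hunk.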
@ -74,17 +74,22 @@
|
||||||
- name: Retrieve certificate and fulfill challenge if needed # noqa no-handler
|
- name: Retrieve certificate and fulfill challenge if needed # noqa no-handler
|
||||||
when: cert__acme_challenge.changed # Can't be put in a handler, because then the block "always" tasks won't be executed for some reason
|
when: cert__acme_challenge.changed # Can't be put in a handler, because then the block "always" tasks won't be executed for some reason
|
||||||
block:
|
block:
|
||||||
- name: Set DNS record via Cloudflare API to fulfill the challenge
|
- name: Add file containing nsupdate commands for adding TXT record for DNS-01 challenge
|
||||||
when: not cert__acme_challenge.authorizations[item].status == "valid"
|
ansible.builtin.template:
|
||||||
community.general.cloudflare_dns:
|
src: nsupdate_add_txt_record.j2
|
||||||
api_token: "{{ cert__cloudflare_dns.api_token }}"
|
dest: /root/nsupdate_add_txt_record
|
||||||
zone: "{{ cert__cloudflare_dns.zone }}"
|
owner: root
|
||||||
record: "{{ cert__acme_challenge.challenge_data[item]['dns-01'].record }}"
|
group: root
|
||||||
value: "{{ cert__acme_challenge.challenge_data[item]['dns-01'].resource_value }}"
|
mode: "0600"
|
||||||
type: TXT
|
vars:
|
||||||
ttl: 60
|
cert__nsupdate_domain: "{{ cert__acme_challenge.challenge_data[item]['dns-01'].record }}"
|
||||||
solo: true
|
cert__nsupdate_txt_data: "{{ cert__acme_challenge.challenge_data[item]['dns-01'].resource_value }}"
|
||||||
state: present
|
delegate_to: "{{ cert__bind_9_host }}"
|
||||||
|
|
||||||
|
- name: Add DNS record to BIND 9 server via nsupdate # noqa: no-changed-when
|
||||||
|
ansible.builtin.command: /usr/bin/nsupdate -l /root/nsupdate_add_txt_record
|
||||||
|
delegate_to: "{{ cert__bind_9_host }}"
|
||||||
|
|
||||||
- name: Retrieve certificate
|
- name: Retrieve certificate
|
||||||
community.crypto.acme_certificate:
|
community.crypto.acme_certificate:
|
||||||
account_email: "{{ cert__acme_account_email }}"
|
account_email: "{{ cert__acme_account_email }}"
|
||||||
|
@ -101,16 +106,35 @@
|
||||||
become: true
|
become: true
|
||||||
notify: "{{ cert__handlers }}"
|
notify: "{{ cert__handlers }}"
|
||||||
always:
|
always:
|
||||||
- name: Ensure DNS record is removed
|
- name: Remove file containing nsupdate commands for adding TXT record again
|
||||||
when: not cert__acme_challenge.authorizations[item].status == "valid"
|
ansible.builtin.file:
|
||||||
community.general.cloudflare_dns:
|
path: /root/nsupdate_add_txt_record
|
||||||
api_token: "{{ cert__cloudflare_dns.api_token }}"
|
|
||||||
zone: "{{ cert__cloudflare_dns.zone }}"
|
|
||||||
record: "{{ cert__acme_challenge.challenge_data[item]['dns-01'].record }}"
|
|
||||||
value: "{{ cert__acme_challenge.challenge_data[item]['dns-01'].resource_value }}"
|
|
||||||
type: TXT
|
|
||||||
ttl: 60
|
|
||||||
state: absent
|
state: absent
|
||||||
|
delegate_to: "{{ cert__bind_9_host }}"
|
||||||
|
|
||||||
|
- name: Remove TXT record again
|
||||||
|
block:
|
||||||
|
- name: Add file containing nsupdate commands for deleting TXT record for DNS-01 challenge
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: nsupdate_delete_txt_record.j2
|
||||||
|
dest: /root/nsupdate_delete_txt_record
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0600"
|
||||||
|
vars:
|
||||||
|
cert__nsupdate_domain: "{{ cert__acme_challenge.challenge_data[item]['dns-01'].record }}"
|
||||||
|
cert__nsupdate_txt_data: "{{ cert__acme_challenge.challenge_data[item]['dns-01'].resource_value }}"
|
||||||
|
delegate_to: "{{ cert__bind_9_host }}"
|
||||||
|
|
||||||
|
- name: Remove DNS record from BIND 9 server via nsupdate # noqa: no-changed-when
|
||||||
|
ansible.builtin.command: /usr/bin/nsupdate -l /root/nsupdate_delete_txt_record
|
||||||
|
delegate_to: "{{ cert__bind_9_host }}"
|
||||||
|
always:
|
||||||
|
- name: Remove file containing nsupdate commands for deleting TXT record again
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: /root/nsupdate_delete_txt_record
|
||||||
|
state: absent
|
||||||
|
delegate_to: "{{ cert__bind_9_host }}"
|
||||||
|
|
||||||
- name: Ensure correct permissions for certificate are set
|
- name: Ensure correct permissions for certificate are set
|
||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
|
|
|
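Review bot: The new template task `Add file containing nsupdate commands for adding TXT record for DNS-01 challenge` (and its delete counterpart in the second hunk) dropped the `when: not cert__acme_challenge.authorizations[item].status == "valid"` guard that the replaced Cloudflare tasks carried, yet both still read `cert__acme_challenge.challenge_data[item]['dns-01']`; if acme_certificate omits challenge_data for an authorization that is already valid, the template fails on an undefined key, and even when it does not, a needless TXT record is pushed to the zone. Restoring the guard on the add and delete tasks limits the nsupdate round-trip to authorizations that actually need it. Separately, `/root/nsupdate_add_txt_record` and `/root/nsupdate_delete_txt_record` are fixed paths on the delegated BIND host, so several certificate hosts in one play delegating to the same server could overwrite each other's file, and the `always` cleanup of one host could remove it before the other's nsupdate runs; a per-host name such as `dest: "/root/nsupdate_add_txt_record_{{ inventory_hostname }}"` (mirrored in the command and cleanup paths) avoids that, with `mode: "0600"` already keeping the rendered file private to root. The enclosing block and the loop supplying `item` start outside the hunks.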
@ -0,0 +1,4 @@
|
||||||
|
debug
|
||||||
|
zone {{ cert__bind_9_zone }}
|
||||||
|
update add {{ cert__nsupdate_domain }} 60 TXT {{ cert__nsupdate_txt_data }}
|
||||||
|
send
|
|
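Review bot: The TXT rdata on the `update add` line is inserted unquoted, which nsupdate accepts only because the ACME key-authorization digest is base64url text with no whitespace or quotes; writing it as `update add {{ cert__nsupdate_domain }} 60 TXT "{{ cert__nsupdate_txt_data }}"` makes that assumption explicit and matches the zone-file form, and the same applies to the `update delete` line in nsupdate_delete_txt_record.j2, where the `60` TTL is ignored by nsupdate for deletions and can be dropped. The leading `debug` makes nsupdate echo the complete update message to stdout, which Ansible keeps in the command task's result; the value is not a secret (it is published in DNS anyway), but a `{# debug: print the update message for troubleshooting; safe to remove once stable #}` line would record why it is kept.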
@ -0,0 +1,4 @@
|
||||||
|
debug
|
||||||
|
zone {{ cert__bind_9_zone }}
|
||||||
|
update delete {{ cert__nsupdate_domain }} 60 TXT {{ cert__nsupdate_txt_data }}
|
||||||
|
send
|