From 0b414a9d74afbd633ab97f05568ca14ecc2b7916 Mon Sep 17 00:00:00 2001 From: fliespl Date: Fri, 20 Sep 2024 22:44:16 +0200 Subject: [PATCH 01/13] expand variable --- defaults/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/defaults/main.yml b/defaults/main.yml index dc1034e..cf12a24 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -6,6 +6,7 @@ certbot_auto_renew_hour: "3" certbot_auto_renew_minute: "30" certbot_auto_renew_options: "--quiet" +certbot_expand: false certbot_testmode: false certbot_hsts: false From 6230e82ba926c0e57800286b62b3f1f9f7dede2c Mon Sep 17 00:00:00 2001 From: fliespl Date: Fri, 20 Sep 2024 22:45:47 +0200 Subject: [PATCH 02/13] handle expand in standalone --- tasks/create-cert-standalone.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/tasks/create-cert-standalone.yml b/tasks/create-cert-standalone.yml index 1d1f979..259888e 100644 --- a/tasks/create-cert-standalone.yml +++ b/tasks/create-cert-standalone.yml @@ -40,3 +40,18 @@ - name: Generate new certificate if one doesn't exist. command: "{{ certbot_create_command }}" when: not letsencrypt_cert.stat.exists + +- name: Register certificate domains (if certbot_expand) + shell: "{{ certbot_script }} certificates --cert-name {{ cert_item.domains | first | replace('*.', '') }} | grep Domains | cut -d':' -f2" + changed_when: false + register: letsencrypt_cert_domains_dirty + when: certbot_expand and letsencrypt_cert.stat.exists + +- name: Cleanup domain list (if certbot_expand) + set_fact: + letsencrypt_cert_domains: "{{ letsencrypt_cert_domains_dirty.stdout | trim | split(' ') | map('trim') | select('!=', '') | list | sort }}" + when: certbot_expand and letsencrypt_cert.stat.exists + +- name: Expand certbot certificate (if certbot_expand) + command: "{{ certbot_create_command }}" + when: certbot_expand and letsencrypt_cert.stat.exists and letsencrypt_cert_domains != cert_item.domains | map('trim') | select('!=', '') | list | sort 
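Review bot: The `Register certificate domains` task masks a failing `certbot certificates` call, because the exit status of the `| grep Domains | cut -d':' -f2` pipeline is that of `cut`, so a lookup error yields empty stdout, the cleaned list becomes `[]`, the `!=` comparison in `Expand certbot certificate` is true, and `certbot certonly --expand` is re-run on every play (risking ACME issuance rate limits) instead of the play failing. Prefix the pipeline with `set -o pipefail;` and add `args: {executable: /bin/bash}` to the task so the certbot failure is surfaced. The certificate name interpolated into the `shell:` string should also go through the quote filter, `{{ cert_item.domains | first | replace('*.', '') | quote }}`, since it is spliced into a shell command verbatim. Certbot normalizes domain names to lowercase as far as I know, so a mixed-case entry in `cert_item.domains` would compare unequal forever; mapping both sides through `lower` before `sort` would avoid the same perpetual re-issuance.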
From 48941fe2a0b5ef4ce4620f8cfafb383651091b72 Mon Sep 17 00:00:00 2001 From: fliespl Date: Fri, 20 Sep 2024 22:46:05 +0200 Subject: [PATCH 03/13] handle certbot expand in webroot --- tasks/create-cert-webroot.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/tasks/create-cert-webroot.yml b/tasks/create-cert-webroot.yml index 8399872..00e5e12 100644 --- a/tasks/create-cert-webroot.yml +++ b/tasks/create-cert-webroot.yml @@ -12,3 +12,18 @@ - name: Generate new certificate if one doesn't exist. command: "{{ certbot_create_command }}" when: not letsencrypt_cert.stat.exists + +- name: Register certificate domains (if certbot_expand) + shell: "{{ certbot_script }} certificates --cert-name {{ cert_item.domains | first | replace('*.', '') }} | grep Domains | cut -d':' -f2" + changed_when: false + register: letsencrypt_cert_domains_dirty + when: certbot_expand and letsencrypt_cert.stat.exists + +- name: Cleanup domain list (if certbot_expand) + set_fact: + letsencrypt_cert_domains: "{{ letsencrypt_cert_domains_dirty.stdout | trim | split(' ') | map('trim') | select('!=', '') | list | sort }}" + when: certbot_expand and letsencrypt_cert.stat.exists + +- name: Expand certbot certificate (if certbot_expand) + command: "{{ certbot_create_command }}" + when: certbot_expand and letsencrypt_cert.stat.exists and letsencrypt_cert_domains != cert_item.domains | map('trim') | select('!=', '') | list | sort From 49e18182a7eb8c5d55d8af31082d658c5fc50f0e Mon Sep 17 00:00:00 2001 From: fliespl Date: Fri, 20 Sep 2024 22:46:37 +0200 Subject: [PATCH 04/13] certbot expand in command --- defaults/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/defaults/main.yml b/defaults/main.yml index cf12a24..19272a1 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
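Review bot: The three tasks added to `tasks/create-cert-webroot.yml` are a byte-for-byte copy of the ones added to `tasks/create-cert-standalone.yml` in the previous patch, so any fix to the domain lookup or comparison logic now has to be made twice and the two files will drift. Moving them into a shared file, e.g. `tasks/expand-cert.yml`, and including it from both create-method task files keeps one copy. The copy carries the same issue as the standalone version: the `shell:` pipeline reports only `cut`'s exit status, so a failing `certbot certificates` produces an empty domain list and triggers `--expand` re-issuance on every run rather than an error, which `set -o pipefail;` with `args: {executable: /bin/bash}` and `| quote` on the interpolated name would address.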
@@ -38,6 +38,7 @@ certbot_create_command: >- {{ cert_item.webroot | default(certbot_webroot) if certbot_create_method == 'webroot' else '' }} {{ certbot_create_extra_args }} -d {{ cert_item.domains | join(',') }} + {{ '--expand' if certbot_expand else '' }} {{ '--pre-hook /etc/letsencrypt/renewal-hooks/pre/stop_services' if certbot_create_standalone_stop_services and certbot_create_method == 'standalone' else '' }} From 811fa11044d25d504f8ef6b16c5df3f9bc6ec713 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Florian=20R=2E=20H=C3=B6lzlwimmer?= Date: Tue, 28 Jan 2025 19:18:21 +0100 Subject: [PATCH 05/13] add --cert-name and --deploy-hook options --- defaults/main.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/defaults/main.yml b/defaults/main.yml index 9ac2823..3deb2f4 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -40,6 +40,7 @@ certbot_create_command: >- {{ '--webroot-path ' if certbot_create_method == 'webroot' else '' }} {{ cert_item.webroot | default(certbot_webroot) if certbot_create_method == 'webroot' else '' }} {{ certbot_create_extra_args }} + --cert-name {{ cert_item.name | default(cert_item.domains | first | replace('*.', '') ) }} -d {{ cert_item.domains | join(',') }} {{ '--pre-hook /etc/letsencrypt/renewal-hooks/pre/stop_services' if certbot_create_standalone_stop_services and certbot_create_method == 'standalone' @@ -47,6 +48,9 @@ certbot_create_command: >- {{ '--post-hook /etc/letsencrypt/renewal-hooks/post/start_services' if certbot_create_standalone_stop_services and certbot_create_method == 'standalone' else '' }} + {{ '--deploy-hook \'' + cert_item.deploy_hook + '\'' + if 'deploy_hook' in cert_item + else '' }} certbot_create_standalone_stop_services: - nginx From 999372cc7e49031d458f632abe237f290c644fac Mon Sep 17 00:00:00 2001 
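Review bot: The new `--cert-name {{ cert_item.name | default(cert_item.domains | first | replace('*.', '') ) }}` changes which lineage the command operates on, but the expand-detection tasks added earlier in this series still run `certbot certificates --cert-name {{ cert_item.domains | first | replace('*.', '') }}`, so for an item with a custom `name` the lookup finds no lineage, the domain list comes back empty, and `Expand certbot certificate` re-issues on every play. Define the name once, e.g. `certbot_cert_name: "{{ cert_item.name | default(cert_item.domains | first | replace('*.', '')) }}"`, and reference it from both the command and the `certificates` lookups. The stat task that populates `letsencrypt_cert.stat.exists` is outside this hunk, but if it derives the `/etc/letsencrypt/live/<name>` path from the first domain it needs the same variable, otherwise a named certificate is treated as missing on each run. `certbot_create_command` itself begins before this hunk, so the rest of the flag list is not visible here.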
From: =?UTF-8?q?Florian=20R=2E=20H=C3=B6lzlwimmer?= Date: Tue, 28 Jan 2025 19:20:19 +0100 Subject: [PATCH 06/13] Update tests to include certificate name --- molecule/default/playbook-standalone-nginx-aws.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/molecule/default/playbook-standalone-nginx-aws.yml b/molecule/default/playbook-standalone-nginx-aws.yml index 4d9fdd3..a5c53e5 100644 --- a/molecule/default/playbook-standalone-nginx-aws.yml +++ b/molecule/default/playbook-standalone-nginx-aws.yml @@ -91,7 +91,8 @@ certbot_create_if_missing: true certbot_create_standalone_stop_services: [] certbot_certs: - - domains: + - name: certbot-test.servercheck.in + domains: - certbot-test.servercheck.in nginx_vhosts: - listen: "443 ssl http2" From 2d3cf2ad13f7831c2e8be97266b7f767c8d72d9d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Florian=20R=2E=20H=C3=B6lzlwimmer?= Date: Tue, 28 Jan 2025 19:23:15 +0100 Subject: [PATCH 07/13] fix trailing space --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 3deb2f4..e1a7e18 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -48,7 +48,7 @@ certbot_create_command: >- {{ '--post-hook /etc/letsencrypt/renewal-hooks/post/start_services' if certbot_create_standalone_stop_services and certbot_create_method == 'standalone' else '' }} - {{ '--deploy-hook \'' + cert_item.deploy_hook + '\'' + {{ '--deploy-hook \'' + cert_item.deploy_hook + '\'' if 'deploy_hook' in cert_item else '' }} From 851d2b98551dda7b7b07e702ea1728fbd68f0d8f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Florian=20R=2E=20H=C3=B6lzlwimmer?= Date: Wed, 29 Jan 2025 13:07:36 +0100 Subject: [PATCH 08/13] Fix escaping --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index e1a7e18..99e9f20 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -48,7 +48,7 @@ certbot_create_command: >- {{ '--post-hook /etc/letsencrypt/renewal-hooks/post/start_services' if certbot_create_standalone_stop_services and certbot_create_method == 'standalone' else '' }} - {{ '--deploy-hook \'' + cert_item.deploy_hook + '\'' + {{ "--deploy-hook '" ~ cert_item.deploy_hook ~ "'" if 'deploy_hook' in cert_item else '' }} From 943abd882d84e0a4ddc20cbf2edc02a49de372ea Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Florian=20R=2E=20H=C3=B6lzlwimmer?= Date: Wed, 29 Jan 2025 14:36:01 +0100 Subject: [PATCH 09/13] update to debian 11 --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 31f7196..7a9b0b4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -47,7 +47,7 @@ jobs: - distro: ubuntu2004 playbook: converge.yml experimental: false - - distro: debian10 + - distro: debian11 playbook: converge.yml experimental: false From b3ae28fb777d6d4bc0b1c6acb0c44de7101adfd7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Florian=20R=2E=20H=C3=B6lzlwimmer?= Date: Wed, 29 Jan 2025 15:45:07 +0100 Subject: [PATCH 10/13] change certbot_expand default back to false --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index f55f25c..258504d 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -6,7 +6,7 @@ certbot_auto_renew_hour: "3" certbot_auto_renew_minute: "30" certbot_auto_renew_options: "--quiet" -certbot_expand: true +certbot_expand: false certbot_testmode: false certbot_hsts: false From 32d18724a62353a565446a14bacdb86537f50a93 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Florian=20R=2E=20H=C3=B6lzlwimmer?= Date: Mon, 10 Mar 2025 17:09:43 +0100 Subject: [PATCH 11/13] revert debian and ubuntu version changes in CI --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
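Review bot: Wrapping `cert_item.deploy_hook` in hand-written single quotes still breaks as soon as the hook text itself contains a `'`, and the value is handed to certbot, which runs it as a root shell command on issuance and, as far as I know, on every later renewal, so the quoting should be correct by construction rather than by convention. Use the quote filter instead: `{{ ('--deploy-hook ' ~ (cert_item.deploy_hook | quote)) if 'deploy_hook' in cert_item else '' }}`. Because `certbot_create_command` is also used by the `Generate new certificate if one doesn't exist` tasks, the hook is attached to the lineage at creation time; a short comment above this line noting that `deploy_hook` is executed with root privileges and must not be taken from untrusted inventory would help operators. The enclosing `certbot_create_command` block starts before this hunk.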
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 04499d8..e402a55 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,10 +44,10 @@ jobs: - distro: rockylinux9 playbook: converge.yml experimental: false - - distro: ubuntu2204 + - distro: ubuntu2404 playbook: converge.yml experimental: false - - distro: debian11 + - distro: debian12 playbook: converge.yml experimental: false From d5a1f4df3c0598216955429ce912c620b25ca4ea Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Florian=20R=2E=20H=C3=B6lzlwimmer?= Date: Tue, 25 Mar 2025 14:27:35 +0100 Subject: [PATCH 12/13] move 'certbot_expand' back to original position in file --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index c9b0bf5..a47680d 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -6,7 +6,6 @@ certbot_auto_renew_hour: "3" certbot_auto_renew_minute: "30" certbot_auto_renew_options: "--quiet" -certbot_expand: false certbot_testmode: false certbot_hsts: false @@ -16,6 +15,7 @@ certbot_create_if_missing: false certbot_create_method: standalone certbot_create_extra_args: "" certbot_admin_email: email@example.com +certbot_expand: false # Default webroot, overwritten by individual per-cert webroot directories certbot_webroot: /var/www/letsencrypt From d2e42ea1985fb4d320ecb1161e82539220729004 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Florian=20R=2E=20H=C3=B6lzlwimmer?= Date: Tue, 25 Mar 2025 14:31:01 +0100 Subject: [PATCH 13/13] remove duplicate 'certbot_create_extra_args' introduced in #227 --- defaults/main.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index a47680d..3f29db0 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -30,8 +30,6 @@ certbot_certs: [] # - domains: # - example3.com -certbot_create_extra_args: "" - certbot_create_command: >- {{ certbot_script }} certonly --{{ certbot_create_method }} {{ '--hsts' if certbot_hsts else '' }}