From d76e3915fed7a386bcd5771e52387c8140d13e62 Mon Sep 17 00:00:00 2001 From: Jeff Geerling Date: Sat, 21 Jan 2017 15:16:45 -0600 Subject: [PATCH 1/4] Fixes #13: Add certbot-auto renew cron job. --- README.md | 7 +++++++ defaults/main.yml | 8 ++++++++ tasks/main.yml | 9 +++++++++ 3 files changed, 24 insertions(+) diff --git a/README.md b/README.md index 1dd00f7..6c55140 100644 --- a/README.md +++ b/README.md @@ -20,6 +20,13 @@ Certbot code repository options. This role clones the agent from the configured The directory inside which Certbot will be cloned. + certbot_auto_renew: true + certbot_auto_renew_user: "{{ ansible_user }}" + certbot_auto_renew_hour: 3 + certbot_auto_renew_minute: 30 + +By default, this role configures a cron job to run under the provided user account at the given hour and minute, every day. The defaults run `certbot-auto renew` via cron every day at 03:30:00 by the user you use in your Ansible playbook. It's preferred that you set a custom user/hour/minute so the renewal is during a low-traffic period and done by a non-root user account. + ## Dependencies None. diff --git a/defaults/main.yml b/defaults/main.yml index ec0a908..793362c 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,6 +1,14 @@ --- +# Where to get Certbot. certbot_repo: https://github.com/certbot/certbot.git certbot_version: master certbot_keep_updated: yes +# Where to put Certbot. certbot_dir: /opt/certbot + +# How to keep Certbot certs up to date. +certbot_auto_renew: true +certbot_auto_renew_user: "{{ ansible_user }}" +certbot_auto_renew_hour: 3 +certbot_auto_renew_minute: 30 diff --git a/tasks/main.yml b/tasks/main.yml index 5ff5548..ed076dc 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
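Review bot: The new default `certbot_auto_renew_user: "{{ ansible_user }}"` is only defined when the play or inventory sets `ansible_user` explicitly; on hosts where Ansible falls back to the invoking user's login name, this template is undefined (as far as I can tell for this Ansible generation) and the cron task that consumes it fails at render time. A fallback such as `certbot_auto_renew_user: "{{ ansible_user | default(lookup('env', 'USER')) }}"` keeps the default usable out of the box. Because this value also decides which account the renewal runs under — root, for playbooks that connect as root — a one-line comment above the key would help, e.g. `# Account the renewal cron entry runs as; defaults to the Ansible login user.`. The pre-existing context line `certbot_keep_updated: yes` uses a YAML 1.1 truthy spelling; the new `certbot_auto_renew: true` is the form to prefer if that line is ever touched.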
@@ -10,3 +10,12 @@ file: path: "{{ certbot_dir }}/certbot-auto" mode: 0755 + +- name: Add cron job for 'certbot-auto renew' (if configured). + cron: + name: Certbot automatic renewal. + job: "{{ certbot_dir }}/certbot-auto renew --quiet --no-self-upgrade" + minute: "{{ certbot_auto_renew_minute }}" + hour: "{{ certbot_auto_renew_hour }}" + user: "{{ certbot_auto_renew_user }}" + when: certbot_auto_renew From bca9164582e19dd244554eb1afbeb14c62950bf3 Mon Sep 17 00:00:00 2001 From: Jeff Geerling Date: Sat, 21 Jan 2017 15:28:26 -0600 Subject: [PATCH 2/4] Install cron in test environments so tests pass. --- tests/test.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/tests/test.yml b/tests/test.yml index ac3eb64..acf224d 100644 --- a/tests/test.yml +++ b/tests/test.yml @@ -7,6 +7,14 @@ when: ansible_os_family == 'Debian' changed_when: false + - name: Install cron (RedHat). + yum: name=cronie state=present + when: ansible_os_family == 'RedHat' + + - name: Install cron (Debian). + apt: name=cron state=present + when: ansible_os_family == 'RedHat' + roles: - geerlingguy.git - role_under_test From b5ff8d488611e7ce91621bf319fe3f69c9539ceb Mon Sep 17 00:00:00 2001 From: Jeff Geerling Date: Sat, 21 Jan 2017 15:31:40 -0600 Subject: [PATCH 3/4] Update README regarding example usage. --- README.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 6c55140..0786cf9 100644 --- a/README.md +++ b/README.md @@ -34,6 +34,12 @@ None. ## Example Playbook - hosts: servers + + vars: + certbot_auto_renew_user: your_username_here + certbot_auto_renew_minute: 20 + certbot_auto_renew_hour: 5 + roles: - geerlingguy.letsencrypt 
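Review bot: The `when: certbot_auto_renew` guard on the new cron task only prevents creation; setting the variable back to false on a host that already has the entry leaves the renewal job in place. Driving the module's state from the variable instead, `state: "{{ 'present' if certbot_auto_renew else 'absent' }}"` with the `when:` line removed, makes the option reversible. Separately, `certbot-auto` bootstraps OS packages and writes under `/etc/letsencrypt`, which to my knowledge needs root, so the README's advice to pick a non-root `certbot_auto_renew_user` is likely to yield cron runs that fail non-interactively (and `--quiet` hides the normal output); either document that the account needs passwordless sudo for `certbot-auto`, or default to root and say so. The job also does not reload the service that serves the certificate after a renewal; exposing certbot's `--post-hook`/`--renew-hook` through a role variable would be the natural follow-up.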
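Review bot: The two new install tasks use the `key=value` shorthand (`yum: name=cronie state=present`, `apt: name=cron state=present`) while this role's own tasks, such as the `file:` task in tasks/main.yml, use block-style module arguments; writing them as `yum:` / `  name: cronie` / `  state: present` keeps the test play consistent and lint-clean. The Debian task's `when: ansible_os_family == 'RedHat'` is a copy-paste slip, but the fourth patch in this series corrects it, so nothing further is needed there. The play these tasks belong to starts before this hunk, so I cannot see whether `become: true` is set; the package installs will need it when the test connection user is not root.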
@@ -45,9 +51,7 @@ After installation, you can create certificates using the `certbot-auto` script, # Generate certs, but don't modify Apache configuration (safer). /opt/certbot/certbot-auto --apache certonly -To set up renewals, you should run the following command periodically (e.g. once or twice per day): - - /opt/certbot/certbot-auto renew --quiet --no-self-upgrade +By default, this role adds a cron job that will renew all installed certificates once per day at the hour and minute of your choosing. You can test the auto-renewal (without actually renewing the cert) with the command: From 7c8e2e5735739931faf1e1e41396fe96b48c281b Mon Sep 17 00:00:00 2001 From: Jeff Geerling Date: Sat, 21 Jan 2017 15:33:06 -0600 Subject: [PATCH 4/4] Install correct package on Debian. --- tests/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/test.yml b/tests/test.yml index acf224d..cf90f58 100644 --- a/tests/test.yml +++ b/tests/test.yml @@ -13,7 +13,7 @@ - name: Install cron (Debian). apt: name=cron state=present - when: ansible_os_family == 'RedHat' + when: ansible_os_family == 'Debian' roles: - geerlingguy.git