From fa59772ab16809163302dbf235b1b170dd008765 Mon Sep 17 00:00:00 2001
From: Yoan Tournade
Date: Thu, 15 Feb 2018 23:59:05 +0100
Subject: [PATCH 01/10] Add a test for domain list change using grep
---
 tasks/create-cert-standalone.yml | 18 +++++++++++-------
 tasks/test-cert-exists.yml | 21 +++++++++++++++++++++
 2 files changed, 32 insertions(+), 7 deletions(-)
 create mode 100644 tasks/test-cert-exists.yml
diff --git a/tasks/create-cert-standalone.yml b/tasks/create-cert-standalone.yml
index b92faec..1e813d5 100644
--- a/tasks/create-cert-standalone.yml
+++ b/tasks/create-cert-standalone.yml
@@ -1,23 +1,27 @@
 ---
-- name: Check if certificate already exists.
- stat:
- path: /etc/letsencrypt/live/{{ cert_item.domains | first }}/cert.pem
- register: letsencrypt_cert
+- name: Check if certificate exists or has been changed
+ import_tasks: test-cert-exists.yml
 - name: Stop services to allow certbot to generate a cert.
 service:
 name: "{{ item }}"
 state: stopped
- when: not letsencrypt_cert.stat.exists
+ when: not letsencrypt_cert_exists.stat.exists
 with_items: "{{ certbot_create_standalone_stop_services }}"
 - name: Generate new certificate if one doesn't exist.
 shell: "{{ certbot_create_command }}"
- when: not letsencrypt_cert.stat.exists
+ when: not letsencrypt_cert_exists.stat.exists
+
+- name: Persist domain list to host
+ copy:
+ content: "{{ cert_item.domains }}"
+ dest: /etc/letsencrypt/domains-{{ cert_item.domains | first }}
+ when: letsencrypt_cert_updated.rc != 0
 - name: Start services after cert has been generated.
 service:
 name: "{{ item }}"
 state: started
- when: not letsencrypt_cert.stat.exists
+ when: not letsencrypt_cert_exists.stat.exists
 with_items: "{{ certbot_create_standalone_stop_services }}"
diff --git a/tasks/test-cert-exists.yml b/tasks/test-cert-exists.yml
new file mode 100644
index 0000000..518f8b4
--- /dev/null
+++ b/tasks/test-cert-exists.yml
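Review bot: The new persist task's `when: letsencrypt_cert_updated.rc != 0` is evaluated on a fresh host too, but the task that registers `letsencrypt_cert_updated` (in test-cert-exists.yml, outside this hunk) is guarded by `letsencrypt_cert_exists.stat.exists`, so on the first run the registered value is a skip result with no `rc` and the play aborts right after certbot has issued the certificate. Guard it with `when: not letsencrypt_cert_exists.stat.exists or letsencrypt_cert_updated.rc | default(1) != 0`. Separately, a detected domain-list change only rewrites the list file here while the stop/generate/start tasks still key on `stat.exists` alone, so the expanded certificate is never requested and the next run sees the new list as already current. The `copy` task also sets no `owner`/`mode`; `owner: root` and `mode: "0644"` keep the file's permissions independent of the remote umask.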
@@ -0,0 +1,21 @@
+---
+- name: Check if certificate already exists.
+ stat:
+ path: /etc/letsencrypt/live/{{ cert_item.domains | first }}/cert.pem
+ register: letsencrypt_cert_exists
+
+- name: Check if certificate has changed.
+ command: grep -Fxq "{{ cert_item.domains }}" /etc/letsencrypt/domains-{{ cert_item.domains | first }}
+ register: letsencrypt_cert_updated
+ check_mode: no
+ ignore_errors: yes
+ changed_when: no
+ when: letsencrypt_cert_exists.stat.exists
+
+- debug:
+ msg: Not changed
+ when: letsencrypt_cert_updated.rc == 0
+
+- debug:
+ msg: Changed
+ when: letsencrypt_cert_updated.rc != 0
From e1d787d811d90904c9fbff6e7cb0ed935cb0014c Mon Sep 17 00:00:00 2001
From: Yoan Tournade
Date: Fri, 16 Feb 2018 00:08:49 +0100
Subject: [PATCH 02/10] Use lineinfile to check domain list content
---
 tasks/create-cert-standalone.yml | 9 +++++----
 tasks/test-cert-exists.yml | 21 +++++++++------------
 2 files changed, 14 insertions(+), 16 deletions(-)
diff --git a/tasks/create-cert-standalone.yml b/tasks/create-cert-standalone.yml
index 1e813d5..b84204c 100644
--- a/tasks/create-cert-standalone.yml
+++ b/tasks/create-cert-standalone.yml
@@ -14,10 +14,11 @@
 when: not letsencrypt_cert_exists.stat.exists
 - name: Persist domain list to host
- copy:
- content: "{{ cert_item.domains }}"
- dest: /etc/letsencrypt/domains-{{ cert_item.domains | first }}
- when: letsencrypt_cert_updated.rc != 0
+ lineinfile:
+ path: /etc/letsencrypt/domains-{{ cert_item.domains | first }}
+ line: "{{ cert_item.domains }}"
+ state: present
+ when: letsencrypt_cert_updated
 - name: Start services after cert has been generated.
 service:
diff --git a/tasks/test-cert-exists.yml b/tasks/test-cert-exists.yml
index 518f8b4..eca752e 100644
--- a/tasks/test-cert-exists.yml
+++ b/tasks/test-cert-exists.yml
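Review bot: The two `debug` tasks read `letsencrypt_cert_updated.rc` unconditionally, but the grep task that registers it is skipped when no certificate exists and a skipped result carries no `rc`, so the first run on a fresh host fails on the `Not changed` task. Either guard both with `when: letsencrypt_cert_exists.stat.exists and ...` or read `letsencrypt_cert_updated.rc | default(1)`. `ignore_errors: yes` also prints a red failure every time the list differs or the file is missing; since a non-zero exit is the expected "changed" signal here, `failed_when: false` states that intent without the noise.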
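Review bot: `lineinfile` with `state: present` only appends when the exact line is absent, so `/etc/letsencrypt/domains-<first>` accumulates every domain list ever applied and is never trimmed. Any list that was recorded once is then reported "unchanged" by the check in test-cert-exists.yml forever, even if the live certificate was last issued for a different set in between, so a switch back to an earlier list does not re-issue. The file should hold exactly one list — `copy` with `content` does that — or add `regexp: '^\['` so the previous line is replaced instead of kept. Note also that `when: letsencrypt_cert_updated` is undefined on a fresh host, because the `set_fact` that defines it is guarded by `letsencrypt_cert_exists.stat.exists`.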
@@ -5,17 +5,14 @@
 register: letsencrypt_cert_exists
 - name: Check if certificate has changed.
- command: grep -Fxq "{{ cert_item.domains }}" /etc/letsencrypt/domains-{{ cert_item.domains | first }}
- register: letsencrypt_cert_updated
- check_mode: no
- ignore_errors: yes
- changed_when: no
+ lineinfile:
+ path: /etc/letsencrypt/domains-{{ cert_item.domains | first }}
+ line: "{{ cert_item.domains }}"
+ state: present
+ check_mode: yes
+ register: letsencrypt_cert_contents
 when: letsencrypt_cert_exists.stat.exists
-- debug:
- msg: Not changed
- when: letsencrypt_cert_updated.rc == 0
-
-- debug:
- msg: Changed
- when: letsencrypt_cert_updated.rc != 0
+- set_fact:
+ letsencrypt_cert_updated: "{{ (letsencrypt_cert_contents | changed) or (letsencrypt_cert_contents | failed) }}"
+ when: letsencrypt_cert_exists.stat.exists
From b469b40ed6c1481c3a7215f5a1477d0cfc0fc5ff Mon Sep 17 00:00:00 2001
From: Yoan Tournade
Date: Fri, 16 Feb 2018 00:18:18 +0100
Subject: [PATCH 03/10] Actually update certificate when domain list file is absent or has changed
---
 tasks/create-cert-standalone.yml | 7 ++++---
 tasks/test-cert-exists.yml | 12 +++++++++---
 2 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/tasks/create-cert-standalone.yml b/tasks/create-cert-standalone.yml
index b84204c..1347dd9 100644
--- a/tasks/create-cert-standalone.yml
+++ b/tasks/create-cert-standalone.yml
@@ -6,23 +6,24 @@
 service:
 name: "{{ item }}"
 state: stopped
- when: not letsencrypt_cert_exists.stat.exists
+ when: not letsencrypt_cert_exists.stat.exists or letsencrypt_cert_updated
 with_items: "{{ certbot_create_standalone_stop_services }}"
 - name: Generate new certificate if one doesn't exist.
 shell: "{{ certbot_create_command }}"
- when: not letsencrypt_cert_exists.stat.exists
+ when: not letsencrypt_cert_exists.stat.exists or letsencrypt_cert_updated
 - name: Persist domain list to host
 lineinfile:
 path: /etc/letsencrypt/domains-{{ cert_item.domains | first }}
 line: "{{ cert_item.domains }}"
 state: present
+ create: yes
 when: letsencrypt_cert_updated
 - name: Start services after cert has been generated.
 service:
 name: "{{ item }}"
 state: started
- when: not letsencrypt_cert_exists.stat.exists
+ when: not letsencrypt_cert_exists.stat.exists or letsencrypt_cert_updated
 with_items: "{{ certbot_create_standalone_stop_services }}"
diff --git a/tasks/test-cert-exists.yml b/tasks/test-cert-exists.yml
index eca752e..02553af 100644
--- a/tasks/test-cert-exists.yml
+++ b/tasks/test-cert-exists.yml
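Review bot: The stop/generate/start conditions now fall back to `not letsencrypt_cert_exists.stat.exists`, but the persist task in the middle of the hunk keeps the bare `when: letsencrypt_cert_updated`; that fact is only produced by the guarded `set_fact` in test-cert-exists.yml, so on a host with no certificate yet the play stops with an undefined variable right after certbot has issued the cert and the domain list is never recorded. Give that task the same condition: `when: not letsencrypt_cert_exists.stat.exists or letsencrypt_cert_updated`. Keeping the persist task after the `shell` task is right, since a certbot failure aborts the play before the new list is written down.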
@@ -4,15 +4,21 @@
 path: /etc/letsencrypt/live/{{ cert_item.domains | first }}/cert.pem
 register: letsencrypt_cert_exists
-- name: Check if certificate has changed.
+- name: Check if certificate domain list exists.
+ stat:
+ path: /etc/letsencrypt/domains-{{ cert_item.domains | first }}
+ register: letsencrypt_cert_list_exists
+ when: letsencrypt_cert_exists.stat.exists
+
+- name: Check if certificate domain list has changed.
 lineinfile:
 path: /etc/letsencrypt/domains-{{ cert_item.domains | first }}
 line: "{{ cert_item.domains }}"
 state: present
 check_mode: yes
 register: letsencrypt_cert_contents
- when: letsencrypt_cert_exists.stat.exists
+ when: letsencrypt_cert_exists.stat.exists and letsencrypt_cert_list_exists.stat.exists
 - set_fact:
- letsencrypt_cert_updated: "{{ (letsencrypt_cert_contents | changed) or (letsencrypt_cert_contents | failed) }}"
+ letsencrypt_cert_updated: "{{ not letsencrypt_cert_list_exists.stat.exists or (letsencrypt_cert_contents | changed) or (letsencrypt_cert_contents | failed) }}"
 when: letsencrypt_cert_exists.stat.exists
From 36c5ac6d29e8d8fd9b61868717c9e376ca15b9b1 Mon Sep 17 00:00:00 2001
From: Yoan Tournade
Date: Fri, 16 Feb 2018 00:26:59 +0100
Subject: [PATCH 04/10] Use only lineinfile module, even to check the file exists
---
 tasks/create-cert-standalone.yml | 1 +
 tasks/test-cert-exists.yml | 11 +++--------
 2 files changed, 4 insertions(+), 8 deletions(-)
diff --git a/tasks/create-cert-standalone.yml b/tasks/create-cert-standalone.yml
index 1347dd9..4640aaf 100644
--- a/tasks/create-cert-standalone.yml
+++ b/tasks/create-cert-standalone.yml
@@ -13,6 +13,7 @@
 shell: "{{ certbot_create_command }}"
 when: not letsencrypt_cert_exists.stat.exists or letsencrypt_cert_updated
+# TODO May use a more direct https://docs.ansible.com/ansible/latest/copy_module.html
 - name: Persist domain list to host
 lineinfile:
 path: /etc/letsencrypt/domains-{{ cert_item.domains | first }}
diff --git a/tasks/test-cert-exists.yml b/tasks/test-cert-exists.yml
index 02553af..d3f4f30 100644
--- a/tasks/test-cert-exists.yml
+++ b/tasks/test-cert-exists.yml
@@ -4,21 +4,16 @@
 path: /etc/letsencrypt/live/{{ cert_item.domains | first }}/cert.pem
 register: letsencrypt_cert_exists
-- name: Check if certificate domain list exists.
- stat:
- path: /etc/letsencrypt/domains-{{ cert_item.domains | first }}
- register: letsencrypt_cert_list_exists
- when: letsencrypt_cert_exists.stat.exists
-
 - name: Check if certificate domain list has changed.
 lineinfile:
 path: /etc/letsencrypt/domains-{{ cert_item.domains | first }}
 line: "{{ cert_item.domains }}"
 state: present
+ create: yes
 check_mode: yes
 register: letsencrypt_cert_contents
- when: letsencrypt_cert_exists.stat.exists and letsencrypt_cert_list_exists.stat.exists
+ when: letsencrypt_cert_exists.stat.exists
 - set_fact:
- letsencrypt_cert_updated: "{{ not letsencrypt_cert_list_exists.stat.exists or (letsencrypt_cert_contents | changed) or (letsencrypt_cert_contents | failed) }}"
+ letsencrypt_cert_updated: "{{ (letsencrypt_cert_contents | changed) or (letsencrypt_cert_contents | failed) }}"
 when: letsencrypt_cert_exists.stat.exists
From 36609dac50b238c4563f1d6f642ba004c2f8a793 Mon Sep 17 00:00:00 2001
From: Yoan Tournade
Date: Fri, 16 Feb 2018 00:27:23 +0100
Subject: [PATCH 05/10] Make certificate expansion the default behaviour
---
 defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 2e79029..eb4d5c2 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
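Review bot: `create: yes` under `check_mode: yes` changes what the registered result means — a missing list file now comes back as `changed` instead of `failed`, which is what allows the separate stat task to go — but nothing in the file says so, and the `| failed` branch of the `set_fact` is left covering little more than an unreadable path. Add above the task: `# Runs read-only (check_mode); with create: yes a missing list file reports "changed", which forces a re-issue.` The collapsed layout does not show whether `check_mode: yes` sits at task level or under `lineinfile:`; as a module argument it would be rejected as an unsupported parameter, so it must stay a task keyword.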
@@ -17,7 +17,7 @@ certbot_certs: []
 # - example2.com
 # - domains:
 # - example3.com
-certbot_create_command: "{{ certbot_script }} certonly --standalone --noninteractive --agree-tos --email {{ cert_item.email | default(certbot_admin_email) }} -d {{ cert_item.domains | join(',') }}"
+certbot_create_command: "{{ certbot_script }} certonly --standalone --noninteractive --expand --agree-tos --email {{ cert_item.email | default(certbot_admin_email) }} -d {{ cert_item.domains | join(',') }}"
 certbot_create_standalone_stop_services:
 - nginx
 # - apache
From 45005e9bc2624e29bac04ca13a7f610c744b3f8b Mon Sep 17 00:00:00 2001
From: Yoan Tournade
Date: Fri, 16 Feb 2018 00:44:06 +0100
Subject: [PATCH 06/10] Use copy module to persist domain list.
---
 tasks/create-cert-standalone.yml | 16 +++++++---------
 tasks/test-cert-exists.yml | 2 +-
 2 files changed, 8 insertions(+), 10 deletions(-)
diff --git a/tasks/create-cert-standalone.yml b/tasks/create-cert-standalone.yml
index 4640aaf..6c7f501 100644
--- a/tasks/create-cert-standalone.yml
+++ b/tasks/create-cert-standalone.yml
@@ -1,5 +1,5 @@
 ---
-- name: Check if certificate exists or has been changed
+- name: Check if certificate exists or has been changed.
 import_tasks: test-cert-exists.yml
 - name: Stop services to allow certbot to generate a cert.
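Review bot: `--expand` only handles the case where the new list is a superset of the lineage's current names; when a name is removed, certbot under `--noninteractive` does not update the existing lineage with this command (depending on version it refuses or creates a suffixed lineage such as `<first>-0001`), while the `stat` in test-cert-exists.yml keeps looking at `/etc/letsencrypt/live/<first>/cert.pem`, so the role would re-run certbot on every play and burn through Let's Encrypt's duplicate-certificate rate limit. Passing `--cert-name {{ cert_item.domains | first }}` pins the lineage the role checks to the one certbot updates and makes removals deterministic. The command also runs through `shell:` with `{{ cert_item.domains | join(',') }}` unquoted, so a domain entry containing shell metacharacters executes as root; if `certbot_certs` can be fed from inventory maintained by others, write it as `-d {{ cert_item.domains | join(',') | quote }}`.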
@@ -13,14 +13,12 @@
 shell: "{{ certbot_create_command }}"
 when: not letsencrypt_cert_exists.stat.exists or letsencrypt_cert_updated
-# TODO May use a more direct https://docs.ansible.com/ansible/latest/copy_module.html
-- name: Persist domain list to host
- lineinfile:
- path: /etc/letsencrypt/domains-{{ cert_item.domains | first }}
- line: "{{ cert_item.domains }}"
- state: present
- create: yes
- when: letsencrypt_cert_updated
+- name: Persist domain list to /etc/letsencrypt/domains-{{ cert_item.domains | first }}.
+ copy:
+ dest: /etc/letsencrypt/domains-{{ cert_item.domains | first }}
+ # Add a space here because of https://github.com/ansible/ansible/issues/6077
+ content: " {{ cert_item.domains }}\n"
+ # when: not letsencrypt_cert_exists.stat.exists or letsencrypt_cert_updated
 - name: Start services after cert has been generated.
 service:
diff --git a/tasks/test-cert-exists.yml b/tasks/test-cert-exists.yml
index d3f4f30..4b571d6 100644
--- a/tasks/test-cert-exists.yml
+++ b/tasks/test-cert-exists.yml
@@ -7,7 +7,7 @@
 - name: Check if certificate domain list has changed.
 lineinfile:
 path: /etc/letsencrypt/domains-{{ cert_item.domains | first }}
- line: "{{ cert_item.domains }}"
+ line: " {{ cert_item.domains }}"
 state: present
 create: yes
 check_mode: yes
From 7c5a41c8d9924db0da1a1f66c0217704e01d711d Mon Sep 17 00:00:00 2001
From: Yoan Tournade
Date: Fri, 16 Feb 2018 00:47:38 +0100
Subject: [PATCH 07/10] Use json for serializing domain list
---
 tasks/create-cert-standalone.yml | 6 +++---
 tasks/test-cert-exists.yml | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/tasks/create-cert-standalone.yml b/tasks/create-cert-standalone.yml
index 6c7f501..2fa8664 100644
--- a/tasks/create-cert-standalone.yml
+++ b/tasks/create-cert-standalone.yml
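Review bot: The leading space in `content` and the matching one in `line:` in test-cert-exists.yml are an invisible contract between two files; the comment here explains why the space exists, but nothing on the `lineinfile` side says it must match, and dropping either one would make every run report a changed domain list, re-run certbot and bounce the services. Add on the `line:` in test-cert-exists.yml: `# Leading space must match the content written by create-cert-standalone.yml (ansible/ansible#6077 workaround).` The `when:` on the persist task is now a comment, so the list is rewritten unconditionally; `copy` makes that harmless, but the dead line hides the intent — either delete it or restore the condition.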
@@ -15,10 +15,10 @@
 - name: Persist domain list to /etc/letsencrypt/domains-{{ cert_item.domains | first }}.
 copy:
- dest: /etc/letsencrypt/domains-{{ cert_item.domains | first }}
+ dest: /etc/letsencrypt/domains-{{ cert_item.domains | first }}.json
 # Add a space here because of https://github.com/ansible/ansible/issues/6077
- content: " {{ cert_item.domains }}\n"
- # when: not letsencrypt_cert_exists.stat.exists or letsencrypt_cert_updated
+ content: " {{ cert_item.domains | to_json }}\n"
+ when: not letsencrypt_cert_exists.stat.exists or letsencrypt_cert_updated
 - name: Start services after cert has been generated.
 service:
diff --git a/tasks/test-cert-exists.yml b/tasks/test-cert-exists.yml
index 4b571d6..7090c02 100644
--- a/tasks/test-cert-exists.yml
+++ b/tasks/test-cert-exists.yml
@@ -6,8 +6,8 @@
 - name: Check if certificate domain list has changed.
 lineinfile:
- path: /etc/letsencrypt/domains-{{ cert_item.domains | first }}
- line: " {{ cert_item.domains }}"
+ path: /etc/letsencrypt/domains-{{ cert_item.domains | first }}.json
+ line: " {{ cert_item.domains | to_json }}"
 state: present
 create: yes
 check_mode: yes
From 130eb078f348eabe0e65ed1d721a76610ae70a93 Mon Sep 17 00:00:00 2001
From: Yoan Tournade
Date: Thu, 3 May 2018 23:58:35 +0200
Subject: [PATCH 08/10] Do not use anymore deprecated 'Tests as filters'. Use new syntax is failed or is changed.
---
 tasks/test-cert-exists.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tasks/test-cert-exists.yml b/tasks/test-cert-exists.yml
index 7090c02..6804877 100644
--- a/tasks/test-cert-exists.yml
+++ b/tasks/test-cert-exists.yml
@@ -15,5 +15,5 @@
 when: letsencrypt_cert_exists.stat.exists
 - set_fact:
- letsencrypt_cert_updated: "{{ (letsencrypt_cert_contents | changed) or (letsencrypt_cert_contents | failed) }}"
+ letsencrypt_cert_updated: "{{ (letsencrypt_cert_contents is changed) or (letsencrypt_cert_contents is failed) }}"
 when: letsencrypt_cert_exists.stat.exists
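Review bot: The list file path and its serialisation (`domains-<first>.json`, a leading space plus `to_json` plus newline) are now spelled out independently in the `copy` here and in the `lineinfile` in test-cert-exists.yml; this commit had to change both in lock-step, and any future drift between them makes the check report "changed" on every run, so certbot is re-run and the services bounced each time — which is also the quickest way into Let's Encrypt's rate limits. Define the path once, e.g. `certbot_domains_file: "/etc/letsencrypt/domains-{{ cert_item.domains | first }}.json"` in defaults/main.yml, and reference it from both tasks. The `copy` task still sets no `mode`; `mode: "0644"` keeps the file's permissions independent of the remote umask.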
From 1fa9de6adacec25a1736a67a90d96019ef637fe9 Mon Sep 17 00:00:00 2001
From: Yoan Tournade
Date: Fri, 18 Jan 2019 11:22:21 +0100
Subject: [PATCH 09/10] Fix typo
---
 tasks/test-cert-exists.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tasks/test-cert-exists.yml b/tasks/test-cert-exists.yml
index 33d066e..3c44ba1 100644
--- a/tasks/test-cert-exists.yml
+++ b/tasks/test-cert-exists.yml
@@ -6,7 +6,7 @@
 - name: Check if certificate domain list has changed.
 lineinfile:
- path: /etc/letsencrypt/domains-{{ cert_item.domains | first | replace('*.', '' }}.json
+ path: /etc/letsencrypt/domains-{{ cert_item.domains | first | replace('*.', '') }}.json
 line: " {{ cert_item.domains | to_json }}"
 state: present
 create: yes
From 7ac32bda338f4161ce0a1c6795a206d159d1f617 Mon Sep 17 00:00:00 2001
From: Yoan Tournade
Date: Fri, 18 Jan 2019 11:37:01 +0100
Subject: [PATCH 10/10] Fix lint warning
---
 tasks/test-cert-exists.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tasks/test-cert-exists.yml b/tasks/test-cert-exists.yml
index 3c44ba1..91e9d26 100644
--- a/tasks/test-cert-exists.yml
+++ b/tasks/test-cert-exists.yml
@@ -9,8 +9,8 @@
 path: /etc/letsencrypt/domains-{{ cert_item.domains | first | replace('*.', '') }}.json
 line: " {{ cert_item.domains | to_json }}"
 state: present
- create: yes
- check_mode: yes
+ create: true
+ check_mode: true
 register: letsencrypt_cert_contents
 when: letsencrypt_cert_exists.stat.exists
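Review bot: The path now strips `*.` from the first domain, which matches how certbot names a wildcard lineage, but this hunk only touches the `lineinfile` check; the `stat` on `/etc/letsencrypt/live/{{ cert_item.domains | first }}/cert.pem` at the top of this file and the `copy` that writes the list in create-cert-standalone.yml are outside the hunk, and if they still use the raw first domain a wildcard entry is checked against one filename and written to another. In that case the check reports "changed" on every run, so certbot is re-run and the services restarted each time, and the role walks into Let's Encrypt's rate limits. Apply the same `replace('*.', '')` on both, or factor the path into a single variable used by all three tasks. The `index 33d066e..3c44ba1` line shows an intermediate commit that is not in this series, so this may already be handled there.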