gregandev/ansible-role-certbot
gregandev/ansible-role-certbot
1
0
Fork 0
mirror of https://github.com/geerlingguy/ansible-role-certbot.git synced 2025-04-19 00:41:38 +02:00
Code Issues Projects Releases Wiki Activity

Issue #12: Fix standalone cert generation, add full build-test-teardown playbook.

Browse Source
This commit is contained in:
Jeff Geerling 2017-12-10 22:47:54 -06:00
parent 7651f0ac0b
commit 5f7c9e046c
8 changed files with 194 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
README.md
View File

@ -20,6 +20,10 @@ The variable `certbot_install_from_source` controls whether to install Certbot f
By default, this role configures a cron job to run under the provided user account at the given hour and minute, every day. The defaults run `certbot renew` (or `certbot-auto renew`) via cron every day at 03:30:00 by the user you use in your Ansible playbook. It's preferred that you set a custom user/hour/minute so the renewal is during a low-traffic period and done by a non-root user account.
### Automatic Certificate Generation
TODO: Add new variables and documentation here.
### Source Installation from Git
You can install Certbot from it's Git source repository if desired. This might be useful in several cases, but especially when older distributions don't have Certbot packages available (e.g. CentOS < 7, Ubuntu < 16.10 and Debian < 8).

2
defaults/main.yml
View File

@ -8,7 +8,7 @@ certbot_auto_renew_options: "--quiet --no-self-upgrade"
# Parameters used when creating new Certbot certs.
certbot_admin_email: email@example.com
certbot_create_command: "{{ certbot_script }} certonly --standalone --noninteractive --agree-tos --email {{ item.email | default(certbot_admin_email) }} -d {{ item.domains | join(',') }}"
certbot_create_command: "{{ certbot_script }} certonly --standalone --noninteractive --agree-tos --email {{ cert_item.email | default(certbot_admin_email) }} -d {{ cert_item.domains | join(',') }}"
certbot_create_if_missing: no
certbot_create_stop_services:
- nginx

6
tasks/create-cert-standalone.yml
View File

@ -1,7 +1,7 @@
---
- name: Check if certificate already exists.
stat:
path: /etc/letsencrypt/live/{{ item.domains | first }}/cert.pem
path: /etc/letsencrypt/live/{{ cert_item.domains | first }}/cert.pem
register: letsencrypt_cert
- name: Stop services to allow certbot to generate a cert.
@ -9,7 +9,7 @@
name: "{{ item }}"
state: stopped
when: not letsencrypt_cert.stat.exists
with_items: certbot_create_stop_services
with_items: "{{ certbot_create_stop_services }}"
- name: Generate new certificate if one doesn't exist.
shell: "{{ certbot_create_command }}"
@ -20,4 +20,4 @@
name: "{{ item }}"
state: started
when: not letsencrypt_cert.stat.exists
with_items: certbot_create_stop_services
with_items: "{{ certbot_create_stop_services }}"

2
tasks/main.yml
View File

@ -10,6 +10,8 @@
- include: create-cert-standalone.yml
with_items: "{{ certbot_certs }}"
when: certbot_create_if_missing
loop_control:
loop_var: cert_item
- include: renew-cron.yml
when: certbot_auto_renew

1
tests/requirements.yml
View File

@ -1,2 +1,3 @@
---
- src: geerlingguy.git
- src: geerlingguy.nginx

28
tests/test-nginx-aws.yml
View File

@ -1,28 +0,0 @@
---
- hosts: all
vars:
certbot_admin_email: https@servercheck.in
certbot_create_if_missing: yes
certbot_create_stop_services:
- nginx
certbot_certs:
- domains:
- certbot-test.servercheck.in
pre_tasks:
- name: Update apt cache.
apt: update_cache=yes cache_valid_time=600
when: ansible_os_family == 'Debian'
changed_when: false
- name: Install cron (RedHat).
yum: name=cronie state=present
when: ansible_os_family == 'RedHat'
- name: Install cron (Debian).
apt: name=cron state=present
when: ansible_os_family == 'Debian'
roles:
- role_under_test

178
tests/test-standalone-nginx-aws.yml Normal file
View File

@ -0,0 +1,178 @@
---
# To run:
# 1. Ensure Ansible and Boto are installed (pip install ansible boto).
# 2. Ensure you have AWS credentials stored where Boto can find them, and they
# are under the profile 'mm'.
# 3. Ensure you have a pubkey available at ~/.ssh/id_rsa.pub.
# 3. Run the playbook: ansible-playbook test-standalone-nginx-aws.yml
# Play 1: Provision EC2 instance and A record.
- hosts: localhost
connection: local
gather_facts: no
tasks:
- name: Configure EC2 Security Group.
ec2_group:
profile: mm
name: certbot_test_http
description: HTTP security group for Certbot testing.
region: "us-east-1"
state: present
rules:
- proto: tcp
from_port: 80
to_port: 80
cidr_ip: 0.0.0.0/0
- proto: tcp
from_port: 443
to_port: 443
cidr_ip: 0.0.0.0/0
- proto: tcp
from_port: 22
to_port: 22
cidr_ip: 0.0.0.0/0
rules_egress: []
- name: Add EC2 Key Pair.
ec2_key:
profile: mm
region: "us-east-1"
name: certbot_test
key_material: "{{ item }}"
with_file: ~/.ssh/id_rsa.pub
- name: Provision EC2 instance.
ec2:
profile: mm
key_name: certbot_test
instance_tags:
Name: "certbot-standalone-nginx-test"
group: ['default', 'certbot_test_http']
instance_type: t2.micro
image: ami-02e98f78 # CentOS Linux 7 x86_64 HVM EBS
region: "us-east-1"
wait: yes
wait_timeout: 500
exact_count: 1
count_tag:
Name: "certbot-standalone-nginx-test"
register: created_instance
- name: Add A record for the new EC2 instance IP in Route53.
route53:
profile: mm
command: create
zone: servercheck.in
record: certbot-test.servercheck.in
type: A
ttl: 300
value: "{{ created_instance.tagged_instances.0.public_ip }}"
wait: yes
overwrite: yes
- name: Add EC2 instance to inventory groups.
add_host:
name: "certbot-test.servercheck.in"
groups: "aws,aws_nginx"
ansible_ssh_user: centos
host_key_checking: False
when: created_instance.tagged_instances.0.id is defined
# Play 2: Configure EC2 instance with Certbot and Nginx.
- hosts: aws_nginx
gather_facts: yes
become: yes
vars:
certbot_admin_email: https@servercheck.in
certbot_create_if_missing: yes
certbot_create_stop_services:
- nginx
certbot_certs:
- domains:
- certbot-test.servercheck.in
certbot_create_stop_services: []
nginx_vhosts:
- listen: "443 ssl http2"
server_name: "certbot-test.servercheck.in"
root: "/usr/share/nginx/html"
index: "index.html index.htm"
state: "present"
template: "{{ nginx_vhost_template }}"
filename: "certbot_test.conf"
extra_parameters: |
ssl_certificate /etc/letsencrypt/live/certbot-test.servercheck.in/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/certbot-test.servercheck.in/privkey.pem;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
pre_tasks:
- name: Update apt cache.
apt: update_cache=yes cache_valid_time=600
when: ansible_os_family == 'Debian'
changed_when: false
- name: Install dependencies (RedHat).
yum: name={{ item }} state=present
when: ansible_os_family == 'RedHat'
with_items:
- cronie
- epel-release
- name: Install cron (Debian).
apt: name=cron state=present
when: ansible_os_family == 'Debian'
roles:
- geerlingguy.certbot
- geerlingguy.nginx
tasks:
- name: Flush handlers in case any configs have changed.
meta: flush_handlers
- name: Test secure connection to SSL domain.
uri:
url: https://certbot-test.servercheck.in/
status_code: 200
delegate_to: localhost
become: no
# Play 3: Tear down EC2 instance and A record.
- hosts: localhost
connection: local
gather_facts: no
tasks:
- name: Destroy EC2 instance.
ec2:
profile: mm
instance_ids: ["{{ created_instance.tagged_instances.0.id }}"]
region: "us-east-1"
state: absent
wait: yes
wait_timeout: 500
- name: Delete Security Group.
ec2_group:
profile: mm
name: certbot_test_http
region: "us-east-1"
state: absent
- name: Delete Key Pair.
ec2_key:
profile: mm
name: certbot_test
region: "us-east-1"
state: absent
- name: Delete Route53 record.
route53:
profile: mm
state: delete
zone: servercheck.in
record: certbot-test.servercheck.in
type: A
ttl: 300

7
tests/test.yml
View File

@ -7,9 +7,12 @@
when: ansible_os_family == 'Debian'
changed_when: false
- name: Install cron (RedHat).
yum: name=cronie state=present
- name: Install dependencies (RedHat).
yum: name={{ item }} state=present
when: ansible_os_family == 'RedHat'
with_items:
- cronie
- epel-release
- name: Install cron (Debian).
apt: name=cron state=present