Issue #12: Fix standalone cert generation, add full build-test-teardown playbook.

12-standalone-cert-generation
Jeff Geerling 7 years ago
parent 7651f0ac0b
commit 5f7c9e046c
  1. 4
      README.md
  2. 2
      defaults/main.yml
  3. 6
      tasks/create-cert-standalone.yml
  4. 2
      tasks/main.yml
  5. 1
      tests/requirements.yml
  6. 28
      tests/test-nginx-aws.yml
  7. 178
      tests/test-standalone-nginx-aws.yml
  8. 7
      tests/test.yml

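--- a/README.md
+++ b/README.md
@@ -20,6 +20,10 @@ The variable `certbot_install_from_source` controls whether to install Certbot f
 By default, this role configures a cron job to run under the provided user account at the given hour and minute, every day. The defaults run `certbot renew` (or `certbot-auto renew`) via cron every day at 03:30:00 by the user you use in your Ansible playbook. It's preferred that you set a custom user/hour/minute so the renewal is during a low-traffic period and done by a non-root user account.
+### Automatic Certificate Generation
+TODO: Add new variables and documentation here.
 ### Source Installation from Git
 You can install Certbot from it's Git source repository if desired. This might be useful in several cases, but especially when older distributions don't have Certbot packages available (e.g. CentOS < 7, Ubuntu < 16.10 and Debian < 8).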

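--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -8,7 +8,7 @@ certbot_auto_renew_options: "--quiet --no-self-upgrade"
 # Parameters used when creating new Certbot certs.
 certbot_admin_email: email@example.com
-certbot_create_command: "{{ certbot_script }} certonly --standalone --noninteractive --agree-tos --email {{ item.email | default(certbot_admin_email) }} -d {{ item.domains | join(',') }}"
+certbot_create_command: "{{ certbot_script }} certonly --standalone --noninteractive --agree-tos --email {{ cert_item.email | default(certbot_admin_email) }} -d {{ cert_item.domains | join(',') }}"
 certbot_create_if_missing: no
 certbot_create_stop_services:
 - nginx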
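Review bot: The renamed `cert_item.email` and `cert_item.domains` values are still interpolated into `certbot_create_command` unquoted, and the command is executed through `shell:` in tasks/create-cert-standalone.yml, so any shell metacharacter in a configured domain or email would be interpreted by the shell rather than passed to certbot. Adding Ansible's `quote` filter to both expansions closes that gap at no cost: `--email {{ cert_item.email | default(certbot_admin_email) | quote }} -d {{ cert_item.domains | join(',') | quote }}`. The values come from the role consumer's own variables, so the risk is low, but it is the cheapest place to harden the command.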

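--- a/tasks/create-cert-standalone.yml
+++ b/tasks/create-cert-standalone.yml
@@ -1,7 +1,7 @@
 ---
 - name: Check if certificate already exists.
 stat:
-path: /etc/letsencrypt/live/{{ item.domains | first }}/cert.pem
+path: /etc/letsencrypt/live/{{ cert_item.domains | first }}/cert.pem
 register: letsencrypt_cert
 - name: Stop services to allow certbot to generate a cert.
@@ -9,7 +9,7 @@
 name: "{{ item }}"
 state: stopped
 when: not letsencrypt_cert.stat.exists
-with_items: certbot_create_stop_services
+with_items: "{{ certbot_create_stop_services }}"
 - name: Generate new certificate if one doesn't exist.
 shell: "{{ certbot_create_command }}"
@@ -20,4 +20,4 @@
 name: "{{ item }}"
 state: started
 when: not letsencrypt_cert.stat.exists
-with_items: "{{ certbot_create_stop_services }}"
+with_items: "{{ certbot_create_stop_services }}"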
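Review bot: The existence check in the first hunk only stats the live directory of `cert_item.domains | first`, so adding or removing a SAN from an already-issued cert's `domains` list will never trigger regeneration; that limitation is not documented anywhere in the task file. A comment above the stat task would spare the next maintainer a surprise: `# Only the first domain's live dir is checked; changing the domain list of an existing cert does not regenerate it.`. The stop/start loops now correctly use `item` for the service name while the outer include iterates on `cert_item`, which is the fix this commit is for. The "Generate new certificate" task's `when:` guard falls outside the second hunk, so I could not confirm it also keys on `letsencrypt_cert.stat.exists`.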

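--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -10,6 +10,8 @@
 - include: create-cert-standalone.yml
 with_items: "{{ certbot_certs }}"
 when: certbot_create_if_missing
+loop_control:
+loop_var: cert_item
 - include: renew-cron.yml
 when: certbot_auto_renew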
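Review bot: `loop_control` / `loop_var` on the include is only understood by Ansible 2.1 and later; on older releases it is silently ignored and the included file's `cert_item` references fail. If meta/main.yml declares a `min_ansible_version` below 2.1 (I cannot see it from this page), it should be raised in the same change, and a short comment on the include would record the reason: `# loop_var avoids clobbering 'item' inside the included file's own loops (needs Ansible >= 2.1).`.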

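--- a/tests/requirements.yml
+++ b/tests/requirements.yml
@@ -1,2 +1,3 @@
 ---
 - src: geerlingguy.git
+- src: geerlingguy.nginx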

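--- a/tests/test-nginx-aws.yml
+++ /dev/null
@@ -1,28 +0,0 @@
----
-- hosts: all
-vars:
-certbot_admin_email: https@servercheck.in
-certbot_create_if_missing: yes
-certbot_create_stop_services:
-- nginx
-certbot_certs:
-- domains:
-- certbot-test.servercheck.in
-pre_tasks:
-- name: Update apt cache.
-apt: update_cache=yes cache_valid_time=600
-when: ansible_os_family == 'Debian'
-changed_when: false
-- name: Install cron (RedHat).
-yum: name=cronie state=present
-when: ansible_os_family == 'RedHat'
-- name: Install cron (Debian).
-apt: name=cron state=present
-when: ansible_os_family == 'Debian'
-roles:
-- role_under_test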

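--- /dev/null
+++ b/tests/test-standalone-nginx-aws.yml
@@ -0,0 +1,178 @@
+---
+# To run:
+# 1. Ensure Ansible and Boto are installed (pip install ansible boto).
+# 2. Ensure you have AWS credentials stored where Boto can find them, and they
+# are under the profile 'mm'.
+# 3. Ensure you have a pubkey available at ~/.ssh/id_rsa.pub.
+# 3. Run the playbook: ansible-playbook test-standalone-nginx-aws.yml
+# Play 1: Provision EC2 instance and A record.
+- hosts: localhost
+connection: local
+gather_facts: no
+tasks:
+- name: Configure EC2 Security Group.
+ec2_group:
+profile: mm
+name: certbot_test_http
+description: HTTP security group for Certbot testing.
+region: "us-east-1"
+state: present
+rules:
+- proto: tcp
+from_port: 80
+to_port: 80
+cidr_ip: 0.0.0.0/0
+- proto: tcp
+from_port: 443
+to_port: 443
+cidr_ip: 0.0.0.0/0
+- proto: tcp
+from_port: 22
+to_port: 22
+cidr_ip: 0.0.0.0/0
+rules_egress: []
+- name: Add EC2 Key Pair.
+ec2_key:
+profile: mm
+region: "us-east-1"
+name: certbot_test
+key_material: "{{ item }}"
+with_file: ~/.ssh/id_rsa.pub
+- name: Provision EC2 instance.
+ec2:
+profile: mm
+key_name: certbot_test
+instance_tags:
+Name: "certbot-standalone-nginx-test"
+group: ['default', 'certbot_test_http']
+instance_type: t2.micro
+image: ami-02e98f78 # CentOS Linux 7 x86_64 HVM EBS
+region: "us-east-1"
+wait: yes
+wait_timeout: 500
+exact_count: 1
+count_tag:
+Name: "certbot-standalone-nginx-test"
+register: created_instance
+- name: Add A record for the new EC2 instance IP in Route53.
+route53:
+profile: mm
+command: create
+zone: servercheck.in
+record: certbot-test.servercheck.in
+type: A
+ttl: 300
+value: "{{ created_instance.tagged_instances.0.public_ip }}"
+wait: yes
+overwrite: yes
+- name: Add EC2 instance to inventory groups.
+add_host:
+name: "certbot-test.servercheck.in"
+groups: "aws,aws_nginx"
+ansible_ssh_user: centos
+host_key_checking: False
+when: created_instance.tagged_instances.0.id is defined
+# Play 2: Configure EC2 instance with Certbot and Nginx.
+- hosts: aws_nginx
+gather_facts: yes
+become: yes
+vars:
+certbot_admin_email: https@servercheck.in
+certbot_create_if_missing: yes
+certbot_create_stop_services:
+- nginx
+certbot_certs:
+- domains:
+- certbot-test.servercheck.in
+certbot_create_stop_services: []
+nginx_vhosts:
+- listen: "443 ssl http2"
+server_name: "certbot-test.servercheck.in"
+root: "/usr/share/nginx/html"
+index: "index.html index.htm"
+state: "present"
+template: "{{ nginx_vhost_template }}"
+filename: "certbot_test.conf"
+extra_parameters: |
+ssl_certificate /etc/letsencrypt/live/certbot-test.servercheck.in/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/certbot-test.servercheck.in/privkey.pem;
+ssl_protocols TLSv1.1 TLSv1.2;
+ssl_ciphers HIGH:!aNULL:!MD5;
+pre_tasks:
+- name: Update apt cache.
+apt: update_cache=yes cache_valid_time=600
+when: ansible_os_family == 'Debian'
+changed_when: false
+- name: Install dependencies (RedHat).
+yum: name={{ item }} state=present
+when: ansible_os_family == 'RedHat'
+with_items:
+- cronie
+- epel-release
+- name: Install cron (Debian).
+apt: name=cron state=present
+when: ansible_os_family == 'Debian'
+roles:
+- geerlingguy.certbot
+- geerlingguy.nginx
+tasks:
+- name: Flush handlers in case any configs have changed.
+meta: flush_handlers
+- name: Test secure connection to SSL domain.
+uri:
+url: https://certbot-test.servercheck.in/
+status_code: 200
+delegate_to: localhost
+become: no
+# Play 3: Tear down EC2 instance and A record.
+- hosts: localhost
+connection: local
+gather_facts: no
+tasks:
+- name: Destroy EC2 instance.
+ec2:
+profile: mm
+instance_ids: ["{{ created_instance.tagged_instances.0.id }}"]
+region: "us-east-1"
+state: absent
+wait: yes
+wait_timeout: 500
+- name: Delete Security Group.
+ec2_group:
+profile: mm
+name: certbot_test_http
+region: "us-east-1"
+state: absent
+- name: Delete Key Pair.
+ec2_key:
+profile: mm
+name: certbot_test
+region: "us-east-1"
+state: absent
+- name: Delete Route53 record.
+route53:
+profile: mm
+state: delete
+zone: servercheck.in
+record: certbot-test.servercheck.in
+type: A
+ttl: 300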
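Review bot: `certbot_create_stop_services` is defined twice in the Play 2 `vars:` mapping, first as a list containing `nginx` and a few lines later as `[]`; YAML loaders keep the last value and Ansible warns about the duplicate, so the `nginx` entry is dead and should be removed, leaving `certbot_create_stop_services: []` with a comment such as `# nothing to stop: nginx is not installed until after the certbot role runs`. The security group opens port 22 to `0.0.0.0/0` for the life of the test host; scoping that rule's `cidr_ip` to the address the playbook runs from would shrink the exposure window without affecting the HTTP/HTTPS rules the test needs. `host_key_checking: False` passed to `add_host` becomes an ordinary host variable, and as far as I can tell it is not a name the ssh connection plugin reads, so host key checking is still governed by ansible.cfg or `ANSIBLE_HOST_KEY_CHECKING`; confirm it actually has an effect or drop it. The run-instructions comment numbers two steps as "3."; the last one should read `# 4. Run the playbook: ansible-playbook test-standalone-nginx-aws.yml`.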

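--- a/tests/test.yml
+++ b/tests/test.yml
@@ -7,9 +7,12 @@
 when: ansible_os_family == 'Debian'
 changed_when: false
-- name: Install cron (RedHat).
-yum: name=cronie state=present
+- name: Install dependencies (RedHat).
+yum: name={{ item }} state=present
 when: ansible_os_family == 'RedHat'
+with_items:
+- cronie
+- epel-release
 - name: Install cron (Debian).
 apt: name=cron state=present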
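Review bot: The new `epel-release` entry is guarded only by `ansible_os_family == 'RedHat'`, but that package is in the stock repositories of CentOS, not of RHEL itself, so on a RHEL host the task will fail before the certbot role runs; if RHEL is meant to be covered, either narrow the condition to `ansible_distribution == 'CentOS'` or install EPEL from its RPM URL on RHEL. A comment on the task stating why EPEL is needed would also help: `# EPEL provides the certbot package on CentOS 7.`. The same pre_tasks block appears in tests/test-standalone-nginx-aws.yml and has the same limitation.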
