Merge fbe6399b007666e641a9c23c11f744c9067b3ddc into 574c0843c8620f299ff67acbf35c9a6aa45121d0

README.md

@@ -20,6 +20,27 @@ The variable `certbot_install_from_source` controls whether to install Certbot f
 
 By default, this role configures a cron job to run under the provided user account at the given hour and minute, every day. The defaults run `certbot renew` (or `certbot-auto renew`) via cron every day at 03:30:00 by the user you use in your Ansible playbook. It's preferred that you set a custom user/hour/minute so the renewal is during a low-traffic period and done by a non-root user account.
 
+### Certificate generation
+`certbot_handle_certs: true`
+Set to true to have this role register and generate certificates for your
+domains.
+
+`certbot_register_email: ''``
+The email to register with. This is required (if you set `certbot_handle_certs` to true) or else the role will fail.
+
+certbot_domains: []
+The domains to generate certs for. This is required (if you set `certbot_handle_certs` to true) or else the role will fail. If you are also using the [geerlingguy/ansible-role-apache](https://github.com/geerlingguy/ansible-role-apache) role, you can use something like this to get a list of your domains:
+```yaml
+certbot_domains: "{{ [0,1,2] | map('extract', apache_vhosts, 'servername') | list }}"
+```
+where `[0,1,2,]` means the first, second and third virtual host specification respectively.
+
+`certbot_register_command: "{{ certbot_script }} register --non-interactive --agree-tos --email {{ certbot_register_email }}"`
+The command to run to register with Let's Encrypt.
+
+`certbot_cert_command: "{{ certbot_script }} certonly --noninteractive --standalone"`
+The command to run to generate the certificates.
+
 ### Source Installation from Git
 
 You can install Certbot from it's Git source repository if desired. This might be useful in several cases, but especially when older distributions don't have Certbot packages available (e.g. CentOS < 7, Ubuntu < 16.10 and Debian < 8).
@@ -51,7 +72,9 @@ None.
       roles:
         - geerlingguy.certbot
 
-### Creating certificates with certbot
+### Manually creating certificates with certbot
+
+If you do not enable certificate generation via this role (`certbot_handle_certs: true`), you can follow the steps below to generate your certificates.
 
 After installation, you can create certificates using the `certbot` (or `certbot-auto`) script (use `letsencrypt` on Ubuntu 16.04, or use `/opt/certbot/certbot-auto` if installing from source/Git. Here are some example commands to configure certificates with Certbot:
 

defaults/main.yml

@@ -1,7 +1,10 @@
 ---
+# Global options for configuration file
+certbot_config_file_options: {}
+
 # Certbot auto-renew cron job configuration (for certificate renewals).
 certbot_auto_renew: true
-certbot_auto_renew_user: "{{ ansible_user }}"
+certbot_auto_renew_user: "{{ lookup('env', 'USER') }}"
 certbot_auto_renew_hour: 3
 certbot_auto_renew_minute: 30
 certbot_auto_renew_options: "--quiet --no-self-upgrade"
@@ -15,3 +18,19 @@ certbot_keep_updated: yes
 
 # Where to put Certbot when installing from source.
 certbot_dir: /opt/certbot
+
+# Set to true to have this role register and generate certificates for your
+# domains.
+certbot_handle_certs: true
+
+# The email to register with (required).
+certbot_register_email: ''
+
+# The command to run to register with Let's Encrypt
+certbot_register_command: "{{ certbot_script }} register --non-interactive --agree-tos --email {{ certbot_register_email }}"
+
+# The domains to generate certs for
+certbot_domains: []
+
+# The command to run to generate the certificates
+certbot_cert_command: "{{ certbot_script }} certonly --noninteractive --standalone --expand"

tasks/generate-certs.yml

@@ -0,0 +1,23 @@
+---
+
+- name: Make sure we have an email
+  assert:
+    that:
+    - "certbot_register_email != ''"
+    msg: "You need to provide an email address you own to register with Let's Encrypt."
+
+- name: Make sure we have domains
+  assert:
+    that:
+    - "certbot_domains != []"
+    msg: "You need to provide at least one domain to generate certificates for."
+
+- name: Register with Let's Encrypt
+  command: "{{ certbot_register_command }}"
+  args:
+    creates: /etc/letsencrypt/accounts
+
+- name: Generate certificates
+  command: "{{ certbot_cert_command }} -d {{ certbot_domains | join(' -d ') }}"
+  register: result
+  changed_when: result.stdout.find("Certificate not yet due for renewal") == -1

tasks/main.yml

@@ -7,5 +7,8 @@
 - include: install-from-source.yml
   when: certbot_install_from_source
 
+- include: generate-certs.yml
+  when: certbot_handle_certs
+
 - include: renew-cron.yml
   when: certbot_auto_renew