updated to include more OSs and pip install

This commit is contained in:
Eric Anderson 2020-04-27 13:27:59 -07:00
parent 09c8986636
commit 7203b84e63
15 changed files with 230 additions and 36 deletions


@ -7,12 +7,26 @@ env:
- ROLE_NAME: certbot
matrix:
- MOLECULE_DISTRO: centos8
- MOLECULE_DISTRO: centos8
MOLECULE_PLAYBOOK: playbook-plugin-install.yml
- MOLECULE_DISTRO: centos8
MOLECULE_PLAYBOOK: playbook-pip-install.yml
- MOLECULE_DISTRO: centos7
- MOLECULE_DISTRO: centos7
MOLECULE_PLAYBOOK: playbook-plugin-install.yml
- MOLECULE_DISTRO: centos7
MOLECULE_PLAYBOOK: playbook-pip-install.yml
- MOLECULE_DISTRO: centos6
MOLECULE_PLAYBOOK: playbook-source-install.yml
- MOLECULE_DISTRO: ubuntu1804
- MOLECULE_DISTRO: ubuntu1804
MOLECULE_PLAYBOOK: playbook-ppa-install.yml
- MOLECULE_DISTRO: ubuntu1804
MOLECULE_PLAYBOOK: playbook-pip-install.yml
- MOLECULE_DISTRO: ubuntu1604
- MOLECULE_DISTRO: debian10
- MOLECULE_DISTRO: debian9
install:
# Install test dependencies.


@ -22,6 +22,12 @@ The variable `certbot_install_from_source` controls whether to install Certbot f
By default, this role configures a cron job to run under the provided user account at the given hour and minute, every day. The defaults run `certbot renew` (or `certbot-auto renew`) via cron every day at 03:30:00 by the user you use in your Ansible playbook. It's preferred that you set a custom user/hour/minute so the renewal is during a low-traffic period and done by a non-root user account.
`certbot_pkg_mgr`: (string) (default: `ansible_pkg_mgr`) (options: `apt`, `dnf`, `pip`, `yum`) this allows configuring the type of package install
`certbot_use_ppa`: (boolean) (Ubuntu Only) (optional) this var defaults to `no/false`, and if set to `yes/true` also installs the ppa:certbot/certbot for latest packages
`certbot_plugins`: (list) (optional) `apache`, `dns-cloudflare`, `digitalocean`, `dns-dnsimple`, `dns-rfc2136`, `dns-route53`, `nginx` Specified as a list allows installation of certbot plugins
`certbot_python`: (string) (optional) `python3`, `python2` Used when installing plugins via `apt`, `dnf`, `yum`, the repositories have differences depending on release and we handle this by default
`certbot_pip_executable`: (string) (optional) `pip` or `pip3` used when specifying `pip` install. If using `geerlingguy.pip` this should match `pip_executable` role param
### Automatic Certificate Generation
Currently there is one built-in method for generating new certificates using this role: `standalone`. Other methods (e.g. using nginx or apache and a webroot) may be added in the future.
@ -62,7 +68,7 @@ These services will only be stopped the first time a new cert is generated.
### Source Installation from Git
You can install Certbot from it's Git source repository if desired. This might be useful in several cases, but especially when older distributions don't have Certbot packages available (e.g. CentOS < 7, Ubuntu < 16.10 and Debian < 8).
You can install Certbot from it's Git source repository if desired. This might be useful in several cases, but especially when older distributions don't have Certbot packages available (e.g. CentOS &lt; 7, Ubuntu &lt; 16.10 and Debian &lt; 8).
certbot_install_from_source: false
certbot_repo: https://github.com/certbot/certbot.git
@ -88,12 +94,12 @@ None.
## Example Playbook
- hosts: servers
vars:
certbot_auto_renew_user: your_username_here
certbot_auto_renew_minute: "20"
certbot_auto_renew_hour: "5"
roles:
- geerlingguy.certbot
@ -113,13 +119,13 @@ You can manually create certificates using the `certbot` (or `certbot-auto`) scr
If you want to fully automate the process of adding a new certificate, but don't want to use this role's built in functionality, you can do so using the command line options to register, accept the terms of service, and then generate a cert using the standalone server:
1. Make sure any services listening on ports 80 and 443 (Apache, Nginx, Varnish, etc.) are stopped.
2. Register with something like `certbot register --agree-tos --email [your-email@example.com]`
- Note: You won't need to do this step in the future, when generating additional certs on the same server.
3. Generate a cert for a domain whose DNS points to this server: `certbot certonly --noninteractive --standalone -d example.com -d www.example.com`
4. Re-start whatever was listening on ports 80 and 443 before.
5. Update your webserver's virtualhost TLS configuration to point at the new certificate (`fullchain.pem`) and private key (`privkey.pem`) Certbot just generated for the domain you passed in the `certbot` command.
6. Reload or restart your webserver so it uses the new HTTPS virtualhost configuration.
1. Make sure any services listening on ports 80 and 443 (Apache, Nginx, Varnish, etc.) are stopped.
2. Register with something like `certbot register --agree-tos --email [your-email@example.com]`
- Note: You won't need to do this step in the future, when generating additional certs on the same server.
3. Generate a cert for a domain whose DNS points to this server: `certbot certonly --noninteractive --standalone -d example.com -d www.example.com`
4. Re-start whatever was listening on ports 80 and 443 before.
5. Update your webserver's virtualhost TLS configuration to point at the new certificate (`fullchain.pem`) and private key (`privkey.pem`) Certbot just generated for the domain you passed in the `certbot` command.
6. Reload or restart your webserver so it uses the new HTTPS virtualhost configuration.
### Certbot certificate auto-renewal


@ -36,3 +36,8 @@ certbot_keep_updated: true
# Where to put Certbot when installing from source.
certbot_dir: /opt/certbot
certbot_pkg_mgr: "{{ ansible_pkg_mgr }}"
certbot_pip_version: 1.3.0
certbot_pip_executable: pip
certbot_use_ppa: false
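Review bot: The four new defaults at the end of this hunk are the only ones here without an explanatory comment, while the neighbouring `certbot_dir` has one; since `certbot_pip_version: 1.3.0` hard-pins the PyPI install, a reader should learn at this spot that the pip path does not follow `certbot_keep_updated`, which appears to govern only the source install. I would add `# Package manager used for the install; one of apt, dnf, yum or pip.` above `certbot_pkg_mgr`, `# Exact certbot (and plugin) version installed from PyPI; bump deliberately, pip installs are not auto-updated.` above `certbot_pip_version`, and `# Ubuntu only: add ppa:certbot/certbot before installing packages.` above `certbot_use_ppa`. Quoting the version as `"1.3.0"` also keeps it a string if it is ever shortened to two components, where `1.3` would parse as a float.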


@ -0,0 +1,31 @@
---
- name: Converge
hosts: all
become: true
vars:
certbot_auto_renew_user: root
pre_tasks:
- name: Update apt cache.
apt: update_cache=yes cache_valid_time=600
when: ansible_os_family == 'Debian'
changed_when: false
- name: Install dependencies (RedHat).
yum: name={{ item }} state=present
with_items:
- cronie
- epel-release
when: ansible_os_family == 'RedHat'
- name: Install cron (Debian).
apt: name=cron state=present
when: ansible_os_family == 'Debian'
roles:
- role: geerlingguy.pip
- role: geerlingguy.certbot
certbot_install_from_source: false
certbot_pkg_mgr: pip
certbot_plugins: ['dns-route53']
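Review bot: The play runs `geerlingguy.pip` ahead of the certbot role but leaves `certbot_pip_executable` at its default of `pip`; the README in this same commit says that value must match that role's `pip_executable`, so if the pip role's default differs on these images the dependencies are prepared for one interpreter and certbot is installed into another. Setting both explicitly in the play, e.g. `pip_executable: pip3` and `certbot_pip_executable: pip3` under the roles, removes the guess and documents the pairing. The `yum: name={{ item }}` / `with_items` pattern is copied from the existing scenarios; passing the list to `name:` directly would be the current idiom but is not a defect.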


@ -0,0 +1,32 @@
---
- name: Converge
hosts: all
become: true
vars:
certbot_auto_renew_user: root
pre_tasks:
- name: Update apt cache.
apt: update_cache=yes cache_valid_time=600
when: ansible_os_family == 'Debian'
changed_when: false
- name: Install dependencies (RedHat).
yum: name={{ item }} state=present
with_items:
- cronie
- epel-release
when: ansible_os_family == 'RedHat'
- name: Install cron (Debian).
apt: name={{ item }} state=present
when: ansible_os_family == 'Debian'
with_items:
- cron
- gnupg
roles:
- role: geerlingguy.certbot
certbot_plugins:
- nginx


@ -0,0 +1,33 @@
---
- name: Converge
hosts: all
become: true
vars:
certbot_auto_renew_user: root
pre_tasks:
- name: Update apt cache.
apt: update_cache=yes cache_valid_time=600
when: ansible_os_family == 'Debian'
changed_when: false
- name: Install dependencies (RedHat).
yum: name={{ item }} state=present
with_items:
- cronie
- epel-release
when: ansible_os_family == 'RedHat'
- name: Install cron (Debian).
apt: name={{ item }} state=present
when: ansible_os_family == 'Debian'
with_items:
- cron
- gnupg
roles:
- role: geerlingguy.certbot
certbot_use_ppa: true
certbot_plugins:
- nginx


@ -115,10 +115,10 @@
- name: Install dependencies (RedHat).
yum: name={{ item }} state=present
when: ansible_os_family == 'RedHat'
with_items:
- cronie
- epel-release
when: ansible_os_family == 'RedHat'
- name: Install cron (Debian).
apt: name=cron state=present


@ -1,3 +1,4 @@
---
- src: geerlingguy.git
- src: geerlingguy.nginx
- src: geerlingguy.pip

25
tasks/apt/install.yml Normal file

@ -0,0 +1,25 @@
---
- name: Requirement for Debian 9 support
block:
- name: certbot | Debian | Install the Debian Backports repository
apt_repository:
repo: deb http://ftp.debian.org/debian stretch-backports main
when:
- ansible_distribution == 'Debian'
- ansible_distribution_major_version == '9'
- block:
- name: Install the Ubuntu certbot/certbot PPA Apt Key
apt_key:
keyserver: keyserver.ubuntu.com
id: 7BF576066ADA65728FC7E70A8C47BE8E75BCA694
- name: Install the Ubuntu certbot/certbot PPA
apt_repository:
repo: ppa:certbot/certbot
codename: "{{ ansible_distribution_release }}"
- name: Set the package certbot_python to python3 (ppa uses python3)
set_fact:
certbot_python: python3
when:
- ansible_distribution == 'Ubuntu'
- certbot_use_ppa
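Review bot: The Debian 9 block only adds the `stretch-backports` source; apt does not prefer backports over the release pocket, so unless the package task elsewhere in the role passes `default_release: stretch-backports` (not visible in this file) the repository is added but never used for certbot — worth confirming, and if backports is the intended source the install task should set `default_release` for Debian 9. The source is fetched over plain `http://`, which apt's signature verification makes acceptable, but adding `filename: stretch-backports` keeps the generated sources.list.d entry predictable. The PPA key is fetched from `keyserver.ubuntu.com` by its full 40-character fingerprint, which is the right way to pin it; a one-line comment above `apt_key` stating that the `id` is the certbot/certbot PPA signing fingerprint would save the next reader a lookup.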

21
tasks/dnf/install.yml Normal file

@ -0,0 +1,21 @@
---
# See: https://github.com/geerlingguy/ansible-role-certbot/issues/107
- block:
- name: Ensure dnf-plugins are installed on CentOS 8+.
yum:
name: dnf-plugins-core
state: present
- name: Enable DNF module for CentOS 8+.
shell: |
dnf config-manager --set-enabled PowerTools
args:
warn: false
register: dnf_module_enable
changed_when: false
- name: Set the certbot_python to python3 (Certbot in RHEL 8 uses Python3)
set_fact:
certbot_python: python3
when:
- ansible_os_family == 'RedHat'
- ansible_distribution_major_version | int >= 8
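Review bot: `dnf config-manager --set-enabled PowerTools` runs through `shell:` with `changed_when: false`, so the task never reports the change it makes, and the registered `dnf_module_enable` is not read anywhere in this file. The command needs no shell features, so `command: dnf config-manager --set-enabled PowerTools` is the safer module; if change reporting matters, register a preceding `command: dnf repolist --enabled` and use `changed_when: "'PowerTools' not in repolist.stdout"` instead of the blanket `false`. The `set_fact` on `certbot_python` is the new part here; its name says RHEL 8 while the sibling tasks say CentOS 8+, so pick one wording.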


@ -1,6 +1,27 @@
---
- name: Install Certbot.
package: "name={{ certbot_package }} state=present"
- name: Starting the Certbot Install via {{ certbot_pkg_mgr }}
include_tasks: "{{ certbot_pkg_mgr|lower }}/install.yml"
- block:
- name: Install certbot package
package: name={{ certbot_package }}
register: task_result
until: task_result is success
retries: 10
delay: 2
when:
- certbot_plugins is undefined
- name: Install certbot plugins
apt:
name: "{{ certbot_python }}-certbot-{{ item }}"
register: task_result
until: task_result is success
retries: 10
delay: 2
loop: "{{ certbot_plugins }}"
when: certbot_plugins is defined
when: certbot_pkg_mgr != 'pip'
- name: Set Certbot script variable.
set_fact:
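Review bot: The `Install certbot plugins` task uses the `apt` module, but it sits in a block gated only on `certbot_pkg_mgr != 'pip'`, so with `certbot_pkg_mgr` resolving to `dnf` or `yum` and `certbot_plugins` defined — the centos7/centos8 `playbook-plugin-install.yml` matrix entries added in this commit — the task would invoke apt on a RedHat host. Using the generic module, `package: name="{{ certbot_python }}-certbot-{{ item }}" state=present`, matches the base-package task above it and works for all three managers. The base task also dropped the explicit `state=present` that the removed line carried; the module defaults to present, but stating it keeps the intent visible. When plugins are defined the base `certbot` package is never installed directly and is relied on as a dependency of the plugin packages — a comment saying so would stop someone "fixing" the `when: certbot_plugins is undefined` guard. The trailing `Set Certbot script variable.` task continues outside this hunk.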


@ -1,9 +1,6 @@
---
- import_tasks: include-vars.yml
- import_tasks: setup-RedHat.yml
when: ansible_os_family == 'RedHat'
- import_tasks: install-with-package.yml
when: not certbot_install_from_source

21
tasks/pip/install.yml Normal file

@ -0,0 +1,21 @@
---
- name: certbot | PyPI | Upgrade pip, setuptools, and pyopenssl as required
pip:
name: "{{ item }}"
executable: "{{ certbot_pip_executable }}"
loop:
- pip
- setuptools
- pyopenssl
- name: certbot | PyPI | Install certbot {{ certbot_pip_version }}
pip:
name: certbot=={{ certbot_pip_version }}
executable: "{{ certbot_pip_executable }}"
- name: certbot | PyPI | Install certbot plugins
pip:
name: "certbot-{{ item }}=={{ certbot_pip_version }}"
executable: "{{ certbot_pip_executable }}"
loop: "{{ certbot_plugins }}"
when: certbot_plugins is defined
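Review bot: The first task is named "Upgrade pip, setuptools, and pyopenssl", but the `pip` module defaults to `state: present`, so nothing is upgraded when those packages already exist; if an upgrade is genuinely required the task needs `state: latest` or pinned versions. Either way this runs as root against the system interpreter, so an unpinned `latest` would silently replace distribution-managed `setuptools`/`pyopenssl` — a supply-chain surface the file otherwise avoids by pinning `certbot=={{ certbot_pip_version }}`; installing into a dedicated `virtualenv:` (e.g. under `certbot_dir`) or pinning these three to known versions keeps the system Python untouched. The plugin task assumes every `certbot-*` plugin publishes the same version number as certbot itself; that should be stated in a comment above the task so a plugin that falls out of step is understood rather than debugged.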


@ -1,20 +0,0 @@
---
# See: https://github.com/geerlingguy/ansible-role-certbot/issues/107
- block:
- name: Ensure dnf-plugins are installed on CentOS 8+.
yum:
name: dnf-plugins-core
state: present
- name: Enable DNF module for CentOS 8+.
shell: |
dnf config-manager --set-enabled PowerTools
args:
warn: false
register: dnf_module_enable
changed_when: false
when:
- ansible_os_family == 'RedHat'
- ansible_distribution_major_version | int >= 8

7
tasks/yum/install.yml Normal file

@ -0,0 +1,7 @@
---
- name: Set the certbot_python to python3 (Certbot in RHEL 7 uses Python3)
set_fact:
certbot_python: python2
when:
- ansible_os_family == 'RedHat'
- ansible_distribution_major_version | int <= 7
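Review bot: The task name says "Certbot in RHEL 7 uses Python3" while the fact it sets is `certbot_python: python2`; the value looks right for EL7's `python2-certbot-*` package names, so the name should read `Set the certbot_python to python2 (Certbot in RHEL 7 uses Python2)`. This file is only reached when `certbot_pkg_mgr` is `yum`, so an EL8 host that explicitly chooses `yum` skips the `<= 7` guard without any task setting `certbot_python`, and the `{{ certbot_python }}-certbot-…` plugin name would then fail to template unless include-vars.yml (not in this view) provides a default — worth confirming and recording in a header comment.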