From 7651f0ac0b67dd59f158f585bfae99c8cb735477 Mon Sep 17 00:00:00 2001
From: Jeff Geerling
Date: Wed, 6 Dec 2017 22:48:30 -0600
Subject: [PATCH] Issue #12: Add basic standalone certbot cert generation.

---
 defaults/main.yml | 16 ++++++++++++++++
 tasks/create-cert-standalone.yml | 23 +++++++++++++++++++++++
 tasks/main.yml | 4 ++++
 tests/test-nginx-aws.yml | 28 ++++++++++++++++++++++++++++
 4 files changed, 71 insertions(+)
 create mode 100644 tasks/create-cert-standalone.yml
 create mode 100644 tests/test-nginx-aws.yml

diff --git a/defaults/main.yml b/defaults/main.yml
index 395b47d..a415375 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -6,6 +6,22 @@ certbot_auto_renew_hour: 3
 certbot_auto_renew_minute: 30
 certbot_auto_renew_options: "--quiet --no-self-upgrade"
 
+# Parameters used when creating new Certbot certs.
+certbot_admin_email: email@example.com
+certbot_create_command: "{{ certbot_script }} certonly --standalone --noninteractive --agree-tos --email {{ item.email | default(certbot_admin_email) }} -d {{ item.domains | join(',') }}"
+certbot_create_if_missing: no
+certbot_create_stop_services:
+  - nginx
+  # - apache
+  # - varnish
+certbot_certs: []
+  # - email: janedoe@example.com
+  #   domains:
+  #     - example1.com
+  #     - example2.com
+  # - domains:
+  #     - example3.com
+
 # To install from source (on older OSes or if you need a specific or newer
 # version of Certbot), set this variable to `yes` and configure other options.
 certbot_install_from_source: no
diff --git a/tasks/create-cert-standalone.yml b/tasks/create-cert-standalone.yml
new file mode 100644
index 0000000..f172774
--- /dev/null
+++ b/tasks/create-cert-standalone.yml
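Review bot: `certbot_create_command` splices `item.email` and `item.domains | join(',')` into a string that the new create-cert-standalone.yml task hands to `shell:`, so any shell metacharacter in a configured email or domain reaches the shell unescaped rather than staying one argument. Passing each value through Ansible's `quote` filter, `--email {{ item.email | default(certbot_admin_email) | quote }} -d {{ item.domains | join(',') | quote }}`, keeps the command safe for whatever ends up in `certbot_certs`. The default `certbot_admin_email: email@example.com` is a placeholder that is registered with Let's Encrypt verbatim if a user enables `certbot_create_if_missing` without overriding it; a comment on that line such as `# Override this: the address is registered with Let's Encrypt on cert creation.` makes that visible.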
@@ -0,0 +1,23 @@
+---
+- name: Check if certificate already exists.
+  stat:
+    path: /etc/letsencrypt/live/{{ item.domains | first }}/cert.pem
+  register: letsencrypt_cert
+
+- name: Stop services to allow certbot to generate a cert.
+  service:
+    name: "{{ item }}"
+    state: stopped
+  when: not letsencrypt_cert.stat.exists
+  with_items: certbot_create_stop_services
+
+- name: Generate new certificate if one doesn't exist.
+  shell: "{{ certbot_create_command }}"
+  when: not letsencrypt_cert.stat.exists
+
+- name: Start services after cert has been generated.
+  service:
+    name: "{{ item }}"
+    state: started
+  when: not letsencrypt_cert.stat.exists
+  with_items: certbot_create_stop_services
diff --git a/tasks/main.yml b/tasks/main.yml
index 5324ff9..ed1ffef 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -7,5 +7,9 @@
 - include: install-from-source.yml
   when: certbot_install_from_source
 
+- include: create-cert-standalone.yml
+  with_items: "{{ certbot_certs }}"
+  when: certbot_create_if_missing
+
 - include: renew-cron.yml
   when: certbot_auto_renew
diff --git a/tests/test-nginx-aws.yml b/tests/test-nginx-aws.yml
new file mode 100644
index 0000000..92eca60
--- /dev/null
+++ b/tests/test-nginx-aws.yml
@@ -0,0 +1,28 @@
+---
+- hosts: all
+
+  vars:
+    certbot_admin_email: https@servercheck.in
+    certbot_create_if_missing: yes
+    certbot_create_stop_services:
+      - nginx
+    certbot_certs:
+      - domains:
+          - certbot-test.servercheck.in
+
+  pre_tasks:
+    - name: Update apt cache.
+      apt: update_cache=yes cache_valid_time=600
+      when: ansible_os_family == 'Debian'
+      changed_when: false
+
+    - name: Install cron (RedHat).
+      yum: name=cronie state=present
+      when: ansible_os_family == 'RedHat'
+
+    - name: Install cron (Debian).
+      apt: name=cron state=present
+      when: ansible_os_family == 'Debian'
+
+  roles:
+    - role_under_test
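Review bot: If the `shell` task "Generate new certificate if one doesn't exist." fails, the play stops before "Start services after cert has been generated." runs, so every service in `certbot_create_stop_services` is left stopped until someone intervenes. Moving the stop and generate tasks into a `block:` and the start task into its `always:` section, with the existing `when:` placed on the block, restarts the services on both the success and the failure path; the rewritten tasks are below. The same rewrite replaces `with_items: certbot_create_stop_services`, which passes a bare variable name that Ansible deprecates and which differs from the `"{{ certbot_certs }}"` form this commit uses in tasks/main.yml, with `with_items: "{{ certbot_create_stop_services }}"`. It also gives the two service loops `loop_control: loop_var: svc`, because tasks/main.yml includes this file once per entry of `certbot_certs` and the inner loops otherwise reuse `item`, which Ansible reports as a loop-variable collision and which would break `item.domains` if the `shell` task ever gained a loop of its own.
```yaml
# … unchanged: stat task registering letsencrypt_cert …

- block:
    - name: Stop services to allow certbot to generate a cert.
      service:
        name: "{{ svc }}"
        state: stopped
      with_items: "{{ certbot_create_stop_services }}"
      loop_control:
        loop_var: svc

    - name: Generate new certificate if one doesn't exist.
      shell: "{{ certbot_create_command }}"
  always:
    - name: Start services after cert has been generated.
      service:
        name: "{{ svc }}"
        state: started
      with_items: "{{ certbot_create_stop_services }}"
      loop_control:
        loop_var: svc
  when: not letsencrypt_cert.stat.exists
```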
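Review bot: The pre_tasks in tests/test-nginx-aws.yml write module arguments as free-form `key=value` strings (`apt: update_cache=yes cache_valid_time=600`, `yum: name=cronie state=present`, `apt: name=cron state=present`) while the rest of the commit writes them as YAML mappings; ansible-lint flags the free-form style and it cannot express nested values. Expanding each to the mapping form, e.g. `apt:` / `  name: cron` / `  state: present`, keeps the test playbook consistent with the role's own tasks.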