Issue #12: Add basic standalone certbot cert generation.

7 years ago · 7651f0ac0b
parent 574c0843c8
commit 7651f0ac0b
4 changed files with 71 additions and 0 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -6,6 +6,22 @@ certbot_auto_renew_hour: 3
 certbot_auto_renew_minute: 30
 certbot_auto_renew_options: "--quiet --no-self-upgrade"

+# Parameters used when creating new Certbot certs.
+certbot_admin_email: email@example.com
+certbot_create_command: "{{ certbot_script }} certonly --standalone --noninteractive --agree-tos --email {{ item.email | default(certbot_admin_email) }} -d {{ item.domains | join(',') }}"
+certbot_create_if_missing: no
+certbot_create_stop_services:
+  - nginx
+  # - apache
+  # - varnish
+certbot_certs: []
+  # - email: janedoe@example.com
+  #   domains:
+  #     - example1.com
+  #     - example2.com
+  # - domains:
+  #     - example3.com
+
 # To install from source (on older OSes or if you need a specific or newer
 # version of Certbot), set this variable to `yes` and configure other options.
 certbot_install_from_source: no
--- a/tasks/create-cert-standalone.yml
+++ b/tasks/create-cert-standalone.yml
@ -0,0 +1,23 @@
+---
+- name: Check if certificate already exists.
+  stat:
+    path: /etc/letsencrypt/live/{{ item.domains | first }}/cert.pem
+  register: letsencrypt_cert
+
+- name: Stop services to allow certbot to generate a cert.
+  service:
+    name: "{{ item }}"
+    state: stopped
+  when: not letsencrypt_cert.stat.exists
+  with_items: certbot_create_stop_services
+
+- name: Generate new certificate if one doesn't exist.
+  shell: "{{ certbot_create_command }}"
+  when: not letsencrypt_cert.stat.exists
+
+- name: Start services after cert has been generated.
+  service:
+    name: "{{ item }}"
+    state: started
+  when: not letsencrypt_cert.stat.exists
+  with_items: certbot_create_stop_services
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -7,5 +7,9 @@
 - include: install-from-source.yml
  when: certbot_install_from_source

+- include: create-cert-standalone.yml
+  with_items: "{{ certbot_certs }}"
+  when: certbot_create_if_missing
+
 - include: renew-cron.yml
  when: certbot_auto_renew
--- a/tests/test-nginx-aws.yml
+++ b/tests/test-nginx-aws.yml
@ -0,0 +1,28 @@
+---
+- hosts: all
+
+  vars:
+    certbot_admin_email: https@servercheck.in
+    certbot_create_if_missing: yes
+    certbot_create_stop_services:
+      - nginx
+    certbot_certs:
+      - domains:
+          - certbot-test.servercheck.in
+
+  pre_tasks:
+    - name: Update apt cache.
+      apt: update_cache=yes cache_valid_time=600
+      when: ansible_os_family == 'Debian'
+      changed_when: false
+
+    - name: Install cron (RedHat).
+      yum: name=cronie state=present
+      when: ansible_os_family == 'RedHat'
+
+    - name: Install cron (Debian).
+      apt: name=cron state=present
+      when: ansible_os_family == 'Debian'
+
+  roles:
+    - role_under_test