Merge pull request #38 from geerlingguy/12-standalone-cert-generation

Issue #12: Add basic standalone certbot cert generation.
pull/24/head
Jeff Geerling 7 years ago committed by GitHub
commit 9a8c9ae417
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 54
      README.md
  2. 17
      defaults/main.yml
  3. 2
      meta/main.yml
  4. 23
      tasks/create-cert-standalone.yml
  5. 16
      tasks/main.yml
  6. 1
      tests/requirements.yml
  7. 178
      tests/test-standalone-nginx-aws.yml
  8. 7
      tests/test.yml

@ -20,6 +20,44 @@ The variable `certbot_install_from_source` controls whether to install Certbot f
By default, this role configures a cron job to run under the provided user account at the given hour and minute, every day. The defaults run `certbot renew` (or `certbot-auto renew`) via cron every day at 03:30:00 by the user you use in your Ansible playbook. It's preferred that you set a custom user/hour/minute so the renewal is during a low-traffic period and done by a non-root user account. By default, this role configures a cron job to run under the provided user account at the given hour and minute, every day. The defaults run `certbot renew` (or `certbot-auto renew`) via cron every day at 03:30:00 by the user you use in your Ansible playbook. It's preferred that you set a custom user/hour/minute so the renewal is during a low-traffic period and done by a non-root user account.
### Automatic Certificate Generation
Currently there is one built-in method for generating new certificates using this role: `standalone`. Other methods (e.g. using nginx or apache and a webroot) may be added in the future.
**For a complete example**: see the fully functional test playbook in [tests/test-standalone-nginx-aws.yml](tests/test-standalone-nginx-aws.yml).
certbot_create_if_missing: no
certbot_create_method: standalone
Set `certbot_create_if_missing` to `yes` or `True` to let this role generate certs. Set the method used for generating certs with the `certbot_create_method` variable—current allowed values include: `standalone`.
certbot_admin_email: email@example.com
The email address used to agree to Let's Encrypt's TOS and subscribe to cert-related notifications. This should be customized and set to an email address that you or your organization regularly monitors.
certbot_certs: []
# - email: janedoe@example.com
# domains:
# - example1.com
# - example2.com
# - domains:
# - example3.com
A list of domains (and other data) for which certs should be generated. You can add an `email` key to any list item to override the `certbot_admin_email`.
certbot_create_command: "{{ certbot_script }} certonly --standalone --noninteractive --agree-tos --email {{ cert_item.email | default(certbot_admin_email) }} -d {{ cert_item.domains | join(',') }}"
The `certbot_create_command` defines the command used to generate the cert.
#### Standalone Certificate Generation
certbot_create_standalone_stop_services:
- nginx
Services that should be stopped while `certbot` runs it's own standalone server on ports 80 and 443. If you're running Apache, set this to `apache2` (Ubuntu), or `httpd` (RHEL), or if you have Nginx on port 443 and something else on port 80 (e.g. Varnish, a Java app, or something else), add it to the list so it is stopped when the certificate is generated.
These services will only be stopped the first time a new cert is generated.
### Source Installation from Git ### Source Installation from Git
You can install Certbot from it's Git source repository if desired. This might be useful in several cases, but especially when older distributions don't have Certbot packages available (e.g. CentOS < 7, Ubuntu < 16.10 and Debian < 8). You can install Certbot from it's Git source repository if desired. This might be useful in several cases, but especially when older distributions don't have Certbot packages available (e.g. CentOS < 7, Ubuntu < 16.10 and Debian < 8).
@ -51,9 +89,13 @@ None.
roles: roles:
- geerlingguy.certbot - geerlingguy.certbot
### Creating certificates with certbot See other examples in the `tests/` directory.
### Manually creating certificates with certbot
_Note: You can have this role automatically generate certificates; see the "Automatic Certificate Generation" documentation above._
After installation, you can create certificates using the `certbot` (or `certbot-auto`) script (use `letsencrypt` on Ubuntu 16.04, or use `/opt/certbot/certbot-auto` if installing from source/Git. Here are some example commands to configure certificates with Certbot: You can manually create certificates using the `certbot` (or `certbot-auto`) script (use `letsencrypt` on Ubuntu 16.04, or use `/opt/certbot/certbot-auto` if installing from source/Git. Here are some example commands to configure certificates with Certbot:
# Automatically add certs for all Apache virtualhosts (use with caution!). # Automatically add certs for all Apache virtualhosts (use with caution!).
certbot --apache certbot --apache
@ -61,15 +103,15 @@ After installation, you can create certificates using the `certbot` (or `certbot
# Generate certs, but don't modify Apache configuration (safer). # Generate certs, but don't modify Apache configuration (safer).
certbot --apache certonly certbot --apache certonly
If you want to fully automate the process of adding a new certificate, you can do so using the command line options to register, accept the terms of service, and then generate a cert using the standalone server: If you want to fully automate the process of adding a new certificate, but don't want to use this role's built in functionality, you can do so using the command line options to register, accept the terms of service, and then generate a cert using the standalone server:
1. Make sure any services listening on port 80 (Apache, Nginx, Varnish, etc.) are stopped. 1. Make sure any services listening on ports 80 and 443 (Apache, Nginx, Varnish, etc.) are stopped.
2. Register with something like `certbot register --agree-tos --email [your-email@example.com]` 2. Register with something like `certbot register --agree-tos --email [your-email@example.com]`
- Note: You won't need to do this step in the future, when generating additional certs on the same server. - Note: You won't need to do this step in the future, when generating additional certs on the same server.
3. Generate a cert for a domain whose DNS points to this server: `certbot certonly --noninteractive --standalone -d example.com -d www.example.com` 3. Generate a cert for a domain whose DNS points to this server: `certbot certonly --noninteractive --standalone -d example.com -d www.example.com`
4. Re-start whatever was listening on port 80 before. 4. Re-start whatever was listening on ports 80 and 443 before.
5. Update your webserver's virtualhost TLS configuration to point at the new certificate (`fullchain.pem`) and private key (`privkey.pem`) Certbot just generated for the domain you passed in the `certbot` command. 5. Update your webserver's virtualhost TLS configuration to point at the new certificate (`fullchain.pem`) and private key (`privkey.pem`) Certbot just generated for the domain you passed in the `certbot` command.
6. Restart your webserver so it uses the new HTTPS virtualhost configuration. 6. Reload or restart your webserver so it uses the new HTTPS virtualhost configuration.
### Certbot certificate auto-renewal ### Certbot certificate auto-renewal

@ -6,6 +6,23 @@ certbot_auto_renew_hour: 3
certbot_auto_renew_minute: 30 certbot_auto_renew_minute: 30
certbot_auto_renew_options: "--quiet --no-self-upgrade" certbot_auto_renew_options: "--quiet --no-self-upgrade"
# Parameters used when creating new Certbot certs.
certbot_create_if_missing: no
certbot_create_method: standalone
certbot_admin_email: email@example.com
certbot_certs: []
# - email: janedoe@example.com
# domains:
# - example1.com
# - example2.com
# - domains:
# - example3.com
certbot_create_command: "{{ certbot_script }} certonly --standalone --noninteractive --agree-tos --email {{ cert_item.email | default(certbot_admin_email) }} -d {{ cert_item.domains | join(',') }}"
certbot_create_standalone_stop_services:
- nginx
# - apache
# - varnish
# To install from source (on older OSes or if you need a specific or newer # To install from source (on older OSes or if you need a specific or newer
# version of Certbot), set this variable to `yes` and configure other options. # version of Certbot), set this variable to `yes` and configure other options.
certbot_install_from_source: no certbot_install_from_source: no

@ -6,7 +6,7 @@ galaxy_info:
description: "Installs and configures Certbot (for Let's Encrypt)." description: "Installs and configures Certbot (for Let's Encrypt)."
company: "Midwestern Mac, LLC" company: "Midwestern Mac, LLC"
license: "license (BSD, MIT)" license: "license (BSD, MIT)"
min_ansible_version: 2.0 min_ansible_version: 2.4
platforms: platforms:
- name: EL - name: EL
versions: versions:

@ -0,0 +1,23 @@
---
- name: Check if certificate already exists.
stat:
path: /etc/letsencrypt/live/{{ cert_item.domains | first }}/cert.pem
register: letsencrypt_cert
- name: Stop services to allow certbot to generate a cert.
service:
name: "{{ item }}"
state: stopped
when: not letsencrypt_cert.stat.exists
with_items: "{{ certbot_create_standalone_stop_services }}"
- name: Generate new certificate if one doesn't exist.
shell: "{{ certbot_create_command }}"
when: not letsencrypt_cert.stat.exists
- name: Start services after cert has been generated.
service:
name: "{{ item }}"
state: started
when: not letsencrypt_cert.stat.exists
with_items: "{{ certbot_create_standalone_stop_services }}"

@ -1,11 +1,19 @@
--- ---
- include: include-vars.yml - import_tasks: include-vars.yml
- include: install-with-package.yml - import_tasks: install-with-package.yml
when: not certbot_install_from_source when: not certbot_install_from_source
- include: install-from-source.yml - import_tasks: install-from-source.yml
when: certbot_install_from_source when: certbot_install_from_source
- include: renew-cron.yml - include_tasks: create-cert-standalone.yml
with_items: "{{ certbot_certs }}"
when:
- certbot_create_if_missing
- certbot_create_method == 'standalone'
loop_control:
loop_var: cert_item
- import_tasks: renew-cron.yml
when: certbot_auto_renew when: certbot_auto_renew

@ -1,2 +1,3 @@
--- ---
- src: geerlingguy.git - src: geerlingguy.git
- src: geerlingguy.nginx

@ -0,0 +1,178 @@
---
# To run:
# 1. Ensure Ansible and Boto are installed (pip install ansible boto).
# 2. Ensure you have AWS credentials stored where Boto can find them, and they
# are under the profile 'mm'.
# 3. Ensure you have a pubkey available at ~/.ssh/id_rsa.pub.
# 3. Run the playbook: ansible-playbook test-standalone-nginx-aws.yml
# Play 1: Provision EC2 instance and A record.
- hosts: localhost
connection: local
gather_facts: no
tasks:
- name: Configure EC2 Security Group.
ec2_group:
profile: mm
name: certbot_test_http
description: HTTP security group for Certbot testing.
region: "us-east-1"
state: present
rules:
- proto: tcp
from_port: 80
to_port: 80
cidr_ip: 0.0.0.0/0
- proto: tcp
from_port: 443
to_port: 443
cidr_ip: 0.0.0.0/0
- proto: tcp
from_port: 22
to_port: 22
cidr_ip: 0.0.0.0/0
rules_egress: []
- name: Add EC2 Key Pair.
ec2_key:
profile: mm
region: "us-east-1"
name: certbot_test
key_material: "{{ item }}"
with_file: ~/.ssh/id_rsa.pub
- name: Provision EC2 instance.
ec2:
profile: mm
key_name: certbot_test
instance_tags:
Name: "certbot-standalone-nginx-test"
group: ['default', 'certbot_test_http']
instance_type: t2.micro
image: ami-02e98f78 # CentOS Linux 7 x86_64 HVM EBS
region: "us-east-1"
wait: yes
wait_timeout: 500
exact_count: 1
count_tag:
Name: "certbot-standalone-nginx-test"
register: created_instance
- name: Add A record for the new EC2 instance IP in Route53.
route53:
profile: mm
command: create
zone: servercheck.in
record: certbot-test.servercheck.in
type: A
ttl: 300
value: "{{ created_instance.tagged_instances.0.public_ip }}"
wait: yes
overwrite: yes
- name: Add EC2 instance to inventory groups.
add_host:
name: "certbot-test.servercheck.in"
groups: "aws,aws_nginx"
ansible_ssh_user: centos
host_key_checking: False
when: created_instance.tagged_instances.0.id is defined
# Play 2: Configure EC2 instance with Certbot and Nginx.
- hosts: aws_nginx
gather_facts: yes
become: yes
vars:
certbot_admin_email: https@servercheck.in
certbot_create_if_missing: yes
certbot_create_standalone_stop_services: []
certbot_certs:
- domains:
- certbot-test.servercheck.in
nginx_vhosts:
- listen: "443 ssl http2"
server_name: "certbot-test.servercheck.in"
root: "/usr/share/nginx/html"
index: "index.html index.htm"
state: "present"
template: "{{ nginx_vhost_template }}"
filename: "certbot_test.conf"
extra_parameters: |
ssl_certificate /etc/letsencrypt/live/certbot-test.servercheck.in/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/certbot-test.servercheck.in/privkey.pem;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
pre_tasks:
- name: Update apt cache.
apt: update_cache=yes cache_valid_time=600
when: ansible_os_family == 'Debian'
changed_when: false
- name: Install dependencies (RedHat).
yum: name={{ item }} state=present
when: ansible_os_family == 'RedHat'
with_items:
- cronie
- epel-release
- name: Install cron (Debian).
apt: name=cron state=present
when: ansible_os_family == 'Debian'
roles:
- geerlingguy.certbot
- geerlingguy.nginx
tasks:
- name: Flush handlers in case any configs have changed.
meta: flush_handlers
- name: Test secure connection to SSL domain.
uri:
url: https://certbot-test.servercheck.in/
status_code: 200
delegate_to: localhost
become: no
# Play 3: Tear down EC2 instance and A record.
- hosts: localhost
connection: local
gather_facts: no
tasks:
- name: Destroy EC2 instance.
ec2:
profile: mm
instance_ids: ["{{ created_instance.tagged_instances.0.id }}"]
region: "us-east-1"
state: absent
wait: yes
wait_timeout: 500
- name: Delete Security Group.
ec2_group:
profile: mm
name: certbot_test_http
region: "us-east-1"
state: absent
- name: Delete Key Pair.
ec2_key:
profile: mm
name: certbot_test
region: "us-east-1"
state: absent
- name: Delete Route53 record.
route53:
profile: mm
state: delete
zone: servercheck.in
record: certbot-test.servercheck.in
type: A
ttl: 300
# See: https://github.com/ansible/ansible/pull/32297
value: []

@ -7,9 +7,12 @@
when: ansible_os_family == 'Debian' when: ansible_os_family == 'Debian'
changed_when: false changed_when: false
- name: Install cron (RedHat). - name: Install dependencies (RedHat).
yum: name=cronie state=present yum: name={{ item }} state=present
when: ansible_os_family == 'RedHat' when: ansible_os_family == 'RedHat'
with_items:
- cronie
- epel-release
- name: Install cron (Debian). - name: Install cron (Debian).
apt: name=cron state=present apt: name=cron state=present

Loading…
Cancel
Save