From d3f98e4258502556a0537c7ef2978a38d86d23ca Mon Sep 17 00:00:00 2001
From: Jeff Geerling <geerlingguy@mac.com>
Date: Mon, 11 Dec 2017 22:17:25 -0600
Subject: [PATCH] Fixes #12: Document how to generate certs automatically using
 certbot --standalone.

---
 README.md                           | 52 +++++++++++++++++++++++++----
 defaults/main.yml                   | 13 ++++----
 tasks/create-cert-standalone.yml    |  4 +--
 tasks/main.yml                      | 14 ++++----
 tests/test-standalone-nginx-aws.yml |  6 ++--
 5 files changed, 65 insertions(+), 24 deletions(-)

diff --git a/README.md b/README.md
index bd6106e..84e16b2 100644
--- a/README.md
+++ b/README.md
@@ -22,7 +22,41 @@ By default, this role configures a cron job to run under the provided user accou
 
 ### Automatic Certificate Generation
 
-TODO: Add new variables and documentation here.
+Currently there is one built-in method for generating new certificates using this role: `standalone`. Other methods (e.g. using nginx or apache and a webroot) may be added in the future.
+
+**For a complete example**: see the fully functional test playbook in [tests/test-standalone-nginx-aws.yml](tests/test-standalone-nginx-aws.yml).
+
+    certbot_create_if_missing: no
+    certbot_create_method: standalone
+
+Set `certbot_create_if_missing` to `yes` or `True` to let this role generate certs. Set the method used for generating certs with the `certbot_create_method` variable—current allowed values include: `standalone`.
+
+    certbot_admin_email: email@example.com
+
+The email address used to agree to Let's Encrypt's TOS and subscribe to cert-related notifications. This should be customized and set to an email address that you or your organization regularly monitors.
+
+    certbot_certs: []
+      # - email: janedoe@example.com
+      #   domains:
+      #     - example1.com
+      #     - example2.com
+      # - domains:
+      #     - example3.com
+
+A list of domains (and other data) for which certs should be generated. You can add an `email` key to any list item to override the `certbot_admin_email`.
+
+    certbot_create_command: "{{ certbot_script }} certonly --standalone --noninteractive --agree-tos --email {{ cert_item.email | default(certbot_admin_email) }} -d {{ cert_item.domains | join(',') }}"
+
+The `certbot_create_command` defines the command used to generate the cert.
+
+#### Standalone Certificate Generation
+
+    certbot_create_standalone_stop_services:
+      - nginx
+
+Services that should be stopped while `certbot` runs it's own standalone server on ports 80 and 443. If you're running Apache, set this to `apache2` (Ubuntu), or `httpd` (RHEL), or if you have Nginx on port 443 and something else on port 80 (e.g. Varnish, a Java app, or something else), add it to the list so it is stopped when the certificate is generated.
+
+These services will only be stopped the first time a new cert is generated.
 
 ### Source Installation from Git
 
@@ -55,9 +89,13 @@ None.
       roles:
         - geerlingguy.certbot
 
-### Creating certificates with certbot
+See other examples in the `tests/` directory.
+
+### Manually creating certificates with certbot
+
+_Note: You can have this role automatically generate certificates; see the "Automatic Certificate Generation" documentation above._
 
-After installation, you can create certificates using the `certbot` (or `certbot-auto`) script (use `letsencrypt` on Ubuntu 16.04, or use `/opt/certbot/certbot-auto` if installing from source/Git. Here are some example commands to configure certificates with Certbot:
+You can manually create certificates using the `certbot` (or `certbot-auto`) script (use `letsencrypt` on Ubuntu 16.04, or use `/opt/certbot/certbot-auto` if installing from source/Git. Here are some example commands to configure certificates with Certbot:
 
     # Automatically add certs for all Apache virtualhosts (use with caution!).
     certbot --apache
@@ -65,15 +103,15 @@ After installation, you can create certificates using the `certbot` (or `certbot
     # Generate certs, but don't modify Apache configuration (safer).
     certbot --apache certonly
 
-If you want to fully automate the process of adding a new certificate, you can do so using the command line options to register, accept the terms of service, and then generate a cert using the standalone server:
+If you want to fully automate the process of adding a new certificate, but don't want to use this role's built in functionality, you can do so using the command line options to register, accept the terms of service, and then generate a cert using the standalone server:
 
-  1. Make sure any services listening on port 80 (Apache, Nginx, Varnish, etc.) are stopped.
+  1. Make sure any services listening on ports 80 and 443 (Apache, Nginx, Varnish, etc.) are stopped.
   2. Register with something like `certbot register --agree-tos --email [your-email@example.com]`
     - Note: You won't need to do this step in the future, when generating additional certs on the same server.
   3. Generate a cert for a domain whose DNS points to this server: `certbot certonly --noninteractive --standalone -d example.com -d www.example.com`
-  4. Re-start whatever was listening on port 80 before.
+  4. Re-start whatever was listening on ports 80 and 443 before.
   5. Update your webserver's virtualhost TLS configuration to point at the new certificate (`fullchain.pem`) and private key (`privkey.pem`) Certbot just generated for the domain you passed in the `certbot` command.
-  6. Restart your webserver so it uses the new HTTPS virtualhost configuration.
+  6. Reload or restart your webserver so it uses the new HTTPS virtualhost configuration.
 
 ### Certbot certificate auto-renewal
 
diff --git a/defaults/main.yml b/defaults/main.yml
index f2e8719..2e79029 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -7,13 +7,9 @@ certbot_auto_renew_minute: 30
 certbot_auto_renew_options: "--quiet --no-self-upgrade"
 
 # Parameters used when creating new Certbot certs.
-certbot_admin_email: email@example.com
-certbot_create_command: "{{ certbot_script }} certonly --standalone --noninteractive --agree-tos --email {{ cert_item.email | default(certbot_admin_email) }} -d {{ cert_item.domains | join(',') }}"
 certbot_create_if_missing: no
-certbot_create_stop_services:
-  - nginx
-  # - apache
-  # - varnish
+certbot_create_method: standalone
+certbot_admin_email: email@example.com
 certbot_certs: []
   # - email: janedoe@example.com
   #   domains:
@@ -21,6 +17,11 @@ certbot_certs: []
   #     - example2.com
   # - domains:
   #     - example3.com
+certbot_create_command: "{{ certbot_script }} certonly --standalone --noninteractive --agree-tos --email {{ cert_item.email | default(certbot_admin_email) }} -d {{ cert_item.domains | join(',') }}"
+certbot_create_standalone_stop_services:
+  - nginx
+  # - apache
+  # - varnish
 
 # To install from source (on older OSes or if you need a specific or newer
 # version of Certbot), set this variable to `yes` and configure other options.
diff --git a/tasks/create-cert-standalone.yml b/tasks/create-cert-standalone.yml
index 749c1e1..b92faec 100644
--- a/tasks/create-cert-standalone.yml
+++ b/tasks/create-cert-standalone.yml
@@ -9,7 +9,7 @@
     name: "{{ item }}"
     state: stopped
   when: not letsencrypt_cert.stat.exists
-  with_items: "{{ certbot_create_stop_services }}"
+  with_items: "{{ certbot_create_standalone_stop_services }}"
 
 - name: Generate new certificate if one doesn't exist.
   shell: "{{ certbot_create_command }}"
@@ -20,4 +20,4 @@
     name: "{{ item }}"
     state: started
   when: not letsencrypt_cert.stat.exists
-  with_items: "{{ certbot_create_stop_services }}"
+  with_items: "{{ certbot_create_standalone_stop_services }}"
diff --git a/tasks/main.yml b/tasks/main.yml
index 466def7..680aeda 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,17 +1,19 @@
 ---
-- include: include-vars.yml
+- import_tasks: include-vars.yml
 
-- include: install-with-package.yml
+- import_tasks: install-with-package.yml
   when: not certbot_install_from_source
 
-- include: install-from-source.yml
+- import_tasks: install-from-source.yml
   when: certbot_install_from_source
 
-- include: create-cert-standalone.yml
+- include_tasks: create-cert-standalone.yml
   with_items: "{{ certbot_certs }}"
-  when: certbot_create_if_missing
+  when:
+    - certbot_create_if_missing
+    - certbot_create_method == 'standalone'
   loop_control:
     loop_var: cert_item
 
-- include: renew-cron.yml
+- import_tasks: renew-cron.yml
   when: certbot_auto_renew
diff --git a/tests/test-standalone-nginx-aws.yml b/tests/test-standalone-nginx-aws.yml
index 6916171..a546169 100644
--- a/tests/test-standalone-nginx-aws.yml
+++ b/tests/test-standalone-nginx-aws.yml
@@ -87,12 +87,10 @@
   vars:
     certbot_admin_email: https@servercheck.in
     certbot_create_if_missing: yes
-    certbot_create_stop_services:
-      - nginx
+    certbot_create_standalone_stop_services: []
     certbot_certs:
       - domains:
           - certbot-test.servercheck.in
-    certbot_create_stop_services: []
     nginx_vhosts:
       - listen: "443 ssl http2"
         server_name: "certbot-test.servercheck.in"
@@ -176,3 +174,5 @@
         record: certbot-test.servercheck.in
         type: A
         ttl: 300
+        # See: https://github.com/ansible/ansible/pull/32297
+        value: []