From 23f593aaaf88a934a7d68db49d8ffd0af180464f Mon Sep 17 00:00:00 2001 From: Ryan Faircloth Date: Tue, 16 Jan 2018 17:37:00 +0000 Subject: [PATCH 01/22] Fixes #39 adding new script for webroot Fixes #41 support deployhook (webroot only) Fixes #41 support for test CA --- defaults/main.yml | 10 ++++++++++ tasks/create-cert-webroot.yml | 22 ++++++++++++++++++++++ tasks/main.yml | 8 ++++++++ 3 files changed, 40 insertions(+) create mode 100644 tasks/create-cert-webroot.yml diff --git a/defaults/main.yml b/defaults/main.yml index 02134ba..9448de9 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -5,6 +5,9 @@ certbot_auto_renew_user: "{{ ansible_user | default(lookup('env', 'USER')) }}" certbot_auto_renew_hour: "3" certbot_auto_renew_minute: "30" certbot_auto_renew_options: "--quiet --no-self-upgrade" +certbot_testmode: false +certbot_hsts: false + # Parameters used when creating new Certbot certs. certbot_create_if_missing: false @@ -19,6 +22,8 @@ certbot_certs: [] # - example3.com certbot_create_command: >- {{ certbot_script }} certonly --standalone --noninteractive --agree-tos + --{{ certbot_create_method }} {{ certbot_webroot_arg if certbot_create_method == 'webroot' else '' }} {{ '--hsts' if certbot_hsts else '' }} + {{ '--test-cert' if certbot_testmode else '' }} --email {{ cert_item.email | default(certbot_admin_email) }} -d {{ cert_item.domains | join(',') }} {{ '--pre-hook /etc/letsencrypt/renewal-hooks/pre/stop_services' @@ -43,3 +48,8 @@ certbot_keep_updated: true # Where to put Certbot when installing from source. certbot_dir: /opt/certbot + +# Where the web root is +certbot_webroot: "/var/www/html" +certbot_webroot_arg: "-w {{ certbot_webroot }}" + diff --git a/tasks/create-cert-webroot.yml b/tasks/create-cert-webroot.yml new file mode 100644 index 0000000..5b5e946 --- /dev/null +++ b/tasks/create-cert-webroot.yml 
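Review bot: The new `--{{ certbot_create_method }}` is appended while `--standalone` stays hard-coded at the start of `certbot_create_command`, so with `certbot_create_method: webroot` certbot is handed two authenticator flags on one command line; drop the literal and let the variable select the authenticator, `{{ certbot_script }} certonly --{{ certbot_create_method }} --noninteractive --agree-tos`. The `--pre-hook /etc/letsencrypt/renewal-hooks/pre/stop_services` branch visible as context is keyed on `certbot_create_standalone_stop_services` alone, so if that list is non-empty (its default is not shown here) a webroot run stops the web server immediately before the HTTP-01 challenge that needs it to be serving; gating the pre-/post-hook branches on `certbot_create_method == 'standalone'` as well avoids that. `--hsts` is an installer enhancement, so whether it has any effect under `certonly` is worth confirming before it is documented as a feature. The command definition continues past the end of the hunk.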
@@ -0,0 +1,22 @@ +--- +- name: Check if certificate already exists. + stat: + path: /etc/letsencrypt/live/{{ cert_item.domains | first }}/cert.pem + register: letsencrypt_cert + +- name: Create deploy hook + copy: + content: "{{ certbot_deployhook }}" + dest: /etc/letsencrypt/renewal-hooks/deploy/ansible.sh + mode: u+rwx + run_once: yes + when: certbot_deployhook is defined + +- debug: + var: certbot_create_command + verbosity: 2 + +- name: Generate new certificate if one doesn't exist. + shell: "{{ certbot_create_command }}" + when: not letsencrypt_cert.stat.exists + diff --git a/tasks/main.yml b/tasks/main.yml index acd2426..894143c 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -21,5 +21,13 @@ loop_control: loop_var: cert_item +- include_tasks: create-cert-webroot.yml + with_items: "{{ certbot_certs }}" + when: + - certbot_create_if_missing + - certbot_create_method == 'webroot' + loop_control: + loop_var: cert_item + - import_tasks: renew-cron.yml when: certbot_auto_renew From c7e5eec8ccc4b771408319e3d4153021cdb27404 Mon Sep 17 00:00:00 2001 From: Ryan Faircloth <35384120+rfaircloth-splunk@users.noreply.github.com> Date: Tue, 27 Nov 2018 06:49:28 -0500 Subject: [PATCH 02/22] Update create-cert-webroot.yml Removed debug logging of var as it could have protected information --- tasks/create-cert-webroot.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/tasks/create-cert-webroot.yml b/tasks/create-cert-webroot.yml index 5b5e946..fd43f41 100644 --- a/tasks/create-cert-webroot.yml +++ b/tasks/create-cert-webroot.yml @@ -12,10 +12,6 @@ run_once: yes when: certbot_deployhook is defined -- debug: - var: certbot_create_command - verbosity: 2 - - name: Generate new certificate if one doesn't exist. shell: "{{ certbot_create_command }}" when: not letsencrypt_cert.stat.exists From 061509319f1f7634ebeabd099418b016aa2ea7b1 Mon Sep 17 00:00:00 2001 
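Review bot: `run_once: yes` on the `Create deploy hook` task restricts it to a single host of the play, not to a single iteration of the `with_items` loop that includes this file from tasks/main.yml, so on a multi-host run every host but the first is left without /etc/letsencrypt/renewal-hooks/deploy/ansible.sh while the first host rewrites it once per certificate; the task belongs outside the per-cert loop rather than under `run_once`. The same task uses `mode: u+rwx`, a symbolic mode whose group/other bits on a newly created file depend on the remote umask; because certbot executes deploy hooks as root, pin an absolute mode such as `mode: "0755"` (the same applies to the copy task in tasks/install-deploy-hook.yml added later in this series). `shell: "{{ certbot_create_command }}"` passes a fully templated string through a shell although nothing in the command needs shell features, and `- debug: var: certbot_create_command` echoes that string into the run log at verbosity 2, which is where the hook contents and e-mail address end up.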
From: Simon Spannagel Date: Thu, 31 Oct 2019 13:28:08 +0100 Subject: [PATCH 03/22] Allow specification of different webroots per certificate --- defaults/main.yml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 9448de9..dd9d815 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -5,6 +5,7 @@ certbot_auto_renew_user: "{{ ansible_user | default(lookup('env', 'USER')) }}" certbot_auto_renew_hour: "3" certbot_auto_renew_minute: "30" certbot_auto_renew_options: "--quiet --no-self-upgrade" + certbot_testmode: false certbot_hsts: false @@ -15,14 +16,18 @@ certbot_create_method: standalone certbot_admin_email: email@example.com certbot_certs: [] # - email: janedoe@example.com +# webroot: "/var/www/html/" # domains: # - example1.com # - example2.com # - domains: # - example3.com + certbot_create_command: >- {{ certbot_script }} certonly --standalone --noninteractive --agree-tos - --{{ certbot_create_method }} {{ certbot_webroot_arg if certbot_create_method == 'webroot' else '' }} {{ '--hsts' if certbot_hsts else '' }} + --{{ certbot_create_method }} {{ `-w ` if certbot_create_method == 'webroot' else '' }} + {{ cert_item.webroot if certbot_create_method == 'webroot' else '' }} + {{ '--hsts' if certbot_hsts else '' }} {{ '--test-cert' if certbot_testmode else '' }} --email {{ cert_item.email | default(certbot_admin_email) }} -d {{ cert_item.domains | join(',') }} @@ -49,7 +54,3 @@ certbot_keep_updated: true # Where to put Certbot when installing from source. certbot_dir: /opt/certbot -# Where the web root is -certbot_webroot: "/var/www/html" -certbot_webroot_arg: "-w {{ certbot_webroot }}" - From 34949a63d9a05c1a1cdc0133a31ef505594af70a Mon Sep 17 00:00:00 2001 From: Simon Spannagel Date: Thu, 31 Oct 2019 13:28:35 +0100 Subject: [PATCH 04/22] Document webroot functionality --- README.md | 22 +++++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) 
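Review bot: `{{ `-w ` if certbot_create_method == 'webroot' else '' }}` uses backticks, which are not a string delimiter in Jinja2, so the template fails to render and no certificate command can run; it should read `{{ '-w ' if certbot_create_method == 'webroot' else '' }}`. The hunk also deletes the `certbot_webroot`/`certbot_webroot_arg` defaults, making `cert_item.webroot` mandatory for every entry in webroot mode with an undefined-variable error as the only feedback; keep a role-level default to fall back on via `default()` or fail early with an explicit message. `--standalone` is still hard-coded two tokens before `--{{ certbot_create_method }}`, so webroot runs continue to pass both authenticators.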
diff --git a/README.md b/README.md index 7ca52f0..7c50289 100644 --- a/README.md +++ b/README.md @@ -26,14 +26,25 @@ By default, this role configures a cron job to run under the provided user accou ### Automatic Certificate Generation -Currently there is one built-in method for generating new certificates using this role: `standalone`. Other methods (e.g. using nginx or apache and a webroot) may be added in the future. +Currently the `standalone` and `webroot` method are supported for generating new certificates using this role. **For a complete example**: see the fully functional test playbook in [molecule/default/playbook-standalone-nginx-aws.yml](molecule/default/playbook-standalone-nginx-aws.yml). certbot_create_if_missing: false - certbot_create_method: standalone -Set `certbot_create_if_missing` to `yes` or `True` to let this role generate certs. Set the method used for generating certs with the `certbot_create_method` variable—current allowed values include: `standalone`. +Set `certbot_create_if_missing` to `yes` or `True` to let this role generate certs. + + certbot_create_method: standalone + +Set the method used for generating certs with the `certbot_create_method` variable — current allowed values are: `standalone` or `webroot`. + + certbot_testmode: false + +Enable test mode to only run a test request without actually creating certificates. + + certbot_hsts: false + +Enable (HTTP Strict Transport Security) for the certificate generation. certbot_admin_email: email@example.com 
@@ -41,13 +52,14 @@ The email address used to agree to Let's Encrypt's TOS and subscribe to cert-rel certbot_certs: [] # - email: janedoe@example.com - # domains: + # - webroot: "/var/www/html" + # - domains: # - example1.com # - example2.com # - domains: # - example3.com -A list of domains (and other data) for which certs should be generated. You can add an `email` key to any list item to override the `certbot_admin_email`. +A list of domains (and other data) for which certs should be generated. You can add an `email` key to any list item to override the `certbot_admin_email`. When using the `webroot` creation method, a `webroot` item has to be provided, specifying which directory to use for the authentication. Make sure your webserver correctly delivers contents from this directory. certbot_create_command: "{{ certbot_script }} certonly --standalone --noninteractive --agree-tos --email {{ cert_item.email | default(certbot_admin_email) }} -d {{ cert_item.domains | join(',') }}" From 5f476f829ca431018f0b41b04e13e672e8655569 Mon Sep 17 00:00:00 2001 From: Simon Spannagel Date: Thu, 31 Oct 2019 13:35:14 +0100 Subject: [PATCH 05/22] Add default and document certbot_deployhook --- README.md | 8 ++++++++ defaults/main.yml | 2 ++ 2 files changed, 10 insertions(+) diff --git a/README.md b/README.md index 7c50289..78b967a 100644 --- a/README.md +++ b/README.md 
@@ -82,6 +82,14 @@ Setting `certbot_install_method: snap` configures this role to install Certbot v This install method is currently experimental and may or may not work across all Linux distributions. +#### Webroot Certificate Generation + + certbot_deployhook: "service {{certbot_create_standalone_stop_services }} restart" + +Script content for the deploy hook called by certbot after successfully obtaining the certificate + +When using the `webroot` creation method, a `webroot` item has to be provided for every `certbot_certs` item, specifying which directory to use for the authentication. Also, make sure your webserver correctly delivers contents from this directory. + ### Source Installation from Git You can install Certbot from it's Git source repository if desired with `certbot_install_method: source`. This might be useful in several cases, but especially when older distributions don't have Certbot packages available (e.g. CentOS < 7, Ubuntu < 16.10 and Debian < 8). diff --git a/defaults/main.yml b/defaults/main.yml index dd9d815..2a116b8 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -54,3 +54,5 @@ certbot_keep_updated: true # Where to put Certbot when installing from source. certbot_dir: /opt/certbot +# Restart this service after successfull certificate creation: +certbot_deployhook: "service {{certbot_create_standalone_stop_services }} restart" \ No newline at end of file From ca46eab49fa6ab0cc98ebeddc4d2d2d1a4107eb8 Mon Sep 17 00:00:00 2001 From: Simon Spannagel Date: Fri, 8 Nov 2019 18:56:22 +0100 Subject: [PATCH 06/22] Fix linting issues --- defaults/main.yml | 7 ++++--- tasks/create-cert-webroot.yml | 3 +-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 2a116b8..6cb2cec 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
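Review bot: `certbot_create_standalone_stop_services` is a list (the later `join` on it in this series confirms that), so the new default renders its Python repr into the script, something like `service ['<svc>'] restart` (constructed illustration), instead of one `service <name> restart` per entry, and the hook fails the first time certbot invokes it. Giving the variable a default also turns the `when: certbot_deployhook is defined` guard in tasks/create-cert-webroot.yml into a tautology, so the hook is now installed for every webroot deployment and an operator can only disable it by setting an empty string, which still writes an empty executable; change the guard to `when: certbot_deployhook | default('') | length > 0` or leave the variable undefined by default. The file also loses its trailing newline (`\ No newline at end of file`).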
@@ -24,11 +24,12 @@ certbot_certs: [] # - example3.com certbot_create_command: >- - {{ certbot_script }} certonly --standalone --noninteractive --agree-tos - --{{ certbot_create_method }} {{ `-w ` if certbot_create_method == 'webroot' else '' }} + {{ certbot_script }} certonly --{{ certbot_create_method }} + {{ `-w ` if certbot_create_method == 'webroot' else '' }} {{ cert_item.webroot if certbot_create_method == 'webroot' else '' }} {{ '--hsts' if certbot_hsts else '' }} {{ '--test-cert' if certbot_testmode else '' }} + --noninteractive --agree-tos --email {{ cert_item.email | default(certbot_admin_email) }} -d {{ cert_item.domains | join(',') }} {{ '--pre-hook /etc/letsencrypt/renewal-hooks/pre/stop_services' @@ -55,4 +56,4 @@ certbot_keep_updated: true certbot_dir: /opt/certbot # Restart this service after successfull certificate creation: -certbot_deployhook: "service {{certbot_create_standalone_stop_services }} restart" \ No newline at end of file +certbot_deployhook: "service {{certbot_create_standalone_stop_services }} restart" diff --git a/tasks/create-cert-webroot.yml b/tasks/create-cert-webroot.yml index fd43f41..71509b5 100644 --- a/tasks/create-cert-webroot.yml +++ b/tasks/create-cert-webroot.yml @@ -9,10 +9,9 @@ content: "{{ certbot_deployhook }}" dest: /etc/letsencrypt/renewal-hooks/deploy/ansible.sh mode: u+rwx - run_once: yes + run_once: true when: certbot_deployhook is defined - name: Generate new certificate if one doesn't exist. shell: "{{ certbot_create_command }}" when: not letsencrypt_cert.stat.exists - From e669ab0ac4c3bc56d4132f975fc2cb356b050582 Mon Sep 17 00:00:00 2001 From: Simon Spannagel Date: Fri, 8 Nov 2019 19:17:22 +0100 Subject: [PATCH 07/22] Replace shell with command module --- tasks/create-cert-webroot.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/create-cert-webroot.yml b/tasks/create-cert-webroot.yml index 71509b5..dd47827 100644 --- a/tasks/create-cert-webroot.yml 
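Review bot: With `certbot_testmode: true` the `--test-cert` branch of this command still stores a staging certificate under /etc/letsencrypt/live/<first domain>/cert.pem, and the `stat` guard in tasks/create-cert-webroot.yml then reports the certificate as present, so a later run with `certbot_testmode: false` never requests a production certificate until the staging lineage is removed by hand. A comment on `certbot_testmode` in defaults/main.yml stating that test-mode certificates occupy the same lineage, `# Uses the staging CA; remove /etc/letsencrypt/live/<domain> before switching back to production`, would prevent that surprise. Moving `--standalone` out of the fixed prefix here is the right fix for the double-authenticator problem; the `--pre-hook` branch below the hunk is still keyed only on `certbot_create_standalone_stop_services` rather than on the method. The definition continues past the end of the hunk.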
+++ b/tasks/create-cert-webroot.yml @@ -13,5 +13,5 @@ when: certbot_deployhook is defined - name: Generate new certificate if one doesn't exist. - shell: "{{ certbot_create_command }}" + command: "{{ certbot_create_command }}" when: not letsencrypt_cert.stat.exists From 2e13cb13cffa30f335fbf0dbd4e522aeaa059fb0 Mon Sep 17 00:00:00 2001 From: simonspa <1677436+simonspa@users.noreply.github.com> Date: Mon, 16 Dec 2019 13:25:43 +0100 Subject: [PATCH 08/22] Update default deploy hook Co-Authored-By: Kieren Evans --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 6cb2cec..76f1221 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -56,4 +56,4 @@ certbot_keep_updated: true certbot_dir: /opt/certbot # Restart this service after successfull certificate creation: -certbot_deployhook: "service {{certbot_create_standalone_stop_services }} restart" +certbot_deployhook: "service {{ certbot_create_standalone_stop_services | join(' restart && service ') }} restart" From 50d8921ec2bc9bab59a7937829977b8af899cac6 Mon Sep 17 00:00:00 2001 From: Simon Spannagel Date: Tue, 14 Jan 2020 13:50:39 +0100 Subject: [PATCH 09/22] Create webroot directory if it doesn't exist --- tasks/create-cert-webroot.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tasks/create-cert-webroot.yml b/tasks/create-cert-webroot.yml index dd47827..83a8a2a 100644 --- a/tasks/create-cert-webroot.yml +++ b/tasks/create-cert-webroot.yml @@ -12,6 +12,11 @@ run_once: true when: certbot_deployhook is defined +- name: Create webroot directory if it doesn't exist yet + file: + path: "{{ cert_item.webroot }}" + state: directory + - name: Generate new certificate if one doesn't exist. command: "{{ certbot_create_command }}" when: not letsencrypt_cert.stat.exists From 23447ec217ef62292de6efb2566e8a2731baa249 Mon Sep 17 00:00:00 2001 
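Review bot: `join(' restart && service ')` renders `service  restart` when `certbot_create_standalone_stop_services` is empty, so the hook exits non-zero on every renewal for deployments that stop nothing; either guard the copy task with `when: certbot_deployhook is defined and certbot_create_standalone_stop_services | length > 0` or build the script from a `{% for %}` loop that emits nothing for an empty list. The hook content also has no interpreter line, so its execution depends on how certbot's hook runner spawns the file; starting it with `#!/bin/sh` removes that dependency.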
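Review bot: The new `Create webroot directory` task sets neither `mode` nor `owner`, so the directory is created with whatever the remote umask yields for the connecting user; on hosts with a restrictive umask such as 027 or 077 that leaves `{{ cert_item.webroot }}` untraversable by the web server account and the HTTP-01 token under .well-known/acme-challenge cannot be served. Set `mode: "0755"` explicitly, plus `owner`/`group` where the web server needs to own the tree. The task also assumes every `cert_item` carries a `webroot` key; an entry without one now fails here with an undefined-variable error before the command task is reached.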
From: Simon Spannagel Date: Fri, 7 Feb 2020 18:16:39 +0100 Subject: [PATCH 10/22] Fix issue in certificate creation command --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 76f1221..acebe0e 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -25,7 +25,7 @@ certbot_certs: [] certbot_create_command: >- {{ certbot_script }} certonly --{{ certbot_create_method }} - {{ `-w ` if certbot_create_method == 'webroot' else '' }} + {{ '-w ' if certbot_create_method == 'webroot' else '' }} {{ cert_item.webroot if certbot_create_method == 'webroot' else '' }} {{ '--hsts' if certbot_hsts else '' }} {{ '--test-cert' if certbot_testmode else '' }} From b37af735003b0e4dbc9f07223ab91ac102cac8ac Mon Sep 17 00:00:00 2001 From: Simon Spannagel Date: Fri, 7 Feb 2020 19:00:42 +0100 Subject: [PATCH 11/22] Move webroot definition further down --- defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index acebe0e..8f32634 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -25,12 +25,12 @@ certbot_certs: [] certbot_create_command: >- {{ certbot_script }} certonly --{{ certbot_create_method }} - {{ '-w ' if certbot_create_method == 'webroot' else '' }} - {{ cert_item.webroot if certbot_create_method == 'webroot' else '' }} {{ '--hsts' if certbot_hsts else '' }} {{ '--test-cert' if certbot_testmode else '' }} --noninteractive --agree-tos --email {{ cert_item.email | default(certbot_admin_email) }} + {{ '--webroot-path ' if certbot_create_method == 'webroot' else '' }} + {{ cert_item.webroot if certbot_create_method == 'webroot' else '' }} -d {{ cert_item.domains | join(',') }} {{ '--pre-hook /etc/letsencrypt/renewal-hooks/pre/stop_services' if certbot_create_standalone_stop_services From e1013946c5397ace94e581070412d6dcb73d08ae Mon Sep 17 00:00:00 2001 
From: Simon Spannagel Date: Thu, 7 May 2020 07:50:11 +0200 Subject: [PATCH 12/22] Webroot: allow to set default webroot path, overwritten by per-cert path --- defaults/main.yml | 6 +++++- tasks/create-cert-webroot.yml | 2 +- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 8f32634..20a3a0a 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -14,6 +14,10 @@ certbot_hsts: false certbot_create_if_missing: false certbot_create_method: standalone certbot_admin_email: email@example.com + +# Default webroot, overwritten by individual per-cert webroot directories +certbot_webroot: /var/www/letsencrypt + certbot_certs: [] # - email: janedoe@example.com # webroot: "/var/www/html/" @@ -30,7 +34,7 @@ certbot_create_command: >- --noninteractive --agree-tos --email {{ cert_item.email | default(certbot_admin_email) }} {{ '--webroot-path ' if certbot_create_method == 'webroot' else '' }} - {{ cert_item.webroot if certbot_create_method == 'webroot' else '' }} + {{ cert_item.webroot | default(certbot_webroot) if certbot_create_method == 'webroot' else '' }} -d {{ cert_item.domains | join(',') }} {{ '--pre-hook /etc/letsencrypt/renewal-hooks/pre/stop_services' if certbot_create_standalone_stop_services diff --git a/tasks/create-cert-webroot.yml b/tasks/create-cert-webroot.yml index 83a8a2a..5d0ac6d 100644 --- a/tasks/create-cert-webroot.yml +++ b/tasks/create-cert-webroot.yml @@ -14,7 +14,7 @@ - name: Create webroot directory if it doesn't exist yet file: - path: "{{ cert_item.webroot }}" + path: "{{ cert_item.webroot | default(certbot_webroot) }}" state: directory - name: Generate new certificate if one doesn't exist. From 123facdbab50f0cdc353993df35c95b50196dfc5 Mon Sep 17 00:00:00 2001 From: Simon Spannagel Date: Thu, 7 May 2020 09:30:40 +0200 Subject: [PATCH 13/22] Ensure deploy hook directory exists before using --- tasks/create-cert-webroot.yml | 6 ++++++ 1 file changed, 6 insertions(+) 
diff --git a/tasks/create-cert-webroot.yml b/tasks/create-cert-webroot.yml index 5d0ac6d..63466c8 100644 --- a/tasks/create-cert-webroot.yml +++ b/tasks/create-cert-webroot.yml @@ -4,6 +4,12 @@ path: /etc/letsencrypt/live/{{ cert_item.domains | first }}/cert.pem register: letsencrypt_cert +- name: Ensure deploy hook directory exists + file: + path: /etc/letsencrypt/renewal-hooks/deploy + state: directory + mode: 0755 + - name: Create deploy hook copy: content: "{{ certbot_deployhook }}" From bd58f8e72c4e9511c27def9e9efea36d4005adce Mon Sep 17 00:00:00 2001 From: Romain Porte Date: Sat, 9 May 2020 16:44:27 +0200 Subject: [PATCH 14/22] optimize renewal-hook creation: run it only once and not per domain --- tasks/create-cert-webroot.yml | 14 -------------- tasks/install-deploy-hook.yml | 14 ++++++++++++++ tasks/main.yml | 4 ++++ 3 files changed, 18 insertions(+), 14 deletions(-) create mode 100644 tasks/install-deploy-hook.yml diff --git a/tasks/create-cert-webroot.yml b/tasks/create-cert-webroot.yml index 63466c8..8399872 100644 --- a/tasks/create-cert-webroot.yml +++ b/tasks/create-cert-webroot.yml @@ -4,20 +4,6 @@ path: /etc/letsencrypt/live/{{ cert_item.domains | first }}/cert.pem register: letsencrypt_cert -- name: Ensure deploy hook directory exists - file: - path: /etc/letsencrypt/renewal-hooks/deploy - state: directory - mode: 0755 - -- name: Create deploy hook - copy: - content: "{{ certbot_deployhook }}" - dest: /etc/letsencrypt/renewal-hooks/deploy/ansible.sh - mode: u+rwx - run_once: true - when: certbot_deployhook is defined - - name: Create webroot directory if it doesn't exist yet file: path: "{{ cert_item.webroot | default(certbot_webroot) }}" diff --git a/tasks/install-deploy-hook.yml b/tasks/install-deploy-hook.yml new file mode 100644 index 0000000..5bd8a01 --- /dev/null +++ b/tasks/install-deploy-hook.yml 
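Review bot: `mode: 0755` on the new `Ensure deploy hook directory exists` task is an unquoted plain scalar, which a YAML 1.1 parser reads as the octal integer 493; Ansible happens to treat integer modes as octal bit patterns, but ansible-lint flags the form and a value written without the leading zero would silently become a different mode. Write it as a string, `mode: "0755"`, matching the quoting the role already uses for its other numeric-looking defaults.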
@@ -0,0 +1,14 @@ +- name: Ensure deploy hook directory exists + file: + path: /etc/letsencrypt/renewal-hooks/deploy + state: directory + mode: 0755 + when: certbot_deployhook is defined + +- name: Create deploy hook + copy: + content: "{{ certbot_deployhook }}" + dest: /etc/letsencrypt/renewal-hooks/deploy/ansible.sh + mode: u+rwx + when: certbot_deployhook is defined + diff --git a/tasks/main.yml b/tasks/main.yml index 894143c..cd6eb3b 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -29,5 +29,9 @@ loop_control: loop_var: cert_item +- include_tasks: install-deploy-hook.yml + when: + - certbot_create_method == 'webroot' + - import_tasks: renew-cron.yml when: certbot_auto_renew From 40c4c1b43356829c1fe22bb6da3fe78988180ab8 Mon Sep 17 00:00:00 2001 From: Romain Porte Date: Sun, 19 Jul 2020 00:10:56 +0200 Subject: [PATCH 15/22] webroot: install hook before creating certificates The command that will create the certificates need the hook script ansible.sh to exist before it is run, elsewise an error will occur in case of first run on a new host. (cherry picked from commit 2346cd52a262bf2fa89419f29abba0e8ea95cdb7) --- tasks/main.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index cd6eb3b..fcec6ff 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -21,6 +21,10 @@ loop_control: loop_var: cert_item +- include_tasks: install-deploy-hook.yml + when: + - certbot_create_method == 'webroot' + - include_tasks: create-cert-webroot.yml with_items: "{{ certbot_certs }}" when: @@ -29,9 +33,5 @@ loop_control: loop_var: cert_item -- include_tasks: install-deploy-hook.yml - when: - - certbot_create_method == 'webroot' - - import_tasks: renew-cron.yml when: certbot_auto_renew From 7a7c1f8b0635924e9e80b2c4e630b37f1b0991a5 Mon Sep 17 00:00:00 2001 
From: Simon Spannagel Date: Wed, 31 Mar 2021 06:58:09 +0200 Subject: [PATCH 16/22] Fix linter suggestions --- .github/workflows/release.yml | 6 +++++- tasks/install-deploy-hook.yml | 2 +- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 7e855b0..19152ac 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -35,4 +35,8 @@ jobs: run: pip3 install ansible-base - name: Trigger a new import on Galaxy. - run: ansible-galaxy role import --api-key ${{ secrets.GALAXY_API_KEY }} $(echo ${{ github.repository }} | cut -d/ -f1) $(echo ${{ github.repository }} | cut -d/ -f2) + run: >- + ansible-galaxy role import + --api-key ${{ secrets.GALAXY_API_KEY }} + $(echo ${{ github.repository }} | cut -d/ -f1) + $(echo ${{ github.repository }} | cut -d/ -f2) diff --git a/tasks/install-deploy-hook.yml b/tasks/install-deploy-hook.yml index 5bd8a01..e50375c 100644 --- a/tasks/install-deploy-hook.yml +++ b/tasks/install-deploy-hook.yml @@ -1,3 +1,4 @@ +--- - name: Ensure deploy hook directory exists file: path: /etc/letsencrypt/renewal-hooks/deploy @@ -11,4 +12,3 @@ dest: /etc/letsencrypt/renewal-hooks/deploy/ansible.sh mode: u+rwx when: certbot_deployhook is defined - From 52a96f9bdea218525a188d6a679ccde4b1fc5f48 Mon Sep 17 00:00:00 2001 From: simonspa <1677436+simonspa@users.noreply.github.com> Date: Tue, 27 Jul 2021 16:55:03 +0200 Subject: [PATCH 17/22] Check for systemd list-unit-files before restarting services Co-authored-by: Karl M. Davis --- defaults/main.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 20a3a0a..a194816 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -60,4 +60,9 @@ certbot_keep_updated: true certbot_dir: /opt/certbot # Restart this service after successfull certificate creation: -certbot_deployhook: "service {{ certbot_create_standalone_stop_services | join(' restart && service ') }} restart" +certbot_deployhook: | + {% for service in certbot_create_standalone_stop_services %} + if systemctl list-unit-files | grep -q "^{{ service }}.service"; then + systemctl restart {{ service }} + fi + {% endfor %} From 2cad2addcde73a859e4dddc78fc3a5620b637b8f Mon Sep 17 00:00:00 2001 From: simonspa <1677436+simonspa@users.noreply.github.com> Date: Sun, 15 Aug 2021 19:35:50 +0200 Subject: [PATCH 18/22] Update defaults/main.yml Co-authored-by: Jeff Geerling --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index a194816..16a7177 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -59,7 +59,7 @@ certbot_keep_updated: true # Where to put Certbot when installing from source. certbot_dir: /opt/certbot -# Restart this service after successfull certificate creation: +# Restart this service after successful certificate creation: certbot_deployhook: | {% for service in certbot_create_standalone_stop_services %} if systemctl list-unit-files | grep -q "^{{ service }}.service"; then From 854a36e048cd07c5cb6c47e47605f2a5922bb72e Mon Sep 17 00:00:00 2001 From: Simon Spannagel Date: Sun, 15 Aug 2021 19:37:13 +0200 Subject: [PATCH 19/22] Rever changes made by linter to github workflow yaml --- .github/workflows/release.yml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 19152ac..7e855b0 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
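Review bot: The generated hook script has no interpreter line and no `set -e`, so how it is executed depends on certbot's hook runner and a failing `systemctl restart` for one service does not change the hook's exit status; start the block scalar with `#!/bin/sh` and `set -e`. `grep -q "^{{ service }}.service"` leaves the `.` unescaped and the pattern unanchored on the right, so it also matches any unit whose name begins with the service name followed by one arbitrary character; `grep -q "^{{ service }}\.service[[:space:]]"` matches the space-separated table `list-unit-files` prints more precisely. The service names are interpolated unquoted into a script that runs as root at every renewal, so the list must remain operator-controlled and not be fed from inventory facts or external input.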
@@ -35,8 +35,4 @@ jobs: run: pip3 install ansible-base - name: Trigger a new import on Galaxy. - run: >- - ansible-galaxy role import - --api-key ${{ secrets.GALAXY_API_KEY }} - $(echo ${{ github.repository }} | cut -d/ -f1) - $(echo ${{ github.repository }} | cut -d/ -f2) + run: ansible-galaxy role import --api-key ${{ secrets.GALAXY_API_KEY }} $(echo ${{ github.repository }} | cut -d/ -f1) $(echo ${{ github.repository }} | cut -d/ -f2) From e35a5d0fb96e5f6ba74626ab1aa3755e2178901e Mon Sep 17 00:00:00 2001 From: Simon Spannagel Date: Sun, 15 Aug 2021 19:38:56 +0200 Subject: [PATCH 20/22] Remove excess whitespace --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 16a7177..f5c2f44 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -34,7 +34,7 @@ certbot_create_command: >- --noninteractive --agree-tos --email {{ cert_item.email | default(certbot_admin_email) }} {{ '--webroot-path ' if certbot_create_method == 'webroot' else '' }} - {{ cert_item.webroot | default(certbot_webroot) if certbot_create_method == 'webroot' else '' }} + {{ cert_item.webroot | default(certbot_webroot) if certbot_create_method == 'webroot' else '' }} -d {{ cert_item.domains | join(',') }} {{ '--pre-hook /etc/letsencrypt/renewal-hooks/pre/stop_services' if certbot_create_standalone_stop_services From a9a3ef77a3d314225be67a62dbe689d95adbbc04 Mon Sep 17 00:00:00 2001 From: Simon Spannagel Date: Mon, 22 Nov 2021 07:27:48 +0100 Subject: [PATCH 21/22] Remove old deploy hook method superseded by pre-hook and post-hook methods --- defaults/main.yml | 8 -------- tasks/install-deploy-hook.yml | 14 -------------- tasks/main.yml | 4 ---- 3 files changed, 26 deletions(-) delete mode 100644 tasks/install-deploy-hook.yml diff --git a/defaults/main.yml b/defaults/main.yml index f5c2f44..bba711a 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -58,11 +58,3 @@ certbot_keep_updated: true # Where to put Certbot when installing from source. certbot_dir: /opt/certbot - -# Restart this service after successful certificate creation: -certbot_deployhook: | - {% for service in certbot_create_standalone_stop_services %} - if systemctl list-unit-files | grep -q "^{{ service }}.service"; then - systemctl restart {{ service }} - fi - {% endfor %} diff --git a/tasks/install-deploy-hook.yml b/tasks/install-deploy-hook.yml deleted file mode 100644 index e50375c..0000000 --- a/tasks/install-deploy-hook.yml +++ /dev/null @@ -1,14 +0,0 @@ ---- -- name: Ensure deploy hook directory exists - file: - path: /etc/letsencrypt/renewal-hooks/deploy - state: directory - mode: 0755 - when: certbot_deployhook is defined - -- name: Create deploy hook - copy: - content: "{{ certbot_deployhook }}" - dest: /etc/letsencrypt/renewal-hooks/deploy/ansible.sh - mode: u+rwx - when: certbot_deployhook is defined diff --git a/tasks/main.yml b/tasks/main.yml index fcec6ff..894143c 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -21,10 +21,6 @@ loop_control: loop_var: cert_item -- include_tasks: install-deploy-hook.yml - when: - - certbot_create_method == 'webroot' - - include_tasks: create-cert-webroot.yml with_items: "{{ certbot_certs }}" when: From 955ec8b17e227115039941ea8b704f5ab240cbf1 Mon Sep 17 00:00:00 2001 From: Simon Spannagel Date: Mon, 22 Nov 2021 07:35:38 +0100 Subject: [PATCH 22/22] Update documentation --- README.md | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 78b967a..9c48a45 100644 --- a/README.md +++ b/README.md @@ -52,8 +52,8 @@ The email address used to agree to Let's Encrypt's TOS and subscribe to cert-rel certbot_certs: [] # - email: janedoe@example.com - # - webroot: "/var/www/html" - # - domains: + # webroot: "/var/www/html" + # domains: # - example1.com # - example2.com # - domains: 
@@ -84,10 +84,6 @@ This install method is currently experimental and may or may not work across all #### Webroot Certificate Generation - certbot_deployhook: "service {{certbot_create_standalone_stop_services }} restart" - -Script content for the deploy hook called by certbot after successfully obtaining the certificate - When using the `webroot` creation method, a `webroot` item has to be provided for every `certbot_certs` item, specifying which directory to use for the authentication. Also, make sure your webserver correctly delivers contents from this directory. ### Source Installation from Git