Merge pull request #97 from simonspa/webroot

Allow Webroot Certificate Creation
pull/166/head
Jeff Geerling 3 years ago committed by GitHub
commit de4cb90984
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 22
      README.md
  2. 17
      defaults/main.yml
  3. 14
      tasks/create-cert-webroot.yml
  4. 8
      tasks/main.yml

@ -26,14 +26,25 @@ By default, this role configures a cron job to run under the provided user accou
### Automatic Certificate Generation ### Automatic Certificate Generation
Currently there is one built-in method for generating new certificates using this role: `standalone`. Other methods (e.g. using nginx or apache and a webroot) may be added in the future. Currently the `standalone` and `webroot` method are supported for generating new certificates using this role.
**For a complete example**: see the fully functional test playbook in [molecule/default/playbook-standalone-nginx-aws.yml](molecule/default/playbook-standalone-nginx-aws.yml). **For a complete example**: see the fully functional test playbook in [molecule/default/playbook-standalone-nginx-aws.yml](molecule/default/playbook-standalone-nginx-aws.yml).
certbot_create_if_missing: false certbot_create_if_missing: false
Set `certbot_create_if_missing` to `yes` or `True` to let this role generate certs.
certbot_create_method: standalone certbot_create_method: standalone
Set `certbot_create_if_missing` to `yes` or `True` to let this role generate certs. Set the method used for generating certs with the `certbot_create_method` variable—current allowed values include: `standalone`. Set the method used for generating certs with the `certbot_create_method` variable — current allowed values are: `standalone` or `webroot`.
certbot_testmode: false
Enable test mode to only run a test request without actually creating certificates.
certbot_hsts: false
Enable (HTTP Strict Transport Security) for the certificate generation.
certbot_admin_email: email@example.com certbot_admin_email: email@example.com
@ -41,13 +52,14 @@ The email address used to agree to Let's Encrypt's TOS and subscribe to cert-rel
certbot_certs: [] certbot_certs: []
# - email: janedoe@example.com # - email: janedoe@example.com
# webroot: "/var/www/html"
# domains: # domains:
# - example1.com # - example1.com
# - example2.com # - example2.com
# - domains: # - domains:
# - example3.com # - example3.com
A list of domains (and other data) for which certs should be generated. You can add an `email` key to any list item to override the `certbot_admin_email`. A list of domains (and other data) for which certs should be generated. You can add an `email` key to any list item to override the `certbot_admin_email`. When using the `webroot` creation method, a `webroot` item has to be provided, specifying which directory to use for the authentication. Make sure your webserver correctly delivers contents from this directory.
certbot_create_command: "{{ certbot_script }} certonly --standalone --noninteractive --agree-tos --email {{ cert_item.email | default(certbot_admin_email) }} -d {{ cert_item.domains | join(',') }}" certbot_create_command: "{{ certbot_script }} certonly --standalone --noninteractive --agree-tos --email {{ cert_item.email | default(certbot_admin_email) }} -d {{ cert_item.domains | join(',') }}"
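Review bot: the documented default for `certbot_create_command` at the end of this hunk still hardcodes `--standalone`, while the new default in `defaults/main.yml` builds the authenticator flag from `--{{ certbot_create_method }}` and appends `--webroot-path`; a reader who copies the README value will get a `webroot` run that still uses the standalone authenticator. Update the README line to mirror the actual default, and while here document the `certbot_webroot` fallback (introduced in `defaults/main.yml`) next to the `webroot: "/var/www/html"` example, since per-cert items without a `webroot` key silently fall back to it.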
@ -70,6 +82,10 @@ Setting `certbot_install_method: snap` configures this role to install Certbot v
This install method is currently experimental and may or may not work across all Linux distributions. This install method is currently experimental and may or may not work across all Linux distributions.
#### Webroot Certificate Generation
When using the `webroot` creation method, a `webroot` item has to be provided for every `certbot_certs` item, specifying which directory to use for the authentication. Also, make sure your webserver correctly delivers contents from this directory.
### Source Installation from Git ### Source Installation from Git
You can install Certbot from it's Git source repository if desired with `certbot_install_method: source`. This might be useful in several cases, but especially when older distributions don't have Certbot packages available (e.g. CentOS < 7, Ubuntu < 16.10 and Debian < 8). You can install Certbot from it's Git source repository if desired with `certbot_install_method: source`. This might be useful in several cases, but especially when older distributions don't have Certbot packages available (e.g. CentOS < 7, Ubuntu < 16.10 and Debian < 8).
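Review bot: the new "Webroot Certificate Generation" subsection restates the sentence already added to the `certbot_certs` description in the previous hunk, and it lands between the Snap and Git install-method sections rather than under "Automatic Certificate Generation" where `certbot_create_method` is documented. Suggest keeping one copy under that section and making it the more concrete one: the directory must be served over plain HTTP for each listed domain so that Certbot's `/.well-known/acme-challenge/` files are reachable, and a missing per-cert `webroot` falls back to `certbot_webroot`.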

@ -6,20 +6,35 @@ certbot_auto_renew_hour: "3"
certbot_auto_renew_minute: "30" certbot_auto_renew_minute: "30"
certbot_auto_renew_options: "--quiet --no-self-upgrade" certbot_auto_renew_options: "--quiet --no-self-upgrade"
certbot_testmode: false
certbot_hsts: false
# Parameters used when creating new Certbot certs. # Parameters used when creating new Certbot certs.
certbot_create_if_missing: false certbot_create_if_missing: false
certbot_create_method: standalone certbot_create_method: standalone
certbot_admin_email: email@example.com certbot_admin_email: email@example.com
# Default webroot, overwritten by individual per-cert webroot directories
certbot_webroot: /var/www/letsencrypt
certbot_certs: [] certbot_certs: []
# - email: janedoe@example.com # - email: janedoe@example.com
# webroot: "/var/www/html/"
# domains: # domains:
# - example1.com # - example1.com
# - example2.com # - example2.com
# - domains: # - domains:
# - example3.com # - example3.com
certbot_create_command: >- certbot_create_command: >-
{{ certbot_script }} certonly --standalone --noninteractive --agree-tos {{ certbot_script }} certonly --{{ certbot_create_method }}
{{ '--hsts' if certbot_hsts else '' }}
{{ '--test-cert' if certbot_testmode else '' }}
--noninteractive --agree-tos
--email {{ cert_item.email | default(certbot_admin_email) }} --email {{ cert_item.email | default(certbot_admin_email) }}
{{ '--webroot-path ' if certbot_create_method == 'webroot' else '' }}
{{ cert_item.webroot | default(certbot_webroot) if certbot_create_method == 'webroot' else '' }}
-d {{ cert_item.domains | join(',') }} -d {{ cert_item.domains | join(',') }}
{{ '--pre-hook /etc/letsencrypt/renewal-hooks/pre/stop_services' {{ '--pre-hook /etc/letsencrypt/renewal-hooks/pre/stop_services'
if certbot_create_standalone_stop_services if certbot_create_standalone_stop_services
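Review bot: the `--pre-hook .../stop_services` clause at the end of the hunk is gated only on `certbot_create_standalone_stop_services`, as far as the visible context shows, not on `certbot_create_method == 'standalone'`; with `webroot` the web server has to stay up to serve the challenge, so stopping services before the request would make every webroot issuance fail. Add `and certbot_create_method == 'standalone'` to that condition. Two smaller points on the same block: the webroot path is interpolated unquoted on the line after `--webroot-path`, so a directory containing whitespace splits into separate arguments (pipe it through `| quote`); and because `--{{ certbot_create_method }}` is passed straight to Certbot, any other value of the variable becomes an arbitrary flag, so the allowed values should be asserted somewhere before the command runs. The sample `webroot: "/var/www/html/"` also differs from the README's `"/var/www/html"` by a trailing slash; pick one.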

@ -0,0 +1,14 @@
---
- name: Check if certificate already exists.
stat:
path: /etc/letsencrypt/live/{{ cert_item.domains | first }}/cert.pem
register: letsencrypt_cert
- name: Create webroot directory if it doesn't exist yet
file:
path: "{{ cert_item.webroot | default(certbot_webroot) }}"
state: directory
- name: Generate new certificate if one doesn't exist.
command: "{{ certbot_create_command }}"
when: not letsencrypt_cert.stat.exists
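Review bot: the "Create webroot directory" task sets no `owner`, `group` or `mode`, so the directory is created root-owned with whatever the host umask yields; under a restrictive umask (for example 0027) the web server user cannot read `.well-known/acme-challenge` beneath it and the HTTP-01 validation fails without an obvious cause. Set `mode: '0755'` (and the web server's group where the role knows it) so the result does not depend on the host. The task also runs when a certificate already exists; adding the same `when: not letsencrypt_cert.stat.exists` as the generate task keeps the role from touching document roots on hosts that need nothing. A one-line comment naming the file as the webroot counterpart of the standalone task file would help readers comparing the two.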

@ -21,5 +21,13 @@
loop_control: loop_control:
loop_var: cert_item loop_var: cert_item
- include_tasks: create-cert-webroot.yml
with_items: "{{ certbot_certs }}"
when:
- certbot_create_if_missing
- certbot_create_method == 'webroot'
loop_control:
loop_var: cert_item
- import_tasks: renew-cron.yml - import_tasks: renew-cron.yml
when: certbot_auto_renew when: certbot_auto_renew
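Review bot: with the two includes each gated on a specific `certbot_create_method` value, a typo such as `webroots` matches neither branch and the play completes with no certificate created and no error. Add an `assert` task before the includes, for example `that: certbot_create_method in ['standalone', 'webroot']` with a `fail_msg`, so misconfiguration fails loudly rather than leaving hosts without certificates. The new block otherwise mirrors the standalone include (`with_items` plus `loop_control`), which keeps the two consistent.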
