Merge pull request #97 from simonspa/webroot

Allow Webroot Certificate Creation
3 years ago · de4cb90984
parent 027af9b3b3 955ec8b17e
commit de4cb90984
4 changed files with 58 additions and 5 deletions
--- a/README.md
+++ b/README.md
@ -26,14 +26,25 @@ By default, this role configures a cron job to run under the provided user accou

 ### Automatic Certificate Generation

-Currently there is one built-in method for generating new certificates using this role: `standalone`. Other methods (e.g. using nginx or apache and a webroot) may be added in the future.
+Currently the `standalone` and `webroot` method are supported for generating new certificates using this role.

 **For a complete example**: see the fully functional test playbook in [molecule/default/playbook-standalone-nginx-aws.yml](molecule/default/playbook-standalone-nginx-aws.yml).

    certbot_create_if_missing: false
+
+Set `certbot_create_if_missing` to `yes` or `True` to let this role generate certs. 
+
 	certbot_create_method: standalone

-Set `certbot_create_if_missing` to `yes` or `True` to let this role generate certs. Set the method used for generating certs with the `certbot_create_method` variable—current allowed values include: `standalone`.
+Set the method used for generating certs with the `certbot_create_method` variable — current allowed values are: `standalone` or `webroot`.
+
+	certbot_testmode: false
+
+Enable test mode to only run a test request without actually creating certificates.
+
+	certbot_hsts: false
+
+Enable (HTTP Strict Transport Security) for the certificate generation.

    certbot_admin_email: email@example.com

@ -41,13 +52,14 @@ The email address used to agree to Let's Encrypt's TOS and subscribe to cert-rel

    certbot_certs: []
      # - email: janedoe@example.com
+      #   webroot: "/var/www/html"
      #   domains:
      #     - example1.com
      #     - example2.com
      # - domains:
      #     - example3.com

-A list of domains (and other data) for which certs should be generated. You can add an `email` key to any list item to override the `certbot_admin_email`.
+A list of domains (and other data) for which certs should be generated. You can add an `email` key to any list item to override the `certbot_admin_email`. When using the `webroot` creation method, a `webroot` item has to be provided, specifying which directory to use for the authentication. Make sure your webserver correctly delivers contents from this directory.

    certbot_create_command: "{{ certbot_script }} certonly --standalone --noninteractive --agree-tos --email {{ cert_item.email | default(certbot_admin_email) }} -d {{ cert_item.domains | join(',') }}"

@ -70,6 +82,10 @@ Setting `certbot_install_method: snap` configures this role to install Certbot v

 This install method is currently experimental and may or may not work across all Linux distributions.

+#### Webroot Certificate Generation
+
+When using the `webroot` creation method, a `webroot` item has to be provided for every `certbot_certs` item, specifying which directory to use for the authentication. Also, make sure your webserver correctly delivers contents from this directory.
+
 ### Source Installation from Git

 You can install Certbot from it's Git source repository if desired with `certbot_install_method: source`. This might be useful in several cases, but especially when older distributions don't have Certbot packages available (e.g. CentOS < 7, Ubuntu < 16.10 and Debian < 8).
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -6,20 +6,35 @@ certbot_auto_renew_hour: "3"
 certbot_auto_renew_minute: "30"
 certbot_auto_renew_options: "--quiet --no-self-upgrade"

+certbot_testmode: false
+certbot_hsts: false
+
+
 # Parameters used when creating new Certbot certs.
 certbot_create_if_missing: false
 certbot_create_method: standalone
 certbot_admin_email: email@example.com
+
+# Default webroot, overwritten by individual per-cert webroot directories
+certbot_webroot: /var/www/letsencrypt
+
 certbot_certs: []
 # - email: janedoe@example.com
+#   webroot: "/var/www/html/"
 #   domains:
 #     - example1.com
 #     - example2.com
 # - domains:
 #     - example3.com
+
 certbot_create_command: >-
-  {{ certbot_script }} certonly --standalone --noninteractive --agree-tos
+  {{ certbot_script }} certonly --{{ certbot_create_method  }}
+  {{ '--hsts' if certbot_hsts else '' }}
+  {{ '--test-cert' if certbot_testmode else '' }}
+  --noninteractive --agree-tos
  --email {{ cert_item.email | default(certbot_admin_email) }}
+  {{ '--webroot-path ' if certbot_create_method == 'webroot'  else '' }}
+  {{ cert_item.webroot | default(certbot_webroot) if certbot_create_method == 'webroot' else '' }}
  -d {{ cert_item.domains | join(',') }}
  {{ '--pre-hook /etc/letsencrypt/renewal-hooks/pre/stop_services'
    if certbot_create_standalone_stop_services
--- a/tasks/create-cert-webroot.yml
+++ b/tasks/create-cert-webroot.yml
@ -0,0 +1,14 @@
+---
+- name: Check if certificate already exists.
+  stat:
+    path: /etc/letsencrypt/live/{{ cert_item.domains | first }}/cert.pem
+  register: letsencrypt_cert
+
+- name: Create webroot directory if it doesn't exist yet
+  file:
+    path: "{{ cert_item.webroot | default(certbot_webroot) }}"
+    state: directory
+
+- name: Generate new certificate if one doesn't exist.
+  command: "{{ certbot_create_command }}"
+  when: not letsencrypt_cert.stat.exists
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -21,5 +21,13 @@
  loop_control:
    loop_var: cert_item

+- include_tasks: create-cert-webroot.yml
+  with_items: "{{ certbot_certs }}"
+  when:
+    - certbot_create_if_missing
+    - certbot_create_method == 'webroot'
+  loop_control:
+    loop_var: cert_item
+
 - import_tasks: renew-cron.yml
  when: certbot_auto_renew