Merge pull request #97 from simonspa/webroot

Allow Webroot Certificate Creation
pull/166/head
Jeff Geerling 3 years ago committed by GitHub
commit de4cb90984
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 22
      README.md
  2. 17
      defaults/main.yml
  3. 14
      tasks/create-cert-webroot.yml
  4. 8
      tasks/main.yml

@ -26,14 +26,25 @@ By default, this role configures a cron job to run under the provided user accou
### Automatic Certificate Generation
Currently there is one built-in method for generating new certificates using this role: `standalone`. Other methods (e.g. using nginx or apache and a webroot) may be added in the future.
Currently the `standalone` and `webroot` method are supported for generating new certificates using this role.
**For a complete example**: see the fully functional test playbook in [molecule/default/playbook-standalone-nginx-aws.yml](molecule/default/playbook-standalone-nginx-aws.yml).
certbot_create_if_missing: false
Set `certbot_create_if_missing` to `yes` or `True` to let this role generate certs.
certbot_create_method: standalone
Set `certbot_create_if_missing` to `yes` or `True` to let this role generate certs. Set the method used for generating certs with the `certbot_create_method` variable—current allowed values include: `standalone`.
Set the method used for generating certs with the `certbot_create_method` variable — current allowed values are: `standalone` or `webroot`.
certbot_testmode: false
Enable test mode to only run a test request without actually creating certificates.
certbot_hsts: false
Enable (HTTP Strict Transport Security) for the certificate generation.
certbot_admin_email: email@example.com
@ -41,13 +52,14 @@ The email address used to agree to Let's Encrypt's TOS and subscribe to cert-rel
certbot_certs: []
# - email: janedoe@example.com
# webroot: "/var/www/html"
# domains:
# - example1.com
# - example2.com
# - domains:
# - example3.com
A list of domains (and other data) for which certs should be generated. You can add an `email` key to any list item to override the `certbot_admin_email`.
A list of domains (and other data) for which certs should be generated. You can add an `email` key to any list item to override the `certbot_admin_email`. When using the `webroot` creation method, a `webroot` item has to be provided, specifying which directory to use for the authentication. Make sure your webserver correctly delivers contents from this directory.
certbot_create_command: "{{ certbot_script }} certonly --standalone --noninteractive --agree-tos --email {{ cert_item.email | default(certbot_admin_email) }} -d {{ cert_item.domains | join(',') }}"
@ -70,6 +82,10 @@ Setting `certbot_install_method: snap` configures this role to install Certbot v
This install method is currently experimental and may or may not work across all Linux distributions.
#### Webroot Certificate Generation
When using the `webroot` creation method, a `webroot` item has to be provided for every `certbot_certs` item, specifying which directory to use for the authentication. Also, make sure your webserver correctly delivers contents from this directory.
### Source Installation from Git
You can install Certbot from it's Git source repository if desired with `certbot_install_method: source`. This might be useful in several cases, but especially when older distributions don't have Certbot packages available (e.g. CentOS < 7, Ubuntu < 16.10 and Debian < 8).

@ -6,20 +6,35 @@ certbot_auto_renew_hour: "3"
certbot_auto_renew_minute: "30"
certbot_auto_renew_options: "--quiet --no-self-upgrade"
certbot_testmode: false
certbot_hsts: false
# Parameters used when creating new Certbot certs.
certbot_create_if_missing: false
certbot_create_method: standalone
certbot_admin_email: email@example.com
# Default webroot, overwritten by individual per-cert webroot directories
certbot_webroot: /var/www/letsencrypt
certbot_certs: []
# - email: janedoe@example.com
# webroot: "/var/www/html/"
# domains:
# - example1.com
# - example2.com
# - domains:
# - example3.com
certbot_create_command: >-
{{ certbot_script }} certonly --standalone --noninteractive --agree-tos
{{ certbot_script }} certonly --{{ certbot_create_method }}
{{ '--hsts' if certbot_hsts else '' }}
{{ '--test-cert' if certbot_testmode else '' }}
--noninteractive --agree-tos
--email {{ cert_item.email | default(certbot_admin_email) }}
{{ '--webroot-path ' if certbot_create_method == 'webroot' else '' }}
{{ cert_item.webroot | default(certbot_webroot) if certbot_create_method == 'webroot' else '' }}
-d {{ cert_item.domains | join(',') }}
{{ '--pre-hook /etc/letsencrypt/renewal-hooks/pre/stop_services'
if certbot_create_standalone_stop_services

@ -0,0 +1,14 @@
---
- name: Check if certificate already exists.
stat:
path: /etc/letsencrypt/live/{{ cert_item.domains | first }}/cert.pem
register: letsencrypt_cert
- name: Create webroot directory if it doesn't exist yet
file:
path: "{{ cert_item.webroot | default(certbot_webroot) }}"
state: directory
- name: Generate new certificate if one doesn't exist.
command: "{{ certbot_create_command }}"
when: not letsencrypt_cert.stat.exists

@ -21,5 +21,13 @@
loop_control:
loop_var: cert_item
- include_tasks: create-cert-webroot.yml
with_items: "{{ certbot_certs }}"
when:
- certbot_create_if_missing
- certbot_create_method == 'webroot'
loop_control:
loop_var: cert_item
- import_tasks: renew-cron.yml
when: certbot_auto_renew

Loading…
Cancel
Save