Merge pull request #97 from simonspa/webroot

Allow Webroot Certificate Creation

README.md

@@ -26,14 +26,25 @@ By default, this role configures a cron job to run under the provided user accou
 
 ### Automatic Certificate Generation
 
-Currently there is one built-in method for generating new certificates using this role: `standalone`. Other methods (e.g. using nginx or apache and a webroot) may be added in the future.
+Currently the `standalone` and `webroot` method are supported for generating new certificates using this role.
 
 **For a complete example**: see the fully functional test playbook in [molecule/default/playbook-standalone-nginx-aws.yml](molecule/default/playbook-standalone-nginx-aws.yml).
 
     certbot_create_if_missing: false
-    certbot_create_method: standalone
 
-Set `certbot_create_if_missing` to `yes` or `True` to let this role generate certs. Set the method used for generating certs with the `certbot_create_method` variable—current allowed values include: `standalone`.
+Set `certbot_create_if_missing` to `yes` or `True` to let this role generate certs. 
+
+	certbot_create_method: standalone
+
+Set the method used for generating certs with the `certbot_create_method` variable — current allowed values are: `standalone` or `webroot`.
+
+	certbot_testmode: false
+
+Enable test mode to only run a test request without actually creating certificates.
+
+	certbot_hsts: false
+
+Enable (HTTP Strict Transport Security) for the certificate generation.
 
     certbot_admin_email: email@example.com
 
@@ -41,13 +52,14 @@ The email address used to agree to Let's Encrypt's TOS and subscribe to cert-rel
 
     certbot_certs: []
       # - email: janedoe@example.com
+      #   webroot: "/var/www/html"
       #   domains:
       #     - example1.com
       #     - example2.com
       # - domains:
       #     - example3.com
 
-A list of domains (and other data) for which certs should be generated. You can add an `email` key to any list item to override the `certbot_admin_email`.
+A list of domains (and other data) for which certs should be generated. You can add an `email` key to any list item to override the `certbot_admin_email`. When using the `webroot` creation method, a `webroot` item has to be provided, specifying which directory to use for the authentication. Make sure your webserver correctly delivers contents from this directory.
 
     certbot_create_command: "{{ certbot_script }} certonly --standalone --noninteractive --agree-tos --email {{ cert_item.email | default(certbot_admin_email) }} -d {{ cert_item.domains | join(',') }}"
 
@@ -70,6 +82,10 @@ Setting `certbot_install_method: snap` configures this role to install Certbot v
 
 This install method is currently experimental and may or may not work across all Linux distributions.
 
+#### Webroot Certificate Generation
+
+When using the `webroot` creation method, a `webroot` item has to be provided for every `certbot_certs` item, specifying which directory to use for the authentication. Also, make sure your webserver correctly delivers contents from this directory.
+
 ### Source Installation from Git
 
 You can install Certbot from it's Git source repository if desired with `certbot_install_method: source`. This might be useful in several cases, but especially when older distributions don't have Certbot packages available (e.g. CentOS < 7, Ubuntu < 16.10 and Debian < 8).

defaults/main.yml

@@ -6,20 +6,35 @@ certbot_auto_renew_hour: "3"
 certbot_auto_renew_minute: "30"
 certbot_auto_renew_options: "--quiet --no-self-upgrade"
 
+certbot_testmode: false
+certbot_hsts: false
+
+
 # Parameters used when creating new Certbot certs.
 certbot_create_if_missing: false
 certbot_create_method: standalone
 certbot_admin_email: email@example.com
+
+# Default webroot, overwritten by individual per-cert webroot directories
+certbot_webroot: /var/www/letsencrypt
+
 certbot_certs: []
 # - email: janedoe@example.com
+#   webroot: "/var/www/html/"
 #   domains:
 #     - example1.com
 #     - example2.com
 # - domains:
 #     - example3.com
+
 certbot_create_command: >-
-  {{ certbot_script }} certonly --standalone --noninteractive --agree-tos
+  {{ certbot_script }} certonly --{{ certbot_create_method  }}
+  {{ '--hsts' if certbot_hsts else '' }}
+  {{ '--test-cert' if certbot_testmode else '' }}
+  --noninteractive --agree-tos
   --email {{ cert_item.email | default(certbot_admin_email) }}
+  {{ '--webroot-path ' if certbot_create_method == 'webroot'  else '' }}
+  {{ cert_item.webroot | default(certbot_webroot) if certbot_create_method == 'webroot' else '' }}
   -d {{ cert_item.domains | join(',') }}
   {{ '--pre-hook /etc/letsencrypt/renewal-hooks/pre/stop_services'
     if certbot_create_standalone_stop_services

tasks/create-cert-webroot.yml

@@ -0,0 +1,14 @@
+---
+- name: Check if certificate already exists.
+  stat:
+    path: /etc/letsencrypt/live/{{ cert_item.domains | first }}/cert.pem
+  register: letsencrypt_cert
+
+- name: Create webroot directory if it doesn't exist yet
+  file:
+    path: "{{ cert_item.webroot | default(certbot_webroot) }}"
+    state: directory
+
+- name: Generate new certificate if one doesn't exist.
+  command: "{{ certbot_create_command }}"
+  when: not letsencrypt_cert.stat.exists

tasks/main.yml

@@ -21,5 +21,13 @@
   loop_control:
     loop_var: cert_item
 
+- include_tasks: create-cert-webroot.yml
+  with_items: "{{ certbot_certs }}"
+  when:
+    - certbot_create_if_missing
+    - certbot_create_method == 'webroot'
+  loop_control:
+    loop_var: cert_item
+
 - import_tasks: renew-cron.yml
   when: certbot_auto_renew