gregandev/ansible-role-certbot
gregandev/ansible-role-certbot
1
0
Fork 0
mirror of https://github.com/geerlingguy/ansible-role-certbot.git synced 2025-09-13 09:31:11 +02:00
Code Issues Projects Releases Wiki Activity

Remove webroot/standalone http methods

Browse Source
This commit is contained in:
Simon Caron 2025-08-20 21:04:19 -04:00
parent 8adc76f237
commit df984c8d7d
6 changed files with 16 additions and 340 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
README.md
View File

@ -23,17 +23,12 @@ By default, this role configures a cron job to run under the provided user accou
### Automatic Certificate Generation
Currently the `standalone`, `webroot`, and `dns-cloudflare` methods are supported for generating new certificates using this role.
**For a complete example**: see the fully functional test playbook in [molecule/default/playbook-standalone-nginx-aws.yml](molecule/default/playbook-standalone-nginx-aws.yml).
This role supports generating new certificates using the `dns-cloudflare` method with Cloudflare DNS-01 challenge.
certbot_create_if_missing: false
Set `certbot_create_if_missing` to `yes` or `True` to let this role generate certs.
certbot_create_method: standalone
Set the method used for generating certs with the `certbot_create_method` variable — current allowed values are: `standalone`, `webroot`, or `dns-cloudflare`.
certbot_testmode: false
@ -49,27 +44,15 @@ The email address used to agree to Let's Encrypt's TOS and subscribe to cert-rel
certbot_certs: []
# - email: janedoe@example.com
# webroot: "/var/www/html"
# domains:
# - example1.com
# - example2.com
# - domains:
# - example3.com
A list of domains (and other data) for which certs should be generated. You can add an `email` key to any list item to override the `certbot_admin_email`. When using the `webroot` creation method, a `webroot` item has to be provided, specifying which directory to use for the authentication. Make sure your webserver correctly delivers contents from this directory.
A list of domains (and other data) for which certs should be generated using Cloudflare DNS-01 challenge. You can add an `email` key to any list item to override the `certbot_admin_email`.
certbot_create_command: "{{ certbot_script }} certonly --standalone --noninteractive --agree-tos --email {{ cert_item.email | default(certbot_admin_email) }} -d {{ cert_item.domains | join(',') }}"
The `certbot_create_command` defines the command used to generate the cert. See the full default command inside `defaults/main.yml` for a full example—and you can easily add in extra arguments that are not in the default command with the `certbot_create_extra_args` variable.
#### Standalone Certificate Generation
certbot_create_stop_services:
- nginx
Services that should be stopped while `certbot` runs it's own standalone server on ports 80 and 443. If you're running Apache, set this to `apache2` (Ubuntu), or `httpd` (RHEL), or if you have Nginx on port 443 and something else on port 80 (e.g. Varnish, a Java app, or something else), add it to the list so it is stopped when the certificate is generated.
These services will only be stopped the first time a new cert is generated.
The `certbot_create_command` defines the command used to generate certificates using Cloudflare DNS-01 challenge. See the full default command inside `defaults/main.yml` for a full example—and you can easily add in extra arguments that are not in the default command with the `certbot_create_extra_args` variable.
### Snap Installation
@ -79,13 +62,9 @@ Setting `certbot_install_method: snap` configures this role to install Certbot v
This install method is currently experimental and may or may not work across all Linux distributions.
#### Webroot Certificate Generation
### DNS-01 Challenge with Cloudflare
When using the `webroot` creation method, a `webroot` item has to be provided for every `certbot_certs` item, specifying which directory to use for the authentication. Also, make sure your webserver correctly delivers contents from this directory.
#### DNS-01 Challenge with Cloudflare
When using the `dns-cloudflare` creation method, you need to configure Cloudflare DNS credentials:
You need to configure Cloudflare DNS credentials:
certbot_cloudflare_email: "your-email@example.com"
certbot_cloudflare_api_key: "your-global-api-key"
@ -102,6 +81,13 @@ For API token setup:
This method supports wildcard certificates and doesn't require your server to be publicly accessible on ports 80/443.
### Service Management During Certificate Generation
certbot_create_stop_services:
- nginx
Services that can be stopped during certificate generation if needed. While DNS-01 challenge doesn't require stopping services (since it doesn't use ports 80/443), you may want to restart services after certificate deployment using deploy hooks.
### Wildcard Certificates

19
defaults/main.yml
View File

@ -12,7 +12,6 @@ certbot_hsts: false
# Parameters used when creating new Certbot certs.
certbot_create_if_missing: false
certbot_create_method: dns-cloudflare
certbot_create_extra_args: ""
certbot_admin_email: email@example.com
certbot_expand: false
@ -23,13 +22,10 @@ certbot_cloudflare_api_key: ""
certbot_cloudflare_api_token: ""
certbot_cloudflare_propagation_seconds: 60
# Default webroot, overwritten by individual per-cert webroot directories (not used with DNS-01)
certbot_webroot: /var/www/letsencrypt
certbot_certs: []
# - name: example.com
# email: janedoe@example.com
# webroot: "/var/www/html/"
# domains:
# - example1.com
# - example2.com
@ -37,26 +33,17 @@ certbot_certs: []
# - example3.com
certbot_create_command: >-
{{ certbot_script }} certonly --{{ certbot_create_method }}
{{ certbot_script }} certonly --dns-cloudflare
{{ '--hsts' if certbot_hsts else '' }}
{{ '--test-cert' if certbot_testmode else '' }}
--noninteractive --agree-tos
--email {{ cert_item.email | default(certbot_admin_email) }}
{{ '--expand' if certbot_expand else '' }}
{{ '--webroot-path ' if certbot_create_method == 'webroot' else '' }}
{{ cert_item.webroot | default(certbot_webroot) if certbot_create_method == 'webroot' else '' }}
{{ '--dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini' if certbot_create_method == 'dns-cloudflare' else '' }}
{{ '--dns-cloudflare-propagation-seconds ' + (certbot_cloudflare_propagation_seconds | string) if certbot_create_method == 'dns-cloudflare' else '' }}
--dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini
--dns-cloudflare-propagation-seconds {{ certbot_cloudflare_propagation_seconds }}
{{ certbot_create_extra_args }}
--cert-name {{ cert_item_name }}
-d {{ cert_item.domains | join(',') }}
{{ '--expand' if certbot_expand else '' }}
{{ '--pre-hook /etc/letsencrypt/renewal-hooks/pre/stop_services'
if certbot_create_stop_services and certbot_create_method == 'standalone'
else '' }}
{{ '--post-hook /etc/letsencrypt/renewal-hooks/post/start_services'
if certbot_create_stop_services and certbot_create_method == 'standalone'
else '' }}
{{ "--deploy-hook '" ~ cert_item.deploy_hook ~ "'"
if 'deploy_hook' in cert_item
else '' }}

181
molecule/default/playbook-standalone-nginx-aws.yml
View File

@ -1,181 +0,0 @@
---
# To run:
# 1. Ensure Ansible and Boto are installed (pip install ansible boto).
# 2. Ensure you have AWS credentials stored where Boto can find them, and they
# are under the profile 'mm'.
# 3. Ensure you have a pubkey available at ~/.ssh/id_rsa.pub.
# 3. Run the playbook: ansible-playbook test-standalone-nginx-aws.yml
# Play 1: Provision EC2 instance and A record.
- hosts: localhost
connection: local
gather_facts: false
tasks:
- name: Configure EC2 Security Group.
ec2_group:
profile: mm
name: certbot_test_http
description: HTTP security group for Certbot testing.
region: "us-east-1"
state: present
rules:
- proto: tcp
from_port: 80
to_port: 80
cidr_ip: 0.0.0.0/0
- proto: tcp
from_port: 443
to_port: 443
cidr_ip: 0.0.0.0/0
- proto: tcp
from_port: 22
to_port: 22
cidr_ip: 0.0.0.0/0
rules_egress: []
- name: Add EC2 Key Pair.
ec2_key:
profile: mm
region: "us-east-1"
name: certbot_test
key_material: "{{ item }}"
with_file:
- ~/.ssh/id_rsa.pub
- name: Provision EC2 instance.
ec2:
profile: mm
key_name: certbot_test
instance_tags:
Name: "certbot-standalone-nginx-test"
group: ['default', 'certbot_test_http']
instance_type: t2.micro
# CentOS Linux 7 x86_64 HVM EBS
image: ami-02e98f78
region: "us-east-1"
wait: true
wait_timeout: 500
exact_count: 1
count_tag:
Name: "certbot-standalone-nginx-test"
register: created_instance
- name: Add A record for the new EC2 instance IP in Route53.
route53:
profile: mm
command: create
zone: servercheck.in
record: certbot-test.servercheck.in
type: A
ttl: 300
value: "{{ created_instance.tagged_instances.0.public_ip }}"
wait: true
overwrite: true
- name: Add EC2 instance to inventory groups.
add_host:
name: "certbot-test.servercheck.in"
groups: "aws,aws_nginx"
ansible_ssh_user: centos
host_key_checking: false
when: created_instance.tagged_instances.0.id is defined
# Play 2: Configure EC2 instance with Certbot and Nginx.
- hosts: aws_nginx
gather_facts: true
become: true
vars:
certbot_admin_email: https@servercheck.in
certbot_create_if_missing: true
certbot_create_stop_services: []
certbot_certs:
- name: certbot-test.servercheck.in
domains:
- certbot-test.servercheck.in
nginx_vhosts:
- listen: "443 ssl http2"
server_name: "certbot-test.servercheck.in"
root: "/usr/share/nginx/html"
index: "index.html index.htm"
state: "present"
template: "{{ nginx_vhost_template }}"
filename: "certbot_test.conf"
extra_parameters: |
ssl_certificate /etc/letsencrypt/live/certbot-test.servercheck.in/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/certbot-test.servercheck.in/privkey.pem;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
pre_tasks:
- name: Update apt cache.
apt: update_cache=true cache_valid_time=600
when: ansible_os_family == 'Debian'
changed_when: false
- name: Install dependencies (RedHat).
yum: name={{ item }} state=present
when: ansible_os_family == 'RedHat'
with_items:
- cronie
- epel-release
- name: Install cron (Debian).
apt: name=cron state=present
when: ansible_os_family == 'Debian'
roles:
- simoncaron.certbot
- geerlingguy.nginx
tasks:
- name: Flush handlers in case any configs have changed.
meta: flush_handlers
- name: Test secure connection to SSL domain.
uri:
url: https://certbot-test.servercheck.in/
status_code: 200
delegate_to: localhost
become: false
# Play 3: Tear down EC2 instance and A record.
- hosts: localhost
connection: local
gather_facts: false
tasks:
- name: Destroy EC2 instance.
ec2:
profile: mm
instance_ids: ["{{ created_instance.tagged_instances.0.id }}"]
region: "us-east-1"
state: absent
wait: true
wait_timeout: 500
- name: Delete Security Group.
ec2_group:
profile: mm
name: certbot_test_http
region: "us-east-1"
state: absent
- name: Delete Key Pair.
ec2_key:
profile: mm
name: certbot_test
region: "us-east-1"
state: absent
- name: Delete Route53 record.
route53:
profile: mm
state: delete
zone: servercheck.in
record: certbot-test.servercheck.in
type: A
ttl: 300
# See: https://github.com/ansible/ansible/pull/32297
value: []

63
tasks/create-cert-standalone.yml
View File

@ -1,63 +0,0 @@
---
- name: Determine certificate name
set_fact:
cert_item_name: "{{ cert_item.name | default(cert_item.domains | first | replace('*.', '')) }}"
- name: Check if certificate already exists.
stat:
path: /etc/letsencrypt/live/{{ cert_item_name }}/cert.pem
register: letsencrypt_cert
- name: Ensure pre and post hook folders exist.
file:
path: /etc/letsencrypt/renewal-hooks/{{ item }}
state: directory
mode: 0755
owner: root
group: root
with_items:
- pre
- post
- name: Create pre hook to stop services.
template:
src: stop_services.j2
dest: /etc/letsencrypt/renewal-hooks/pre/stop_services
owner: root
group: root
mode: 0750
when:
- certbot_create_stop_services is defined
- certbot_create_stop_services
- name: Create post hook to start services.
template:
src: start_services.j2
dest: /etc/letsencrypt/renewal-hooks/post/start_services
owner: root
group: root
mode: 0750
when:
- certbot_create_stop_services is defined
- certbot_create_stop_services
- name: Check if domains have changed
block:
- name: Register certificate domains
shell: "{{ certbot_script }} certificates --cert-name {{ cert_item_name }} | grep Domains | cut -d':' -f2"
changed_when: false
register: letsencrypt_cert_domains_dirty
- name: Cleanup domain list
set_fact:
letsencrypt_cert_domains: "{{ letsencrypt_cert_domains_dirty.stdout | trim | split(' ') | map('trim') | select('!=', '') | list | sort }}"
- name: Determine if domains have changed
set_fact:
letsencrypt_cert_domains_changed: "{{ letsencrypt_cert_domains != (cert_item.domains | map('trim') | select('!=', '') | list | sort) }}"
when: letsencrypt_cert.stat.exists
- name: Generate new certificate if one doesn't exist.
command: "{{ certbot_create_command }}"
when: not letsencrypt_cert.stat.exists or letsencrypt_cert_domains_changed | default(false)

35
tasks/create-cert-webroot.yml
View File

@ -1,35 +0,0 @@
---
- name: Determine certificate name
set_fact:
cert_item_name: "{{ cert_item.name | default(cert_item.domains | first | replace('*.', '')) }}"
- name: Check if certificate already exists.
stat:
path: /etc/letsencrypt/live/{{ cert_item_name }}/cert.pem
register: letsencrypt_cert
- name: Create webroot directory if it doesn't exist yet
file:
path: "{{ cert_item.webroot | default(certbot_webroot) }}"
state: directory
- name: Check if domains have changed
block:
- name: Register certificate domains
shell: "{{ certbot_script }} certificates --cert-name {{ cert_item_name }} | grep Domains | cut -d':' -f2"
changed_when: false
register: letsencrypt_cert_domains_dirty
- name: Cleanup domain list
set_fact:
letsencrypt_cert_domains: "{{ letsencrypt_cert_domains_dirty.stdout | trim | split(' ') | map('trim') | select('!=', '') | list | sort }}"
- name: Determine if domains have changed
set_fact:
letsencrypt_cert_domains_changed: "{{ letsencrypt_cert_domains != (cert_item.domains | map('trim') | select('!=', '') | list | sort) }}"
when: letsencrypt_cert.stat.exists
- name: Generate new certificate if one doesn't exist.
command: "{{ certbot_create_command }}"
when: not letsencrypt_cert.stat.exists or letsencrypt_cert_domains_changed | default(false)

20
tasks/main.yml
View File

@ -11,27 +11,9 @@
when: certbot_install_method == 'snap'
- include_tasks: create-cert-standalone.yml
with_items: "{{ certbot_certs }}"
when:
- certbot_create_if_missing
- certbot_create_method == 'standalone'
loop_control:
loop_var: cert_item
- include_tasks: create-cert-webroot.yml
with_items: "{{ certbot_certs }}"
when:
- certbot_create_if_missing
- certbot_create_method == 'webroot'
loop_control:
loop_var: cert_item
- include_tasks: create-cert-dns-cloudflare.yml
with_items: "{{ certbot_certs }}"
when:
- certbot_create_if_missing
- certbot_create_method == 'dns-cloudflare'
when: certbot_create_if_missing
loop_control:
loop_var: cert_item