Merge

.gitignore

@@ -1,2 +1,3 @@
 *.retry
-tests/test.sh
+*/__pycache__
+*.pyc

.travis.yml

@@ -1,23 +1,33 @@
 ---
+language: python
 services: docker
 
 env:
-  - distro: centos7
-  - distro: centos6
-    playbook: test-source-install.yml
-  - distro: ubuntu1604
-  - distro: ubuntu1404
-    playbook: test-source-install.yml
-  - distro: debian8
-    playbook: test-source-install.yml
+  global:
+    - ROLE_NAME: certbot
+  matrix:
+    - MOLECULE_DISTRO: centos7
+    - MOLECULE_DISTRO: centos6
+      MOLECULE_PLAYBOOK: playbook-source-install.yml
+    - MOLECULE_DISTRO: ubuntu1804
+    - MOLECULE_DISTRO: ubuntu1604
+    - MOLECULE_DISTRO: ubuntu1404
+      MOLECULE_PLAYBOOK: playbook-source-install.yml
+    - MOLECULE_DISTRO: debian9
+
+install:
+  # Install test dependencies.
+  - pip install molecule docker
+
+before_script:
+  # Use actual Ansible Galaxy role name for the project directory.
+  - cd ../
+  - mv ansible-role-$ROLE_NAME geerlingguy.$ROLE_NAME
+  - cd geerlingguy.$ROLE_NAME
 
 script:
-  # Download test shim.
-  - wget -O ${PWD}/tests/test.sh https://gist.githubusercontent.com/geerlingguy/73ef1e5ee45d8694570f334be385e181/raw/
-  - chmod +x ${PWD}/tests/test.sh
-
   # Run tests.
-  - ${PWD}/tests/test.sh
+  - molecule test
 
 notifications:
   webhooks: https://galaxy.ansible.com/api/v1/notifications/

README.md

@@ -15,7 +15,7 @@ Generally, installing from source (see section `Source Installation from Git`) l
 The variable `certbot_install_from_source` controls whether to install Certbot from Git or package management. The latter is the default, so the variable defaults to `no`.
 
     certbot_auto_renew: true
-    certbot_auto_renew_user: "{{ ansible_user }}"
+    certbot_auto_renew_user: "{{ ansible_user | default(lookup('env', 'USER')) }}"
     certbot_auto_renew_hour: 3
     certbot_auto_renew_minute: 30
     certbot_auto_renew_options: "--quiet --no-self-upgrade"
@@ -26,9 +26,9 @@ By default, this role configures a cron job to run under the provided user accou
 
 Currently there is one built-in method for generating new certificates using this role: `standalone`. Other methods (e.g. using nginx or apache and a webroot) may be added in the future.
 
-**For a complete example**: see the fully functional test playbook in [tests/test-standalone-nginx-aws.yml](tests/test-standalone-nginx-aws.yml).
+**For a complete example**: see the fully functional test playbook in [molecule/default/playbook-standalone-nginx-aws.yml](molecule/default/playbook-standalone-nginx-aws.yml).
 
-    certbot_create_if_missing: no
+    certbot_create_if_missing: false
     certbot_create_method: standalone
 
 Set `certbot_create_if_missing` to `yes` or `True` to let this role generate certs. Set the method used for generating certs with the `certbot_create_method` variable—current allowed values include: `standalone`.
@@ -64,10 +64,10 @@ These services will only be stopped the first time a new cert is generated.
 
 You can install Certbot from it's Git source repository if desired. This might be useful in several cases, but especially when older distributions don't have Certbot packages available (e.g. CentOS < 7, Ubuntu < 16.10 and Debian < 8).
 
-    certbot_install_from_source: no
+    certbot_install_from_source: false
     certbot_repo: https://github.com/certbot/certbot.git
     certbot_version: master
-    certbot_keep_updated: yes
+    certbot_keep_updated: true
 
 Certbot Git repository options. To install from source, set `certbot_install_from_source` to `yes`. This clones the configured `certbot_repo`, respecting the `certbot_version` setting. If `certbot_keep_updated` is set to `yes`, the repository is updated every time this role runs.
 
@@ -75,6 +75,12 @@ Certbot Git repository options. To install from source, set `certbot_install_fro
 
 The directory inside which Certbot will be cloned.
 
+### Wildcard Certificates
+
+Let's Encrypt supports [generating wildcard certificates](https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579), but the process for generating and using them is slightly more involved. See comments in [this pull request](https://github.com/geerlingguy/ansible-role-certbot/pull/60#issuecomment-423919284) for an example of how to use this role to maintain wildcard certs.
+
+Michael Porter also has a walkthrough of [Creating A Let’s Encrypt Wildcard Cert With Ansible](https://www.michaelpporter.com/2018/09/creating-a-wildcard-cert-with-ansible/), specifically with Cloudflare.
+
 ## Dependencies
 
 None.

defaults/main.yml

@@ -1,23 +1,27 @@
 ---
 # Certbot auto-renew cron job configuration (for certificate renewals).
 certbot_auto_renew: true
-certbot_auto_renew_user: "{{ ansible_user }}"
+certbot_auto_renew_user: "{{ ansible_user | default(lookup('env', 'USER')) }}"
 certbot_auto_renew_hour: 3
 certbot_auto_renew_minute: 30
 certbot_auto_renew_options: "--quiet --no-self-upgrade"
 
 # Parameters used when creating new Certbot certs.
-certbot_create_if_missing: no
+certbot_create_if_missing: false
 certbot_create_method: standalone
 certbot_admin_email: email@example.com
 certbot_certs: []
-  # - email: janedoe@example.com
-  #   domains:
-  #     - example1.com
-  #     - example2.com
-  # - domains:
-  #     - example3.com
-certbot_create_command: "{{ certbot_script }} certonly --standalone --noninteractive --expand --agree-tos --email {{ cert_item.email | default(certbot_admin_email) }} -d {{ cert_item.domains | join(',') }}"
+# - email: janedoe@example.com
+#   domains:
+#     - example1.com
+#     - example2.com
+# - domains:
+#     - example3.com
+certbot_create_command: >-
+  {{ certbot_script }} certonly --standalone --noninteractive --agree-tos
+  --expand --email {{ cert_item.email | default(certbot_admin_email) }}
+  -d {{ cert_item.domains | join(',') }}
+
 certbot_create_standalone_stop_services:
   - nginx
   # - apache
@@ -25,10 +29,10 @@ certbot_create_standalone_stop_services:
 
 # To install from source (on older OSes or if you need a specific or newer
 # version of Certbot), set this variable to `yes` and configure other options.
-certbot_install_from_source: no
+certbot_install_from_source: false
 certbot_repo: https://github.com/certbot/certbot.git
 certbot_version: master
-certbot_keep_updated: yes
+certbot_keep_updated: true
 
 # Where to put Certbot when installing from source.
 certbot_dir: /opt/certbot

molecule/default/molecule.yml

@@ -0,0 +1,29 @@
+---
+dependency:
+  name: galaxy
+driver:
+  name: docker
+lint:
+  name: yamllint
+  options:
+    config-file: molecule/default/yaml-lint.yml
+platforms:
+  - name: instance
+    image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest"
+    command: ${MOLECULE_DOCKER_COMMAND:-""}
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    privileged: true
+    pre_build_image: true
+provisioner:
+  name: ansible
+  lint:
+    name: ansible-lint
+  playbooks:
+    converge: ${MOLECULE_PLAYBOOK:-playbook.yml}
+scenario:
+  name: default
+verifier:
+  name: testinfra
+  lint:
+    name: flake8

molecule/default/playbook-source-install.yml

@@ -1,8 +1,11 @@
 ---
-- hosts: all
+- name: Converge
+  hosts: all
+  become: true
 
   vars:
-    certbot_install_from_source: yes
+    certbot_install_from_source: true
+    certbot_auto_renew_user: root
 
   pre_tasks:
     - name: Update apt cache.
@@ -20,4 +23,4 @@
 
   roles:
     - geerlingguy.git
-    - role_under_test
+    - geerlingguy.certbot

molecule/default/playbook-standalone-nginx-aws.yml

@@ -9,7 +9,7 @@
 # Play 1: Provision EC2 instance and A record.
 - hosts: localhost
   connection: local
-  gather_facts: no
+  gather_facts: false
 
   tasks:
     - name: Configure EC2 Security Group.
@@ -50,9 +50,10 @@
           Name: "certbot-standalone-nginx-test"
         group: ['default', 'certbot_test_http']
         instance_type: t2.micro
-        image: ami-02e98f78 # CentOS Linux 7 x86_64 HVM EBS
+        # CentOS Linux 7 x86_64 HVM EBS
+        image: ami-02e98f78
         region: "us-east-1"
-        wait: yes
+        wait: true
         wait_timeout: 500
         exact_count: 1
         count_tag:
@@ -68,25 +69,25 @@
         type: A
         ttl: 300
         value: "{{ created_instance.tagged_instances.0.public_ip }}"
-        wait: yes
-        overwrite: yes
+        wait: true
+        overwrite: true
 
     - name: Add EC2 instance to inventory groups.
       add_host:
         name: "certbot-test.servercheck.in"
         groups: "aws,aws_nginx"
         ansible_ssh_user: centos
-        host_key_checking: False
+        host_key_checking: false
       when: created_instance.tagged_instances.0.id is defined
 
 # Play 2: Configure EC2 instance with Certbot and Nginx.
 - hosts: aws_nginx
-  gather_facts: yes
-  become: yes
+  gather_facts: true
+  become: true
 
   vars:
     certbot_admin_email: https@servercheck.in
-    certbot_create_if_missing: yes
+    certbot_create_if_missing: true
     certbot_create_standalone_stop_services: []
     certbot_certs:
       - domains:
@@ -107,7 +108,7 @@
 
   pre_tasks:
     - name: Update apt cache.
-      apt: update_cache=yes cache_valid_time=600
+      apt: update_cache=true cache_valid_time=600
       when: ansible_os_family == 'Debian'
       changed_when: false
 
@@ -135,12 +136,12 @@
         url: https://certbot-test.servercheck.in/
         status_code: 200
       delegate_to: localhost
-      become: no
+      become: false
 
 # Play 3: Tear down EC2 instance and A record.
 - hosts: localhost
   connection: local
-  gather_facts: no
+  gather_facts: false
 
   tasks:
     - name: Destroy EC2 instance.
@@ -149,7 +150,7 @@
         instance_ids: ["{{ created_instance.tagged_instances.0.id }}"]
         region: "us-east-1"
         state: absent
-        wait: yes
+        wait: true
         wait_timeout: 500
 
     - name: Delete Security Group.

molecule/default/playbook.yml

@@ -1,5 +1,10 @@
 ---
-- hosts: all
+- name: Converge
+  hosts: all
+  become: true
+
+  vars:
+    certbot_auto_renew_user: root
 
   pre_tasks:
     - name: Update apt cache.
@@ -19,4 +24,4 @@
       when: ansible_os_family == 'Debian'
 
   roles:
-    - role_under_test
+    - geerlingguy.certbot

molecule/default/tests/test_default.py

@@ -0,0 +1,14 @@
+import os
+
+import testinfra.utils.ansible_runner
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')
+
+
+def test_hosts_file(host):
+    f = host.file('/etc/hosts')
+
+    assert f.exists
+    assert f.user == 'root'
+    assert f.group == 'root'

molecule/default/yaml-lint.yml

@@ -0,0 +1,6 @@
+---
+extends: default
+rules:
+  line-length:
+    max: 120
+    level: warning

tasks/install-from-source.yml

@@ -5,7 +5,7 @@
     dest: "{{ certbot_dir }}"
     version: "{{ certbot_version }}"
     update: "{{ certbot_keep_updated }}"
-    force: yes
+    force: true
 
 - name: Set Certbot script variable.
   set_fact:

tasks/test-cert-exists.yml

@@ -1,12 +1,12 @@
 ---
 - name: Check if certificate already exists.
   stat:
-    path: /etc/letsencrypt/live/{{ cert_item.domains | first }}/cert.pem
+    path: /etc/letsencrypt/live/{{ cert_item.domains | first | replace('*.', '') }}/cert.pem
   register: letsencrypt_cert_exists
 
 - name: Check if certificate domain list has changed.
   lineinfile:
-    path: /etc/letsencrypt/domains-{{ cert_item.domains | first }}.json
+    path: /etc/letsencrypt/domains-{{ cert_item.domains | first | replace('*.', '' }}.json
     line: " {{ cert_item.domains | to_json }}"
     state: present
     create: yes

tests/README.md

@@ -1,11 +0,0 @@
-# Ansible Role tests
-
-To run the test playbook(s) in this directory:
-
-  1. Install and start Docker.
-  1. Download the test shim (see .travis.yml file for the URL) into `tests/test.sh`:
-    - `wget -O tests/test.sh https://gist.githubusercontent.com/geerlingguy/73ef1e5ee45d8694570f334be385e181/raw/`
-  1. Make the test shim executable: `chmod +x tests/test.sh`.
-  1. Run (from the role root directory) `distro=[distro] playbook=[playbook] ./tests/test.sh`
-
-If you don't want the container to be automatically deleted after the test playbook is run, add the following environment variables: `cleanup=false container_id=$(date +%s)`

vars/Ubuntu-16.04.yml

@@ -1 +1,2 @@
+---
 certbot_package: letsencrypt