.github/stale.yml

@@ -0,0 +1,56 @@
+# Configuration for probot-stale - https://github.com/probot/stale
+
+# Number of days of inactivity before an Issue or Pull Request becomes stale
+daysUntilStale: 90
+
+# Number of days of inactivity before an Issue or Pull Request with the stale label is closed.
+# Set to false to disable. If disabled, issues still need to be closed manually, but will remain marked as stale.
+daysUntilClose: 30
+
+# Only issues or pull requests with all of these labels are check if stale. Defaults to `[]` (disabled)
+onlyLabels: []
+
+# Issues or Pull Requests with these labels will never be considered stale. Set to `[]` to disable
+exemptLabels:
+  - pinned
+  - security
+  - planned
+
+# Set to true to ignore issues in a project (defaults to false)
+exemptProjects: false
+
+# Set to true to ignore issues in a milestone (defaults to false)
+exemptMilestones: false
+
+# Set to true to ignore issues with an assignee (defaults to false)
+exemptAssignees: false
+
+# Label to use when marking as stale
+staleLabel: stale
+
+# Limit the number of actions per hour, from 1-30. Default is 30
+limitPerRun: 30
+
+pulls:
+  markComment: |-
+    This pull request has been marked 'stale' due to lack of recent activity. If there is no further activity, the PR will be closed in another 30 days. Thank you for your contribution!
+
+    Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark pull requests as stale.
+
+  unmarkComment: >-
+    This pull request is no longer marked for closure.
+
+  closeComment: >-
+    This pull request has been closed due to inactivity. If you feel this is in error, please reopen the pull request or file a new PR with the relevant details.
+
+issues:
+  markComment: |-
+    This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!
+
+    Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark issues as stale.
+
+  unmarkComment: >-
+    This issue is no longer marked for closure.
+
+  closeComment: >-
+    This issue has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details.

.github/workflows/ci.yml

@@ -19,12 +19,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out the codebase.
-        uses: actions/checkout@v4
+        uses: actions/checkout@v2
         with:
           path: 'geerlingguy.certbot'
 
       - name: Set up Python 3.
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v2
         with:
           python-version: '3.x'
 
@@ -41,33 +41,39 @@ jobs:
     strategy:
       matrix:
         include:
-          - distro: rockylinux9
+          - distro: centos8
             playbook: converge.yml
             experimental: false
-          - distro: ubuntu2404
+          - distro: centos7
             playbook: converge.yml
             experimental: false
-          - distro: debian12
+          - distro: ubuntu1804
             playbook: converge.yml
             experimental: false
+          - distro: debian10
+            playbook: converge.yml
+            experimental: false
+          - distro: centos7
+            playbook: playbook-source-install.yml
+            experimental: false
 
-          - distro: rockylinux9
+          - distro: centos7
             playbook: playbook-snap-install.yml
             experimental: true
 
     steps:
       - name: Check out the codebase.
-        uses: actions/checkout@v4
+        uses: actions/checkout@v2
         with:
           path: 'geerlingguy.certbot'
 
       - name: Set up Python 3.
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v2
         with:
           python-version: '3.x'
 
       - name: Install test dependencies.
-        run: pip3 install ansible molecule molecule-plugins[docker] docker
+        run: pip3 install ansible molecule[docker] docker
 
       - name: Run Molecule tests.
         run: molecule test

.github/workflows/release.yml

@@ -22,19 +22,17 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out the codebase.
-        uses: actions/checkout@v4
+        uses: actions/checkout@v2
         with:
           path: 'geerlingguy.certbot'
 
       - name: Set up Python 3.
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v2
         with:
           python-version: '3.x'
 
       - name: Install Ansible.
-        run: pip3 install ansible-core
+        run: pip3 install ansible-base
 
       - name: Trigger a new import on Galaxy.
-        run: >-
-          ansible-galaxy role import --api-key ${{ secrets.GALAXY_API_KEY }}
-          $(echo ${{ github.repository }} | cut -d/ -f1) $(echo ${{ github.repository }} | cut -d/ -f2)
+        run: ansible-galaxy role import --api-key ${{ secrets.GALAXY_API_KEY }} $(echo ${{ github.repository }} | cut -d/ -f1) $(echo ${{ github.repository }} | cut -d/ -f2)

.github/workflows/stale.yml

@@ -1,34 +0,0 @@
----
-name: Close inactive issues
-'on':
-  schedule:
-    - cron: "55 12 * * 1"  # semi-random time
-
-jobs:
-  close-issues:
-    runs-on: ubuntu-latest
-    permissions:
-      issues: write
-      pull-requests: write
-    steps:
-      - uses: actions/stale@v8
-        with:
-          days-before-stale: 120
-          days-before-close: 60
-          exempt-issue-labels: bug,pinned,security,planned
-          exempt-pr-labels: bug,pinned,security,planned
-          stale-issue-label: "stale"
-          stale-pr-label: "stale"
-          stale-issue-message: |
-            This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!
-            
-            Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark issues as stale.
-          close-issue-message: |
-            This issue has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details.
-          stale-pr-message: |
-            This pr has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!
-            
-            Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark issues as stale.
-          close-pr-message: |
-            This pr has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details.
-          repo-token: ${{ secrets.GITHUB_TOKEN }}

.yamllint

@@ -3,11 +3,8 @@ extends: default
 
 rules:
   line-length:
-    max: 180
+    max: 120
     level: warning
-  indentation:
-    spaces: 2
-    indent-sequences: consistent
 
 ignore: |
-  .github/workflows/stale.yml
+  .github/stale.yml

README.md

@@ -1,6 +1,6 @@
 # Ansible Role: Certbot (for Let's Encrypt)
 
-[![CI](https://github.com/geerlingguy/ansible-role-certbot/actions/workflows/ci.yml/badge.svg)](https://github.com/geerlingguy/ansible-role-certbot/actions/workflows/ci.yml)
+[![CI](https://github.com/geerlingguy/ansible-role-certbot/workflows/CI/badge.svg?event=push)](https://github.com/geerlingguy/ansible-role-certbot/actions?query=workflow%3ACI)
 
 Installs and configures Certbot (for Let's Encrypt).
 
@@ -20,31 +20,20 @@ Controls how Certbot is installed. Available options are 'package', 'snap', and
     certbot_auto_renew_user: "{{ ansible_user | default(lookup('env', 'USER')) }}"
     certbot_auto_renew_hour: "3"
     certbot_auto_renew_minute: "30"
-    certbot_auto_renew_options: "--quiet"
+    certbot_auto_renew_options: "--quiet --no-self-upgrade"
 
 By default, this role configures a cron job to run under the provided user account at the given hour and minute, every day. The defaults run `certbot renew` (or `certbot-auto renew`) via cron every day at 03:30:00 by the user you use in your Ansible playbook. It's preferred that you set a custom user/hour/minute so the renewal is during a low-traffic period and done by a non-root user account.
 
 ### Automatic Certificate Generation
 
-Currently the `standalone` and `webroot` method are supported for generating new certificates using this role.
+Currently there is one built-in method for generating new certificates using this role: `standalone`. Other methods (e.g. using nginx or apache and a webroot) may be added in the future.
 
 **For a complete example**: see the fully functional test playbook in [molecule/default/playbook-standalone-nginx-aws.yml](molecule/default/playbook-standalone-nginx-aws.yml).
 
     certbot_create_if_missing: false
-
-Set `certbot_create_if_missing` to `yes` or `True` to let this role generate certs. 
-
     certbot_create_method: standalone
 
-Set the method used for generating certs with the `certbot_create_method` variable — current allowed values are: `standalone` or `webroot`.
-
-    certbot_testmode: false
-
-Enable test mode to only run a test request without actually creating certificates.
-
-    certbot_hsts: false
-
-Enable (HTTP Strict Transport Security) for the certificate generation.
+Set `certbot_create_if_missing` to `yes` or `True` to let this role generate certs. Set the method used for generating certs with the `certbot_create_method` variable—current allowed values include: `standalone`.
 
     certbot_admin_email: email@example.com
 
@@ -52,18 +41,17 @@ The email address used to agree to Let's Encrypt's TOS and subscribe to cert-rel
 
     certbot_certs: []
       # - email: janedoe@example.com
-      #   webroot: "/var/www/html"
       #   domains:
       #     - example1.com
       #     - example2.com
       # - domains:
       #     - example3.com
 
-A list of domains (and other data) for which certs should be generated. You can add an `email` key to any list item to override the `certbot_admin_email`. When using the `webroot` creation method, a `webroot` item has to be provided, specifying which directory to use for the authentication. Make sure your webserver correctly delivers contents from this directory.
+A list of domains (and other data) for which certs should be generated. You can add an `email` key to any list item to override the `certbot_admin_email`.
 
     certbot_create_command: "{{ certbot_script }} certonly --standalone --noninteractive --agree-tos --email {{ cert_item.email | default(certbot_admin_email) }} -d {{ cert_item.domains | join(',') }}"
 
-The `certbot_create_command` defines the command used to generate the cert. See the full default command inside `defaults/main.yml` for a full example—and you can easily add in extra arguments that are not in the default command with the `certbot_create_extra_args` variable.
+The `certbot_create_command` defines the command used to generate the cert.
 
 #### Standalone Certificate Generation
 
@@ -82,10 +70,6 @@ Setting `certbot_install_method: snap` configures this role to install Certbot v
 
 This install method is currently experimental and may or may not work across all Linux distributions.
 
-#### Webroot Certificate Generation
-
-When using the `webroot` creation method, a `webroot` item has to be provided for every `certbot_certs` item, specifying which directory to use for the authentication. Also, make sure your webserver correctly delivers contents from this directory.
-
 ### Source Installation from Git
 
 You can install Certbot from it's Git source repository if desired with `certbot_install_method: source`. This might be useful in several cases, but especially when older distributions don't have Certbot packages available (e.g. CentOS < 7, Ubuntu < 16.10 and Debian < 8).

defaults/main.yml

@@ -4,54 +4,23 @@ certbot_auto_renew: true
 certbot_auto_renew_user: "{{ ansible_user | default(lookup('env', 'USER')) }}"
 certbot_auto_renew_hour: "3"
 certbot_auto_renew_minute: "30"
-certbot_auto_renew_options: "--quiet"
-
-certbot_testmode: false
-certbot_hsts: false
-
+certbot_auto_renew_options: "--quiet --no-self-upgrade"
 
 # Parameters used when creating new Certbot certs.
 certbot_create_if_missing: false
 certbot_create_method: standalone
-certbot_create_extra_args: ""
 certbot_admin_email: email@example.com
-certbot_expand: false
-
-# Default webroot, overwritten by individual per-cert webroot directories
-certbot_webroot: /var/www/letsencrypt
-
 certbot_certs: []
-# - name: example.com
-#   email: janedoe@example.com
-#   webroot: "/var/www/html/"
+# - email: janedoe@example.com
 #   domains:
 #     - example1.com
 #     - example2.com
 # - domains:
 #     - example3.com
-
 certbot_create_command: >-
-  {{ certbot_script }} certonly --{{ certbot_create_method  }}
-  {{ '--hsts' if certbot_hsts else '' }}
-  {{ '--test-cert' if certbot_testmode else '' }}
-  --noninteractive --agree-tos
+  {{ certbot_script }} certonly --standalone --noninteractive --agree-tos
   --email {{ cert_item.email | default(certbot_admin_email) }}
-  {{ '--expand' if certbot_expand else '' }}
-  {{ '--webroot-path ' if certbot_create_method == 'webroot'  else '' }}
-  {{ cert_item.webroot | default(certbot_webroot) if certbot_create_method == 'webroot' else '' }}
-  {{ certbot_create_extra_args }}
-  --cert-name {{ cert_item_name }}
   -d {{ cert_item.domains | join(',') }}
-  {{ '--expand' if certbot_expand else '' }}
-  {{ '--pre-hook /etc/letsencrypt/renewal-hooks/pre/stop_services'
-    if certbot_create_standalone_stop_services and certbot_create_method == 'standalone'
-  else '' }}
-  {{ '--post-hook /etc/letsencrypt/renewal-hooks/post/start_services'
-    if certbot_create_standalone_stop_services and certbot_create_method == 'standalone'
-  else '' }}
-  {{ "--deploy-hook '" ~ cert_item.deploy_hook ~ "'"
-    if 'deploy_hook' in cert_item
-  else '' }}
 
 certbot_create_standalone_stop_services:
   - nginx

meta/main.yml

@@ -7,8 +7,12 @@ galaxy_info:
   description: "Installs and configures Certbot (for Let's Encrypt)."
   company: "Midwestern Mac, LLC"
   license: "license (BSD, MIT)"
-  min_ansible_version: 2.10
+  min_ansible_version: 2.4
   platforms:
+    - name: EL
+      versions:
+        - 7
+        - 8
     - name: Fedora
       versions:
         - all

molecule/default/converge.yml

@@ -1,7 +1,7 @@
 ---
 - name: Converge
   hosts: all
-  # become: true
+  become: true
 
   vars:
     certbot_auto_renew_user: root

molecule/default/molecule.yml

@@ -1,18 +1,14 @@
 ---
-role_name_check: 1
 dependency:
   name: galaxy
-  options:
-    ignore-errors: true
 driver:
   name: docker
 platforms:
   - name: instance
-    image: "geerlingguy/docker-${MOLECULE_DISTRO:-rockylinux9}-ansible:latest"
+    image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest"
     command: ${MOLECULE_DOCKER_COMMAND:-""}
     volumes:
-      - /sys/fs/cgroup:/sys/fs/cgroup:rw
-    cgroupns_mode: host
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
     privileged: true
     pre_build_image: true
 provisioner:

molecule/default/playbook-snap-install.yml

@@ -1,7 +1,7 @@
 ---
 - name: Converge
   hosts: all
-  #become: true
+  become: true
 
   vars:
     certbot_install_method: 'snap'

molecule/default/playbook-source-install.yml

@@ -1,7 +1,7 @@
 ---
 - name: Converge
   hosts: all
-  #become: true
+  become: true
 
   vars:
     certbot_install_method: 'source'

molecule/default/playbook-standalone-nginx-aws.yml

@@ -91,8 +91,7 @@
     certbot_create_if_missing: true
     certbot_create_standalone_stop_services: []
     certbot_certs:
-      - name: certbot-test.servercheck.in
-        domains:
+      - domains:
           - certbot-test.servercheck.in
     nginx_vhosts:
       - listen: "443 ssl http2"

tasks/create-cert-standalone.yml

@@ -1,63 +1,23 @@
 ---
-- name: Determine certificate name
-  set_fact:
-    cert_item_name: "{{ cert_item.name | default(cert_item.domains | first | replace('*.', '')) }}"
-
 - name: Check if certificate already exists.
   stat:
-    path: /etc/letsencrypt/live/{{ cert_item_name }}/cert.pem
+    path: /etc/letsencrypt/live/{{ cert_item.domains | first | replace('*.', '') }}/cert.pem
   register: letsencrypt_cert
 
-- name: Ensure pre and post hook folders exist.
-  file:
-    path: /etc/letsencrypt/renewal-hooks/{{ item }}
-    state: directory
-    mode: 0755
-    owner: root
-    group: root
-  with_items:
-    - pre
-    - post
-
-- name: Create pre hook to stop services.
-  template:
-    src: stop_services.j2
-    dest: /etc/letsencrypt/renewal-hooks/pre/stop_services
-    owner: root
-    group: root
-    mode: 0750
-  when:
-    - certbot_create_standalone_stop_services is defined
-    - certbot_create_standalone_stop_services
-
-- name: Create post hook to start services.
-  template:
-    src: start_services.j2
-    dest: /etc/letsencrypt/renewal-hooks/post/start_services
-    owner: root
-    group: root
-    mode: 0750
-  when:
-    - certbot_create_standalone_stop_services is defined
-    - certbot_create_standalone_stop_services
-
-- name: Check if domains have changed
-  block:
-    - name: Register certificate domains
-      shell: "{{ certbot_script }} certificates --cert-name {{ cert_item_name }} | grep Domains | cut -d':' -f2"
-      changed_when: false
-      register: letsencrypt_cert_domains_dirty
-
-    - name: Cleanup domain list
-      set_fact:
-        letsencrypt_cert_domains: "{{ letsencrypt_cert_domains_dirty.stdout | trim | split(' ') | map('trim') | select('!=', '') | list | sort }}"
-
-    - name: Determine if domains have changed
-      set_fact:
-        letsencrypt_cert_domains_changed: "{{ letsencrypt_cert_domains != (cert_item.domains | map('trim') | select('!=', '') | list | sort) }}"
-
-  when: letsencrypt_cert.stat.exists
+- name: Stop services to allow certbot to generate a cert.
+  service:
+    name: "{{ item }}"
+    state: stopped
+  when: not letsencrypt_cert.stat.exists
+  with_items: "{{ certbot_create_standalone_stop_services }}"
 
 - name: Generate new certificate if one doesn't exist.
   command: "{{ certbot_create_command }}"
-  when: not letsencrypt_cert.stat.exists or letsencrypt_cert_domains_changed | default(false)
+  when: not letsencrypt_cert.stat.exists
+
+- name: Start services after cert has been generated.
+  service:
+    name: "{{ item }}"
+    state: started
+  when: not letsencrypt_cert.stat.exists
+  with_items: "{{ certbot_create_standalone_stop_services }}"

tasks/create-cert-webroot.yml

@@ -1,35 +0,0 @@
----
-- name: Determine certificate name
-  set_fact:
-    cert_item_name: "{{ cert_item.name | default(cert_item.domains | first | replace('*.', '')) }}"
-
-- name: Check if certificate already exists.
-  stat:
-    path: /etc/letsencrypt/live/{{ cert_item_name }}/cert.pem
-  register: letsencrypt_cert
-
-- name: Create webroot directory if it doesn't exist yet
-  file:
-    path: "{{ cert_item.webroot | default(certbot_webroot) }}"
-    state: directory
-
-- name: Check if domains have changed
-  block:
-    - name: Register certificate domains
-      shell: "{{ certbot_script }} certificates --cert-name {{ cert_item_name }} | grep Domains | cut -d':' -f2"
-      changed_when: false
-      register: letsencrypt_cert_domains_dirty
-
-    - name: Cleanup domain list
-      set_fact:
-        letsencrypt_cert_domains: "{{ letsencrypt_cert_domains_dirty.stdout | trim | split(' ') | map('trim') | select('!=', '') | list | sort }}"
-
-    - name: Determine if domains have changed
-      set_fact:
-        letsencrypt_cert_domains_changed: "{{ letsencrypt_cert_domains != (cert_item.domains | map('trim') | select('!=', '') | list | sort) }}"
-
-  when: letsencrypt_cert.stat.exists
-
-- name: Generate new certificate if one doesn't exist.
-  command: "{{ certbot_create_command }}"
-  when: not letsencrypt_cert.stat.exists or letsencrypt_cert_domains_changed | default(false)

tasks/install-with-snap.yml

@@ -9,14 +9,12 @@
   systemd:
     name: snapd.socket
     enabled: true
-    state: started
 
 - name: Enable classic snap support.
   file:
     src: /var/lib/snapd/snap
     dest: /snap
     state: link
-  when: ansible_os_family != "Debian"
 
 - name: Update snap after install.
   shell: snap install core; snap refresh core
@@ -34,7 +32,6 @@
     src: /snap/bin/certbot
     dest: /usr/bin/certbot
     state: link
-  ignore_errors: "{{ ansible_check_mode }}"
 
 - name: Set Certbot script variable.
   set_fact:

tasks/main.yml

@@ -21,13 +21,5 @@
   loop_control:
     loop_var: cert_item
 
-- include_tasks: create-cert-webroot.yml
-  with_items: "{{ certbot_certs }}"
-  when:
-    - certbot_create_if_missing
-    - certbot_create_method == 'webroot'
-  loop_control:
-    loop_var: cert_item
-
 - import_tasks: renew-cron.yml
   when: certbot_auto_renew

tasks/setup-RedHat.yml

@@ -1,11 +1,20 @@
 ---
 # See: https://github.com/geerlingguy/ansible-role-certbot/issues/107
-- name: Ensure dnf-plugins are installed on Rocky/AlmaLinux.
-  yum:
-    name: dnf-plugins-core
-    state: present
+- block:
 
-- name: Enable DNF module for Rocky/AlmaLinux.
-  shell: |
-    dnf config-manager --set-enabled crb
-  changed_when: false
+  - name: Ensure dnf-plugins are installed on CentOS 8+.
+    yum:
+      name: dnf-plugins-core
+      state: present
+
+  - name: Enable DNF module for CentOS 8+.
+    shell: |
+      dnf config-manager --set-enabled powertools
+    args:
+      warn: false
+    register: dnf_module_enable
+    changed_when: false
+
+  when:
+    - ansible_distribution == 'CentOS'
+    - ansible_distribution_major_version | int >= 8

templates/start_services.j2

@@ -1,15 +0,0 @@
-#!/bin/bash
-# {{ ansible_managed }}
-
-{% for item in certbot_create_standalone_stop_services %}
-echo "starting service {{ item }}"
-{% if ansible_service_mgr == 'systemd' %}
-systemctl start {{ item }}
-{% elif ansible_service_mgr == 'upstart' %}
-initctl start {{ item }}
-{% elif ansible_service_mgr == 'openrc' %}
-rc-service {{ item }} start
-{% else %}
-service {{ item }} start
-{% endif %}
-{% endfor %}

templates/stop_services.j2

@@ -1,15 +0,0 @@
-#!/bin/bash
-# {{ ansible_managed }}
-
-{% for item in certbot_create_standalone_stop_services %}
-echo "stopping service {{ item }}"
-{% if ansible_service_mgr == 'systemd' %}
-systemctl stop {{ item }}
-{% elif ansible_service_mgr == 'upstart' %}
-initctl stop {{ item }}
-{% elif ansible_service_mgr == 'openrc' %}
-rc-service {{ item }} stop
-{% else %}
-service {{ item }} stop
-{% endif %}
-{% endfor %}