add support to autrenew letsencrypt certificates, still testing
This commit is contained in:
nd
parent
12895a364f
commit
0e0c634e37
9 changed files with 179 additions and 23 deletions
|
|
@ -1,9 +1,9 @@
|
|||
- include_tasks: common_cert.yml
|
||||
|
||||
- set_fact:
|
||||
external_challange_type: "{{ map_challange_type_letsencrypt[cert_backend.challange]|d(cert_backend.challange) }}"
|
||||
external_challenge_type: "{{ map_challenge_type_letsencrypt[cert_backend.challenge]|d(cert_backend.challenge) }}"
|
||||
|
||||
- name: "get challange for {{ certname }}"
|
||||
- name: "get challenge for {{ certname }}"
|
||||
acme_certificate: &acmetask
|
||||
force: "{{ task_generate_csr is changed }}"
|
||||
acme_version: 2
|
||||
|
|
@ -14,43 +14,94 @@
|
|||
dest: "{{ cert.certpath }}"
|
||||
fullchain_dest: "{{ cert.chainpath }}"
|
||||
remaining_days: "{{ cert_backend.remainingdays }}"
|
||||
challenge: "{{ external_challange_type }}"
|
||||
challenge: "{{ external_challenge_type }}"
|
||||
deactivate_authzs: yes
|
||||
register: challenge
|
||||
|
||||
- name: "setup challenge server for {{ certname }} (dns challange)"
|
||||
- name: "setup autorenew for {{ certname }} (dns challenge)"
|
||||
when:
|
||||
- cert_backend.autorenew
|
||||
- cert_backend.challenge == "dns-01"
|
||||
block:
|
||||
- name: create token
|
||||
copy:
|
||||
dest: "/etc/letsencrypt/cert_{{ certname }}.token"
|
||||
mode: 0640
|
||||
owner: root
|
||||
group: root
|
||||
content: "{{ lookup('password', '/dev/null length=128 chars=ascii_letters,digits,hexdigits') }}"
|
||||
force: no
|
||||
- name: slurp up token
|
||||
slurp:
|
||||
src: "/etc/letsencrypt/cert_{{ certname }}.token"
|
||||
register: tokenfile
|
||||
- name: add renew ssh key to backend server
|
||||
delegate_to: "{{ item }}"
|
||||
loop: "{{ cert_backend.challengeserver }}"
|
||||
authorized_key:
|
||||
user: letsencrypt
|
||||
key: "{{ letsencrypt_renewkey.public_key }}"
|
||||
- name: add server token to record whitelist on backend server
|
||||
when:
|
||||
- challenge is changed
|
||||
delegate_to: "{{ item.0 }}"
|
||||
loop: "{{ cert_backend.challengeserver|product(challenge.challenge_data.keys()|list)|list }}"
|
||||
command:
|
||||
argv:
|
||||
- "/usr/local/bin/pdns.py"
|
||||
- "add_token"
|
||||
- "--"
|
||||
- "{{ tokenfile.content | b64decode }}"
|
||||
- "{{ challenge.challenge_data[item.1]['dns-01'].record }}"
|
||||
- name: create cert renew config
|
||||
template:
|
||||
src: letsencrypt_renew_config.j2
|
||||
dest: "/etc/letsencrypt/renew_{{ certname }}.config.sh"
|
||||
mode: 0750
|
||||
owner: root
|
||||
group: root
|
||||
- name: setup renew cronjob
|
||||
cron:
|
||||
job: "/usr/local/bin/letsencrypt_renew.sh /etc/letsencrypt/renew_{{ certname }}.config.sh"
|
||||
name: "letsencrypt: renew {{ certname }}"
|
||||
hour: "{{ 23 | random(seed=inventory_hostname + certname + 'renew') }}"
|
||||
minute: "{{ 59 | random(seed=inventory_hostname + certname + 'renew') }}"
|
||||
|
||||
- name: "setup challenge server for {{ certname }} (dns challenge)"
|
||||
when:
|
||||
- challenge is changed
|
||||
- cert_backend.challange == "dns-01"
|
||||
- cert_backend.challenge == "dns-01"
|
||||
delegate_to: "{{ item.0 }}"
|
||||
loop: "{{ cert_backend.challangeserver|product(challenge.challenge_data.keys()|list)|list }}"
|
||||
loop: "{{ cert_backend.challengeserver|product(challenge.challenge_data.keys()|list)|list }}"
|
||||
command:
|
||||
argv:
|
||||
- "/usr/local/bin/pdns.py"
|
||||
- "add_challenge"
|
||||
- "--"
|
||||
- "{{ challenge.challenge_data[item.1]['dns-01'].record }}"
|
||||
- "{{ challenge.challenge_data[item.1]['dns-01'].resource_value }}"
|
||||
|
||||
- name: "setup challenge server for {{ certname }} (manual dns challange)"
|
||||
- name: "setup challenge server for {{ certname }} (manual dns challenge)"
|
||||
when:
|
||||
- challenge is changed
|
||||
- cert_backend.challange == "dns-01-manual"
|
||||
- cert_backend.challenge == "dns-01-manual"
|
||||
loop: "{{ challenge.challenge_data_dns|d({})|dict2items }}"
|
||||
debug:
|
||||
msg: "add the following dns record: '{{ item.key }}.': { TXT: {{ item.value }} }"
|
||||
|
||||
- name: wait for challenges in dns (manual dns challange)
|
||||
- name: wait for challenges in dns (manual dns challenge)
|
||||
pause:
|
||||
prompt: "When the relevant lines were added to dns and synced, press enter"
|
||||
when:
|
||||
- challenge is changed
|
||||
- cert_backend.challange == "dns-01-manual"
|
||||
- cert_backend.challenge == "dns-01-manual"
|
||||
|
||||
- name: "setup challenge server for {{ certname }} (http challange)"
|
||||
- name: "setup challenge server for {{ certname }} (http challenge)"
|
||||
when:
|
||||
- challenge is changed
|
||||
- cert_backend.challange == "http-01"
|
||||
- cert_backend.challenge == "http-01"
|
||||
delegate_to: "{{ item.0 }}"
|
||||
loop: "{{ cert_backend.challangeserver|product(challenge.challenge_data.keys()|list)|list }}"
|
||||
loop: "{{ cert_backend.challengeserver|product(challenge.challenge_data.keys()|list)|list }}"
|
||||
copy:
|
||||
dest: "/var/www/letsencrypt/{{ challenge.challenge_data[item.1]['http-01'].resource | basename }}"
|
||||
content: "{{ challenge.challenge_data[item.1]['http-01'].resource_value }}"
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue