added support to restart services and for manual letsencrypt challange

README.md

@@ -53,6 +53,9 @@ cn: ~
 
 # subject alt names (list of strings)
 san: []
+
+# services to restart if this certificate changes
+depending_services: []
 ```
 
 ### Backends
@@ -66,6 +69,7 @@ remainingdays: 28
 
 # challange type to use, can be:
 # 'dns-01': use the dns challange and a custom power dns backend
+# 'dns-01-manual': use the dns challange and manualy set the dns record
 # 'http-01: use the http challange and deploy the challanges to a webserver
 challange: dns-01
 

defaults/main.yml

@@ -14,4 +14,5 @@ certificates:
     ou: "cyber"
     cn: ~
     san: []
+    depending_services: []
   certs: {}

tasks/common_post.yml

@@ -0,0 +1,7 @@
+- name: restart depending services
+  when:
+    - certchanged
+  loop: "{{ cert.depending_services }}"
+  service:
+    name: "{{ item }}"
+    state: restarted

tasks/letsencrypt_cert.yml

@@ -1,5 +1,8 @@
 - include_tasks: common_cert.yml
 
+- set_fact:
+    external_challange_type: "{{ map_challange_type_letsencrypt[certificates.backends.letsencrypt.challange]|d(certificates.backends.letsencrypt.challange) }}"
+
 - name: "get challange for {{ certname }}"
   acme_certificate: &acmetask
     force: "{{ task_generate_csr is changed }}"
@@ -11,7 +14,7 @@
     dest: "{{ cert.certpath }}"
     fullchain_dest: "{{ cert.chainpath }}"
     remaining_days: "{{ certificates.backends.letsencrypt.remainingdays }}"
-    challenge: "{{ certificates.backends.letsencrypt.challange }}"
+    challenge: "{{ external_challange_type }}"
     deactivate_authzs: yes
   register: challenge
 
@@ -27,6 +30,21 @@
     - "{{ challenge.challenge_data[item.1]['dns-01'].record }}"
     - "{{ challenge.challenge_data[item.1]['dns-01'].resource_value }}"
 
+- name: "setup challenge server for {{ certname }} (manual dns challange)"
+  when:
+  - challenge is changed
+  - certificates.backends.letsencrypt.challange == "dns-01-manual"
+  loop: "{{ challenge.challenge_data_dns|d({})|dict2items }}"
+  debug:
+    msg: "add the following dns record: '{{ item.key }}.': { TXT: '{{ item.value[0] }}' }"
+
+- name: wait for challenges in dns (manual dns challange)
+  pause:
+    prompt: "When the relevant lines were added to dns and synced, press enter"
+  when:
+  - challenge is changed
+  - certificates.backends.letsencrypt.challange == "dns-01-manual"
+
 - name: "setup challenge server for {{ certname }} (http challange)"
   when:
   - challenge is changed
@@ -41,3 +59,8 @@
   acme_certificate:
     <<: *acmetask
     data: "{{ challenge }}"
+
+- set_fact:
+    certchanged: "{{ challenge is changed }}"
+- name: handle postflight
+  include: common_post.yml

vars/main.yml

@@ -0,0 +1,3 @@
+map_challange_type_letsencrypt:
+  'dns-01-manual': 'dns-01'
+