infra/ansible-role-certificates
4
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

added support to restart services and for manual letsencrypt challange

Browse source
This commit is contained in:
nd 2020-04-18 12:27:27 +02:00
parent 819293f8fd
commit abb03d4435
No known key found for this signature in database
GPG key ID: 21B5CD4DEE3670E9
5 changed files with 39 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

4
README.md
View file

@ -53,6 +53,9 @@ cn: ~
# subject alt names (list of strings) # subject alt names (list of strings)
san: [] san: []
# services to restart if this certificate changes
depending_services: []
``` ```
### Backends ### Backends
@ -66,6 +69,7 @@ remainingdays: 28
# challange type to use, can be: # challange type to use, can be:
# 'dns-01': use the dns challange and a custom power dns backend # 'dns-01': use the dns challange and a custom power dns backend
# 'dns-01-manual': use the dns challange and manualy set the dns record
# 'http-01: use the http challange and deploy the challanges to a webserver # 'http-01: use the http challange and deploy the challanges to a webserver
challange: dns-01 challange: dns-01

1
defaults/main.yml
View file

@ -14,4 +14,5 @@ certificates:
ou: "cyber" ou: "cyber"
cn: ~ cn: ~
san: [] san: []
depending_services: []
certs: {} certs: {}

7
tasks/common_post.yml Normal file
View file

@ -0,0 +1,7 @@
- name: restart depending services
when:
- certchanged
loop: "{{ cert.depending_services }}"
service:
name: "{{ item }}"
state: restarted

25
tasks/letsencrypt_cert.yml
View file

@ -1,5 +1,8 @@
- include_tasks: common_cert.yml - include_tasks: common_cert.yml
- set_fact:
external_challange_type: "{{ map_challange_type_letsencrypt[certificates.backends.letsencrypt.challange]|d(certificates.backends.letsencrypt.challange) }}"
- name: "get challange for {{ certname }}" - name: "get challange for {{ certname }}"
acme_certificate: &acmetask acme_certificate: &acmetask
force: "{{ task_generate_csr is changed }}" force: "{{ task_generate_csr is changed }}"
@ -11,7 +14,7 @@
dest: "{{ cert.certpath }}" dest: "{{ cert.certpath }}"
fullchain_dest: "{{ cert.chainpath }}" fullchain_dest: "{{ cert.chainpath }}"
remaining_days: "{{ certificates.backends.letsencrypt.remainingdays }}" remaining_days: "{{ certificates.backends.letsencrypt.remainingdays }}"
challenge: "{{ certificates.backends.letsencrypt.challange }}" challenge: "{{ external_challange_type }}"
deactivate_authzs: yes deactivate_authzs: yes
register: challenge register: challenge
@ -27,6 +30,21 @@
- "{{ challenge.challenge_data[item.1]['dns-01'].record }}" - "{{ challenge.challenge_data[item.1]['dns-01'].record }}"
- "{{ challenge.challenge_data[item.1]['dns-01'].resource_value }}" - "{{ challenge.challenge_data[item.1]['dns-01'].resource_value }}"
- name: "setup challenge server for {{ certname }} (manual dns challange)"
when:
- challenge is changed
- certificates.backends.letsencrypt.challange == "dns-01-manual"
loop: "{{ challenge.challenge_data_dns|d({})|dict2items }}"
debug:
msg: "add the following dns record: '{{ item.key }}.': { TXT: '{{ item.value[0] }}' }"
- name: wait for challenges in dns (manual dns challange)
pause:
prompt: "When the relevant lines were added to dns and synced, press enter"
when:
- challenge is changed
- certificates.backends.letsencrypt.challange == "dns-01-manual"
- name: "setup challenge server for {{ certname }} (http challange)" - name: "setup challenge server for {{ certname }} (http challange)"
when: when:
- challenge is changed - challenge is changed
@ -41,3 +59,8 @@
acme_certificate: acme_certificate:
<<: *acmetask <<: *acmetask
data: "{{ challenge }}" data: "{{ challenge }}"
- set_fact:
certchanged: "{{ challenge is changed }}"
- name: handle postflight
include: common_post.yml

3
vars/main.yml Normal file
View file

@ -0,0 +1,3 @@
map_challange_type_letsencrypt:
'dns-01-manual': 'dns-01'