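---
# Obtain (or renew) a Let's Encrypt certificate for `certname` through the
# ACME v2 API, publishing the challenge on the configured backend servers.
#
# Variables read here (set by the caller / common_cert.yml — confirm there):
#   certname, cert.csrpath, cert.certpath, cert.chainpath,
#   cert_backend.challenge, cert_backend.autorenew, cert_backend.remainingdays,
#   cert_backend.challengeserver, map_challenge_type_letsencrypt,
#   letsencrypt_renewkey.public_key, task_generate_csr (registered elsewhere).
# Sets: external_challenge_type, challenge, certchanged.
- include_tasks: common_cert.yml

- name: "map configured challenge to acme challenge type for {{ certname }}"
  set_fact:
    # Unmapped values (e.g. the "-manual" variant) fall back to the configured
    # name as-is.
    external_challenge_type: "{{ map_challenge_type_letsencrypt[cert_backend.challenge]|d(cert_backend.challenge) }}"

# Step 1 of the ACME flow: request the challenge data.  The module arguments
# are anchored so the final "get certificate" task reuses them unchanged.
- name: "get challenge for {{ certname }}"
  acme_certificate: &acmetask
    # Re-request only when the CSR task reported a change
    # (task_generate_csr is presumably registered in common_cert.yml).
    force: "{{ task_generate_csr is changed }}"
    acme_version: 2
    terms_agreed: true
    acme_directory: "https://acme-v02.api.letsencrypt.org/directory"
    account_key: /etc/ssl/letsencrypt_account.key
    csr: "{{ cert.csrpath }}"
    dest: "{{ cert.certpath }}"
    fullchain_dest: "{{ cert.chainpath }}"
    remaining_days: "{{ cert_backend.remainingdays }}"
    challenge: "{{ external_challenge_type }}"
    deactivate_authzs: true
  register: challenge

# Unattended renewal is only wired up for the automated dns-01 backend.
- name: "setup autorenew for {{ certname }} (dns challenge)"
  when:
    - cert_backend.autorenew
    - cert_backend.challenge == "dns-01"
  block:
    - name: create token
      # NOTE(review): the token is a shared secret; with --diff the content
      # is printed in task output — consider `no_log: true` on this task.
      copy:
        dest: "/etc/letsencrypt/cert_{{ certname }}.token"
        # Quoted so YAML does not parse the leading-zero octal as an integer.
        mode: "0640"
        owner: root
        group: root
        # '/dev/null' makes the password lookup generate a value without
        # storing it on the controller; force: false keeps the first token
        # stable on later runs.
        content: "{{ lookup('password', '/dev/null length=128 chars=ascii_letters,digits,hexdigits') }}"
        force: false

    - name: slurp up token
      # NOTE(review): the registered content is the secret (base64) and shows
      # up at -v — consider `no_log: true`.
      slurp:
        src: "/etc/letsencrypt/cert_{{ certname }}.token"
      register: tokenfile

    - name: add renew ssh key to backend server
      delegate_to: "{{ item }}"
      loop: "{{ cert_backend.challengeserver }}"
      authorized_key:
        user: letsencrypt
        key: "{{ letsencrypt_renewkey.public_key }}"

    # One run per (backend server, challenged domain) pair.
    - name: add server token to record whitelist on backend server
      when:
        - challenge is changed
      delegate_to: "{{ item.0 }}"
      loop: "{{ cert_backend.challengeserver|product(challenge.challenge_data.keys()|list)|list }}"
      # NOTE(review): the decoded token is passed on the command line, so it
      # is visible in task output and in the process list on the backend host
      # while pdns.py runs — consider `no_log: true` here as well.
      command:
        argv:
          - "/usr/local/bin/pdns.py"
          - "add_token"
          - "--"
          - "{{ tokenfile.content | b64decode }}"
          - "{{ challenge.challenge_data[item.1]['dns-01'].record }}"

    - name: create cert renew config
      template:
        src: letsencrypt_renew_config.j2
        dest: "/etc/letsencrypt/renew_{{ certname }}.config.sh"
        mode: "0750"
        owner: root
        group: root

    - name: setup renew cronjob
      cron:
        job: "/usr/local/bin/letsencrypt_renew.sh /etc/letsencrypt/renew_{{ certname }}.config.sh"
        name: "letsencrypt: renew {{ certname }}"
        # Seeded so each host/cert gets a fixed, spread-out slot across runs.
        hour: "{{ 23 | random(seed=inventory_hostname + certname + 'renew') }}"
        minute: "{{ 59 | random(seed=inventory_hostname + certname + 'renew') }}"

# Step 2: publish the challenge, one task per supported challenge type.
- name: "setup challenge server for {{ certname }} (dns challenge)"
  when:
    - challenge is changed
    - cert_backend.challenge == "dns-01"
  delegate_to: "{{ item.0 }}"
  loop: "{{ cert_backend.challengeserver|product(challenge.challenge_data.keys()|list)|list }}"
  command:
    argv:
      - "/usr/local/bin/pdns.py"
      - "add_challenge"
      - "--"
      - "{{ challenge.challenge_data[item.1]['dns-01'].record }}"
      - "{{ challenge.challenge_data[item.1]['dns-01'].resource_value }}"

- name: "setup challenge server for {{ certname }} (manual dns challenge)"
  when:
    - challenge is changed
    - cert_backend.challenge == "dns-01-manual"
  loop: "{{ challenge.challenge_data_dns|d({})|dict2items }}"
  debug:
    msg: "add the following dns record: '{{ item.key }}.': { TXT: {{ item.value }} }"

- name: wait for challenges in dns (manual dns challenge)
  when:
    - challenge is changed
    - cert_backend.challenge == "dns-01-manual"
  pause:
    prompt: "When the relevant lines were added to dns and synced, press enter"

- name: "setup challenge server for {{ certname }} (http challenge)"
  when:
    - challenge is changed
    - cert_backend.challenge == "http-01"
  delegate_to: "{{ item.0 }}"
  loop: "{{ cert_backend.challengeserver|product(challenge.challenge_data.keys()|list)|list }}"
  copy:
    dest: "/var/www/letsencrypt/{{ challenge.challenge_data[item.1]['http-01'].resource | basename }}"
    content: "{{ challenge.challenge_data[item.1]['http-01'].resource_value }}"
    # NOTE(review): 0666 leaves the challenge file world-writable in the web
    # root; 0644 is normally enough for the web server to serve it — confirm
    # no other local user needs to overwrite it before tightening.
    mode: "0666"

# Step 3: hand the (now satisfied) challenge data back to finish issuance.
- name: "get certificate {{ certname }}"
  acme_certificate:
    <<: *acmetask
    data: "{{ challenge }}"

- name: "record whether {{ certname }} was (re)issued"
  set_fact:
    certchanged: "{{ challenge is changed }}"

- name: handle postflight
  # `include` is deprecated; include_tasks matches the first task of the file.
  include_tasks: common_post.yml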