ansible-role-certificates/tasks/letsencrypt_cert.yml

- include_tasks: common_cert.yml

- name: store challenge type
  set_fact:
    external_challenge_type: "{{ map_challenge_type_letsencrypt[cert_backend.challenge]|d(cert_backend.challenge) }}"

- name: "get challenge for {{ certname }}"
  acme_certificate: &acmetask
    force: "{{ task_generate_csr is changed }}"
    acme_version: 2
    terms_agreed: yes
    acme_directory: "https://acme-v02.api.letsencrypt.org/directory"
    account_key: /etc/ssl/letsencrypt_account.key
    csr: "{{ cert.csrpath }}"
    dest: "{{ cert.certpath }}"
    fullchain_dest: "{{ cert.chainpath }}"
    remaining_days: "{{ cert_backend.remainingdays }}"
    challenge: "{{ external_challenge_type }}"
    deactivate_authzs: yes
  register: challenge

- name: "setup autorenew for {{ certname }} (dns challenge)"
  when:
  - cert_backend.autorenew
  - cert_backend.challenge == "dns-01"
  block:
  - name: create token
    copy:
      dest: "/etc/letsencrypt/cert_{{ certname }}.token"
      mode: 0640
      owner: root
      group: root
      content: "{{ lookup('password', '/dev/null length=128 chars=ascii_letters,digits,hexdigits') }}"
      force: no
  - name: slurp up token
    slurp:
      src: "/etc/letsencrypt/cert_{{ certname }}.token"
    register: tokenfile
  - name: add renew ssh key to backend server
    delegate_to: "{{ challengeserver }}"
    loop: "{{ cert_backend.challengeserver }}"
    loop_control:
      loop_var: challengeserver
    authorized_key:
      user: letsencrypt
      key: "{{ letsencrypt_renewkey.public_key }}"
      comment: "{{ inventory_hostname }}"
    when: not ansible_check_mode
  - name: add server token to record whitelist on backend server
    when:
    - challenge is changed
    delegate_to: "{{ serverchallengepair.0 }}"
    loop: "{{ cert_backend.challengeserver|product(challenge.challenge_data.keys()|list)|list }}"
    loop_control:
      loop_var: serverchallengepair
    command:
      argv:
      - "/usr/local/bin/pdns.py"
      - "add_token"
      - "--"
      - "{{ tokenfile.content | b64decode }}"
      - "{{ challenge.challenge_data[serverchallengepair.1]['dns-01'].record }}"
  - name: create cert renew config
    template:
      src: letsencrypt_renew_config.j2
      dest: "/etc/letsencrypt/renew_{{ certname }}.config.sh"
      mode: 0750
      owner: root
      group: root
  - name: setup renew cronjob
    cron:
      job: "/usr/local/bin/letsencrypt_renew.sh /etc/letsencrypt/renew_{{ certname }}.config.sh"
      name: "letsencrypt: renew {{ certname }}"
      hour: "{{ 23 | random(seed=inventory_hostname + certname + 'renew') }}"
      minute: "{{ 59 | random(seed=inventory_hostname + certname + 'renew') }}"
      day: "*/3"

- name: "setup challenge server for {{ certname }} (dns challenge)"
  when:
  - challenge is changed # noqa no-handler
  - cert_backend.challenge == "dns-01"
  delegate_to: "{{ serverchallengepair.0 }}"
  loop: "{{ cert_backend.challengeserver|product(challenge.challenge_data.keys()|list)|list }}"
  loop_control:
    loop_var: serverchallengepair
  command:
    argv:
    - "/usr/local/bin/pdns.py"
    - "add_challenge"
    - "--"
    - "{{ challenge.challenge_data[serverchallengepair.1]['dns-01'].record }}"
    - "{{ challenge.challenge_data[serverchallengepair.1]['dns-01'].resource_value }}"

- name: "setup challenge server for {{ certname }} (manual dns challenge)"
  when:
  - challenge is changed # noqa no-handler
  - cert_backend.challenge == "dns-01-manual"
  loop: "{{ challenge.challenge_data_dns|d({})|dict2items }}"
  loop_control:
    loop_var: challengedata
  debug:
    msg: "add the following dns record: '{{ challengedata.key }}.': { TXT: {{ challengedata.value }} }"

- name: wait for challenges in dns (manual dns challenge)
  pause:
    prompt: "When the relevant lines were added to dns and synced, press enter"
  when:
  - challenge is changed # noqa no-handler
  - cert_backend.challenge == "dns-01-manual"

- name: "setup challenge server for {{ certname }} (http challenge)"
  when:
  - challenge is changed # noqa no-handler
  - cert_backend.challenge == "http-01"
  delegate_to: "{{ serverchallengepair.0 }}"
  loop: "{{ cert_backend.challengeserver|product(challenge.challenge_data.keys()|list)|list }}"
  loop_control:
    loop_var: serverchallengepair
  copy:
    dest: "/var/www/letsencrypt/{{ challenge.challenge_data[serverchallengepair.1]['http-01'].resource | basename }}"
    content: "{{ challenge.challenge_data[serverchallengepair.1]['http-01'].resource_value }}"
    mode: 0666

- name: "get certificate {{ certname }}"
  acme_certificate:
    <<: *acmetask
    data: "{{ challenge }}"

- name: store if the cert was changed
  set_fact:
    certchanged: "{{ challenge is changed }}"
- name: handle postflight
  include_tasks: common_post.yml