Convert role to use snapd version of letsencrypt (#8)
* Let the role survive check mode

* Replace all old versions of certbot/certbot-auto with snapd version

* Remove obsolete flag

* Update meta

* Remove symlinks; snap doesn't recognize 'certbot-auto' as a valid app name

* Stop breaking mode on this dir; groups still need read/list, and new files should inherit group
dale-c-anderson authored May 6, 2021
1 parent a4de1d2 commit 24b2577
Showing 6 changed files with 30 additions and 63 deletions.
11 changes: 4 additions & 7 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,15 +1,16 @@
# Ansible role: letsencrypt

For use on shared hosting servers. The role:
- Installs LetsEncrypt,
- Installs certbot from LetsEncrypt (snapd version),
- Makes a `/.well-known/acme-challenge` virtual directory available to all virtual hosts on the server (including the default site), so all sites can regsiter and renew LE SSL certificates,
- Overwrites the default site config (after backing up the original), so it can be served with a valid LetsEncrypt certificate instead of the default snakeoil certificate.

As an added bonus, after this role is installed, you won't need to create new virtual hosts to register new LetsEncrypt certificates. Since the default site acts as a catch-all, as long as DNS points at your server, you can register a certificate for that name.

## Requirements

- (NGINX or Apache 2) on (Ubuntu >= 14.04 or CentOS/RedHat >= 6)
- Snapd + core must already be working
- (NGINX or Apache 2) on (Ubuntu >= 16.04 or CentOS/RedHat >= 7)
- Working DNS: The cert name you're registering must resolve to the machine you're registering the cert from
- A working fully qualified host name: If `hostname -f` on the machine doesn't correctly resolve to the machine from the outside world, you need to either fix it, or override it with one that does resolve with `default_site_fqdn` from your playbook instead.

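Review bot: the unchanged line "so all sites can regsiter and renew LE SSL certificates" still carries the "regsiter" typo; since this hunk already rewrites the surrounding bullets, fix it to "register" here. Also, "Snapd + core must already be working" is the only place the new snap prerequisite is stated, and none of the six changed files adds a task that installs snapd, so consider spelling out the one-time `snap install core` step the operator has to do before running the role, on EL hosts as well as Ubuntu.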
Expand All @@ -31,14 +32,10 @@ As an added bonus, after this role is installed, you won't need to create new vi

Control what time the server attempts LE certificate renewal. These default to `5`, `7`, and `*`, respectively (ie. 7:05 AM daily, local server time).

- **letsencrypt_install_certbot_from_ppa**

Defaults to `false`, is only relevant to Debian/Ubuntu servers, and only exists here for legacy/compatibility purposes. Normally, installation of the self-updating script (the default behaviour) is the best choice in all scenarios.


## Dependencies

None
- [acromedia.nginx](https://github.com/AcroMedia/ansible-role-nginx)

## Example Playbook

5 changes: 3 additions & 2 deletions meta/main.yml
Expand Up @@ -4,15 +4,16 @@ galaxy_info:
description: Prepares Letsencrypt for use on shared hosting servers
company: Acro Media Inc.
license: GPLv3
min_ansible_version: 2.0
min_ansible_version: 2.9
platforms:
- name: Ubuntu
versions:
- xenial
- bionic
- focal
- name: EL
versions:
- 6
- 7
- 8
galaxy_tags: []
dependencies: []
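Review bot: `dependencies: []` is kept while the README hunk in this commit adds `acromedia.nginx` as a dependency; the two should agree. Separately, the new `snap:` task in `tasks/main.yml` runs unconditionally, so keeping EL 7 and 8 under `platforms:` implies snapd is expected on those hosts too; the README requirement should say so, or the EL entries should be dropped until that path is tested.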
2 changes: 1 addition & 1 deletion tasks/apache.yml
Expand Up @@ -85,7 +85,7 @@
minute: "{{ letsencrypt_renew_cron_minute }}"
day: "{{ letsencrypt_renew_cron_day }}"
hour: "{{ letsencrypt_renew_cron_hour }}"
job: "/usr/local/bin/certbot-auto renew --quiet --no-self-upgrade --webroot-path {{ letsencrypt_webroot }} && /usr/sbin/apachectl configtest 2>&1 | /bin/grep -v 'Syntax OK' || {{ service_binary }} {{ apache2_name }} reload"
job: "/snap/bin/certbot renew --quiet --webroot-path {{ letsencrypt_webroot }} && /usr/sbin/apachectl configtest 2>&1 | /bin/grep -v 'Syntax OK' || {{ service_binary }} {{ apache2_name }} reload"
when: ansible_os_family == 'Debian'
tags:
- letsencrypt_cron
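Review bot: the shell precedence in the new `job:` line still lets a failed renewal reload Apache: `a && b | c || d` parses as `(a && (b | c)) || d`, so when `/snap/bin/certbot renew` exits non-zero the `&&` short-circuits and `||` runs the reload anyway, and `--quiet` hides the reason. The cleaner shape is `/snap/bin/certbot renew --quiet --webroot-path {{ letsencrypt_webroot }} --deploy-hook "{{ service_binary }} {{ apache2_name }} reload"`, which reloads only when a certificate was actually issued. Note also that the certbot snap installs its own `snap.certbot.renew.timer`, so this cron entry is now a second renewal attempt per day; keeping it is fine for the reload, but the README should mention the duplication.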
72 changes: 20 additions & 52 deletions tasks/main.yml
Expand Up @@ -23,24 +23,6 @@
line: pong
create: yes

- block:
- name: Install Certbot PPA on U18
apt_repository:
repo: ppa:certbot/certbot
state: present
- name: Install LetsEncrypt on U18
apt:
name: letsencrypt
state: present
update_cache: true
- name: Create symlink to old certbot path for AAW's benefit
file:
state: link
src: /usr/bin/certbot
dest: /usr/local/bin/certbot-auto
when: ansible_distribution == 'Ubuntu'
and letsencrypt_install_certbot_from_ppa == true

- block:
- name: Remove obsolete PPA version of letsencrypt
apt:
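Review bot: the commit message says "Remove obsolete flag", but `defaults/main.yml` is not among the six changed files, so `letsencrypt_install_certbot_from_ppa` most likely still exists as a default even though this hunk removes its only consumer. Remove it from defaults in the same change (the README hunk already drops its documentation) so playbooks that set it get a clear failure instead of a silently ignored variable.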
Expand All @@ -57,53 +39,39 @@
state: absent
update_cache: true

- name: Remove certbot-auto when it's a symlink
shell: if [ -h /usr/local/bin/certbot-auto ] ; then rm -v /usr/local/bin/certbot-auto; else true; fi
register: rm_certbot_link_result
changed_when: "rm_certbot_link_result is defined
and rm_certbot_link_result.stdout is defined
and 'removed' in rm_certbot_link_result.stdout"

- name: Purge obsolete certbot virtual environment
shell: rm -rf /opt/eff.org
when: rm_certbot_link_result is defined
and rm_certbot_link_result.changed
file:
state: absent
path: /opt/eff.org/certbot

when: ansible_distribution == 'Ubuntu'
and letsencrypt_install_certbot_from_ppa == false

- name: Check if certbot-auto exists
stat: path=/usr/local/bin/certbot-auto
register: certbot_auto_file

- name: Download certbot-auto if it doesn't exist
get_url:
url: https://dl.eff.org/certbot-auto
# checksum="sha256:0103972f4d42704ff70ac855b502718fadf161925eaa7da16455fa55737c8887"
- name: Remove old "certbot-auto" scripts or symlinks; it won't work any more. The new snap version is just a symlink to the snap binary, and the name "certbot-auto" won't be recognized as a valid app. Legacy apps will need to call certbot instead.
file:
dest: /usr/local/bin/certbot-auto
mode: 0755
state: absent

- name: Remove old "certbot" script or symlink, just in case it wasn't removed by apt.
file:
dest: /usr/bin/certbot
state: absent

- name: Install certbot snap package
snap:
name: certbot
classic: true
notify: "restart {{ letsencrypt_webserver }}"
when: certbot_auto_file.stat.exists == false

- name: Automatically update certbot-auto once a month with cron on Ubuntu
- name: Remove old certbot-update job. Snaps update automatically.
cron:
state: absent
name: "Update certbot-auto once a month"
minute: "0"
hour: "0"
day: "1"
# The sed commands after the certbot script keep this job quiet when there is no upgrade and there are no errors.
job: >
/usr/local/bin/certbot-auto --version 2>&1 | /bin/sed -r 's/^certbot ([0-9]+)(\.[0-9]+)+$//' |/bin/sed '/^\s*$/d'
tags:
- letsencrypt_cron
when: ansible_distribution == 'Ubuntu'
and letsencrypt_install_certbot_from_ppa == false

- name: Create a destination for dhparams
file:
path: "/usr/local/ssl/private"
state: directory
mode: 0700
mode: "2750"

- name: Create dhparams.pem (can take several minutes)
shell: umask 077 && openssl dhparam -out /usr/local/ssl/private/dhparams.pem 2048
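Review bot: `mode: "2750"` on `/usr/local/ssl/private` is set without a `group:`, so the setgid bit will inherit whatever group the directory already has (root on a fresh host) and the "groups still need read/list" goal from the commit message is not actually achieved; add `group: <the group that must read dhparams>` to the same `file:` task. Two smaller leftovers in this hunk: `mode: 0755` sits under the new `file: ... state: absent` task for `/usr/local/bin/certbot-auto`, where it is ignored and only confuses readers (it is unchanged context from the removed `get_url`), and the `cron: state: absent` task for "Update certbot-auto once a month" still carries `minute`/`hour`/`day`/`job`, which the cron module does not use for removal; both can be dropped.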
Expand All @@ -119,7 +87,7 @@
- name: Compose the certbot command string for the default site cert
set_fact:
certbot_command_string: >-
/usr/local/bin/certbot-auto certonly
/snap/bin/certbot certonly
--non-interactive
--agree-tos
--email {{ default_mail_recipient }}
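Review bot: `/snap/bin/certbot` is now hardcoded here and in the cron jobs in `tasks/apache.yml` and `tasks/nginx.yml`; a single variable in defaults (for example a hypothetical `letsencrypt_certbot_bin`, not a name this role defines) would keep the three in step and make a future path change a one-line edit.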
2 changes: 1 addition & 1 deletion tasks/nginx.yml
Expand Up @@ -49,6 +49,6 @@
minute: "{{ letsencrypt_renew_cron_minute }}"
day: "{{ letsencrypt_renew_cron_day }}"
hour: "{{ letsencrypt_renew_cron_hour }}"
job: "/usr/local/bin/certbot-auto renew --quiet --no-self-upgrade --webroot-path {{ letsencrypt_webroot }} && /usr/sbin/nginx -tq && {{ service_binary }} nginx reload > /dev/null"
job: "/snap/bin/certbot renew --quiet --webroot-path {{ letsencrypt_webroot }} && /usr/sbin/nginx -tq && {{ service_binary }} nginx reload > /dev/null"
tags:
- letsencrypt_cron
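Review bot: this `job:` reloads nginx every day regardless of whether `certbot renew` actually renewed anything, since `nginx -tq && reload` runs on every successful no-op renewal; `--deploy-hook "{{ service_binary }} nginx reload"` restricts the reload to real renewals and keeps `nginx -tq` out of a daily cron. The same note as for `tasks/apache.yml` applies: the certbot snap's own renew timer already runs alongside this entry.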
1 change: 1 addition & 0 deletions tasks/nginx_default_ssl.yml
Expand Up @@ -6,3 +6,4 @@
backup: yes
notify: reload nginx
when: default_cert_retest.rc == 0
ignore_errors: "{{ ansible_check_mode }}"

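Review bot: `ignore_errors: "{{ ansible_check_mode }}"` masks every failure of this task in check mode, not just the one caused by `default_cert_retest.rc` being undefined when the registering command is skipped. A narrower fix is to mark the read-only retest command `check_mode: false` so it runs and registers a real `rc` during `--check`, and to write the condition as `default_cert_retest.rc | default(1) == 0`; then real template or notify errors still surface in check mode.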