diff --git a/README.md b/README.md index a516ccb..024c365 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ # Ansible role: letsencrypt For use on shared hosting servers. The role: -- Installs LetsEncrypt, +- Installs certbot from LetsEncrypt (snapd version), - Makes a `/.well-known/acme-challenge` virtual directory available to all virtual hosts on the server (including the default site), so all sites can regsiter and renew LE SSL certificates, - Overwrites the default site config (after backing up the original), so it can be served with a valid LetsEncrypt certificate instead of the default snakeoil certificate. @@ -9,7 +9,8 @@ As an added bonus, after this role is installed, you won't need to create new vi ## Requirements -- (NGINX or Apache 2) on (Ubuntu >= 14.04 or CentOS/RedHat >= 6) +- Snapd + core must already be working +- (NGINX or Apache 2) on (Ubuntu >= 16.04 or CentOS/RedHat >= 7) - Working DNS: The cert name you're registering must resolve to the machine you're registering the cert from - A working fully qualified host name: If `hostname -f` on the machine doesn't correctly resolve to the machine from the outside world, you need to either fix it, or override it with one that does resolve with `default_site_fqdn` from your playbook instead. @@ -31,14 +32,10 @@ As an added bonus, after this role is installed, you won't need to create new vi Control what time the server attempts LE certificate renewal. These default to `5`, `7`, and `*`, respectively (ie. 7:05 AM daily, local server time). -- **letsencrypt_install_certbot_from_ppa** - - Defaults to `false`, is only relevant to Debian/Ubuntu servers, and only exists here for legacy/compatibility purposes. Normally, installation of the self-updating script (the default behaviour) is the best choice in all scenarios. - ## Dependencies -None +- [acromedia.nginx](https://github.com/AcroMedia/ansible-role-nginx) ## Example Playbook diff --git a/meta/main.yml b/meta/main.yml index bf8b579..b05d767 100644 
--- a/meta/main.yml +++ b/meta/main.yml @@ -4,15 +4,16 @@ galaxy_info: description: Prepares Letsencrypt for use on shared hosting servers company: Acro Media Inc. license: GPLv3 - min_ansible_version: 2.0 + min_ansible_version: 2.9 platforms: - name: Ubuntu versions: - xenial - bionic + - focal - name: EL versions: - - 6 - 7 + - 8 galaxy_tags: [] dependencies: [] diff --git a/tasks/apache.yml b/tasks/apache.yml index b11d378..67b9b68 100644 --- a/tasks/apache.yml +++ b/tasks/apache.yml @@ -85,7 +85,7 @@ minute: "{{ letsencrypt_renew_cron_minute }}" day: "{{ letsencrypt_renew_cron_day }}" hour: "{{ letsencrypt_renew_cron_hour }}" - job: "/usr/local/bin/certbot-auto renew --quiet --no-self-upgrade --webroot-path {{ letsencrypt_webroot }} && /usr/sbin/apachectl configtest 2>&1 | /bin/grep -v 'Syntax OK' || {{ service_binary }} {{ apache2_name }} reload" + job: "/snap/bin/certbot renew --quiet --webroot-path {{ letsencrypt_webroot }} && /usr/sbin/apachectl configtest 2>&1 | /bin/grep -v 'Syntax OK' || {{ service_binary }} {{ apache2_name }} reload" when: ansible_os_family == 'Debian' tags: - letsencrypt_cron diff --git a/tasks/main.yml b/tasks/main.yml index 50a1f9f..fe11ae1 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -23,24 +23,6 @@ line: pong create: yes -- block: - - name: Install Certbot PPA on U18 - apt_repository: - repo: ppa:certbot/certbot - state: present - - name: Install LetsEncrypt on U18 - apt: - name: letsencrypt - state: present - update_cache: true - - name: Create symlink to old certbot path for AAW's benefit - file: - state: link - src: /usr/bin/certbot - dest: /usr/local/bin/certbot-auto - when: ansible_distribution == 'Ubuntu' - and letsencrypt_install_certbot_from_ppa == true - - block: - name: Remove obsolete PPA version of letsencrypt apt: 
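Review bot: `dependencies: []` on the last context line of this hunk now disagrees with the README changed in the same commit, which lists acromedia.nginx under Dependencies. tasks/apache.yml in this diff shows the role also targets Apache hosts, so a hard Galaxy dependency on the nginx role would be wrong there; the README should probably state that an already-configured webserver (nginx or Apache 2) is expected rather than naming a role dependency, or meta should carry the dependency and README/meta should at least agree. Note also that EL 8 is added here while the snapd requirement in the README is not checked anywhere in the tasks, so a short pre-flight task that fails early when `snap` is absent would turn an obscure module error into a clear one.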
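Review bot: The rewritten `job:` line keeps the `a && b | grep -v 'Syntax OK' || reload` shape, and because `||` binds last, a non-zero exit from `certbot renew` (failed challenge, rate limit, snap not mounted) falls through to the reload branch, so the webserver is reloaded on every certbot failure; with `--quiet` the only trace is whatever certbot prints to stderr. Grouping the configtest/reload pair so it only runs after a successful renewal keeps the intent: `job: "/snap/bin/certbot renew --quiet --webroot-path {{ letsencrypt_webroot }} && { /usr/sbin/apachectl configtest 2>&1 | /bin/grep -v 'Syntax OK' || {{ service_binary }} {{ apache2_name }} reload; }"`. As far as I know the certbot snap also ships its own renewal timer, so this daily cron job likely duplicates renewal attempts; if that is confirmed, a `--deploy-hook` that reloads the webserver would replace the cron entry entirely. The same line and the same precedence issue appear in tasks/nginx.yml in this diff.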
@@ -57,53 +39,39 @@ state: absent update_cache: true - - name: Remove certbot-auto when it's a symlink - shell: if [ -h /usr/local/bin/certbot-auto ] ; then rm -v /usr/local/bin/certbot-auto; else true; fi - register: rm_certbot_link_result - changed_when: "rm_certbot_link_result is defined - and rm_certbot_link_result.stdout is defined - and 'removed' in rm_certbot_link_result.stdout" - - name: Purge obsolete certbot virtual environment - shell: rm -rf /opt/eff.org - when: rm_certbot_link_result is defined - and rm_certbot_link_result.changed + file: + state: absent + path: /opt/eff.org/certbot when: ansible_distribution == 'Ubuntu' - and letsencrypt_install_certbot_from_ppa == false -- name: Check if certbot-auto exists - stat: path=/usr/local/bin/certbot-auto - register: certbot_auto_file - -- name: Download certbot-auto if it doesn't exist - get_url: - url: https://dl.eff.org/certbot-auto - # checksum="sha256:0103972f4d42704ff70ac855b502718fadf161925eaa7da16455fa55737c8887" +- name: Remove old "certbot-auto" scripts or symlinks; it won't work any more. The new snap version is just a symlink to the snap binary, and the name "certbot-auto" won't be recognized as a valid app. Legacy apps will need to call certbot instead. + file: dest: /usr/local/bin/certbot-auto - mode: 0755 + state: absent + +- name: Remove old "certbot" script or symlink, just in case it wasn't removed by apt. + file: + dest: /usr/bin/certbot + state: absent + +- name: Install certbot snap package + snap: + name: certbot + classic: true notify: "restart {{ letsencrypt_webserver }}" - when: certbot_auto_file.stat.exists == false -- name: Automatically update certbot-auto once a month with cron on Ubuntu +- name: Remove old certbot-update job. Snaps update automatically. cron: + state: absent name: "Update certbot-auto once a month" - minute: "0" - hour: "0" - day: "1" - # The sed commands after the certbot script keep this job quiet when there is no upgrade and there are no errors. 
- job: > - /usr/local/bin/certbot-auto --version 2>&1 | /bin/sed -r 's/^certbot ([0-9]+)(\.[0-9]+)+$//' |/bin/sed '/^\s*$/d' - tags: - - letsencrypt_cron - when: ansible_distribution == 'Ubuntu' - and letsencrypt_install_certbot_from_ppa == false - name: Create a destination for dhparams file: path: "/usr/local/ssl/private" state: directory - mode: 0700 + mode: "2750" - name: Create dhparams.pem (can take several minutes) shell: umask 077 && openssl dhparam -out /usr/local/ssl/private/dhparams.pem 2048 @@ -119,7 +87,7 @@ - name: Compose the certbot command string for the default site cert set_fact: certbot_command_string: >- - /usr/local/bin/certbot-auto certonly + /snap/bin/certbot certonly --non-interactive --agree-tos --email {{ default_mail_recipient }} diff --git a/tasks/nginx.yml b/tasks/nginx.yml index 5322ebd..11a70c7 100644 --- a/tasks/nginx.yml +++ b/tasks/nginx.yml @@ -49,6 +49,6 @@ minute: "{{ letsencrypt_renew_cron_minute }}" day: "{{ letsencrypt_renew_cron_day }}" hour: "{{ letsencrypt_renew_cron_hour }}" - job: "/usr/local/bin/certbot-auto renew --quiet --no-self-upgrade --webroot-path {{ letsencrypt_webroot }} && /usr/sbin/nginx -tq && {{ service_binary }} nginx reload > /dev/null" + job: "/snap/bin/certbot renew --quiet --webroot-path {{ letsencrypt_webroot }} && /usr/sbin/nginx -tq && {{ service_binary }} nginx reload > /dev/null" tags: - letsencrypt_cron diff --git a/tasks/nginx_default_ssl.yml b/tasks/nginx_default_ssl.yml index 8657e4d..19f2b4c 100644 --- a/tasks/nginx_default_ssl.yml +++ b/tasks/nginx_default_ssl.yml @@ -6,3 +6,4 @@ backup: yes notify: reload nginx when: default_cert_retest.rc == 0 + ignore_errors: "{{ ansible_check_mode }}"
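Review bot: The new task `Remove old "certbot" script or symlink` deletes `/usr/bin/certbot` unconditionally, while the apt removal block just above it is guarded by `when: ansible_distribution == 'Ubuntu'`; on the EL 7/8 hosts now listed in meta/main.yml a package-managed certbot would have its binary deleted out from under the package manager, and on Ubuntu the same happens if the package is still installed for any reason. Either guard it with the same distribution condition and remove the package first on EL with the `package` module, or make the task match its own name by registering a `stat` and only removing the path when `islnk` is true. The `mode: "2750"` change on `/usr/local/ssl/private` widens access from owner-only to the group plus setgid; since `dhparams.pem` is still created under `umask 077` this is harmless, but a comment stating which group needs to traverse the directory would explain the choice. The enclosing `block` for the PPA removal starts outside the hunk.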
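Review bot: `/snap/bin/certbot` is now hard-coded here and in tasks/apache.yml, tasks/nginx.yml and the removal tasks earlier in this file; a single role default such as `letsencrypt_certbot_bin: /snap/bin/certbot`, referenced as `{{ letsencrypt_certbot_bin }} certonly` in this `set_fact`, keeps the occurrences in step and lets a host whose snap binaries live elsewhere override the path. The `certbot_command_string` fact continues outside the hunk.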
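Review bot: `ignore_errors: "{{ ansible_check_mode }}"` masks every failure of this task in check mode rather than preventing it, so a genuine failure still prints as an ignored error and is easy to miss. Presumably the problem is that `default_cert_retest` has no `rc` when the registering command is skipped in check mode; if so, `when: not ansible_check_mode and default_cert_retest.rc == 0` (or `default_cert_retest.rc is defined and default_cert_retest.rc == 0`) skips the task cleanly instead. The task's `name` and module line are outside the hunk, so I cannot confirm which part fails.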