From ae14f50a4f0faaa0a7f79aa625eba66b891573ea Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Tue, 28 Sep 2021 13:43:38 +0200
Subject: [PATCH] Set the root CA option into the main script.

---
 defaults/main.yml | 2 +-
 tasks/main.yml | 16 +++++++++++++---
 .../acme-sh-cron-command.sh.j2 | 0
 .../acme-sh-cron-script.sh.j2 | 2 ++
 .../acme-sh-request-cert.sh.j2 | 4 ++--
 templates/acme_sh_request_env.j2 | 2 +-
 6 files changed, 19 insertions(+), 7 deletions(-)
 rename files/acme-sh-cron-command => templates/acme-sh-cron-command.sh.j2 (100%)
 rename files/acme-sh-cron-script => templates/acme-sh-cron-script.sh.j2 (91%)
 rename files/acme-sh-request-cert => templates/acme-sh-request-cert.sh.j2 (85%)

diff --git a/defaults/main.yml b/defaults/main.yml
index 2565e1d..a5852c9 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -56,7 +56,7 @@ letsencrypt_acme_sh_ecc_key_lenght: ec-384
 letsencrypt_acme_sh_rsa_key_lenght: 4096
 letsencrypt_acme_sh_ocsp_must_staple: False
 # Default: ISRG Root X1
-letsencrypt_acme_sh_specific_root_ca: "--preferred-chain 'ISRG Root X1'"
+letsencrypt_acme_sh_specific_root_ca: '--preferred-chain "ISRG Root X1"'
 letsencrypt_acme_email: sysadmin@example.com
 letsencrypt_acme_sh_email: '{{ letsencrypt_acme_email }}'
 letsencrypt_acme_standalone_port: 4402
diff --git a/tasks/main.yml b/tasks/main.yml
index b5f7825..e888b2c 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -38,7 +38,12 @@
 tags: [ 'letsencrypt', 'letsencrypt_cron', 'letsencrypt_acme_sh', 'letsencrypt_acme_sh_scripts' ]

 - name: Install a script that issues the certificates
- copy: src=acme-sh-request-cert dest=/usr/local/bin/acme-sh-request-cert owner=root group=acme mode=0750
+ template:
+ src: acme-sh-request-cert.sh.j2
+ dest: /usr/local/bin/acme-sh-request-cert
+ owner: root
+ group: acme
+ mode: 0750
 tags: [ 'letsencrypt', 'letsencrypt_cron', 'letsencrypt_acme_sh', 'letsencrypt_acme_sh_scripts' ]

 - name: Install a script that installs the issued certificates
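Review bot: The re-quoting of `letsencrypt_acme_sh_specific_root_ca` only works because the value is now rendered verbatim into the acme-sh-request-cert template and parsed by bash, so this variable has quietly become shell source rather than an opaque string, and the `# Default: ISRG Root X1` comment above it gives no hint of that contract. Anyone overriding it in inventory must keep the inner quotes around a multi-word chain name or bash will split it into several arguments, and an override meant to drop the option should be the empty string `''` rather than a bare `null`, which would presumably render as literal text in the script. I would replace the comment with `# Rendered verbatim into acme-sh-request-cert and parsed by bash: keep the inner double quotes, or set '' to let the CA choose the chain`.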
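Review bot: Nothing checks that the rendered script still parses before it is installed in /usr/local/bin as a root-owned executable, even though it now carries Jinja-interpolated shell syntax; an override of `letsencrypt_acme_sh_specific_root_ca` with unbalanced quotes would only surface at the first certificate request. The `template` module can catch that at deploy time, so add `validate: 'bash -n %s'` to the new task arguments. While the arguments are being rewritten in block form, write the mode as a string, `mode: '0750'`, so a YAML 1.2 loader or a later edit that drops the leading zero cannot turn it into a different permission. The task that begins on the hunk's last line continues outside it.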
@@ -49,8 +54,13 @@
 template: src=acme-services-hook.j2 dest=/usr/local/bin/acme-services-hook owner=root group=acme mode=0750

 - name: Install the scripts that will be run as a cron job
- copy: src={{ item }} dest=/usr/local/bin/{{ item }} owner=root group=acme mode=0750
- with_items:
+ template:
+ src: '{{ item }}.sh.j2'
+ dest: '/usr/local/bin/{{ item }}'
+ owner: root
+ group: acme
+ mode: 0750
+ loop:
 - acme-sh-cron-script
 - acme-sh-cron-command
 tags: [ 'letsencrypt', 'letsencrypt_cron', 'letsencrypt_acme_sh', 'letsencrypt_acme_sh_scripts' ]
diff --git a/files/acme-sh-cron-command b/templates/acme-sh-cron-command.sh.j2
similarity index 100%
rename from files/acme-sh-cron-command
rename to templates/acme-sh-cron-command.sh.j2
diff --git a/files/acme-sh-cron-script b/templates/acme-sh-cron-script.sh.j2
similarity index 91%
rename from files/acme-sh-cron-script
rename to templates/acme-sh-cron-script.sh.j2
index d96d2be..b6ce0aa 100644
--- a/files/acme-sh-cron-script
+++ b/templates/acme-sh-cron-script.sh.j2
@@ -1,12 +1,14 @@
 #!/bin/bash

 if [ -f "/etc/default/acme_sh_request_env" ] ; then
+ # shellcheck disable=SC1091
 . "/etc/default/acme_sh_request_env"
 else
 exit 1
 fi

 if [ -f "$ACME_SH_ENV_FILE" ] ; then
+ # shellcheck source=/dev/null
 . "$ACME_SH_ENV_FILE"
 else
 exit 1
diff --git a/files/acme-sh-request-cert b/templates/acme-sh-request-cert.sh.j2
similarity index 85%
rename from files/acme-sh-request-cert
rename to templates/acme-sh-request-cert.sh.j2
index 5d148b9..0225058 100644
--- a/files/acme-sh-request-cert
+++ b/templates/acme-sh-request-cert.sh.j2
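Review bot: `mode: 0750` in the new block-form task is an unquoted YAML integer whose meaning depends on the loader treating the leading zero as octal; write it as `mode: '0750'` so the permission of these root-owned cron scripts cannot silently change under a YAML 1.2 parser or a careless edit. Because both loop items are now rendered through `template` and executed as shell, a `validate: 'bash -n %s'` argument on this task would reject a rendering that does not parse before it reaches /usr/local/bin. The 100%-similarity rename of acme-sh-cron-command means that file contains no Jinja yet is templated anyway, which is harmless but worth a one-line comment on the task if it is deliberate.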
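Review bot: Both `exit 1` branches still terminate silently, so when this runs from cron a missing `/etc/default/acme_sh_request_env` or `$ACME_SH_ENV_FILE` yields no stderr line to explain why renewals stopped, and the new shellcheck directives do not change that. Write a diagnostic first, e.g. `echo "acme-sh-cron-script: $ACME_SH_ENV_FILE not found" >&2` before the second `exit 1` and the equivalent fixed-path message before the first, so cron's mail carries the cause. Note also that `# shellcheck source=/dev/null` only silences SC1091: the sourced file runs with the script's privileges, so if this job runs as root, `$ACME_SH_ENV_FILE` must be root-owned and not writable by the `acme` group, which the `-f` existence test does not establish. The two directives silence the same warning in two different ways; using `disable=SC1091` for both would be simpler to read. The script continues past the hunk.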
@@ -30,7 +30,7 @@ if [ ! -f "$ACME_SH_CONFIG_HOME/ok_certificate_issued" ] && [ "$ACME_SH_USE_DNS_
 service apache2 stop >/dev/null 2>&1
 service httpd stop >/dev/null 2>&1
 fi
- $ACME_SH_BIN $ACME_SH_FIRST_CERT_REQUEST > "$ACME_SH_ISSUE_LOG_FILE" 2>&1
+ $ACME_SH_BIN {{ letsencrypt_acme_sh_specific_root_ca }} $ACME_SH_FIRST_CERT_REQUEST > "$ACME_SH_ISSUE_LOG_FILE" 2>&1
 RETVAL=$?
 if [ -x /bin/systemctl ] ; then
 /bin/systemctl restart nginx >/dev/null 2>&1
@@ -42,7 +42,7 @@ if [ ! -f "$ACME_SH_CONFIG_HOME/ok_certificate_issued" ] && [ "$ACME_SH_USE_DNS_
 service httpd start >/dev/null 2>&1
 fi
 else
- $ACME_SH_BIN $ACME_SH_ISSUE_CERT_REQUEST > "$ACME_SH_ISSUE_LOG_FILE" 2>&1
+ $ACME_SH_BIN {{ letsencrypt_acme_sh_specific_root_ca }} $ACME_SH_ISSUE_CERT_REQUEST > "$ACME_SH_ISSUE_LOG_FILE" 2>&1
 RETVAL=$?
 fi

diff --git a/templates/acme_sh_request_env.j2 b/templates/acme_sh_request_env.j2
index 198f952..51497e0 100644
--- a/templates/acme_sh_request_env.j2
+++ b/templates/acme_sh_request_env.j2
@@ -30,7 +30,7 @@ ACME_SH_INSTALL_OPTS="$ACME_SH_INSTALL_OPTS --home {{ letsencrypt_acme_sh_user_h
 #
 # Certificate issue options
 #
-ACME_SH_ISSUE_CERT_REQUEST_OPTIONS="--issue --server {{ letsencrypt_acme_sh_default_ca }} $ACME_SH_ROOT_CA -k {% if letsencrypt_acme_sh_use_ecc %}{{ letsencrypt_acme_sh_ecc_key_lenght }}{% else %}{{ letsencrypt_acme_sh_rsa_key_lenght }}{% endif %} --log {{ letsencrypt_acme_sh_base_data_dir }}/logs/acme.sh.log"
+ACME_SH_ISSUE_CERT_REQUEST_OPTIONS="--issue --server {{ letsencrypt_acme_sh_default_ca }} -k {% if letsencrypt_acme_sh_use_ecc %}{{ letsencrypt_acme_sh_ecc_key_lenght }}{% else %}{{ letsencrypt_acme_sh_rsa_key_lenght }}{% endif %} --log {{ letsencrypt_acme_sh_base_data_dir }}/logs/acme.sh.log"
 {% if letsencrypt_acme_sh_ocsp_must_staple %}
 ACME_SH_ISSUE_CERT_REQUEST="$ACME_SH_ISSUE_CERT_REQUEST_OPTIONS --ocsp"
 {% endif %}
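Review bot: `{{ letsencrypt_acme_sh_specific_root_ca }}` is pasted into the command line as literal shell text, so that Ansible variable is now code executed with whatever privileges this script runs under (the task installs it root-owned, group acme, 0750), and nothing in the script says so. Add a line above the call, `# the --preferred-chain option is rendered at deploy time from letsencrypt_acme_sh_specific_root_ca and parsed by bash: it must be trusted, shell-quoted text` (the comment must not contain the Jinja braces or it would itself be rendered). An empty variable degrades cleanly to `$ACME_SH_BIN $ACME_SH_FIRST_CERT_REQUEST`, which is fine, but a value with unbalanced quotes breaks the whole script rather than this one call, so the playbook should validate the rendered file. The enclosing `if` block starts before the hunk.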
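Review bot: The same Jinja expression is now duplicated in the first-issue and re-issue branches, so a later edit can change one call and not the other; I would expand it once into a bash array near the top of the script and reference that array in both calls. An array keeps the quoted chain name as a single argument and collapses to nothing when the variable is empty, which a plain `$VAR` cannot do — presumably the word-splitting of `$ACME_SH_ROOT_CA` is why it was dropped from the env file. This assumes the script is bash like its sibling acme-sh-cron-script (the shebang is outside the hunk); if it also uses `set -u` on a bash older than 4.4, the empty-array expansion needs the `${arr[@]+"${arr[@]}"}` form. Confirm as well that acme.sh persists the preferred chain in its per-domain config, since the cron renewal path is not touched by this commit and otherwise would fall back to the CA's default chain.
```shell
# … unchanged: env-file sourcing …
# Rendered at deploy time from letsencrypt_acme_sh_specific_root_ca; an array keeps
# the quoted chain name as one argument and expands to nothing when the value is empty.
ACME_SH_ROOT_CA_OPTS=( {{ letsencrypt_acme_sh_specific_root_ca }} )
# … unchanged: first-issue branch, service stop …
  $ACME_SH_BIN "${ACME_SH_ROOT_CA_OPTS[@]}" $ACME_SH_FIRST_CERT_REQUEST > "$ACME_SH_ISSUE_LOG_FILE" 2>&1
# … unchanged: service restart, else …
  $ACME_SH_BIN "${ACME_SH_ROOT_CA_OPTS[@]}" $ACME_SH_ISSUE_CERT_REQUEST > "$ACME_SH_ISSUE_LOG_FILE" 2>&1
```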
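Review bot: With `$ACME_SH_ROOT_CA` removed from `ACME_SH_ISSUE_CERT_REQUEST_OPTIONS`, any `ACME_SH_ROOT_CA=...` assignment earlier in this env file (outside the hunk) is now dead and will mislead the next reader into thinking the env file still controls the chain; if such a line exists it should go in the same commit, or be replaced by `# the preferred chain is set in acme-sh-request-cert, not here`. Only the `--ocsp` assignment of `ACME_SH_ISSUE_CERT_REQUEST` is visible; the non-OCSP branch lies outside the hunk.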