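---
# Tasks for the acme.sh based Let's Encrypt setup.
#
# Three stages, each gated by `letsencrypt_acme_install`:
#   1. prepare the acme.sh user, directories, helper scripts and the cron job;
#   2. fetch and install the acme.sh distribution itself;
#   3. request and install the certificates.
#
# File modes are written as quoted strings on purpose: a bare `0755` is read
# by YAML as the integer 493 and Ansible's re-interpretation of that integer
# is not reliable (it is known to break inside loops).

- name: Import the deb tasks
  ansible.builtin.import_tasks: acmetool_deb.yml
  when: ansible_distribution_file_variety == "Debian"

- name: Import the RH and derivatives
  ansible.builtin.import_tasks: acmetool_rh.yml
  when: ansible_distribution_file_variety == "RedHat"

- name: Prepare the acme.sh environment
  when: letsencrypt_acme_install
  tags: ['letsencrypt', 'letsencrypt_acme_sh']
  block:
    - name: Create the letsencrypt acme user
      ansible.builtin.user:
        name: "{{ letsencrypt_acme_sh_user }}"
        home: "{{ letsencrypt_acme_sh_user_home }}"
        # `createhome` is the deprecated spelling of `create_home`; the home
        # directory is created by the next task instead.
        create_home: false
        shell: /usr/sbin/nologin
        system: true
      tags: ['letsencrypt', 'letsencrypt_user']

    - name: Create the letsencrypt acme home, if it does not exist already. In a separate step because it could be already there.
      ansible.builtin.file:
        dest: "{{ letsencrypt_acme_sh_user_home }}"
        owner: "{{ letsencrypt_acme_sh_user }}"
        group: "{{ letsencrypt_acme_sh_user }}"
        state: directory
        mode: "0755"
        # NOTE(review): with `recurse: true` the 0755 mode is applied to every
        # file already below the home, not only to the directory itself. If
        # acme.sh keeps account or certificate keys somewhere under this path
        # they become readable by every local user — confirm where
        # `letsencrypt_acme_sh_base_data_dir` points before relying on this.
        recurse: true

    - name: Create a directory where to put the cron job and hooks logs
      ansible.builtin.file:
        dest: "{{ letsencrypt_acme_sh_log_dir }}"
        state: directory
        owner: "{{ letsencrypt_acme_sh_user }}"
        group: "{{ letsencrypt_acme_sh_user }}"
        mode: "0750"

    # The result is registered: a changed env file later forces a fresh
    # certificate request (see the "Certificates management" block).
    - name: Install the acme.sh environment variables file
      ansible.builtin.template:
        src: acme_sh_request_env.j2
        dest: /etc/default/acme_sh_request_env
        owner: root
        group: root
        mode: "0444"
      register: acme_sh_issue
      tags: ['letsencrypt', 'letsencrypt_cron', 'letsencrypt_acme_sh', 'letsencrypt_acme_sh_env', 'letsencrypt_req_cert']

    # Helper scripts: root-owned, readable and executable by the acme group
    # only, so the unprivileged acme user cannot modify what root runs.
    - name: Install the script that initializes the acme.sh environment
      ansible.builtin.copy:
        src: acme-sh-install
        dest: /usr/local/bin/acme-sh-install
        owner: root
        group: "{{ letsencrypt_acme_user }}"
        mode: "0750"
      tags: ['letsencrypt', 'letsencrypt_cron', 'letsencrypt_acme_sh', 'letsencrypt_acme_sh_scripts']

    - name: Install a script that issues the certificates
      ansible.builtin.template:
        src: acme-sh-request-cert.sh.j2
        dest: /usr/local/bin/acme-sh-request-cert
        owner: root
        group: "{{ letsencrypt_acme_user }}"
        mode: "0750"
      tags: ['letsencrypt', 'letsencrypt_cron', 'letsencrypt_acme_sh', 'letsencrypt_acme_sh_scripts']

    - name: Install a script that installs the issued certificates
      ansible.builtin.copy:
        src: acme-sh-install-certs
        dest: /usr/local/bin/acme-sh-install-certs
        owner: root
        group: "{{ letsencrypt_acme_user }}"
        mode: "0750"
      tags: ['letsencrypt', 'letsencrypt_cron', 'letsencrypt_acme_sh', 'letsencrypt_acme_sh_scripts']

    - name: Install the script that will run the services hooks when a certificate is installed
      ansible.builtin.template:
        src: acme-services-hook.j2
        dest: /usr/local/bin/acme-services-hook
        owner: root
        group: "{{ letsencrypt_acme_user }}"
        mode: "0750"

    - name: Install the scripts that will be run as a cron job
      ansible.builtin.template:
        src: "{{ item }}.sh.j2"
        dest: "/usr/local/bin/{{ item }}"
        owner: root
        # NOTE(review): the group is hard-coded here while every other script
        # uses `{{ letsencrypt_acme_user }}`; the two diverge if that variable
        # is ever set to something other than `acme`.
        group: acme
        mode: "0750"
      loop:
        - acme-sh-cron-script
        - acme-sh-cron-command
      tags: ['letsencrypt', 'letsencrypt_cron', 'letsencrypt_acme_sh', 'letsencrypt_acme_sh_scripts']

    # Legacy cleanup: earlier versions installed the job in root's crontab
    # spool; it now lives in /etc/cron.d (next task).
    - name: Remove the cron job under spool if it exists
      ansible.builtin.cron:
        name: "Letsencrypt certificate renewal"
        day: "{{ letsencrypt_acme_cron_day_of_month }}"
        hour: "{{ letsencrypt_acme_cron_hour }}"
        minute: "{{ letsencrypt_acme_cron_minute }}"
        job: "/usr/local/bin/acme-sh-cron-script > {{ letsencrypt_acme_sh_log_dir }}/acme-cron.log 2>&1"
        state: absent
      tags: ['letsencrypt', 'letsencrypt_cron', 'letsencrypt_acme_sh', 'letsencrypt_acme_sh_scripts']

    - name: Install a daily cron job to renew the certificates when needed. It runs as root
      ansible.builtin.cron:
        name: "Letsencrypt certificate renewal"
        cron_file: letsencrypt_renew_certificates
        user: root
        day: "{{ letsencrypt_acme_cron_day_of_month }}"
        hour: "{{ letsencrypt_acme_cron_hour }}"
        minute: "{{ letsencrypt_acme_cron_minute }}"
        job: "/usr/local/bin/acme-sh-cron-script > {{ letsencrypt_acme_sh_log_dir }}/acme-cron.log 2>&1"
      tags: ['letsencrypt', 'letsencrypt_cron', 'letsencrypt_acme_sh', 'letsencrypt_acme_sh_scripts']

- name: Acme.sh distribution
  when: letsencrypt_acme_install
  tags: ['letsencrypt', 'letsencrypt_acme_sh']
  block:
    # First clone only (`update: false`): an existing checkout is left alone
    # unless the explicit upgrade below is requested.
    - name: Download the acme.sh distribution
      become: true
      become_user: "{{ letsencrypt_acme_user }}"
      ansible.builtin.git:
        repo: "{{ letsencrypt_acme_sh_git_url }}"
        dest: "{{ letsencrypt_acme_git_dest_dir }}"
        recursive: true
        update: false
        force: true

    # `force: true` discards any local modification of the checkout.
    - name: Force the upgrade of the acme.sh distribution
      become: true
      become_user: "{{ letsencrypt_acme_user }}"
      ansible.builtin.git:
        repo: "{{ letsencrypt_acme_sh_git_url }}"
        dest: "{{ letsencrypt_acme_git_dest_dir }}"
        recursive: true
        update: true
        force: true
      when: letsencrypt_update_acme_distribution

    - name: Create the letsencrypt acme.sh directory tree
      ansible.builtin.file:
        dest: "{{ item }}"
        state: directory
        owner: "{{ letsencrypt_acme_user }}"
        group: "{{ letsencrypt_acme_user }}"
        mode: "0755"
      # `flatten(levels=1)` keeps the one-level flattening `with_items` did.
      loop: "{{ letsencrypt_acme_sh_dirs | flatten(levels=1) }}"

    # Idempotent through `creates`: skipped once acme.sh has been installed.
    - name: Run the installation command for acme.sh
      ansible.builtin.command: /usr/local/bin/acme-sh-install
      args:
        creates: "{{ letsencrypt_acme_sh_user_home }}/bin/acme.sh"

    # The account configuration may carry API credentials for the DNS
    # provider, hence the 0440 mode.
    - name: Create the letsencrypt acme.sh account configuration
      ansible.builtin.template:
        src: account.conf.j2
        dest: "{{ letsencrypt_acme_sh_base_data_dir }}/data/account.conf"
        owner: "{{ letsencrypt_acme_user }}"
        group: "{{ letsencrypt_acme_user }}"
        mode: "0440"
      tags: ['letsencrypt', 'letsencrypt_account_conf', 'letsencrypt_acme_sh']

- name: Certificates management
  when: letsencrypt_acme_install
  tags: ['letsencrypt', 'letsencrypt_acme_sh', 'letsencrypt_req_cert']
  block:
    # `ok_certificate_issued` is the marker that stops the request task
    # below; removing it re-runs the request.
    - name: Remove the ok_certificate_issued file when the env file has been changed so that we can force a new request
      ansible.builtin.file:
        dest: "{{ letsencrypt_acme_sh_base_data_dir }}/data/ok_certificate_issued"
        state: absent
      when: (acme_sh_issue is changed) or letsencrypt_force_cert_request

    - name: Request the certificates.
      ansible.builtin.command: /usr/local/bin/acme-sh-request-cert
      args:
        creates: "{{ letsencrypt_acme_sh_base_data_dir }}/data/ok_certificate_issued"
      register: acme_sh_certificate_issued

    - name: Print the install path
      ansible.builtin.debug:
        msg: "Certificates install path: {{ letsencrypt_acme_sh_certificates_install_path }}"

    # A symlink left by a previous layout is replaced by a real directory.
    - name: Check if the certificates install path is a link
      ansible.builtin.stat:
        path: "{{ letsencrypt_acme_sh_certificates_install_path }}"
      register: cert_install_path

    - name: Remove the certificates install path if it is a link
      ansible.builtin.file:
        dest: "{{ letsencrypt_acme_sh_certificates_install_path }}"
        state: absent
      when: cert_install_path.stat.islink is defined and cert_install_path.stat.islink

    - name: Create the certificates installation directory
      ansible.builtin.file:
        dest: "{{ letsencrypt_acme_sh_certificates_install_path }}"
        state: directory
        owner: root
        group: root
        mode: "0755"

    # Only after a fresh issue: `acme_sh_certificate_issued` is `changed`
    # solely when the request task actually ran.
    - name: Install the certificates
      ansible.builtin.command: /usr/local/bin/acme-sh-install-certs
      when:
        - letsencrypt_acme_sh_explicitly_install_certs | bool
        - acme_sh_certificate_issued is defined
        - acme_sh_certificate_issued is changed

# NOTE(review): this task sits outside the `letsencrypt_acme_install` blocks.
# With `create: false`, lineinfile fails when the .conf file is missing, so on
# a host where acme.sh is not installed the only thing keeping it from
# failing is the DNS-provider condition — confirm that is intended.
- name: Fix the http port in the configuration. Needed when we renew using the http protocol and we are behind a web server
  ansible.builtin.lineinfile:
    path: "{{ letsencrypt_acme_sh_certs_data_path }}/{{ letsencrypt_acme_sh_certs_data_prefix }}.conf"
    create: false
    state: present
    regexp: "^Le_HTTPPort="
    line: "Le_HTTPPort='{{ letsencrypt_acme_standalone_port }}'"
  when: not letsencrypt_acme_sh_use_dns_provider | bool
  tags: ['letsencrypt', 'letsencrypt_acme_sh', 'letsencrypt_acme_sh_http_port', 'letsencrypt_req_cert']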