From 34963cc94d64a8c99e65bc9c1d4b08bbd413bec7 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Fri, 6 May 2016 13:22:34 +0200
Subject: [PATCH] library/roles/letsencrypt-acmetool-client: Fix the initialization procedure. library/roles/ubuntu-deb-general/tasks/pki-basics.yml: A link to the fullchain was missing.
---
 letsencrypt-acmetool-client/handlers/main.yml | 4 +--
 letsencrypt-acmetool-client/tasks/main.yml | 21 +++++---------
 .../templates/acme-cert-request.sh.j2 | 28 +++++++++++++++++++
 ubuntu-deb-general/tasks/pki-basics.yml | 10 ++++++-
 4 files changed, 45 insertions(+), 18 deletions(-)
 create mode 100644 letsencrypt-acmetool-client/templates/acme-cert-request.sh.j2

diff --git a/letsencrypt-acmetool-client/handlers/main.yml b/letsencrypt-acmetool-client/handlers/main.yml
index c4309b3..db1b112 100644
--- a/letsencrypt-acmetool-client/handlers/main.yml
+++ b/letsencrypt-acmetool-client/handlers/main.yml
@@ -2,8 +2,6 @@
 - name: Initialize letsencrypt acmetool
   become: True
   become_user: '{{ letsencrypt_acme_user }}'
-  command: '{{ letsencrypt_acme_command }} {{ letsencrypt_acme_command_opts }} quickstart ; {{ letsencrypt_acme_command }} {{ letsencrypt_acme_command_opts }} reconcile'
-  args:
-    creates: '{{ letsencrypt_acme_user_home }}/accounts'
+  command: '/usr/local/bin/acme-cert-request > {{ letsencrypt_acme_log_dir }}/acme-cron.log 2>&1'
   when: letsencrypt_acme_install
 
diff --git a/letsencrypt-acmetool-client/tasks/main.yml b/letsencrypt-acmetool-client/tasks/main.yml
index c257dba..5238460 100644
--- a/letsencrypt-acmetool-client/tasks/main.yml
+++ b/letsencrypt-acmetool-client/tasks/main.yml
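Review bot: The new handler passes `> {{ letsencrypt_acme_log_dir }}/acme-cron.log 2>&1` through the `command` module, which does not go through a shell, so the redirection operators reach acme-cert-request as literal arguments and nothing is written to the log. The same invocation in tasks/main.yml uses `shell:`; the handler should match it: `shell: '/usr/local/bin/acme-cert-request > {{ letsencrypt_acme_log_dir }}/acme-cron.log 2>&1'`. Dropping the `creates:` guard also means the handler re-runs the full request on every notification, which looks intended now that the script handles an already-initialised tree, but a one-line comment above the handler stating that would save the next reader the question.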
@@ -98,28 +98,21 @@
   file: dest={{ letsencrypt_acme_log_dir }} state=directory owner={{ letsencrypt_acme_user }} group={{ letsencrypt_acme_user }} mode=0750
   when: letsencrypt_acme_install
   tags: letsencrypt
-
-- name: Install a daily cron job to renew the certificates when needed
-  cron: name="Letsencrypt certificate renewal" special_time=daily job="{{ letsencrypt_acme_command }} {{ letsencrypt_acme_command_opts }} reconcile > {{ letsencrypt_acme_log_dir }}/acme-cron.log 2>&1" user={{ letsencrypt_acme_user }}
+
+- name: Install a script that requests the certificates and manage the self signed certificate
+  template: src=acme-cert-request.sh.j2 dest=/usr/local/bin/acme-cert-request owner=root group=root mode=0755
   when: letsencrypt_acme_install
   tags: letsencrypt
-
-- name: letsencrypt acmetool initializaztion
-  become: True
-  become_user: '{{ letsencrypt_acme_user }}'
-  shell: 'rm -fr {{ letsencrypt_acme_user_home }}/certs/fakeselfsignedcert ; rm -fr {{ letsencrypt_acme_user_home }}/keys/fakeselfsignedcert ; rm {{ letsencrypt_acme_user_home }}/live/{{ ansible_fqdn }} ; {{ letsencrypt_acme_command }} {{ letsencrypt_acme_command_opts }} quickstart'
-  args:
-    creates: '{{ letsencrypt_acme_user_home }}/accounts'
+
+- name: Install a daily cron job to renew the certificates when needed
+  cron: name="Letsencrypt certificate renewal" special_time=daily job="/usr/local/bin/acme-cert-request > {{ letsencrypt_acme_log_dir }}/acme-cron.log 2>&1" user={{ letsencrypt_acme_user }}
   when: letsencrypt_acme_install
-  ignore_errors: True
   tags: letsencrypt
 
 - name: letsencrypt acmetool request the first certificate
   become: True
   become_user: '{{ letsencrypt_acme_user }}'
-  command: '{{ letsencrypt_acme_command }} {{ letsencrypt_acme_command_opts }} reconcile'
-  args:
-    creates: '{{ letsencrypt_acme_certs_dir }}/cert'
+  shell: '/usr/local/bin/acme-cert-request > {{ letsencrypt_acme_log_dir }}/acme-init.log 2>&1'
   when: letsencrypt_acme_install
   ignore_errors: True
   tags: letsencrypt
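Review bot: The "request the first certificate" task keeps `ignore_errors: True` while switching to `shell: '/usr/local/bin/acme-cert-request > {{ letsencrypt_acme_log_dir }}/acme-init.log 2>&1'`, so a non-zero exit from the script (which now carries the reconcile result) is swallowed and the play finishes green with the self-signed placeholder still in place and no message to the operator. Add `register: acme_first_request` to the task and follow it with a `debug` (or `fail`, if a hard stop is acceptable) conditioned on `acme_first_request.rc != 0`, so the fallback is visible in the play output rather than only in acme-init.log. The `file:` task at the top of the hunk begins outside it.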
diff --git a/letsencrypt-acmetool-client/templates/acme-cert-request.sh.j2 b/letsencrypt-acmetool-client/templates/acme-cert-request.sh.j2
new file mode 100644
index 0000000..d048424
--- /dev/null
+++ b/letsencrypt-acmetool-client/templates/acme-cert-request.sh.j2
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+TMP_DIR=/var/tmp/acmetool
+BASE_DIR=/var/lib/acme
+RETVAL=
+
+if [ -d $BASE_DIR/keys/fakeselfsignedcert -a -d $BASE_DIR/certs/fakeselfsignedcert ] ; then
+  mkdir -p $TMP_DIR/{keys,certs}
+  mv $BASE_DIR/keys/fakeselfsignedcert $TMP_DIR/keys
+  mv $BASE_DIR/certs/fakeselfsignedcert $TMP_DIR/certs
+  /bin/rm live/{{ ansible_fqdn }}
+  {{ letsencrypt_acme_command }} {{ letsencrypt_acme_command_opts }} quickstart
+fi
+
+{{ letsencrypt_acme_command }} {{ letsencrypt_acme_command_opts }} reconcile
+RETVAL=$?
+
+if [ -d $TMP_DIR ] ; then
+  if [ $RETVAL -ne 0 ] ; then
+    mv $TMP_DIR/keys/fakeselfsignedcert $BASE_DIR/keys
+    mv $TMP_DIR/certs/fakeselfsignedcert $BASE_DIR/certs
+    cd $BASE_DIR/live
+    ln -s ../certs/fakeselfsignedcert {{ ansible_fqdn }}
+  fi
+  rm -fr $TMP_DIR
+fi
+
+exit $RETVAL
diff --git a/ubuntu-deb-general/tasks/pki-basics.yml b/ubuntu-deb-general/tasks/pki-basics.yml
index 94a0d9a..41d66ad 100644
--- a/ubuntu-deb-general/tasks/pki-basics.yml
+++ b/ubuntu-deb-general/tasks/pki-basics.yml
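Review bot: `/bin/rm live/{{ ansible_fqdn }}` in the quickstart branch is a relative path while every other path in the script is anchored at `$BASE_DIR`, and the script never changes directory before it, so the stale placeholder link is only removed when the caller happens to start in /var/lib/acme (neither cron nor the Ansible handler/task give that guarantee) and quickstart then runs with the old link still present. `TMP_DIR=/var/tmp/acmetool` is a fixed name in a world-writable directory: the placeholder private key is moved there after a `mkdir -p` that succeeds on a directory pre-created by any other local user, and on failure key and cert are restored from that same directory, so a `mktemp -d` scratch directory (mode 0700, unpredictable name) should be used instead. `cd $BASE_DIR/live` is unchecked, so if it fails the `ln -s` lands in whatever the current directory is; writing the link with an absolute path removes the need for the cd. `BASE_DIR=/var/lib/acme` is also hard-coded while the tasks use `{{ letsencrypt_acme_user_home }}`; presumably the two coincide, but templating it would keep that in one place. The rewrite below applies these changes and restores the placeholder only when one was actually stashed.

```bash
# … unchanged: shebang, BASE_DIR, RETVAL …
# private 0700 scratch dir with an unpredictable name instead of a fixed path in /var/tmp
TMP_DIR=$(mktemp -d /var/tmp/acmetool.XXXXXX) || exit 1

if [ -d "$BASE_DIR/keys/fakeselfsignedcert" ] && [ -d "$BASE_DIR/certs/fakeselfsignedcert" ] ; then
  mkdir -p "$TMP_DIR/keys" "$TMP_DIR/certs"
  mv "$BASE_DIR/keys/fakeselfsignedcert" "$TMP_DIR/keys"
  mv "$BASE_DIR/certs/fakeselfsignedcert" "$TMP_DIR/certs"
  # absolute path: cron and the Ansible caller do not start in $BASE_DIR
  rm -f "$BASE_DIR/live/{{ ansible_fqdn }}"
  {{ letsencrypt_acme_command }} {{ letsencrypt_acme_command_opts }} quickstart
fi

# … unchanged: reconcile, RETVAL=$? …

# put the placeholder back only if one was stashed and the real request failed
if [ "$RETVAL" -ne 0 ] && [ -d "$TMP_DIR/keys/fakeselfsignedcert" ] ; then
  mv "$TMP_DIR/keys/fakeselfsignedcert" "$BASE_DIR/keys"
  mv "$TMP_DIR/certs/fakeselfsignedcert" "$BASE_DIR/certs"
  ln -s ../certs/fakeselfsignedcert "$BASE_DIR/live/{{ ansible_fqdn }}"
fi
rm -fr "$TMP_DIR"

# … unchanged: exit $RETVAL …
```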
@@ -22,7 +22,10 @@
     - '{{ letsencrypt_acme_user_home }}/keys/fakeselfsignedcert'
   when: ( true_cert.stat.islnk is not defined ) and ( letsencrypt_acme_install is defined and letsencrypt_acme_install )
   tags: [ 'pki', 'ssl', 'letsencrypt' ]
-
+
+# 20160506121714 [WARN] fdb: "keys/fakeselfsignedcert" has wrong mode -rwxr-xr-x, changing to -rwx------
+# 20160506121714 [WARN] fdb: "keys/fakeselfsignedcert/privkey" has wrong mode -rw-r--r--, changing to -rw-------
+
 - name: When we are going to install letsencrypt certificates, create a preliminary path and a self signed cert. Now the certificate and private key
   command: openssl req -x509 -newkey rsa:2048 -keyout {{ letsencrypt_acme_user_home }}/keys/fakeselfsignedcert/privkey -out {{ letsencrypt_acme_user_home }}/certs/fakeselfsignedcert/cert -days 10 -nodes -subj '/CN=self signed certificate'
   args:
@@ -40,6 +43,11 @@
   when: ( true_cert.stat.islnk is not defined ) and ( letsencrypt_acme_install is defined and letsencrypt_acme_install )
   tags: [ 'pki', 'ssl', 'letsencrypt' ]
 
+- name: When we are going to install letsencrypt certificates, create a preliminary path and a self signed cert. Now the symbolic links for the fullchain file
+  file: src=cert dest={{ letsencrypt_acme_user_home }}/certs/fakeselfsignedcert/fullchain state=link
+  when: ( true_cert.stat.islnk is not defined ) and ( letsencrypt_acme_install is defined and letsencrypt_acme_install )
+  tags: [ 'pki', 'ssl', 'letsencrypt' ]
+
 - name: When we are going to install letsencrypt certificates, create a preliminary path and a self signed cert. Now the symbolic links for the certificate if there is not one
   file: src=../certs/fakeselfsignedcert dest={{ letsencrypt_acme_user_home }}/live/{{ ansible_fqdn }} state=link
   when: ( true_cert.stat.islnk is not defined ) and ( letsencrypt_acme_install is defined and letsencrypt_acme_install )
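Review bot: The two added `# 20160506121714 [WARN] fdb: ...` comment lines record that acmetool later finds `keys/fakeselfsignedcert` at 0755 and `privkey` at 0644, which means the placeholder private key written by the `openssl req ... -keyout ...` command in this hunk is world-readable from creation until the first reconcile corrects it; pasting the warning as a comment documents the gap without closing it. Fix the modes in the play instead: give the keys directory `mode=0700` (the `file:` loop whose last item opens this hunk starts outside it, so if its items share one mode add a separate `file: path={{ letsencrypt_acme_user_home }}/keys/fakeselfsignedcert state=directory mode=0700` task), and follow the openssl task with `file: path={{ letsencrypt_acme_user_home }}/keys/fakeselfsignedcert/privkey mode=0600`, or run the openssl command under `umask 077` via `shell:`. The comment can then be replaced by one line saying why the modes are set explicitly. The second hunk's `fullchain` link with `src=cert` resolves relative to its own directory, matching the existing `live/` link style.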