Request the certificates as root so that port 80 can be bound. Install the certificates by default once they have been obtained.

This commit is contained in:
Andrea Dell'Amico 2019-10-31 12:30:27 +01:00
parent 29e44b27a8
commit 1289862b9a
2 changed files with 12 additions and 13 deletions


@ -44,7 +44,7 @@ letsencrypt_acme_certs_dir: '{{ letsencrypt_acme_sh_certificates_install_path }}
letsencrypt_acme_services_scripts_dir: /usr/lib/acme/hooks letsencrypt_acme_services_scripts_dir: /usr/lib/acme/hooks
letsencrypt_acme_sh_services_scripts_dir: '{{ letsencrypt_acme_services_scripts_dir }}' letsencrypt_acme_sh_services_scripts_dir: '{{ letsencrypt_acme_services_scripts_dir }}'
letsencrypt_acme_sh_explicitly_install_certs: False letsencrypt_acme_sh_explicitly_install_certs: True
# ECC is better, but most old distributions fail on them # ECC is better, but most old distributions fail on them
letsencrypt_acme_sh_use_ecc: False letsencrypt_acme_sh_use_ecc: False
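Review bot: Flipping `letsencrypt_acme_sh_explicitly_install_certs` to True changes the default behaviour for every existing consumer of this role, and the line carries no comment saying what explicit installation does or why it is now on. A comment above it such as `# When true, the role installs the certificates itself after they are issued; set to false if the caller handles installation` would help, though I am inferring that meaning from the variable name and the commit message, so adjust it to what the install step actually does. This file writes booleans as `True`/`False` (see `letsencrypt_acme_sh_use_ecc` just below); yamllint's truthy rule prefers `true`/`false`, so if that is ever normalised it should be done file-wide rather than on this one line.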


@ -74,25 +74,24 @@
- name: Create the letsencrypt acme.sh configuration - name: Create the letsencrypt acme.sh configuration
template: src=account.conf.j2 dest={{ letsencrypt_acme_sh_base_data_dir }}/data/account.conf mode=0640 template: src=account.conf.j2 dest={{ letsencrypt_acme_sh_base_data_dir }}/data/account.conf mode=0640
- name: Request the certificates
shell: /usr/local/bin/acme-sh-request-cert
#args:
# creates: '{{ letsencrypt_acme_sh_base_data_dir }}/data/ok_certificate_issued'
register: acme_sh_certificate_issued
when: acme_sh_issue is changed
notify: Install the requested certificates
ignore_errors: True
- name: Remove the daily cron job that run as acme user. - name: Remove the daily cron job that run as acme user.
cron: name="Letsencrypt certificate renewal" day={{ letsencrypt_acme_cron_day_of_month }} hour={{ letsencrypt_acme_cron_hour }} minute={{ letsencrypt_acme_cron_minute }} job="/usr/local/bin/acme-sh-cron-script > {{ letsencrypt_acme_sh_log_dir }}/acme-cron.log 2>&1" state=absent cron: name="Letsencrypt certificate renewal" day={{ letsencrypt_acme_cron_day_of_month }} hour={{ letsencrypt_acme_cron_hour }} minute={{ letsencrypt_acme_cron_minute }} job="/usr/local/bin/acme-sh-cron-script > {{ letsencrypt_acme_sh_log_dir }}/acme-cron.log 2>&1" state=absent
tags: [ 'letsencrypt', 'letsencrypt_cron', 'letsencrypt_acme_sh' ] tags: [ 'letsencrypt', 'letsencrypt_cron', 'letsencrypt_acme_sh' ]
become: True become: True
become_user: '{{ letsencrypt_acme_sh_user }}' become_user: '{{ letsencrypt_acme_sh_user }}'
when: letsencrypt_acme_sh_install when: letsencrypt_acme_sh_install | bool
tags: [ 'letsencrypt', 'letsencrypt_acme_sh' ] tags: [ 'letsencrypt', 'letsencrypt_acme_sh' ]
- block: - block:
- name: Request the certificates. As root because we must bind on port 80
shell: /usr/local/bin/acme-sh-request-cert
#args:
# creates: '{{ letsencrypt_acme_sh_base_data_dir }}/data/ok_certificate_issued'
register: acme_sh_certificate_issued
when: acme_sh_issue is changed
ignore_errors: True
- name: Check if the 'live' path is a symling. It is, if acmetool was installed - name: Check if the 'live' path is a symling. It is, if acmetool was installed
stat: path={{ letsencrypt_acme_sh_certificates_install_path }} stat: path={{ letsencrypt_acme_sh_certificates_install_path }}
register: is_symlink register: is_symlink
@ -112,5 +111,5 @@
- acme_sh_certificate_issued is changed - acme_sh_certificate_issued is changed
ignore_errors: True ignore_errors: True
when: letsencrypt_acme_sh_install when: letsencrypt_acme_sh_install | bool
tags: [ 'letsencrypt', 'letsencrypt_acme_sh' ] tags: [ 'letsencrypt', 'letsencrypt_acme_sh' ]
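Review bot: In the new "Request the certificates. As root because we must bind on port 80" task, `register: acme_sh_certificate_issued` combined with `ignore_errors: True` means a failed run of `/usr/local/bin/acme-sh-request-cert` still registers as changed, because the shell module reports changed whenever the command executes regardless of its exit code, so the task at the end of the section gated on `- acme_sh_certificate_issued is changed` will run the install step after a failed issuance. Gate on the exit status instead, e.g. `- acme_sh_certificate_issued.rc is defined and acme_sh_certificate_issued.rc == 0`, or replace `ignore_errors: True` with `failed_when: acme_sh_certificate_issued.rc != 0` so the failure is at least visible in the play output. The old task's `notify: Install the requested certificates` is not carried over to the new one; presumably installation is now handled by the tasks in the second hunk, but the handler should be checked for remaining callers before it is considered dead. The `- block:` that holds the new task starts inside the hunk but its `become` settings are not visible here; since the script now relies on root to bind port 80, confirm the block actually escalates, and since the command has no shell features `command:` would be the more conventional module than `shell:`.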