From 1289862b9a6fa0ee555f7890fe2769ecc8899fd3 Mon Sep 17 00:00:00 2001 
From: Andrea Dell'Amico 
Date: Thu, 31 Oct 2019 12:30:27 +0100 
Subject: [PATCH] Request the certificates as root to bind port 80. Install the certificates after having obtained them, by default. 
---
 .../defaults/main.yml | 2 +-
 .../letsencrypt-acme-sh-client/tasks/main.yml | 23 +++++++++----------
 2 files changed, 12 insertions(+), 13 deletions(-) 
diff --git a/library/roles/letsencrypt-acme-sh-client/defaults/main.yml b/library/roles/letsencrypt-acme-sh-client/defaults/main.yml 
index 80b74568..2a5a2c3c 100644 
--- a/library/roles/letsencrypt-acme-sh-client/defaults/main.yml 
+++ b/library/roles/letsencrypt-acme-sh-client/defaults/main.yml 
@@ -44,7 +44,7 @@ letsencrypt_acme_certs_dir: '{{ letsencrypt_acme_sh_certificates_install_path }}
 letsencrypt_acme_services_scripts_dir: /usr/lib/acme/hooks
 letsencrypt_acme_sh_services_scripts_dir: '{{ letsencrypt_acme_services_scripts_dir }}' 
-letsencrypt_acme_sh_explicitly_install_certs: False 
+letsencrypt_acme_sh_explicitly_install_certs: True
 # ECC is better, but most old distributions fail on them
 letsencrypt_acme_sh_use_ecc: False 
diff --git a/library/roles/letsencrypt-acme-sh-client/tasks/main.yml b/library/roles/letsencrypt-acme-sh-client/tasks/main.yml 
index a65c34c9..6dd522bd 100644 
--- a/library/roles/letsencrypt-acme-sh-client/tasks/main.yml 
+++ b/library/roles/letsencrypt-acme-sh-client/tasks/main.yml 
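Review bot: The flipped default `letsencrypt_acme_sh_explicitly_install_certs: True` carries no comment explaining what it gates, unlike the neighbouring `letsencrypt_acme_sh_use_ecc`, and every consumer of the role now gets the install step on its next run. A one-line comment above it would document the new behaviour, e.g. `# Install the certificates right after acme.sh has issued them; set to False to only request them`. Whether `False` really leaves the certificates uninstalled depends on the tasks that test this variable, which are outside this hunk.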
@@ -74,25 +74,24 @@
 - name: Create the letsencrypt acme.sh configuration
 template: src=account.conf.j2 dest={{ letsencrypt_acme_sh_base_data_dir }}/data/account.conf mode=0640 
- - name: Request the certificates 
- shell: /usr/local/bin/acme-sh-request-cert 
- #args: 
- # creates: '{{ letsencrypt_acme_sh_base_data_dir }}/data/ok_certificate_issued' 
- register: acme_sh_certificate_issued 
- when: acme_sh_issue is changed 
- notify: Install the requested certificates 
- ignore_errors: True 
- - name: Remove the daily cron job that run as acme user.
 cron: name="Letsencrypt certificate renewal" day={{ letsencrypt_acme_cron_day_of_month }} hour={{ letsencrypt_acme_cron_hour }} minute={{ letsencrypt_acme_cron_minute }} job="/usr/local/bin/acme-sh-cron-script > {{ letsencrypt_acme_sh_log_dir }}/acme-cron.log 2>&1" state=absent
 tags: [ 'letsencrypt', 'letsencrypt_cron', 'letsencrypt_acme_sh' ]
 become: True
 become_user: '{{ letsencrypt_acme_sh_user }}' 
- when: letsencrypt_acme_sh_install 
+ when: letsencrypt_acme_sh_install | bool
 tags: [ 'letsencrypt', 'letsencrypt_acme_sh' ] 
-- block: 
+- block: 
+ - name: Request the certificates. As root because we must bind on port 80 
+ shell: /usr/local/bin/acme-sh-request-cert 
+ #args: 
+ # creates: '{{ letsencrypt_acme_sh_base_data_dir }}/data/ok_certificate_issued' 
+ register: acme_sh_certificate_issued 
+ when: acme_sh_issue is changed 
+ ignore_errors: True 
+
 - name: Check if the 'live' path is a symling. It is, if acmetool was installed
 stat: path={{ letsencrypt_acme_sh_certificates_install_path }}
 register: is_symlink 
@@ -112,5 +111,5 @@
 - acme_sh_certificate_issued is changed
 ignore_errors: True 
- when: letsencrypt_acme_sh_install 
+ when: letsencrypt_acme_sh_install | bool
 tags: [ 'letsencrypt', 'letsencrypt_acme_sh' ]
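Review bot: The moved task `Request the certificates. As root because we must bind on port 80` keeps `ignore_errors: True` together with `register: acme_sh_certificate_issued`, and the consumer in the third hunk (`- acme_sh_certificate_issued is changed`, inside a `when:` list that starts outside that hunk) still fires after a failed request, because a shell task that exits non-zero is normally reported as changed as well as failed. Gate the install on success by adding `- acme_sh_certificate_issued is not failed` next to the `is changed` condition, so a request that did not complete does not trigger the install step. The request runs a fixed path with no shell features, so `command: /usr/local/bin/acme-sh-request-cert` would be the narrower module than `shell:` now that the task executes as root. The old task's `notify: Install the requested certificates` was dropped; if that handler is no longer notified anywhere else it can be removed from the handlers file, which is not visible here.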