From 9b4f3d3d46287ec4cdb8ae1e48f187b9783fcb4c Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Wed, 20 Nov 2019 13:24:45 +0100
Subject: [PATCH] Remove duplicates from the acme.sh env. Add tags that permit to install the scripts without executing them.

---
 .../roles/letsencrypt-acme-sh-client/tasks/main.yml | 10 +++++++---
 .../templates/acme_sh_request_env.j2 | 12 ++++++------
 2 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/library/roles/letsencrypt-acme-sh-client/tasks/main.yml b/library/roles/letsencrypt-acme-sh-client/tasks/main.yml
index 8ee84a9e..ce607e1b 100644
--- a/library/roles/letsencrypt-acme-sh-client/tasks/main.yml
+++ b/library/roles/letsencrypt-acme-sh-client/tasks/main.yml
@@ -31,15 +31,19 @@
     - name: Install the acme.sh environment variables file
       template: src=acme_sh_request_env.j2 dest=/etc/default/acme_sh_request_env owner=root group=root mode=0444
       register: acme_sh_issue
+      tags: [ 'letsencrypt', 'letsencrypt_cron', 'letsencrypt_acme_sh', 'letsencrypt_acme_sh_env' ]
 
     - name: Install the script that initializes the acme.sh environment
       copy: src=acme-sh-install dest=/usr/local/bin/acme-sh-install owner=root group=acme mode=0750
+      tags: [ 'letsencrypt', 'letsencrypt_cron', 'letsencrypt_acme_sh', 'letsencrypt_acme_sh_scripts' ]
 
     - name: Install a script that issues the certificates
       copy: src=acme-sh-request-cert dest=/usr/local/bin/acme-sh-request-cert owner=root group=acme mode=0750
+      tags: [ 'letsencrypt', 'letsencrypt_cron', 'letsencrypt_acme_sh', 'letsencrypt_acme_sh_scripts' ]
 
     - name: Install a script that installs the issued certificates
       copy: src=acme-sh-install-certs dest=/usr/local/bin/acme-sh-install-certs owner=root group=acme mode=0750
+      tags: [ 'letsencrypt', 'letsencrypt_cron', 'letsencrypt_acme_sh', 'letsencrypt_acme_sh_scripts' ]
 
     - name: Install the script that will run the services hooks when a certificate is installed
       template: src=acme-services-hook.j2 dest=/usr/local/bin/acme-services-hook owner=root group=acme mode=0750
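Review bot: Each new `tags:` line repeats `'letsencrypt'` and `'letsencrypt_acme_sh'`, which what looks like the enclosing block's own `tags:` (visible at the end of the next hunk) already carries and which Ansible inherits down to every task in the block, so only `'letsencrypt_cron'` and the new `letsencrypt_acme_sh_env` / `letsencrypt_acme_sh_scripts` tags add anything; `tags: [ 'letsencrypt_cron', 'letsencrypt_acme_sh_env' ]` should give the same selection behaviour with less to keep in sync. The split between the `_env` and `_scripts` tags is the point of the commit but is not documented in the file; a comment above the first task such as `# 'letsencrypt_acme_sh_env' / 'letsencrypt_acme_sh_scripts': deploy the env file and the helper scripts without issuing any certificate` would explain it. The environment file stays `mode=0444`; what is visible of the template holds only acme.sh command options, but if it is ever extended to carry DNS API credentials the world-readable mode exposes them, so `group=acme mode=0440` like the scripts would be the safer default. The enclosing block starts before this hunk.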
@@ -49,13 +53,13 @@
       with_items:
         - acme-sh-cron-script
         - acme-sh-cron-command
-      tags: [ 'letsencrypt', 'letsencrypt_cron', 'letsencrypt_acme_sh' ]
+      tags: [ 'letsencrypt', 'letsencrypt_cron', 'letsencrypt_acme_sh', 'letsencrypt_acme_sh_scripts' ]
 
     - name: Install a daily cron job to renew the certificates when needed. It runs as root
       cron: name="Letsencrypt certificate renewal" day={{ letsencrypt_acme_cron_day_of_month }} hour={{ letsencrypt_acme_cron_hour }} minute={{ letsencrypt_acme_cron_minute }} job="/usr/local/bin/acme-sh-cron-script > {{ letsencrypt_acme_sh_log_dir }}/acme-cron.log 2>&1"
-      tags: [ 'letsencrypt', 'letsencrypt_cron', 'letsencrypt_acme_sh' ]
+      tags: [ 'letsencrypt', 'letsencrypt_cron', 'letsencrypt_acme_sh', 'letsencrypt_acme_sh_scripts' ]
 
-  when: letsencrypt_acme_sh_install
+  when: letsencrypt_acme_sh_install | bool
   tags: [ 'letsencrypt', 'letsencrypt_acme_sh' ]
 
 - block:
diff --git a/library/roles/letsencrypt-acme-sh-client/templates/acme_sh_request_env.j2 b/library/roles/letsencrypt-acme-sh-client/templates/acme_sh_request_env.j2
index bdeb0c13..2f30aa13 100644
--- a/library/roles/letsencrypt-acme-sh-client/templates/acme_sh_request_env.j2
+++ b/library/roles/letsencrypt-acme-sh-client/templates/acme_sh_request_env.j2
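Review bot: Adding `letsencrypt_acme_sh_scripts` to the "Install a daily cron job" task means a run limited to that tag — the "install without executing" case the commit message describes — also installs the root cron entry that runs `/usr/local/bin/acme-sh-cron-script` daily, so the scripts are not run immediately but they are scheduled to run as root. If a scripts-only run is meant to be a pure install, keep that task on `tags: [ 'letsencrypt', 'letsencrypt_cron', 'letsencrypt_acme_sh' ]` as before and let `letsencrypt_cron` remain the tag that enables execution. The `| bool` on the block-level `when:` is the right fix for inventory values that arrive as strings; it is worth applying the same filter wherever `letsencrypt_acme_sh_install` or similar flags are tested elsewhere in the role, which is outside this hunk. The block that this `when:` closes starts before the hunk.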
@@ -26,15 +26,15 @@ ACME_SH_INSTALL_OPTS="$ACME_SH_INSTALL_OPTS --home {{ letsencrypt_acme_sh_user_h
 #
 # Certificate issue options
 #
-ACME_SH_ISSUE_CERT_REQUEST="--issue -k {% if letsencrypt_acme_sh_use_ecc %}{{ letsencrypt_acme_sh_ecc_key_lenght }}{% else %}{{ letsencrypt_acme_sh_rsa_key_lenght }}{% endif %} --log {{ letsencrypt_acme_sh_base_data_dir }}/logs/acme.sh.log"
+ACME_SH_ISSUE_CERT_REQUEST_OPTIONS="--issue -k {% if letsencrypt_acme_sh_use_ecc %}{{ letsencrypt_acme_sh_ecc_key_lenght }}{% else %}{{ letsencrypt_acme_sh_rsa_key_lenght }}{% endif %} --log {{ letsencrypt_acme_sh_base_data_dir }}/logs/acme.sh.log"
 {% if letsencrypt_acme_sh_ocsp_must_staple %}
-ACME_SH_ISSUE_CERT_REQUEST="$ACME_SH_ISSUE_CERT_REQUEST --ocsp"
+ACME_SH_ISSUE_CERT_REQUEST="$ACME_SH_ISSUE_CERT_REQUEST_OPTIONS --ocsp"
 {% endif %}
 {% if letsencrypt_acme_sh_use_syslog %}
-ACME_SH_ISSUE_CERT_REQUEST="$ACME_SH_ISSUE_CERT_REQUEST --syslog {{ letsencrypt_acme_sh_syslog_level }}"
+ACME_SH_ISSUE_CERT_REQUEST="$ACME_SH_ISSUE_CERT_REQUEST_OPTIONS --syslog {{ letsencrypt_acme_sh_syslog_level }}"
 {% endif %}
 {% if letsencrypt_acme_sh_test_request %}
-ACME_SH_ISSUE_CERT_REQUEST="$ACME_SH_ISSUE_CERT_REQUEST --test"
+ACME_SH_ISSUE_CERT_REQUEST="$ACME_SH_ISSUE_CERT_REQUEST_OPTIONS --test"
 {% endif %}
 
 ACME_SH_ISSUE_CERT_DOMAINS="{% for dom in letsencrypt_acme_sh_domains %} -d {{ dom.domain }} {% if dom.dns_provider is defined %} --dns {{ dom.dns_provider }} {% if dom.dns_alias_challenge is defined %} --challenge-alias {{ dom.dns_alias_challenge }} {% endif %} {% endif %} {% if dom.standalone is defined %} --standalone --httpport {{ letsencrypt_acme_standalone_port }} {% endif %} {% endfor %}"
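Review bot: The three conditional assignments inside the `{% if %}` blocks now build `ACME_SH_ISSUE_CERT_REQUEST` from `ACME_SH_ISSUE_CERT_REQUEST_OPTIONS`, but `_OPTIONS` itself is never extended, so each branch overwrites the previous one and the two final assignments in the next hunk rebuild `ACME_SH_ISSUE_CERT_REQUEST` and `ACME_SH_FIRST_CERT_REQUEST` from `_OPTIONS` alone — `--ocsp`, `--syslog` and `--test` never reach the command line that is actually run. The old side accumulated them; on the new side they are dead, which means a run configured with `letsencrypt_acme_sh_test_request` goes to the production CA (and its rate limits) instead of the test endpoint, and OCSP must-staple is silently not requested. The fix is to append to the options variable in all three branches: `ACME_SH_ISSUE_CERT_REQUEST_OPTIONS="$ACME_SH_ISSUE_CERT_REQUEST_OPTIONS --ocsp"`, `ACME_SH_ISSUE_CERT_REQUEST_OPTIONS="$ACME_SH_ISSUE_CERT_REQUEST_OPTIONS --syslog {{ letsencrypt_acme_sh_syslog_level }}"`, `ACME_SH_ISSUE_CERT_REQUEST_OPTIONS="$ACME_SH_ISSUE_CERT_REQUEST_OPTIONS --test"`. With that change the two assignments in the next hunk are correct as written.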
@@ -42,10 +42,10 @@ ACME_SH_ISSUE_CERT_DOMAINS="{% for dom in letsencrypt_acme_sh_domains %} -d {{ d
 ACME_SH_FIRST_REQUEST_CERT_DOMAINS="{% for dom in letsencrypt_acme_sh_domains %} -d {{ dom.domain }} {% if dom.dns_provider is defined %} --dns {{ dom.dns_provider }} {% if dom.dns_alias_challenge is defined %} --challenge-alias {{ dom.dns_alias_challenge }} {% endif %} {% endif %} {% if dom.standalone is defined %} --standalone --httpport 80 {% endif %} {% endfor %}"
 
 # The complete command line to issue a certificate
-ACME_SH_ISSUE_CERT_REQUEST="$ACME_SH_ISSUE_CERT_REQUEST $ACME_SH_ISSUE_CERT_DOMAINS"
+ACME_SH_ISSUE_CERT_REQUEST="$ACME_SH_ISSUE_CERT_REQUEST_OPTIONS $ACME_SH_ISSUE_CERT_DOMAINS"
 
 # The complete command line to issue a certificate. The first time we have to use port 80 when not using the dns protocol
-ACME_SH_FIRST_CERT_REQUEST="$ACME_SH_ISSUE_CERT_REQUEST $ACME_SH_FIRST_REQUEST_CERT_DOMAINS"
+ACME_SH_FIRST_CERT_REQUEST="$ACME_SH_ISSUE_CERT_REQUEST_OPTIONS $ACME_SH_FIRST_REQUEST_CERT_DOMAINS"
 
 #
 # Certificate install options