Fix the behaviour when we request the certificate via http.

2020-02-04 19:16:42 +01:00 · 2020-02-04 19:16:42 +01:00 · d019c0d8cd
parent 2da5d26ef6
commit d019c0d8cd
6 changed files with 32 additions and 4 deletions
--- a/library/roles/letsencrypt-acme-sh-client/defaults/main.yml
+++ b/library/roles/letsencrypt-acme-sh-client/defaults/main.yml
@ -9,6 +9,8 @@ letsencrypt_acme_user_home: /var/lib/acme
 letsencrypt_acme_git_dest_dir: '{{ letsencrypt_acme_user_home }}/acme_sh_dist'
 letsencrypt_acme_sh_user_home: '{{ letsencrypt_acme_user_home }}'
 letsencrypt_acme_sh_base_data_dir: '{{ letsencrypt_acme_sh_user_home }}/acme_data'
+letsencrypt_acme_sh_certs_data_prefix: '{{ ansible_fqdn }}'
+letsencrypt_acme_sh_certs_data_path: '{{ letsencrypt_acme_sh_base_data_dir }}/certs/{{ letsencrypt_acme_sh_certs_data_prefix }}'
 letsencrypt_acme_sh_certificates_install_dir: '{{ ansible_fqdn }}'
 letsencrypt_acme_sh_certificates_install_base_path: '{{ letsencrypt_acme_sh_user_home }}/live'
 letsencrypt_acme_sh_certificates_install_path: '{{ letsencrypt_acme_sh_certificates_install_base_path }}/{{ letsencrypt_acme_sh_certificates_install_dir }}'
--- a/library/roles/letsencrypt-acme-sh-client/files/acme-sh-cron-script
+++ b/library/roles/letsencrypt-acme-sh-client/files/acme-sh-cron-script
@ -13,7 +13,12 @@ else
 fi

 chown -R acme:acme "$ACME_SH_HOME"
-sudo -u acme -s /bin/bash /usr/local/bin/acme-sh-cron-command
+if [ "$ACME_SH_HTTP_BIND_PORT" -eq 80 ] && [ "$ACME_SH_USE_DNS_PROVIDER" == "False" ] ; then
+    /usr/local/bin/acme-sh-cron-command
+    chown -R acme:acme "$ACME_SH_HOME"
+else
+    sudo -u acme -s /bin/bash /usr/local/bin/acme-sh-cron-command
+fi

 if [ "$ACME_SH_INSTALL_CERTS" == "True" ] ; then
    $ACME_SH_BIN $ACME_SH_INSTALL_CERT_REQUEST > "$ACME_SH_INSTALL_LOG_FILE" 2>&1
--- a/library/roles/letsencrypt-acme-sh-client/files/acme-sh-request-cert
+++ b/library/roles/letsencrypt-acme-sh-client/files/acme-sh-request-cert
@ -17,7 +17,7 @@ else
 fi
 RETVAL=

-if [ ! -f "$ACME_SH_CONFIG_HOME/ok_certificate_issued" ] ; then
+if [ ! -f "$ACME_SH_CONFIG_HOME/ok_certificate_issued" ] && [ "$ACME_SH_USE_DNS_PROVIDER" == "False" ] ; then
    # First request. Try to shut down all the services running on port 80
    if [ -x /bin/systemctl ] ; then
        /bin/systemctl stop nginx >/dev/null 2>&1
@ -30,6 +30,15 @@ if [ ! -f "$ACME_SH_CONFIG_HOME/ok_certificate_issued" ] ; then
    fi
    $ACME_SH_BIN $ACME_SH_FIRST_CERT_REQUEST > "$ACME_SH_ISSUE_LOG_FILE" 2>&1
    RETVAL=$?
+    if [ -x /bin/systemctl ] ; then
+        /bin/systemctl start nginx >/dev/null 2>&1
+        /bin/systemctl start apache2 >/dev/null 2>&1
+        /bin/systemctl start httpd >/dev/null 2>&1
+    else
+        service nginx start
+        service apache2 start
+        service httpd start
+    fi
 else
    $ACME_SH_BIN $ACME_SH_ISSUE_CERT_REQUEST > "$ACME_SH_ISSUE_LOG_FILE" 2>&1
    RETVAL=$?
--- a/library/roles/letsencrypt-acme-sh-client/tasks/main.yml
+++ b/library/roles/letsencrypt-acme-sh-client/tasks/main.yml
@ -114,10 +114,20 @@
  - name: Install the certificates
    shell: /usr/local/bin/acme-sh-install-certs
    when:
-      - letsencrypt_acme_sh_explicitly_install_certs
+      - letsencrypt_acme_sh_explicitly_install_certs | bool
      - acme_sh_certificate_issued is defined
      - acme_sh_certificate_issued is changed
    ignore_errors: True

+  - name: Fix the http port in the configuration. Needed when we renew using the http protocol and we are behind a web server
+    lineinfile:
+        path: '{{ letsencrypt_acme_sh_certs_data_path }}/{{ letsencrypt_acme_sh_certs_data_prefix }}.conf'
+        create: no
+        state: present
+        regexp: "^Le_HTTPPort="
+        line: "Le_HTTPPort='{{ letsencrypt_acme_standalone_port }}'"
+    when: not letsencrypt_acme_sh_use_dns_provider | bool
+    tags: [ 'letsencrypt', 'letsencrypt_acme_sh', 'letsencrypt_acme_sh_http_port' ]
+
  when: letsencrypt_acme_sh_install | bool
  tags: [ 'letsencrypt', 'letsencrypt_acme_sh' ]
--- a/library/roles/letsencrypt-acme-sh-client/templates/account.conf.j2
+++ b/library/roles/letsencrypt-acme-sh-client/templates/account.conf.j2
@ -1,5 +1,5 @@
 {% if letsencrypt_acme_sh_log_enabled %}
-LOG_FILE="{{ letsencrypt_acme_sh_base_data_dir }}/logs"
+LOG_FILE="{{ letsencrypt_acme_sh_base_data_dir }}/logs/cert_request.log"
 LOG_LEVEL=1
 {% endif %}

--- a/library/roles/letsencrypt-acme-sh-client/templates/acme_sh_request_env.j2
+++ b/library/roles/letsencrypt-acme-sh-client/templates/acme_sh_request_env.j2
@ -11,6 +11,8 @@ ACME_SH_CRON_LOG_FILE={{ letsencrypt_acme_sh_base_data_dir }}/logs/cron.log
 ACME_SH_INSTALL_LOG_FILE={{ letsencrypt_acme_sh_log_dir }}/cert_install.log
 ACME_SH_GIT_DIST_DIR={{ letsencrypt_acme_git_dest_dir }}
 ACME_LETSENCRYPT_HOOKS_DIR={{ letsencrypt_acme_services_scripts_dir }}
+ACME_SH_HTTP_BIND_PORT={{ letsencrypt_acme_standalone_port }}
+ACME_SH_USE_DNS_PROVIDER="{{ letsencrypt_acme_sh_use_dns_provider }}"

 ACME_SH_INSTALL_CERTS={{ letsencrypt_acme_sh_explicitly_install_certs }}