Fix the behaviour when we request the certificate via http.

This commit is contained in:
Andrea Dell'Amico 2020-02-04 19:16:42 +01:00
parent 2da5d26ef6
commit d019c0d8cd
6 changed files with 32 additions and 4 deletions

View File

@ -9,6 +9,8 @@ letsencrypt_acme_user_home: /var/lib/acme
letsencrypt_acme_git_dest_dir: '{{ letsencrypt_acme_user_home }}/acme_sh_dist'
letsencrypt_acme_sh_user_home: '{{ letsencrypt_acme_user_home }}'
letsencrypt_acme_sh_base_data_dir: '{{ letsencrypt_acme_sh_user_home }}/acme_data'
letsencrypt_acme_sh_certs_data_prefix: '{{ ansible_fqdn }}'
letsencrypt_acme_sh_certs_data_path: '{{ letsencrypt_acme_sh_base_data_dir }}/certs/{{ letsencrypt_acme_sh_certs_data_prefix }}'
letsencrypt_acme_sh_certificates_install_dir: '{{ ansible_fqdn }}'
letsencrypt_acme_sh_certificates_install_base_path: '{{ letsencrypt_acme_sh_user_home }}/live'
letsencrypt_acme_sh_certificates_install_path: '{{ letsencrypt_acme_sh_certificates_install_base_path }}/{{ letsencrypt_acme_sh_certificates_install_dir }}'

View File

@ -13,7 +13,12 @@ else
fi
chown -R acme:acme "$ACME_SH_HOME"
if [ "$ACME_SH_HTTP_BIND_PORT" -eq 80 ] && [ "$ACME_SH_USE_DNS_PROVIDER" == "False" ] ; then
/usr/local/bin/acme-sh-cron-command
chown -R acme:acme "$ACME_SH_HOME"
else
sudo -u acme -s /bin/bash /usr/local/bin/acme-sh-cron-command
fi
if [ "$ACME_SH_INSTALL_CERTS" == "True" ] ; then
$ACME_SH_BIN $ACME_SH_INSTALL_CERT_REQUEST > "$ACME_SH_INSTALL_LOG_FILE" 2>&1

View File

@ -17,7 +17,7 @@ else
fi
RETVAL=
if [ ! -f "$ACME_SH_CONFIG_HOME/ok_certificate_issued" ] ; then
if [ ! -f "$ACME_SH_CONFIG_HOME/ok_certificate_issued" ] && [ "$ACME_SH_USE_DNS_PROVIDER" == "False" ] ; then
# First request. Try to shut down all the services running on port 80
if [ -x /bin/systemctl ] ; then
/bin/systemctl stop nginx >/dev/null 2>&1
@ -30,6 +30,15 @@ if [ ! -f "$ACME_SH_CONFIG_HOME/ok_certificate_issued" ] ; then
fi
$ACME_SH_BIN $ACME_SH_FIRST_CERT_REQUEST > "$ACME_SH_ISSUE_LOG_FILE" 2>&1
RETVAL=$?
if [ -x /bin/systemctl ] ; then
/bin/systemctl start nginx >/dev/null 2>&1
/bin/systemctl start apache2 >/dev/null 2>&1
/bin/systemctl start httpd >/dev/null 2>&1
else
service nginx start
service apache2 start
service httpd start
fi
else
$ACME_SH_BIN $ACME_SH_ISSUE_CERT_REQUEST > "$ACME_SH_ISSUE_LOG_FILE" 2>&1
RETVAL=$?

View File

@ -114,10 +114,20 @@
- name: Install the certificates
shell: /usr/local/bin/acme-sh-install-certs
when:
- letsencrypt_acme_sh_explicitly_install_certs
- letsencrypt_acme_sh_explicitly_install_certs | bool
- acme_sh_certificate_issued is defined
- acme_sh_certificate_issued is changed
ignore_errors: True
- name: Fix the http port in the configuration. Needed when we renew using the http protocol and we are behind a web server
lineinfile:
path: '{{ letsencrypt_acme_sh_certs_data_path }}/{{ letsencrypt_acme_sh_certs_data_prefix }}.conf'
create: no
state: present
regexp: "^Le_HTTPPort="
line: "Le_HTTPPort='{{ letsencrypt_acme_standalone_port }}'"
when: not letsencrypt_acme_sh_use_dns_provider | bool
tags: [ 'letsencrypt', 'letsencrypt_acme_sh', 'letsencrypt_acme_sh_http_port' ]
when: letsencrypt_acme_sh_install | bool
tags: [ 'letsencrypt', 'letsencrypt_acme_sh' ]

View File

@ -1,5 +1,5 @@
{% if letsencrypt_acme_sh_log_enabled %}
LOG_FILE="{{ letsencrypt_acme_sh_base_data_dir }}/logs"
LOG_FILE="{{ letsencrypt_acme_sh_base_data_dir }}/logs/cert_request.log"
LOG_LEVEL=1
{% endif %}

View File

@ -11,6 +11,8 @@ ACME_SH_CRON_LOG_FILE={{ letsencrypt_acme_sh_base_data_dir }}/logs/cron.log
ACME_SH_INSTALL_LOG_FILE={{ letsencrypt_acme_sh_log_dir }}/cert_install.log
ACME_SH_GIT_DIST_DIR={{ letsencrypt_acme_git_dest_dir }}
ACME_LETSENCRYPT_HOOKS_DIR={{ letsencrypt_acme_services_scripts_dir }}
ACME_SH_HTTP_BIND_PORT={{ letsencrypt_acme_standalone_port }}
ACME_SH_USE_DNS_PROVIDER="{{ letsencrypt_acme_sh_use_dns_provider }}"
ACME_SH_INSTALL_CERTS={{ letsencrypt_acme_sh_explicitly_install_certs }}