From d019c0d8cd9c398a8dcf4a24c5f0b99092e862ba Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Tue, 4 Feb 2020 19:16:42 +0100
Subject: [PATCH] Fix the behaviour when we request the certificate via http.

---
 .../letsencrypt-acme-sh-client/defaults/main.yml | 2 ++
 .../files/acme-sh-cron-script | 7 ++++++-
 .../files/acme-sh-request-cert | 11 ++++++++++-
 .../roles/letsencrypt-acme-sh-client/tasks/main.yml | 12 +++++++++++-
 .../templates/account.conf.j2 | 2 +-
 .../templates/acme_sh_request_env.j2 | 2 ++
 6 files changed, 32 insertions(+), 4 deletions(-)

diff --git a/library/roles/letsencrypt-acme-sh-client/defaults/main.yml b/library/roles/letsencrypt-acme-sh-client/defaults/main.yml
index 2a5a2c3c..94dc828f 100644
--- a/library/roles/letsencrypt-acme-sh-client/defaults/main.yml
+++ b/library/roles/letsencrypt-acme-sh-client/defaults/main.yml
@@ -9,6 +9,8 @@ letsencrypt_acme_user_home: /var/lib/acme
 letsencrypt_acme_git_dest_dir: '{{ letsencrypt_acme_user_home }}/acme_sh_dist'
 letsencrypt_acme_sh_user_home: '{{ letsencrypt_acme_user_home }}'
 letsencrypt_acme_sh_base_data_dir: '{{ letsencrypt_acme_sh_user_home }}/acme_data'
+letsencrypt_acme_sh_certs_data_prefix: '{{ ansible_fqdn }}'
+letsencrypt_acme_sh_certs_data_path: '{{ letsencrypt_acme_sh_base_data_dir }}/certs/{{ letsencrypt_acme_sh_certs_data_prefix }}'
 letsencrypt_acme_sh_certificates_install_dir: '{{ ansible_fqdn }}'
 letsencrypt_acme_sh_certificates_install_base_path: '{{ letsencrypt_acme_sh_user_home }}/live'
 letsencrypt_acme_sh_certificates_install_path: '{{ letsencrypt_acme_sh_certificates_install_base_path }}/{{ letsencrypt_acme_sh_certificates_install_dir }}'
diff --git a/library/roles/letsencrypt-acme-sh-client/files/acme-sh-cron-script b/library/roles/letsencrypt-acme-sh-client/files/acme-sh-cron-script
index 4af87ef8..d96d2be5 100644
--- a/library/roles/letsencrypt-acme-sh-client/files/acme-sh-cron-script
+++ b/library/roles/letsencrypt-acme-sh-client/files/acme-sh-cron-script
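Review bot: `letsencrypt_acme_sh_certs_data_prefix` defaults to `{{ ansible_fqdn }}`, but the path built from it is later edited by the tasks/main.yml hunk with `create: no`; as far as I recall acme.sh keys its per-certificate data directory and `.conf` on the certificate's main domain, so this default only resolves when the requested domain equals the host FQDN and otherwise the later task fails on a missing file. A comment on the new default such as `# Must equal the certificate's main domain: acme.sh stores its data as certs/<domain>/<domain>.conf` would make that contract explicit, and deriving the default from whichever role variable carries the requested domain (not visible in this diff) would be more robust than the FQDN.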
@@ -13,7 +13,12 @@ else
 fi
 chown -R acme:acme "$ACME_SH_HOME"
-sudo -u acme -s /bin/bash /usr/local/bin/acme-sh-cron-command
+if [ "$ACME_SH_HTTP_BIND_PORT" -eq 80 ] && [ "$ACME_SH_USE_DNS_PROVIDER" == "False" ] ; then
+ /usr/local/bin/acme-sh-cron-command
+ chown -R acme:acme "$ACME_SH_HOME"
+else
+ sudo -u acme -s /bin/bash /usr/local/bin/acme-sh-cron-command
+fi
 if [ "$ACME_SH_INSTALL_CERTS" == "True" ] ; then
 $ACME_SH_BIN $ACME_SH_INSTALL_CERT_REQUEST > "$ACME_SH_INSTALL_LOG_FILE" 2>&1
diff --git a/library/roles/letsencrypt-acme-sh-client/files/acme-sh-request-cert b/library/roles/letsencrypt-acme-sh-client/files/acme-sh-request-cert
index 70fed230..07716fe7 100644
--- a/library/roles/letsencrypt-acme-sh-client/files/acme-sh-request-cert
+++ b/library/roles/letsencrypt-acme-sh-client/files/acme-sh-request-cert
@@ -17,7 +17,7 @@ else
 fi
 RETVAL=
-if [ ! -f "$ACME_SH_CONFIG_HOME/ok_certificate_issued" ] ; then
+if [ ! -f "$ACME_SH_CONFIG_HOME/ok_certificate_issued" ] && [ "$ACME_SH_USE_DNS_PROVIDER" == "False" ] ; then
 # First request. Try to shut down all the services running on port 80
 if [ -x /bin/systemctl ] ; then
 /bin/systemctl stop nginx >/dev/null 2>&1
@@ -30,6 +30,15 @@ if [ ! -f "$ACME_SH_CONFIG_HOME/ok_certificate_issued" ] ; then
 fi
 $ACME_SH_BIN $ACME_SH_FIRST_CERT_REQUEST > "$ACME_SH_ISSUE_LOG_FILE" 2>&1
 RETVAL=$?
+ if [ -x /bin/systemctl ] ; then
+ /bin/systemctl start nginx >/dev/null 2>&1
+ /bin/systemctl start apache2 >/dev/null 2>&1
+ /bin/systemctl start httpd >/dev/null 2>&1
+ else
+ service nginx start
+ service apache2 start
+ service httpd start
+ fi
 else
 $ACME_SH_BIN $ACME_SH_ISSUE_CERT_REQUEST > "$ACME_SH_ISSUE_LOG_FILE" 2>&1
 RETVAL=$?
diff --git a/library/roles/letsencrypt-acme-sh-client/tasks/main.yml b/library/roles/letsencrypt-acme-sh-client/tasks/main.yml
index ce607e1b..44ecb315 100644
--- a/library/roles/letsencrypt-acme-sh-client/tasks/main.yml
+++ b/library/roles/letsencrypt-acme-sh-client/tasks/main.yml
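Review bot: The first branch of the new `if` runs `/usr/local/bin/acme-sh-cron-command` as root whenever the bind port is 80 and no DNS provider is used, so the whole renewal (ACME network exchange, hooks, everything written under `$ACME_SH_HOME`) loses the unprivileged `acme` account that the `else` branch keeps, and the following `chown -R` only repairs ownership after the fact. If root is needed solely to bind port 80, granting that one capability to the listener, or keeping the standalone port above 1024 behind the web server as the tasks/main.yml hunk already configures, would preserve `sudo -u acme` on both paths; the listener binary is not visible here, so which fits is for the author to judge. `[ "$ACME_SH_HTTP_BIND_PORT" -eq 80 ]` also prints `integer expression expected` and falls through to the `else` branch when the variable is empty; `[ "${ACME_SH_HTTP_BIND_PORT:-0}" -eq 80 ]` keeps that quiet. The `== "False"` test (repeated in the first acme-sh-request-cert hunk) matches only the Python repr that the Jinja template emits for a real boolean, so a value supplied as the string `no` or `false` silently selects the other branch; normalising it, e.g. `case "$ACME_SH_USE_DNS_PROVIDER" in [Ff]alse|[Nn]o|0) ...;; esac`, would be safer.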
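Review bot: With `&& [ "$ACME_SH_USE_DNS_PROVIDER" == "False" ]` added to the marker test, a first-ever issuance through a DNS provider now takes the `else` branch and runs `$ACME_SH_ISSUE_CERT_REQUEST`, a command that before this change was reached only once `ok_certificate_issued` existed; if that variable carries the renewal form of the request rather than an initial issue (it is set in the env template, which this diff does not show), the first DNS run will not do what `$ACME_SH_FIRST_CERT_REQUEST` does. If the intent is only to skip the port-80 service shutdown for DNS validation, keep the outer test as it was and wrap just the stop block, `if [ "$ACME_SH_USE_DNS_PROVIDER" == "False" ] ; then` … `fi` around the systemctl/service stops. The body of this `if` continues into the next hunk.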
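Review bot: The restart block added after `RETVAL=$?` starts nginx, apache2 and httpd unconditionally, so a web server that was deliberately stopped or disabled before the run is brought up by the certificate request, and unlike the systemctl calls the three `service … start` fallbacks are not redirected, so their output ends up in the cron mail instead of `$ACME_SH_ISSUE_LOG_FILE`. Recording which units were active before the stop block (previous hunk) and restarting only those would remove the side effect; at minimum append `>/dev/null 2>&1` to the three `service` lines to match the branch above. Restarting regardless of `RETVAL` is the right choice since the stop has already happened; a comment such as `# Restore the web servers stopped for the port-80 challenge, whether or not the request succeeded` would make that intent explicit. The enclosing `if`/`else` starts in the previous hunk.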
@@ -114,10 +114,20 @@
 - name: Install the certificates
 shell: /usr/local/bin/acme-sh-install-certs
 when:
- letsencrypt_acme_sh_explicitly_install_certs
+ - letsencrypt_acme_sh_explicitly_install_certs | bool
 - acme_sh_certificate_issued is defined
 - acme_sh_certificate_issued is changed
 ignore_errors: True
 
+ - name: Fix the http port in the configuration. Needed when we renew using the http protocol and we are behind a web server
+ lineinfile:
+ path: '{{ letsencrypt_acme_sh_certs_data_path }}/{{ letsencrypt_acme_sh_certs_data_prefix }}.conf'
+ create: no
+ state: present
+ regexp: "^Le_HTTPPort="
+ line: "Le_HTTPPort='{{ letsencrypt_acme_standalone_port }}'"
+ when: not letsencrypt_acme_sh_use_dns_provider | bool
+ tags: [ 'letsencrypt', 'letsencrypt_acme_sh', 'letsencrypt_acme_sh_http_port' ]
+
 when: letsencrypt_acme_sh_install | bool
 tags: [ 'letsencrypt', 'letsencrypt_acme_sh' ]
diff --git a/library/roles/letsencrypt-acme-sh-client/templates/account.conf.j2 b/library/roles/letsencrypt-acme-sh-client/templates/account.conf.j2
index 3573d973..7e455e86 100644
--- a/library/roles/letsencrypt-acme-sh-client/templates/account.conf.j2
+++ b/library/roles/letsencrypt-acme-sh-client/templates/account.conf.j2
@@ -1,5 +1,5 @@
 {% if letsencrypt_acme_sh_log_enabled %}
-LOG_FILE="{{ letsencrypt_acme_sh_base_data_dir }}/logs"
+LOG_FILE="{{ letsencrypt_acme_sh_base_data_dir }}/logs/cert_request.log"
 LOG_LEVEL=1
 {% endif %}
diff --git a/library/roles/letsencrypt-acme-sh-client/templates/acme_sh_request_env.j2 b/library/roles/letsencrypt-acme-sh-client/templates/acme_sh_request_env.j2
index 0a95e3e2..89866187 100644
--- a/library/roles/letsencrypt-acme-sh-client/templates/acme_sh_request_env.j2
+++ b/library/roles/letsencrypt-acme-sh-client/templates/acme_sh_request_env.j2
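Review bot: The new lineinfile task sets `create: no`, so it fails the play whenever `{{ letsencrypt_acme_sh_certs_data_prefix }}.conf` does not exist — for instance when the issue task earlier in the block (outside this hunk) failed, or when the prefix does not match the domain acme.sh actually used — and unlike the install task just above it carries no `acme_sh_certificate_issued is defined` guard. Gating it on the same registered result, i.e. adding `- acme_sh_certificate_issued is defined` to its `when`, or preceding it with a `stat` and conditioning on `.stat.exists`, would turn that hard failure into a skip. Minor: `create: no` is a YAML 1.1 boolean; `create: false` reads consistently with the `| bool` filters introduced in this same hunk. The enclosing `block` starts before this hunk.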
@@ -11,6 +11,8 @@ ACME_SH_CRON_LOG_FILE={{ letsencrypt_acme_sh_base_data_dir }}/logs/cron.log
 ACME_SH_INSTALL_LOG_FILE={{ letsencrypt_acme_sh_log_dir }}/cert_install.log
 ACME_SH_GIT_DIST_DIR={{ letsencrypt_acme_git_dest_dir }}
 ACME_LETSENCRYPT_HOOKS_DIR={{ letsencrypt_acme_services_scripts_dir }}
+ACME_SH_HTTP_BIND_PORT={{ letsencrypt_acme_standalone_port }}
+ACME_SH_USE_DNS_PROVIDER="{{ letsencrypt_acme_sh_use_dns_provider }}"
 ACME_SH_INSTALL_CERTS={{ letsencrypt_acme_sh_explicitly_install_certs }}