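- name: "Create required directories in /etc/letsencrypt"
  # Layout used by the rest of this task list:
  #   account/  ACME account key        keys/   site private keys
  #   csrs/     certificate requests    certs/  issued certificates and chains
  # Directories holding private key material are 0700.  The previous
  # u=rwx,g=x,o=x (0711) let any local user traverse into keys/ and
  # account/, so a key file created with a permissive umask was readable
  # by everyone on the host.  certs/ and csrs/ stay traversable (0711):
  # nothing in them is secret and other services may need the certificates.
  # Modes are quoted strings so YAML never reinterprets them as integers.
  file:
    path: "/etc/letsencrypt/{{ item.name }}"
    state: directory
    owner: root
    group: root
    mode: "{{ item.mode }}"
  with_items:
    - { name: account, mode: "0700" }
    - { name: keys, mode: "0700" }
    - { name: certs, mode: "0711" }
    - { name: csrs, mode: "0711" }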
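- name: "Generate a Let's Encrypt account key"
  # The account key identifies this host to the CA and must stay private.
  # Piping `openssl genrsa` through `tee` (the previous form) created the
  # file with the default umask (typically 0644) and echoed the whole key
  # into the task's captured stdout, i.e. into Ansible logs.  `umask 077`
  # makes openssl create the file as 0600 and `-out` keeps the key off
  # stdout.  `creates` alone provides idempotence (the old inline
  # `[ ! -f ... ]` test was redundant with it) so an existing account key
  # is never overwritten; `become` replaces the in-command `sudo`.
  become: true
  shell: >-
    umask 077 &&
    openssl genrsa -out {{ letsencrypt_account_key | quote }} 4096
  args:
    creates: "{{ letsencrypt_account_key }}"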
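- name: "Generate Let's Encrypt private key"
  # A fresh 4096-bit RSA key is generated on every run (no `creates`
  # guard), consistent with the forced issuance below.  Because the key is
  # replaced before the new certificate exists, the CSR and certificate
  # tasks that follow must all succeed in the same run or the key on disk
  # will no longer match the certificate Apache serves.
  # `umask 077` + `-out` keep the key 0600 and out of the task result
  # (the old `| sudo tee` form left it world-readable and logged it);
  # site_url is shell-quoted because it is interpolated into a command.
  # The key path is hard-coded here and in the CSR task; keep them in sync.
  become: true
  shell: >-
    umask 077 &&
    openssl genrsa -out /etc/letsencrypt/keys/{{ site_url | quote }}.key 4096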
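- name: "Generate Let's Encrypt CSR"
  # Builds a CSR for site_url with a matching subjectAltName entry (the
  # SAN, not the CN, is what clients and the CA validate).  The [SAN]
  # section is appended to a copy of the system openssl.cnf with bash
  # process substitution, hence `executable: /bin/bash`.
  # Every interpolated value is shell-quoted, and site_url is passed to
  # printf as a %s argument rather than spliced into the format string.
  # The CSR is written to the same letsencrypt_csrs_dir path the ACME tasks
  # read it from (previously the write side was hard-coded to
  # /etc/letsencrypt/csrs while the read side used the variable).
  become: true
  shell: >-
    openssl req -new -sha256
    -key /etc/letsencrypt/keys/{{ site_url | quote }}.key
    -subj {{ ('/CN=' ~ site_url) | quote }}
    -reqexts SAN
    -config <(cat /etc/ssl/openssl.cnf <(printf '\n[SAN]\nsubjectAltName=DNS:%s' {{ site_url | quote }}))
    -out {{ letsencrypt_csrs_dir | quote }}/{{ site_url | quote }}.csr
  args:
    executable: /bin/bash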
- name: "Begin Let's Encrypt challenges"
  # First ACME round trip: registers (or loads) the account with the CA,
  # submits the CSR and returns the pending challenges in
  # `acme_challenge_domain`, which the http-01 tasks below publish and the
  # final task hands back as `data`.
  # `remaining_days: 91` exceeds the 90-day lifetime of a Let's Encrypt
  # certificate and `force` is set, so a new order is started on every run.
  # NOTE(review): only the http-01 flow is implemented in this task list,
  # so acme_challenge_type is expected to be "http-01".  fullchain_dest
  # ends in .crt here but not in the completing task; it is the completing
  # task that writes the file, so verify the two agree before relying on
  # this name anywhere.
  letsencrypt:
    acme_directory: "{{ acme_directory }}"
    acme_version: "{{ acme_version }}"
    account_key_src: "{{ letsencrypt_account_key }}"
    account_email: "{{ admin_email }}"
    terms_agreed: true
    challenge: "{{ acme_challenge_type }}"
    csr: "{{ letsencrypt_csrs_dir }}/{{ site_url }}.csr"
    dest: "{{ letsencrypt_certs_dir }}/{{ site_url }}.crt"
    fullchain_dest: "{{ letsencrypt_certs_dir }}/fullchain_{{ site_url }}.crt"
    remaining_days: 91
    force: true
  register: acme_challenge_domain
- name: "Create .well-known/acme-challenge directory"
  # Per-site directory for the http-01 tokens.  0755 root:root is
  # deliberate: the tokens are public and the unprivileged web server
  # process has to read them.
  # NOTE(review): the copy task below writes the tokens to
  # /var/www/html/<resource>, not under this per-site path; one of the two
  # paths (or the DocumentRoot in apache-challenge-site.conf) should be
  # reconciled so the directory created here is the one being served.
  file:
    state: directory
    path: "/var/www/html/{{ site_url }}/.well-known/acme-challenge"
    mode: "0755"
    owner: root
    group: root
- name: "Implement http-01 challenge files"
  # Publishes the token returned by the CA for each domain: `resource`
  # is the path under the web root and `resource_value` the body the CA
  # expects to fetch there.  Skipped when the first ACME call returned no
  # challenge data for the domain.  Token files are public, so 0644
  # root:root is sufficient and lets Apache's unprivileged worker read them.
  # NOTE(review): dest is rooted at /var/www/html, whereas the directory
  # task above prepares /var/www/html/<site_url>/.well-known/...; make
  # sure the challenge vhost's DocumentRoot matches the path used here.
  copy:
    content: "{{ acme_challenge_domain.challenge_data[item]['http-01'].resource_value }}"
    dest: "/var/www/html/{{ acme_challenge_domain.challenge_data[item]['http-01'].resource }}"
    mode: "0644"
    owner: root
    group: root
  with_items:
    - "{{ site_url }}"
  when: acme_challenge_domain.challenge_data[item] is defined
- name: "Use challenge Apache conf"
  # Renders the per-site vhost that answers the http-01 challenge into
  # sites-available; the next two tasks enable it and restart Apache.
  # The rendered file is 0644 root:root, so the template must not embed
  # secrets.
  # NOTE(review): the vhost's DocumentRoot has to serve the token files
  # written by the "Implement http-01 challenge files" task.
  template:
    src: apache-challenge-site.conf
    dest: "/etc/apache2/sites-available/{{ site_url }}.conf"
    mode: "0644"
    owner: root
    group: root
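- name: "Enable site"
  # `command` instead of `shell`: a2ensite takes one argument, so no shell
  # is needed and site_url (quoted for shlex) is never interpreted by one.
  # a2ensite creates the sites-enabled/<site>.conf symlink; `creates`
  # skips the task, reporting ok rather than changed, once that link
  # exists.  The following task restarts Apache regardless.
  become: true
  command: a2ensite {{ site_url | quote }}
  args:
    creates: "/etc/apache2/sites-enabled/{{ site_url }}.conf"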
- name: "Restart Apache"
  # Unconditional full restart so the newly enabled challenge vhost is
  # live before the CA is asked to validate the tokens.  A reload would
  # also pick up a new vhost, but a restart is what is used here.
  service:
    state: restarted
    name: apache2
- name: "Complete Let's Encrypt challenges"
  # Second ACME round trip: hands the challenge data from the first call
  # back to the CA (`data`), which fetches the http-01 tokens served by
  # Apache and, on success, writes the certificate, the issuer chain and
  # the full chain under letsencrypt_certs_dir.
  # NOTE(review): fullchain_dest has no .crt suffix here although every
  # other certificate file gets one and the first ACME task names it
  # fullchain_<site_url>.crt.  This task is the one that writes the file,
  # so whatever the TLS vhost references must match this path; reconcile
  # the two tasks before renaming.
  letsencrypt:
    acme_directory: "{{ acme_directory }}"
    acme_version: "{{ acme_version }}"
    account_key_src: "{{ letsencrypt_account_key }}"
    account_email: "{{ admin_email }}"
    challenge: "{{ acme_challenge_type }}"
    csr: "{{ letsencrypt_csrs_dir }}/{{ site_url }}.csr"
    dest: "{{ letsencrypt_certs_dir }}/{{ site_url }}.crt"
    chain_dest: "{{ letsencrypt_certs_dir }}/chain_{{ site_url }}.crt"
    fullchain_dest: "{{ letsencrypt_certs_dir }}/fullchain_{{ site_url }}"
    data: "{{ acme_challenge_domain }}"
    force: true