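---
# Ansible tasks: obtain a Let's Encrypt certificate for `site_url` using an
# http-01 challenge served from Apache.
#
# Variables expected from the caller (not defined here): letsencrypt_account_key,
# letsencrypt_csrs_dir, letsencrypt_certs_dir, site_url, admin_email,
# acme_directory, acme_version, acme_challenge_type.
#
# Every task writes under /etc or /var/www, so the play must run as root
# (become). The tasks that used to shell out via `sudo tee` now declare
# `become: true` instead and write key material with `openssl -out`, so the
# private keys are created with a 077 umask and never pass through stdout
# (which Ansible would otherwise capture in its results and logs).

- name: "Create required directories in /etc/letsencrypt"
  file:
    path: "/etc/letsencrypt/{{ item.name }}"
    state: directory
    owner: root
    group: root
    mode: "{{ item.mode }}"
  with_items:
    # Directories holding private key material are owner-only; certs and CSRs
    # keep the original traversable-but-not-listable mode.
    - name: account
      mode: "u=rwx,g=,o="
    - name: certs
      mode: "u=rwx,g=x,o=x"
    - name: csrs
      mode: "u=rwx,g=x,o=x"
    - name: keys
      mode: "u=rwx,g=,o="
  # NOTE(review): the csrs/certs paths are read later through
  # letsencrypt_csrs_dir / letsencrypt_certs_dir; this task assumes those
  # variables point at /etc/letsencrypt/csrs and /etc/letsencrypt/certs.

- name: "Generate a Let's Encrypt account key"
  # `creates` already makes this idempotent; the former `if [ ! -f ... ]`
  # guard was redundant. The key is written directly with restrictive
  # permissions rather than piped through `tee`.
  shell: >-
    umask 077 && openssl genrsa -out "{{ letsencrypt_account_key }}" 4096
  args:
    creates: "{{ letsencrypt_account_key }}"
  become: true

- name: "Generate Let's Encrypt private key"
  # `creates` keeps the key stable across runs; previously a fresh key was
  # generated on every run, which would leave a deployed certificate
  # mismatched with the key if a later task failed.
  shell: >-
    umask 077 && openssl genrsa -out "/etc/letsencrypt/keys/{{ site_url }}.key" 4096
  args:
    creates: "/etc/letsencrypt/keys/{{ site_url }}.key"
  become: true

- name: "Generate Let's Encrypt CSR"
  # Bash is required for the <(...) process substitutions that append a SAN
  # section to the stock openssl.cnf. The CSR is written to the same path the
  # ACME tasks below read it from (letsencrypt_csrs_dir), rather than a
  # hard-coded /etc/letsencrypt/csrs that could diverge from it.
  shell: >-
    openssl req -new -sha256
    -key "/etc/letsencrypt/keys/{{ site_url }}.key"
    -subj "/CN={{ site_url }}"
    -reqexts SAN
    -config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:{{ site_url }}"))
    -out "{{ letsencrypt_csrs_dir }}/{{ site_url }}.csr"
  args:
    executable: /bin/bash
  become: true

- name: "Begin Let's Encrypt challenges"
  # First pass: registers the account (terms_agreed) and returns the challenge
  # data in `acme_challenge_domain`; the certificate is not written yet.
  # remaining_days: 91 together with force: true re-issues on every run;
  # Let's Encrypt rate-limits duplicate certificates, so avoid running this
  # in a tight loop.
  letsencrypt:
    acme_directory: "{{ acme_directory }}"
    acme_version: "{{ acme_version }}"
    account_key_src: "{{ letsencrypt_account_key }}"
    account_email: "{{ admin_email }}"
    terms_agreed: true
    challenge: "{{ acme_challenge_type }}"
    csr: "{{ letsencrypt_csrs_dir }}/{{ site_url }}.csr"
    dest: "{{ letsencrypt_certs_dir }}/{{ site_url }}.crt"
    fullchain_dest: "{{ letsencrypt_certs_dir }}/fullchain_{{ site_url }}.crt"
    remaining_days: 91
    force: true
  register: acme_challenge_domain

- name: "Create .well-known/acme-challenge directory"
  file:
    path: "/var/www/html/{{ site_url }}/.well-known/acme-challenge"
    state: directory
    owner: root
    group: root
    mode: "u=rwx,g=rx,o=rx"

- name: "Implement http-01 challenge files"
  # Publishes the token the ACME server will fetch over HTTP; skipped when
  # no challenge was returned for the domain (e.g. an already-valid order).
  copy:
    content: "{{ acme_challenge_domain['challenge_data'][item]['http-01']['resource_value'] }}"
    dest: "/var/www/html/{{ site_url }}/{{ acme_challenge_domain['challenge_data'][item]['http-01']['resource'] }}"
    owner: root
    group: root
    mode: "u=rw,g=r,o=r"
  with_items:
    - "{{ site_url }}"
  when: acme_challenge_domain['challenge_data'][item] is defined

- name: "Use challenge Apache conf"
  template:
    src: apache-challenge-site.conf
    dest: "/etc/apache2/sites-available/{{ site_url }}.conf"
    owner: root
    group: root
    mode: "u=rw,g=r,o=r"

- name: "Enable site"
  # No shell features are needed, so use `command`; `creates` points at the
  # symlink a2ensite installs, making the task idempotent.
  command: a2ensite "{{ site_url }}"
  args:
    creates: "/etc/apache2/sites-enabled/{{ site_url }}.conf"
  become: true

- name: "Restart Apache"
  service:
    name: apache2
    state: restarted

- name: "Complete Let's Encrypt challenges"
  # Second pass: hands the challenge data back and writes the certificate,
  # chain and full chain. fullchain_dest now carries the same `.crt` suffix
  # used in the first pass (it previously had no extension).
  letsencrypt:
    acme_directory: "{{ acme_directory }}"
    acme_version: "{{ acme_version }}"
    account_key_src: "{{ letsencrypt_account_key }}"
    account_email: "{{ admin_email }}"
    challenge: "{{ acme_challenge_type }}"
    csr: "{{ letsencrypt_csrs_dir }}/{{ site_url }}.csr"
    dest: "{{ letsencrypt_certs_dir }}/{{ site_url }}.crt"
    chain_dest: "{{ letsencrypt_certs_dir }}/chain_{{ site_url }}.crt"
    fullchain_dest: "{{ letsencrypt_certs_dir }}/fullchain_{{ site_url }}.crt"
    data: "{{ acme_challenge_domain }}"
    force: true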