From 0b37070f66ebde1d180979800b0a5ef846f11393 Mon Sep 17 00:00:00 2001 From: Markus Katharina Brechtel Date: Wed, 22 Jan 2020 11:45:47 +0100 Subject: [PATCH] update letsencrypt to acme v2 --- tasks/provider-letsencrypt.yml | 82 +++++++++++++--------------------- tasks/setup_Debian.yml | 3 +- 2 files changed, 33 insertions(+), 52 deletions(-) diff --git a/tasks/provider-letsencrypt.yml b/tasks/provider-letsencrypt.yml index 1d8fbf1..e43616a 100644 --- a/tasks/provider-letsencrypt.yml +++ b/tasks/provider-letsencrypt.yml @@ -1,12 +1,5 @@ --- -- name: letsencrypt account private key - command: openssl genrsa - -out "{{certificate_letsencrypt_account_key_file}}" - 4096 - args: - creates: "{{ certificate_letsencrypt_account_key_file }}" - - include_tasks: key.yml - include_tasks: csr.yml 
@@ -16,22 +9,31 @@ changed_when: _certificate_checkend.rc == 1 failed_when: _certificate_checkend.rc > 1 -- name: letsencrypt request - letsencrypt: - account_key: "{{certificate_letsencrypt_account_key_file}}" - csr: "{{certificate_signing_request_file}}" - dest: "{{certificate_file}}" - challenge: http-01 - acme_directory: https://acme-v01.api.letsencrypt.org/directory - agreement: https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf - register: _letsencrypt_request - when: _certificate_checkend.rc == 1 +- block: + - name: letsencrypt account private key + openssl_privatekey: + path: "{{certificate_letsencrypt_account_key_file}}" + type: RSA + size: 4096 + + - name: letsencrypt request + acme_certificate: + account_key_src: "{{certificate_letsencrypt_account_key_file}}" + csr: "{{certificate_signing_request_file}}" + dest: "{{certificate_file}}" + chain_dest: "{{ certificate_chain_file }}" + fullchain_dest: "{{ certificate_fullchain_file }}" + challenge: http-01 + acme_directory: https://acme-v02.api.letsencrypt.org/directory + acme_version: 2 + terms_agreed: yes + register: _letsencrypt_request + when: _certificate_checkend.rc == 1 -# - debug: -# msg: -# _letsencrypt_request: "{{_letsencrypt_request}}" + - debug: + msg: + _letsencrypt_request: "{{_letsencrypt_request}}" -- block: - name: acme http directory file: path: /var/www/default/.well-known/acme-challenge 
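Review bot: The `debug` task this hunk un-comments now runs on every play and prints the whole registered `_letsencrypt_request` result (challenge tokens, authorization URLs, account URI) into the play output and any log aggregation; gate it with `verbosity: 2` under `debug:` so it only appears with `-vv`. The new account-key task should also pin the file permissions explicitly, `mode: "0600"` under `openssl_privatekey`, since it replaces an `openssl genrsa` command that left the key with umask permissions; the module's own default is reportedly 0600, but an explicit mode documents the intent and survives a backend change. `terms_agreed: yes` is a YAML 1.1 truthy spelling and should be `terms_agreed: true`. `acme_directory`, `acme_version` and `terms_agreed` are repeated verbatim in the second `acme_certificate` task of the next hunk, so hoisting them into role defaults (for example a `certificate_letsencrypt_acme_directory` variable — name constructed) keeps the two calls from drifting and lets a staging directory be swapped in for testing. The `block:` opened here continues past the end of this hunk.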
@@ -41,40 +43,18 @@ dest: /var/www/default/{{ item.resource }} content: "{{ item.resource_value }}" with_items: "{{ _letsencrypt_request | json_query('challenge_data.*.\"http-01\"') }}" - - letsencrypt: - account_key: "{{certificate_letsencrypt_account_key_file}}" + - name: letsencrypt certificate + acme_certificate: + account_key_src: "{{certificate_letsencrypt_account_key_file}}" csr: "{{certificate_signing_request_file}}" dest: "{{certificate_file}}" + chain_dest: "{{ certificate_chain_file }}" + fullchain_dest: "{{ certificate_fullchain_file }}" challenge: http-01 - acme_directory: https://acme-v01.api.letsencrypt.org/directory - agreement: https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf + acme_directory: https://acme-v02.api.letsencrypt.org/directory + acme_version: 2 + terms_agreed: yes data: "{{ _letsencrypt_request }}" register: _letsencrypt when: - - _letsencrypt_request.changed - _certificate_checkend.rc == 1 - -- name: download letsencrypt certificate - get_url: - url: https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt - dest: "{{certificate_chain_file}}" - checksum: sha512:0fa893f751f0880c7d89c398cae9708f5ff04d466832fb6160a824395032259ac52e02a44da531d0f8bf7e310298b0067b1e8257f816d3223034f391ecba491d - -- name: fetch certificate - fetch: - src: "{{ certificate_file }}" - dest: host_files/{{inventory_hostname}}/certificate/{{certificate_name}}.cert.pem - flat: yes - fail_on_missing: yes - -- name: fetch certificate chain - fetch: - src: "{{ certificate_chain_file }}" - dest: host_files/{{inventory_hostname}}/certificate/{{certificate_name}}.chain.pem - flat: yes - fail_on_missing: yes - -- name: create full certificate chain - template: - src: fullchain.pam.j2 - dest: "{{ certificate_fullchain_file }}" diff --git a/tasks/setup_Debian.yml b/tasks/setup_Debian.yml index 11674ea..e47c7de 100644 --- a/tasks/setup_Debian.yml +++ b/tasks/setup_Debian.yml 
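Review bot: The `when:` list on the `letsencrypt certificate` task drops the `_letsencrypt_request.changed` guard, so the second `acme_certificate` call now runs whenever `_certificate_checkend.rc == 1` even if the first call was skipped or returned no `challenge_data`, and the `with_items` loop above it would then iterate an empty query silently. If this was deliberate (for example because the v2 module reports `changed` differently on the first step), a one-line comment saying so would stop the next reader from re-adding it; otherwise `- _letsencrypt_request is changed` should come back into the list. The enclosing `block:` starts before this hunk.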
@@ -1,7 +1,8 @@ --- -- name: install packages +- name: install debian packages apt: pkg: - openssl - certbot + - python-cryptography
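Review bot: `python-cryptography` is the Python 2 package; if the managed hosts run Ansible modules under a Python 3 interpreter (the default on current Debian releases), the library will not be visible to `acme_certificate` or `openssl_privatekey` and the package should be `python3-cryptography` instead, or both if the role must support either interpreter. A short comment on the item naming which interpreter it targets would make that dependency auditable. `certbot` is still installed although the new tasks use Ansible's ACME module; if nothing else in the role invokes it, dropping it reduces the installed surface, but that is outside this hunk.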