ka
/
ansible-role-certificate
1
0
複製 0
程式碼 問題 0 合併請求 0 版本發佈 0 Wiki 活動
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
15 提交
1 分支
40KB
目錄樹: c2e3f22fc4
分支列表 標籤
${ item.name }
建立分支 ${ searchTerm }
從 'c2e3f22fc4'
${ noResults }
ansible-role-certificate/tasks/provider-letsencrypt.yml

81 line
2.7KB
原始文件 Blame 歷史記錄 

  1. ---

  2. 

  3. - name: letsencrypt account private key

  4.   command: openssl genrsa

  5.     -out "{{certificate_letsencrypt_account_key_file}}"

  6.     4096

  7.   args:

  8.     creates: "{{ certificate_letsencrypt_account_key_file }}"

  9. 

  10. - include_tasks: key.yml

  11. - include_tasks: csr.yml

  12. 

  13. - name: check if the certificate will expire soon

  14.   command: openssl x509 -checkend {{ 60*60*24*30 }} -noout -in {{certificate_file}}

  15.   register: _certificate_checkend

  16.   changed_when: _certificate_checkend.rc == 1

  17.   failed_when: _certificate_checkend.rc > 1

  18. 

  19. - name: letsencrypt request

  20.   letsencrypt:

  21.     account_key: "{{certificate_letsencrypt_account_key_file}}"

  22.     csr: "{{certificate_signing_request_file}}"

  23.     dest: "{{certificate_file}}"

  24.     challenge: http-01

  25.     acme_directory: https://acme-v01.api.letsencrypt.org/directory

  26.     agreement: https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf

  27.   register: _letsencrypt_request

  28.   when: _certificate_checkend.rc == 1

  29. 

  30. # - debug:

  31. #     msg:

  32. #       _letsencrypt_request: "{{_letsencrypt_request}}"

  33. 

  34. - block:

  35.     - name: acme http directory

  36.       file:

  37.         path: /var/www/default/.well-known/acme-challenge

  38.         state: directory

  39.     - name: copy acme challenge resource

  40.       copy:

  41.         dest: /var/www/default/{{ item.resource }}

  42.         content: "{{ item.resource_value }}"

  43.       with_items: "{{ _letsencrypt_request | json_query('challenge_data.*.\"http-01\"') }}"

  44.     - letsencrypt:

  45.         account_key: "{{certificate_letsencrypt_account_key_file}}"

  46.         csr: "{{certificate_signing_request_file}}"

  47.         dest: "{{certificate_file}}"

  48.         challenge: http-01

  49.         acme_directory: https://acme-v01.api.letsencrypt.org/directory

  50.         agreement: https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf

  51.         data: "{{ _letsencrypt_request }}"

  52.       register: _letsencrypt

  53.   when:

  54.     - _letsencrypt_request.changed

  55.     - _certificate_checkend.rc == 1

  56. 

  57. - name: download letsencrypt certificate

  58.   get_url:

  59.     url: https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt

  60.     dest: "{{certificate_chain_file}}"

  61.     checksum: sha512:0fa893f751f0880c7d89c398cae9708f5ff04d466832fb6160a824395032259ac52e02a44da531d0f8bf7e310298b0067b1e8257f816d3223034f391ecba491d

  62. 

  63. - name: fetch certificate

  64.   fetch:

  65.     src: "{{ certificate_file }}"

  66.     dest: host_files/{{inventory_hostname}}/certificate/{{certificate_name}}.cert.pem

  67.     flat: yes

  68.     fail_on_missing: yes

  69. 

  70. - name: fetch certificate chain

  71.   fetch:

  72.     src: "{{ certificate_chain_file }}"

  73.     dest: host_files/{{inventory_hostname}}/certificate/{{certificate_name}}.chain.pem

  74.     flat: yes

  75.     fail_on_missing: yes

  76. 

  77. - name: create full certificate chain

  78.   template:

  79.     src: fullchain.pam.j2

  80.     dest: "{{ certificate_fullchain_file }}"