From ac7696c81f08b7b0964bbf018199237c9ccb0235 Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO
Date: Wed, 4 Nov 2020 23:07:51 +0100
Subject: [PATCH] User cerbot-nginx to create certificates

---
 roles/certbot/tasks/main.yml | 39 +++++++++++--------
 .../letsencrypt/conf.d/certname.ini.j2 | 8 ++--
 .../templates/letsencrypt/rfc2136.ini.j2 | 7 ----
 3 files changed, 26 insertions(+), 28 deletions(-)
 delete mode 100644 roles/certbot/templates/letsencrypt/rfc2136.ini.j2

diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml
index d6314ac..0f61e91 100644
--- a/roles/certbot/tasks/main.yml
+++ b/roles/certbot/tasks/main.yml
@@ -1,26 +1,18 @@
 ---
-- name: Install certbot and RFC2136 plugin
+- name: Install certbot and nginx plugin
   apt:
     update_cache: true
     name:
       - certbot
-      - python3-certbot-dns-rfc2136
-    state: present
-  register: apt_result
+      - python3-certbot-nginx
+  register: pkg_result
   retries: 3
-  until: apt_result is succeeded
+  until: pkg_result is succeeded
 
-- name: Lookup DNS masters IPv4
-  set_fact:
-    dns_masters_ipv4: "{{ certbot.dns_masters_ipv4 }}"
-    cacheable: true
-
-- name: Add DNS credentials
-  template:
-    src: letsencrypt/rfc2136.ini.j2
-    dest: /etc/letsencrypt/rfc2136.ini
-    mode: 0600
-    owner: root
+- name: Check if certificate already exists.
+  stat:
+    path: "/etc/letsencrypt/live/{{ certbot.certname }}/cert.pem"
+  register: letsencrypt_cert
 
 - name: Create /etc/letsencrypt/conf.d
   file:
@@ -33,3 +25,18 @@
     src: "letsencrypt/conf.d/certname.ini.j2"
     dest: "/etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
     mode: 0644
+
+- name: Stop services to allow certbot to generate a cert.
+  service:
+    name: nginx
+    state: stopped
+
+- name: Generate new certificate if one doesn't exist.
+  shell: "certbot certonly --non-interactive --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
+  when: letsencrypt_cert.stat.exists == False
+
+- name: Restart services to allow certbot to generate a cert.
+  service:
+    name: nginx
+    state: started
+
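Review bot: The two `service` tasks that stop and start nginx around the certbot run are unconditional while the `certbot certonly` task is gated on `when: letsencrypt_cert.stat.exists == False`, so every playbook run takes nginx down and up even when no certificate is issued, and stopping nginx sits oddly with the `authenticator = nginx` the new ini selects, which as far as I know answers the HTTP-01 challenge through the running nginx rather than binding port 80 itself (the stop/start pair reads like a leftover from a standalone-authenticator flow). Either drop the stop/start pair or give both tasks the same condition, ideally in the idiomatic form `when: not letsencrypt_cert.stat.exists`. The invocation uses no shell features, so `command:` would be the more appropriate module than `shell:` for a templated argument string. The task name "Restart services to allow certbot to generate a cert." also no longer describes what that task does; `Start nginx again after certificate generation.` would be accurate. The template task that the three context lines of the second hunk belong to starts before the hunk.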
diff --git a/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2 b/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2
index 6683792..c23d930 100644
--- a/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2
+++ b/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2
@@ -1,7 +1,7 @@
 # {{ ansible_managed }}
 # Pour appliquer cette conf et générer la conf de renewal :
-# certbot --config /etc/letsencrypt/conf.d/aurore.ini certonly
+# certbot --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini certonly
 
 # Use a 4096 bit RSA key instead of 2048
 rsa-key-size = 4096
 
@@ -15,10 +15,8 @@ email = {{ certbot.mail }}
 # Uncomment to use a text interface instead of ncurses
 text = True
 
-# Use DNS-01 challenge
-authenticator = dns-rfc2136
-dns-rfc2136-credentials = /etc/letsencrypt/rfc2136.ini
-dns-rfc2136-propagation-seconds = 30
+# Use nginx challenge
+authenticator = nginx
 
 # Wildcard the domain
 cert-name = {{ certbot.certname }}
diff --git a/roles/certbot/templates/letsencrypt/rfc2136.ini.j2 b/roles/certbot/templates/letsencrypt/rfc2136.ini.j2
deleted file mode 100644
index 342195d..0000000
--- a/roles/certbot/templates/letsencrypt/rfc2136.ini.j2
+++ /dev/null
@@ -1,7 +0,0 @@
-# {{ ansible_managed }}
-
-dns_rfc2136_server = {{ dns_masters_ipv4 | first }}
-dns_rfc2136_port = 53
-dns_rfc2136_name = {{ certbot.dns_rfc2136_name }}
-dns_rfc2136_secret = {{ certbot.dns_rfc2136_secret }}
-dns_rfc2136_algorithm = HMAC-SHA512
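Review bot: Switching `authenticator` to `nginx` in the second hunk moves validation from DNS-01 to HTTP-01 through the local nginx, and HTTP-01 cannot issue wildcard certificates, so the `# Wildcard the domain` comment left in context above `cert-name` is now misleading and any `*.` entry in the domains for this cert-name would fail at issuance; if wildcards are still needed a DNS-01 authenticator has to stay. The comment `# Use nginx challenge` names the plugin rather than the challenge; `# HTTP-01 challenge via the nginx plugin: no wildcard names, and nginx must serve each requested domain` would tell the next maintainer what the constraints are. As far as I know the nginx plugin also needs a server block matching each requested name to place the challenge response in, so the role presumably depends on the nginx configuration being deployed before this task runs, which is worth stating in the ini comment or the task name.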