User cerbot-nginx to create certificates
parent
f9b7e052b9
commit
ac7696c81f
3 changed files with 26 additions and 28 deletions
|
@ -1,26 +1,18 @@
|
||||||
---
|
---
|
||||||
- name: Install certbot and RFC2136 plugin
|
- name: Install certbot and nginx plugin
|
||||||
apt:
|
apt:
|
||||||
update_cache: true
|
update_cache: true
|
||||||
name:
|
name:
|
||||||
- certbot
|
- certbot
|
||||||
- python3-certbot-dns-rfc2136
|
- python3-certbot-nginx
|
||||||
state: present
|
register: pkg_result
|
||||||
register: apt_result
|
|
||||||
retries: 3
|
retries: 3
|
||||||
until: apt_result is succeeded
|
until: pkg_result is succeeded
|
||||||
|
|
||||||
- name: Lookup DNS masters IPv4
|
- name: Check if certificate already exists.
|
||||||
set_fact:
|
stat:
|
||||||
dns_masters_ipv4: "{{ certbot.dns_masters_ipv4 }}"
|
path: "/etc/letsencrypt/live/{{ certbot.certname }}/cert.pem"
|
||||||
cacheable: true
|
register: letsencrypt_cert
|
||||||
|
|
||||||
- name: Add DNS credentials
|
|
||||||
template:
|
|
||||||
src: letsencrypt/rfc2136.ini.j2
|
|
||||||
dest: /etc/letsencrypt/rfc2136.ini
|
|
||||||
mode: 0600
|
|
||||||
owner: root
|
|
||||||
|
|
||||||
- name: Create /etc/letsencrypt/conf.d
|
- name: Create /etc/letsencrypt/conf.d
|
||||||
file:
|
file:
|
||||||
|
@ -33,3 +25,18 @@
|
||||||
src: "letsencrypt/conf.d/certname.ini.j2"
|
src: "letsencrypt/conf.d/certname.ini.j2"
|
||||||
dest: "/etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
|
dest: "/etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
|
||||||
mode: 0644
|
mode: 0644
|
||||||
|
|
||||||
|
- name: Stop services to allow certbot to generate a cert.
|
||||||
|
service:
|
||||||
|
name: nginx
|
||||||
|
state: stopped
|
||||||
|
|
||||||
|
- name: Generate new certificate if one doesn't exist.
|
||||||
|
shell: "certbot certonly --non-interactive --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
|
||||||
|
when: letsencrypt_cert.stat.exists == False
|
||||||
|
|
||||||
|
- name: Restart services to allow certbot to generate a cert.
|
||||||
|
service:
|
||||||
|
name: nginx
|
||||||
|
state: started
|
||||||
|
|
||||||
|
|
|
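Review bot: The nginx stop/start tasks added at the end of the second hunk run unconditionally, so every run of this role takes nginx down even when the certificate already exists; only the certbot task carries the `letsencrypt_cert.stat.exists` check. The nginx authenticator configured in the template works against a running server, so the stop/start pair looks like a leftover from standalone mode — either drop both tasks or give each of them `when: not letsencrypt_cert.stat.exists`, and rename the last one, which sets `state: started` rather than restarting anything. The certbot invocation uses no shell features, so `command:` with `when: not letsencrypt_cert.stat.exists` is the ansible-lint-preferred form and keeps `{{ certbot.certname }}` out of a shell parse. The commit deletes the task that wrote /etc/letsencrypt/rfc2136.ini but nothing removes that credentials file (or the python3-certbot-dns-rfc2136 package) from hosts already provisioned, so a `file: path: /etc/letsencrypt/rfc2136.ini, state: absent` task would retire the TSIG secret instead of leaving it behind.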
@ -1,7 +1,7 @@
|
||||||
# {{ ansible_managed }}
|
# {{ ansible_managed }}
|
||||||
|
|
||||||
# Pour appliquer cette conf et générer la conf de renewal :
|
# Pour appliquer cette conf et générer la conf de renewal :
|
||||||
# certbot --config /etc/letsencrypt/conf.d/aurore.ini certonly
|
# certbot --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini certonly
|
||||||
|
|
||||||
# Use a 4096 bit RSA key instead of 2048
|
# Use a 4096 bit RSA key instead of 2048
|
||||||
rsa-key-size = 4096
|
rsa-key-size = 4096
|
||||||
|
@ -15,10 +15,8 @@ email = {{ certbot.mail }}
|
||||||
# Uncomment to use a text interface instead of ncurses
|
# Uncomment to use a text interface instead of ncurses
|
||||||
text = True
|
text = True
|
||||||
|
|
||||||
# Use DNS-01 challenge
|
# Use nginx challenge
|
||||||
authenticator = dns-rfc2136
|
authenticator = nginx
|
||||||
dns-rfc2136-credentials = /etc/letsencrypt/rfc2136.ini
|
|
||||||
dns-rfc2136-propagation-seconds = 30
|
|
||||||
|
|
||||||
# Wildcard the domain
|
# Wildcard the domain
|
||||||
cert-name = {{ certbot.certname }}
|
cert-name = {{ certbot.certname }}
|
||||||
|
|
|
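Review bot: The `# Wildcard the domain` comment above `cert-name` is now misleading: with `authenticator = nginx` certbot validates over HTTP-01, which cannot issue wildcard names, so if the domain list rendered into this file still contains a `*.` entry issuance will fail at renewal as well as at first run. Either drop the comment or replace it with `# HTTP-01 via the nginx plugin: wildcard names are not supported, list each hostname explicitly`. The domain list itself is not within the shown hunks, so I cannot confirm whether a wildcard is present.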
@ -1,7 +0,0 @@
|
||||||
# {{ ansible_managed }}
|
|
||||||
|
|
||||||
dns_rfc2136_server = {{ dns_masters_ipv4 | first }}
|
|
||||||
dns_rfc2136_port = 53
|
|
||||||
dns_rfc2136_name = {{ certbot.dns_rfc2136_name }}
|
|
||||||
dns_rfc2136_secret = {{ certbot.dns_rfc2136_secret }}
|
|
||||||
dns_rfc2136_algorithm = HMAC-SHA512
|
|