User cerbot-nginx to create certificates

2020-11-04 23:07:51 +01:00 · 2020-11-04 23:07:51 +01:00 · ac7696c81f
commit ac7696c81f
parent f9b7e052b9
3 changed files with 26 additions and 28 deletions
--- a/roles/certbot/tasks/main.yml
+++ b/roles/certbot/tasks/main.yml
@ -1,26 +1,18 @@
 ---
- name: Install certbot and RFC2136 plugin
+- name: Install certbot and nginx plugin
  apt:
    update_cache: true
    name:
      - certbot
-      - python3-certbot-dns-rfc2136
-    state: present
-  register: apt_result
+      - python3-certbot-nginx
+  register: pkg_result
  retries: 3
-  until: apt_result is succeeded
+  until: pkg_result is succeeded

- name: Lookup DNS masters IPv4
-  set_fact:
-    dns_masters_ipv4: "{{ certbot.dns_masters_ipv4 }}"
-    cacheable: true
-
- name: Add DNS credentials
-  template:
-    src: letsencrypt/rfc2136.ini.j2
-    dest: /etc/letsencrypt/rfc2136.ini
-    mode: 0600
-    owner: root
+- name: Check if certificate already exists.
+  stat:
+    path: "/etc/letsencrypt/live/{{ certbot.certname }}/cert.pem"
+  register: letsencrypt_cert

 - name: Create /etc/letsencrypt/conf.d
  file:
@ -33,3 +25,18 @@
    src: "letsencrypt/conf.d/certname.ini.j2"
    dest: "/etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
    mode: 0644
+
+- name: Stop services to allow certbot to generate a cert.
+  service:
+    name: nginx
+    state: stopped
+
+- name: Generate new certificate if one doesn't exist.
+  shell: "certbot certonly --non-interactive --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
+  when: letsencrypt_cert.stat.exists == False
+
+- name: Restart services to allow certbot to generate a cert.
+  service:
+    name: nginx
+    state: started
+
--- a/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2
+++ b/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2
@ -1,7 +1,7 @@
 # {{ ansible_managed }}

 # Pour appliquer cette conf et générer la conf de renewal :
-# certbot --config /etc/letsencrypt/conf.d/aurore.ini certonly
+# certbot --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini certonly

 # Use a 4096 bit RSA key instead of 2048
 rsa-key-size = 4096
@ -15,10 +15,8 @@ email = {{ certbot.mail }}
 # Uncomment to use a text interface instead of ncurses
 text = True

-# Use DNS-01 challenge
-authenticator = dns-rfc2136
-dns-rfc2136-credentials = /etc/letsencrypt/rfc2136.ini
-dns-rfc2136-propagation-seconds = 30
+# Use nginx challenge
+authenticator = nginx

 # Wildcard the domain
 cert-name = {{ certbot.certname }}
--- a/roles/certbot/templates/letsencrypt/rfc2136.ini.j2
+++ b/roles/certbot/templates/letsencrypt/rfc2136.ini.j2
@ -1,7 +0,0 @@
-# {{ ansible_managed }}
-
-dns_rfc2136_server = {{ dns_masters_ipv4 | first }}
-dns_rfc2136_port = 53
-dns_rfc2136_name = {{ certbot.dns_rfc2136_name }}
-dns_rfc2136_secret = {{ certbot.dns_rfc2136_secret }}
-dns_rfc2136_algorithm = HMAC-SHA512