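---
# Obtains a Let's Encrypt certificate for {{ domain }} (plus {{ subdomains }})
# with the letsencrypt-auto client, or -- when the play runs as the "vagrant"
# user -- installs a self-signed wildcard key/cert pair shipped with the role so
# the site can be tested offline. Apache is stopped before the certificate
# request and started again at the end.
#
# Variables expected from the caller (not defined in this file):
#   domain               primary host name of the certificate
#   subdomains           comma-separated extra names appended to --domains
#                        (presumably non-empty; an empty value leaves a trailing
#                        comma on the --domains argument -- confirm)
#   ansible_ssh_user     "vagrant" selects the self-signed test path
#   letsencrypt_version  optional git ref to check out; defaults to "master"

- name: Download LetsEncrypt release
  # NOTE(review): "master" is a moving target. For reproducible, auditable
  # builds set letsencrypt_version to a release tag (<RELEASE_TAG> placeholder).
  git:
    repo: https://github.com/letsencrypt/letsencrypt
    dest: /root/letsencrypt
    version: "{{ letsencrypt_version | default('master') }}"

- name: Create directory for LetsEncrypt configuration and certificates
  file:
    state: directory
    path: /etc/letsencrypt
    owner: root
    group: root

- name: Configure LetsEncrypt
  template:
    src: etc_letsencrypt_cli.conf.j2
    dest: /etc/letsencrypt/cli.conf
    owner: root
    group: root

- name: Install LetsEncrypt package dependencies
  # The task name says the wrapper installs its own dependencies on first run;
  # "--help" is used only to trigger that. There is no creates/removes guard,
  # so this task always reports "changed".
  command: /root/letsencrypt/letsencrypt-auto --help

- name: Install crontab entry for LetsEncrypt
  copy:
    src: etc_cron-monthly_letsencrypt-renew
    dest: /etc/cron.monthly/letsencrypt-renew
    owner: root
    group: root
    mode: "0755"

- name: Create live directory for LetsEncrypt cron job
  file:
    state: directory
    path: /etc/letsencrypt/live
    owner: root
    group: root

- name: Stop Apache
  # Presumably frees the web ports for the client's own listener while the
  # certificate is requested -- confirm against etc_letsencrypt_cli.conf.j2.
  service:
    name: apache2
    state: stopped

- name: Get an SSL certificate for {{ domain }} from Let's Encrypt
  # Skipped under Vagrant (the self-signed path below applies instead).
  # "creates" makes this idempotent: once privkey.pem exists the request is
  # not repeated; renewals are left to the monthly cron entry above.
  command: >-
    /root/letsencrypt/letsencrypt-auto certonly
    -c /etc/letsencrypt/cli.conf
    --domains {{ domain }},{{ subdomains }}
  args:
    creates: /etc/letsencrypt/live/{{ domain }}/privkey.pem
  when: ansible_ssh_user != "vagrant"

- name: Modify permissions to allow ssl-cert group access
  # Private-key material stays readable only by root and the ssl-cert group.
  # NOTE(review): this path is only populated by a real certonly run; under
  # Vagrant it may not exist and the task would then fail -- confirm, and
  # guard it with the same "when" as the certonly task if so.
  file:
    path: /etc/letsencrypt/archive
    owner: root
    group: ssl-cert
    mode: "0750"

# Several steps to install a self-signed wildcard key to support offline
# testing. The key/cert files come from the role's files/ directory and are
# for the Vagrant test path only.

- name: Create live directory for testing keys
  file:
    path: /etc/letsencrypt/live/{{ domain }}
    state: directory
    owner: root
    group: root
    mode: "0755"
  when: ansible_ssh_user == "vagrant"

- name: Copy SSL wildcard private key for testing
  copy:
    src: wildcard_private.key
    dest: /etc/letsencrypt/live/{{ domain }}/privkey.pem
    owner: root
    group: ssl-cert
    mode: "0640"
  # Registered so the fullchain rebuild below can react to a key change; the
  # rebuild's condition referenced private_key.changed without this register.
  register: private_key
  when: ansible_ssh_user == "vagrant"

- name: Copy SSL public certificate into place for testing
  copy:
    src: wildcard_public_cert.crt
    dest: /etc/letsencrypt/live/{{ domain }}/cert.pem
    owner: root
    group: root
    mode: "0644"
  register: certificate
  notify: restart apache
  when: ansible_ssh_user == "vagrant"

- name: Copy SSL CA combined certificate into place for testing
  copy:
    src: wildcard_ca.pem
    dest: /etc/letsencrypt/live/{{ domain }}/chain.pem
    owner: root
    group: root
    mode: "0644"
  register: ca_certificate
  notify: restart apache
  when: ansible_ssh_user == "vagrant"

- name: Create a combined SSL cert for testing
  # Rebuild fullchain.pem only when one of its inputs changed. The two
  # conditions were previously written as two "when:" keys on one task; YAML
  # keeps only the last one, so the ".changed" check was silently dropped.
  # A list under "when" ANDs its entries. "quote" shell-escapes the domain so
  # metacharacters in the variable cannot alter the command or its redirect.
  shell: >-
    cat /etc/letsencrypt/live/{{ domain | quote }}/cert.pem
    /etc/letsencrypt/live/{{ domain | quote }}/chain.pem
    > /etc/letsencrypt/live/{{ domain | quote }}/fullchain.pem
  when:
    - ansible_ssh_user == "vagrant"
    - private_key.changed or certificate.changed or ca_certificate.changed

- name: Set permissions on combined SSL public cert
  file:
    path: /etc/letsencrypt/live/{{ domain }}/fullchain.pem
    mode: "0644"
  notify: restart apache
  when: ansible_ssh_user == "vagrant"

# Back to normal

- name: Start Apache
  service:
    name: apache2
    state: started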