thomas
/
sovereign
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
No Description
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
687 Commits
1 Branch
Tree: bc5bfa4b21
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'bc5bfa4b21'
${ noResults }
sovereign/roles/common/tasks/letsencrypt.yml

letsencrypt.yml 2.8KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586 
  1. - name: Download LetsEncrypt release

  2.   git: repo=https://github.com/letsencrypt/letsencrypt

  3.        dest=/root/letsencrypt

  4.        version=master

  5. 

  6. - name: Create directory for LetsEncrypt configuration and certificates

  7.   file: state=directory path=/etc/letsencrypt group=root owner=root

  8. 

  9. - name: Configure LetsEncrypt

  10.   template:

  11.     src=etc_letsencrypt_cli.conf.j2

  12.     dest=/etc/letsencrypt/cli.conf

  13.     owner=root

  14.     group=root

  15. 

  16. - name: Install LetsEncrypt package dependencies

  17.   command: /root/letsencrypt/letsencrypt-auto --help

  18. 

  19. - name: Install crontab entry for LetsEncrypt

  20.   copy:

  21.     src=etc_cron-monthly_letsencrypt-renew

  22.     dest=/etc/cron.monthly/letsencrypt-renew

  23.     owner=root

  24.     group=root

  25.     mode=755

  26. 

  27. - name: Create live directory for LetsEncrypt cron job

  28.   file: state=directory path=/etc/letsencrypt/live group=root owner=root

  29. 

  30. - name: Stop Apache

  31.   service: name=apache2 state=stopped

  32. 

  33. - name: Get an SSL certificate for {{ domain }} from Let's Encrypt

  34.   script: gencert {{ domain }}

  35.   args:

  36.     creates: /etc/letsencrypt/live/{{ domain }}/privkey.pem

  37.   when: ansible_ssh_user != "vagrant"

  38. 

  39. - name: Modify permissions to allow ssl-cert group access

  40.   file: path=/etc/letsencrypt/archive owner=root group=ssl-cert mode=750

  41. 

  42. ### Several steps to install a self-signed wildcard key to support offline testing

  43. 

  44. - name: Create live directory for testing keys

  45.   file: dest=/etc/letsencrypt/live/{{ domain }} state=directory

  46.     owner=root group=root mode=755

  47.   when: ansible_ssh_user == "vagrant"

  48. 

  49. - name: Copy SSL wildcard private key for testing

  50.   copy: src=wildcard_private.key

  51.     dest=/etc/letsencrypt/live/{{ domain }}/privkey.pem

  52.     owner=root group=ssl-cert mode=640

  53.   when: ansible_ssh_user == "vagrant"

  54. 

  55. - name: Copy SSL public certificate into place for testing

  56.   copy: src=wildcard_public_cert.crt

  57.     dest=/etc/letsencrypt/live/{{ domain }}/cert.pem

  58.     group=root owner=root mode=644

  59.   register: certificate

  60.   notify: restart apache

  61.   when: ansible_ssh_user == "vagrant"

  62. 

  63. - name: Copy SSL CA combined certificate into place for testing

  64.   copy: src=wildcard_ca.pem

  65.     dest=/etc/letsencrypt/live/{{ domain }}/chain.pem

  66.     group=root owner=root mode=644

  67.   register: ca_certificate

  68.   notify: restart apache

  69.   when: ansible_ssh_user == "vagrant"

  70. 

  71. - name: Create a combined SSL cert for testing

  72.   shell: cat /etc/letsencrypt/live/{{ domain }}/cert.pem

  73.     /etc/letsencrypt/live/{{ domain }}/chain.pem >

  74.     /etc/letsencrypt/live/{{ domain }}/fullchain.pem

  75.   when: private_key.changed or certificate.changed or ca_certificate.changed

  76.   when: ansible_ssh_user == "vagrant"

  77. 

  78. - name: Set permissions on combined SSL public cert

  79.   file: name=/etc/letsencrypt/live/{{ domain }}/fullchain.pem mode=644

  80.   notify: restart apache

  81.   when: ansible_ssh_user == "vagrant"

  82. 

  83. ### Back to normal

  84. 

  85. - name: Start Apache

  86.   service: name=apache2 state=started