sovereign/roles/common/tasks/letsencrypt.yml

- name: Download LetsEncrypt release
  git: repo=https://github.com/letsencrypt/letsencrypt
       dest=/root/letsencrypt
       version=master
       force=yes

- name: Create directory for LetsEncrypt configuration and certificates
  file: state=directory path=/etc/letsencrypt group=root owner=root

- name: Configure LetsEncrypt
  template:
    src=etc_letsencrypt_cli.conf.j2
    dest=/etc/letsencrypt/cli.conf
    owner=root
    group=root

- name: Install LetsEncrypt package dependencies
  command: /root/letsencrypt/letsencrypt-auto --help

- name: Create directory for post-renewal scripts
  file: state=directory path=/etc/letsencrypt/postrenew group=root owner=root

- name: Install crontab entry for LetsEncrypt
  copy:
    src=etc_cron-monthly_letsencrypt-renew
    dest=/etc/cron.monthly/letsencrypt-renew
    owner=root
    group=root
    mode=755

- name: Create live directory for LetsEncrypt cron job
  file: state=directory path=/etc/letsencrypt/live group=root owner=root

- name: Stop Apache
  service: name=apache2 state=stopped

- name: Get an SSL certificate for {{ domain }} from Let's Encrypt
  script: letsencrypt-gencert {{ domain }}
  args:
    creates: /etc/letsencrypt/live/{{ domain }}/privkey.pem
  when: ansible_ssh_user != "vagrant"

- name: Modify permissions to allow ssl-cert group access
  file: path=/etc/letsencrypt/archive owner=root group=ssl-cert mode=750
  when: ansible_ssh_user != "vagrant"

### Several steps to install a self-signed wildcard key to support offline testing

- name: Create live directory for testing keys
  file: dest=/etc/letsencrypt/live/{{ domain }} state=directory
    owner=root group=root mode=755
  when: ansible_ssh_user == "vagrant"

- name: Copy SSL wildcard private key for testing
  copy: src=wildcard_private.key
    dest=/etc/letsencrypt/live/{{ domain }}/privkey.pem
    owner=root group=ssl-cert mode=640
  when: ansible_ssh_user == "vagrant"

- name: Copy SSL public certificate into place for testing
  copy: src=wildcard_public_cert.crt
    dest=/etc/letsencrypt/live/{{ domain }}/cert.pem
    group=root owner=root mode=644
  register: certificate
  notify: restart apache
  when: ansible_ssh_user == "vagrant"

- name: Copy SSL CA combined certificate into place for testing
  copy: src=wildcard_ca.pem
    dest=/etc/letsencrypt/live/{{ domain }}/chain.pem
    group=root owner=root mode=644
  register: ca_certificate
  notify: restart apache
  when: ansible_ssh_user == "vagrant"

- name: Create a combined SSL cert for testing
  shell: cat /etc/letsencrypt/live/{{ domain }}/cert.pem
    /etc/letsencrypt/live/{{ domain }}/chain.pem >
    /etc/letsencrypt/live/{{ domain }}/fullchain.pem
  when: private_key.changed or certificate.changed or ca_certificate.changed
  when: ansible_ssh_user == "vagrant"

- name: Set permissions on combined SSL public cert
  file: name=/etc/letsencrypt/live/{{ domain }}/fullchain.pem mode=644
  notify: restart apache
  when: ansible_ssh_user == "vagrant"

### Back to normal

- name: Start Apache
  service: name=apache2 state=started