暫無描述
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

letsencrypt.yml 3.6KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109
  1. - name: Add group name ssl-cert for SSL certificates
  2. group:
  3. name: ssl-cert
  4. state: present
  5. - name: Download LetsEncrypt release
  6. git: repo=https://github.com/letsencrypt/letsencrypt
  7. dest=/root/letsencrypt
  8. version=master
  9. force=yes
  10. - name: Create directory for LetsEncrypt configuration and certificates
  11. file: state=directory path=/etc/letsencrypt group=root owner=root
  12. - name: Configure LetsEncrypt
  13. template:
  14. src=etc_letsencrypt_cli.conf.j2
  15. dest=/etc/letsencrypt/cli.conf
  16. owner=root
  17. group=root
  18. - name: Install LetsEncrypt package dependencies
  19. command: /root/letsencrypt/letsencrypt-auto --help
  20. register: le_deps_result
  21. changed_when: "'Bootstrapping dependencies' in le_deps_result.stdout"
  22. - name: Create directory for pre-renewal scripts
  23. file: state=directory path=/etc/letsencrypt/prerenew group=root owner=root
  24. - name: Create directory for post-renewal scripts
  25. file: state=directory path=/etc/letsencrypt/postrenew group=root owner=root
  26. - name: Create pre-renew hook to stop apache
  27. copy:
  28. content: "#!/bin/bash\n\nservice apache2 stop\n"
  29. dest: /etc/letsencrypt/prerenew/apache
  30. owner: root
  31. group: root
  32. mode: 0755
  33. - name: Create post-renew hook to start apache
  34. copy:
  35. content: "#!/bin/bash\n\nservice apache2 start\n"
  36. dest: /etc/letsencrypt/postrenew/apache
  37. owner: root
  38. group: root
  39. mode: 0755
  40. - name: Install crontab entry for LetsEncrypt
  41. copy:
  42. src: etc_cron-daily_letsencrypt-renew
  43. dest: /etc/cron.daily/letsencrypt-renew
  44. owner: root
  45. group: root
  46. mode: 0755
  47. - name: Create live directory for LetsEncrypt cron job
  48. file: state=directory path=/etc/letsencrypt/live group=root owner=root
  49. - name: Get an SSL certificate for {{ domain }} from Let's Encrypt
  50. script: letsencrypt-gencert {{ domain }} creates=/etc/letsencrypt/live/{{ domain }}/privkey.pem
  51. when: ansible_ssh_user != "vagrant"
  52. - name: Modify permissions to allow ssl-cert group access
  53. file: path=/etc/letsencrypt/archive owner=root group=ssl-cert mode=0750
  54. when: ansible_ssh_user != "vagrant"
  55. ### Several steps to install a self-signed wildcard key to support offline testing
  56. - name: Create live directory for testing keys
  57. file: dest=/etc/letsencrypt/live/{{ domain }} state=directory
  58. owner=root group=root mode=0755
  59. when: ansible_ssh_user == "vagrant"
  60. - name: Copy SSL wildcard private key for testing
  61. copy: src=wildcard_private.key
  62. dest=/etc/letsencrypt/live/{{ domain }}/privkey.pem
  63. owner=root group=ssl-cert mode=0640
  64. register: private_key
  65. when: ansible_ssh_user == "vagrant"
  66. - name: Copy SSL public certificate into place for testing
  67. copy: src=wildcard_public_cert.crt
  68. dest=/etc/letsencrypt/live/{{ domain }}/cert.pem
  69. group=root owner=root mode=0644
  70. register: certificate
  71. notify: restart apache
  72. when: ansible_ssh_user == "vagrant"
  73. - name: Copy SSL CA combined certificate into place for testing
  74. copy: src=wildcard_ca.pem
  75. dest=/etc/letsencrypt/live/{{ domain }}/chain.pem
  76. group=root owner=root mode=0644
  77. register: ca_certificate
  78. notify: restart apache
  79. when: ansible_ssh_user == "vagrant"
  80. - name: Create a combined SSL cert for testing
  81. shell: cat /etc/letsencrypt/live/{{ domain }}/cert.pem
  82. /etc/letsencrypt/live/{{ domain }}/chain.pem >
  83. /etc/letsencrypt/live/{{ domain }}/fullchain.pem
  84. when: (private_key.changed or certificate.changed or ca_certificate.changed) and ansible_ssh_user == "vagrant"
  85. - name: Set permissions on combined SSL public cert
  86. file: name=/etc/letsencrypt/live/{{ domain }}/fullchain.pem mode=0644
  87. notify: restart apache
  88. when: ansible_ssh_user == "vagrant"
  89. ### Back to normal