Only attempt to fulfill the challenge if we have to

This commit is contained in:
Salt 2020-02-20 05:25:46 -06:00
parent e5a5f5efcd
commit 85b0b2e139

View File

@ -45,28 +45,31 @@
register: com_challenge
- name: Create or renew certificate
block:
- name: Back up website config
command: "mv /etc/apache2/sites-enabled/{{ website_url }}.conf /etc/apache2/sites-available/{{ website_url }}.conf"
args:
creates: "/etc/apache2/sites-available/{{ website_url }}.conf"
- name: Create temporary config
template:
src: apache2-vhost.conf
dest: "/etc/apache2/sites-enabled/{{ website_url }}.conf"
- name: Reload Apache
service:
name: apache2
state: reloaded
- name: Create well-known directory
file:
path: "{{ acme_webroot }}/.well-known/acme-challenge"
mode: "0755"
recurse: yes
state: directory
- name: Copy challenge files
copy:
dest: "{{ acme_webroot }}/{{ com_challenge['challenge_data'][website_url]['http-01']['resource'] }}"
content: "{{ com_challenge['challenge_data'][website_url]['http-01']['resource_value'] }}"
- name: Fulfill challenge
block:
- name: Back up website config
command: "mv /etc/apache2/sites-enabled/{{ website_url }}.conf /etc/apache2/sites-available/{{ website_url }}.conf"
args:
creates: "/etc/apache2/sites-available/{{ website_url }}.conf"
- name: Create temporary config
template:
src: apache2-vhost.conf
dest: "/etc/apache2/sites-enabled/{{ website_url }}.conf"
- name: Reload Apache
service:
name: apache2
state: reloaded
- name: Create well-known directory
file:
path: "{{ acme_webroot }}/.well-known/acme-challenge"
mode: "0755"
recurse: yes
state: directory
- name: Copy challenge files
copy:
dest: "{{ acme_webroot }}/{{ com_challenge['challenge_data'][website_url]['http-01']['resource'] }}"
content: "{{ com_challenge['challenge_data'][website_url]['http-01']['resource_value'] }}"
when: com_challenge['challenge_data']|length > 0
- name: Create certificate
acme_certificate:
acme_directory: "{{ acme_directory }}"
@ -77,18 +80,31 @@
fullchain_dest: "/etc/pki/cert/crt/{{ website_url }}-fullchain.crt"
chain_dest: "/etc/pki/cert/crt/{{ website_url }}-intermediate.crt"
data: "{{ com_challenge }}"
- name: Remove webroot
- name: Assign appropriate permissions to certificate
file:
path: "{{ acme_webroot }}/.well-known"
state: absent
- name: Remove temporary config
file:
path: "/etc/apache2/sites-enabled/{{ website_url }}.conf"
state: absent
- name: Restore original config
command: "/usr/bin/mv /etc/apache2/sites-available/{{ website_url }}.conf /etc/apache2/sites-enabled/{{ website_url }}.conf"
args:
creates: "/etc/apache2/sites-enabled/{{ website_url }}.conf"
path: "{{ item }}"
owner: root
group: www-data
mode: "0640"
loop:
- "/etc/pki/cert/crt/{{ website_url }}.crt"
- "/etc/pki/cert/crt/{{ website_url }}-fullchain.crt"
- "/etc/pki/cert/crt/{{ website_url }}-intermediate.crt"
- name: Clean up fulfillment
block:
- name: Remove webroot
file:
path: "{{ acme_webroot }}/.well-known"
state: absent
- name: Remove temporary config
file:
path: "/etc/apache2/sites-enabled/{{ website_url }}.conf"
state: absent
- name: Restore original config
command: "/usr/bin/mv /etc/apache2/sites-available/{{ website_url }}.conf /etc/apache2/sites-enabled/{{ website_url }}.conf"
args:
creates: "/etc/apache2/sites-enabled/{{ website_url }}.conf"
when: com_challenge['challenge_data']|length > 0
- name: Reload Apache
service:
name: apache2