From 85b0b2e13956eeb347a5a467f26c8d4e3e4670b6 Mon Sep 17 00:00:00 2001
From: Salt
Date: Thu, 20 Feb 2020 05:25:46 -0600
Subject: [PATCH] Only attempt to fulfill the challenge if we have to
---
roles/https/tasks/main.yml | 82 +++++++++++++++++++++++---------------
1 file changed, 49 insertions(+), 33 deletions(-)
diff --git a/roles/https/tasks/main.yml b/roles/https/tasks/main.yml
index 8fa5c7d..d6f9b32 100644
--- a/roles/https/tasks/main.yml
+++ b/roles/https/tasks/main.yml
@@ -45,28 +45,31 @@ register: com_challenge - name: Create or renew certificate block: - - name: Back up website config - command: "mv /etc/apache2/sites-enabled/{{ website_url }}.conf /etc/apache2/sites-available/{{ website_url }}.conf" - args: - creates: "/etc/apache2/sites-available/{{ website_url }}.conf" - - name: Create temporary config - template: - src: apache2-vhost.conf - dest: "/etc/apache2/sites-enabled/{{ website_url }}.conf" - - name: Reload Apache - service: - name: apache2 - state: reloaded - - name: Create well-known directory - file: - path: "{{ acme_webroot }}/.well-known/acme-challenge" - mode: "0755" - recurse: yes - state: directory - - name: Copy challenge files - copy: - dest: "{{ acme_webroot }}/{{ com_challenge['challenge_data'][website_url]['http-01']['resource'] }}" - content: "{{ com_challenge['challenge_data'][website_url]['http-01']['resource_value'] }}" + - name: Fulfill challenge + block: + - name: Back up website config + command: "mv /etc/apache2/sites-enabled/{{ website_url }}.conf /etc/apache2/sites-available/{{ website_url }}.conf" + args: + creates: "/etc/apache2/sites-available/{{ website_url }}.conf" + - name: Create temporary config + template: + src: apache2-vhost.conf + dest: "/etc/apache2/sites-enabled/{{ website_url }}.conf" + - name: Reload Apache + service: + name: apache2 + state: reloaded + - name: Create well-known directory + file: + path: "{{ acme_webroot }}/.well-known/acme-challenge" + mode: "0755" + recurse: yes + state: directory + - name: Copy challenge files + copy: + dest: "{{ acme_webroot }}/{{ com_challenge['challenge_data'][website_url]['http-01']['resource'] }}" + content: "{{ com_challenge['challenge_data'][website_url]['http-01']['resource_value'] }}" + when: com_challenge['challenge_data']|length > 0 - name: Create certificate acme_certificate: acme_directory: "{{ acme_directory }}" 
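Review bot: The new guard `when: com_challenge['challenge_data']|length > 0` on the Fulfill challenge block indexes `challenge_data` directly, so if the registering `acme_certificate` call can return without that key (which is what you would expect on a run where nothing needs renewing, i.e. the very case this commit is trying to skip) the conditional itself fails with an undefined-variable error instead of skipping the block. A defensive form is `when: com_challenge.challenge_data | default({}) | length > 0`, which evaluates to a clean skip whether the key is absent or empty. I cannot confirm the module's return shape from this hunk alone, so check it against the `register: com_challenge` task just above. The enclosing `Create or renew certificate` block continues past the end of this hunk.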
@@ -77,18 +80,31 @@ fullchain_dest: "/etc/pki/cert/crt/{{ website_url }}-fullchain.crt" chain_dest: "/etc/pki/cert/crt/{{ website_url }}-intermediate.crt" data: "{{ com_challenge }}" - - name: Remove webroot + - name: Assign appropriate permissions to certificate file: - path: "{{ acme_webroot }}/.well-known" - state: absent - - name: Remove temporary config - file: - path: "/etc/apache2/sites-enabled/{{ website_url }}.conf" - state: absent - - name: Restore original config - command: "/usr/bin/mv /etc/apache2/sites-available/{{ website_url }}.conf /etc/apache2/sites-enabled/{{ website_url }}.conf" - args: - creates: "/etc/apache2/sites-enabled/{{ website_url }}.conf" + path: "{{ item }}" + owner: root + group: www-data + mode: "0640" + loop: + - "/etc/pki/cert/crt/{{ website_url }}.crt" + - "/etc/pki/cert/crt/{{ website_url }}-fullchain.crt" + - "/etc/pki/cert/crt/{{ website_url }}-intermediate.crt" + - name: Clean up fulfillment + block: + - name: Remove webroot + file: + path: "{{ acme_webroot }}/.well-known" + state: absent + - name: Remove temporary config + file: + path: "/etc/apache2/sites-enabled/{{ website_url }}.conf" + state: absent + - name: Restore original config + command: "/usr/bin/mv /etc/apache2/sites-available/{{ website_url }}.conf /etc/apache2/sites-enabled/{{ website_url }}.conf" + args: + creates: "/etc/apache2/sites-enabled/{{ website_url }}.conf" + when: com_challenge['challenge_data']|length > 0 - name: Reload Apache service: name: apache2
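Review bot: The `Clean up fulfillment` block is an ordinary task in the `Create or renew certificate` block's task list, so if `Create certificate` or the new permissions task fails, the temporary vhost stays enabled, the real site config stays parked in sites-available and the challenge files stay in the webroot until someone reruns the play. Because the cleanup steps are already idempotent (`state: absent`, `creates:` on the restore `mv`), they can be moved, together with the trailing `Reload Apache`, under an `always:` section of that outer block with the same `when:` condition, so the host returns to its original serving state regardless of outcome. The outer block opens before this hunk and the final `Reload Apache` task runs past its end, so that restructuring touches lines outside the hunk. Separately, `0640 root:www-data` on the certificate files is fine for public certificates, but the private key behind the CSR is not touched here, so confirm its mode is tightened elsewhere in the role.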