#!/usr/bin/ansible-playbook # vim:ft=ansible: --- - name: "Register certificate for {{ website_url }}" block: - name: Install SSL-required packages apt: name: python-openssl - name: Set up PKI filesystem hierarchy file: path: "{{ item.dir }}" mode: "{{ item.mode }}" owner: root group: www-data state: directory loop: - { dir: "/etc/pki", mode: "0750" } - { dir: "/etc/pki/cert", mode: "0750" } - { dir: "/etc/pki/cert/crt", mode: "0750" } - { dir: "/etc/pki/cert/csr", mode: "0750" } - { dir: "/etc/pki/cert/private", mode: "0750" } - name: Create ACME account key openssl_privatekey: path: "/etc/pki/cert/private/account.key" - name: Create certificate key openssl_privatekey: path: "/etc/pki/cert/private/{{ website_url }}.key" mode: "0750" - name: Create CSR openssl_csr: path: "/etc/pki/cert/csr/{{ website_url }}.csr" common_name: "{{ website_url }}" privatekey_path: /etc/pki/cert/private/{{ website_url }}.key email_address: "rehashedsalt@cock.li" - name: Create challenge for CSR acme_certificate: acme_directory: "{{ acme_directory }}" acme_version: 2 terms_agreed: yes account_email: "rehashedsalt@cock.li" account_key: "/etc/pki/cert/private/account.key" csr: "/etc/pki/cert/csr/{{ website_url }}.csr" dest: "/etc/pki/cert/crt/{{ website_url }}.crt" fullchain_dest: "/etc/pki/cert/crt/{{ website_url }}-fullchain.crt" register: com_challenge - name: Create or renew certificate block: - name: Fulfill challenge block: - name: Back up website config command: "mv /etc/apache2/sites-enabled/{{ website_url }}.conf /etc/apache2/sites-available/{{ website_url }}.conf" args: creates: "/etc/apache2/sites-available/{{ website_url }}.conf" - name: Create temporary config template: src: apache2-vhost.conf dest: "/etc/apache2/sites-enabled/{{ website_url }}.conf" - name: Reload Apache service: name: apache2 state: reloaded - name: Create well-known directory file: path: "{{ acme_webroot }}/.well-known/acme-challenge" mode: "0755" recurse: yes state: directory - name: Copy challenge files copy: dest: "{{ acme_webroot }}/{{ com_challenge['challenge_data'][website_url]['http-01']['resource'] }}" content: "{{ com_challenge['challenge_data'][website_url]['http-01']['resource_value'] }}" when: com_challenge['challenge_data']|length > 0 - name: Create certificate acme_certificate: acme_directory: "{{ acme_directory }}" acme_version: 2 account_key: /etc/pki/cert/private/account.key csr: "/etc/pki/cert/csr/{{ website_url }}.csr" dest: "/etc/pki/cert/crt/{{ website_url }}.crt" fullchain_dest: "/etc/pki/cert/crt/{{ website_url }}-fullchain.crt" chain_dest: "/etc/pki/cert/crt/{{ website_url }}-intermediate.crt" data: "{{ com_challenge }}" - name: Assign appropriate permissions to certificate file: path: "{{ item }}" owner: root group: www-data mode: "0640" loop: - "/etc/pki/cert/crt/{{ website_url }}.crt" - "/etc/pki/cert/crt/{{ website_url }}-fullchain.crt" - "/etc/pki/cert/crt/{{ website_url }}-intermediate.crt" - name: Clean up fulfillment block: - name: Remove webroot file: path: "{{ acme_webroot }}/.well-known" state: absent - name: Remove temporary config file: path: "/etc/apache2/sites-enabled/{{ website_url }}.conf" state: absent - name: Restore original config command: "/usr/bin/mv /etc/apache2/sites-available/{{ website_url }}.conf /etc/apache2/sites-enabled/{{ website_url }}.conf" args: creates: "/etc/apache2/sites-enabled/{{ website_url }}.conf" when: com_challenge['challenge_data']|length > 0 - name: Reload Apache service: name: apache2 state: reloaded when: com_challenge is changed become: yes