We are seeing:
fatal: [adns1.opendev.org]: FAILED! => {"msg": "The task includes an
option with an undefined variable. The error was:
'ansible.vars.hostvars.HostVarsVars object' has no attribute
'acme_txt_required'
I belive this is because we have a disabled mirror host now. So the
iad.rx.opendev.org mirror is in the "letsencrypt" group, but because
it is also disabled the prior role (letsencrypt-request-certs) has not
run and it has not populated it's "acme_txt_required" variable.
We should skip disabled hosts when inspecting the hosts for this
variable. Add this to the "with_inventory_hostnames" match.
Change-Id: I33a1c8b6f7e8499248e370f69a9f573a2bf106a5
Per [1] ansible_date_time is NOT actually the date/time -- it is the
time cached from the facts. It seems this can not be changed because,
of course, things have started depending on this behaviour.
This is particuarly incorrect if you're using this as a serial number
for DNS and it is not incrementing across runs, and thus bind is
refusing to load the new entries in the acme.opendev.org zone during
letsencrypt runs, and the TXT authentication fails.
Use the suggested work-around in the issue which is an external call
to date.
[1] https://github.com/ansible/ansible/issues/22561
Change-Id: Ic3f12f52e8fbb87a7cd673c37c6c4280c56c2b0f
This change contains the roles and testing for deploying certificates
on hosts using letsencrypt with domain authentication.
From a top level, the process is implemented in the roles as follows:
1) letsencrypt-acme-sh-install
This role installs the acme.sh tool on hosts in the letsencrypt
group, along with a small custom driver script to help parse output
that is used by later roles.
2) letsencrypt-request-certs
This role runs on each host, and reads a host variable describing
the certificates required. It uses the acme.sh tool (via the
driver) to request the certificates from letsencrypt. It populates
a global Ansible variable with the authentication TXT records
required.
If the certificate exists on the host and is not within the renewal
period, it should do nothing.
3) letsencrypt-install-txt-record
This role runs on the adns server. It installs the TXT records
generated in step 2 to the acme.opendev.org domain and then
refreshes the server. Hosts wanting certificates will have
pre-provisioned CNAME records for _acme-challenge.host.opendev.org
pointing to acme.opendev.org.
4) letsencrypt-create-certs
This role runs on each host, reading the same variable as in step
2. However this time the acme.sh tool is run to authenticate and
create the certificates, which should now work correctly via the
TXT records from step 3. After this, the host will have the
full certificate material.
Testing is added via testinfra. For testing purposes requests are
made to the staging letsencrypt servers and a self-signed certificate
is provisioned in step 4 (as the authentication is not available
during CI). We test that the DNS TXT records are created locally on
the CI adns server, however.
Related-Spec: https://review.openstack.org/587283
Change-Id: I1f66da614751a29cc565b37cdc9ff34d70fdfd3f