3 Commits

Author SHA1 Message Date
Ian Wienand
b742bfc911 letsencrypt-install-txt-record: skip disabled hosts
We are seeing:

  fatal: [adns1.opendev.org]: FAILED! => {"msg": "The task includes an
  option with an undefined variable. The error was:
  'ansible.vars.hostvars.HostVarsVars object' has no attribute
  'acme_txt_required'

I belive this is because we have a disabled mirror host now.  So the
iad.rx.opendev.org mirror is in the "letsencrypt" group, but because
it is also disabled the prior role (letsencrypt-request-certs) has not
run and it has not populated it's "acme_txt_required" variable.

We should skip disabled hosts when inspecting the hosts for this
variable.  Add this to the "with_inventory_hostnames" match.

Change-Id: I33a1c8b6f7e8499248e370f69a9f573a2bf106a5
2019-07-01 13:06:57 +10:00
Ian Wienand
93bb1d549e letsencrypt : use date call for serial number
Per [1] ansible_date_time is NOT actually the date/time -- it is the
time cached from the facts.  It seems this can not be changed because,
of course, things have started depending on this behaviour.

This is particuarly incorrect if you're using this as a serial number
for DNS and it is not incrementing across runs, and thus bind is
refusing to load the new entries in the acme.opendev.org zone during
letsencrypt runs, and the TXT authentication fails.

Use the suggested work-around in the issue which is an external call
to date.

[1] https://github.com/ansible/ansible/issues/22561

Change-Id: Ic3f12f52e8fbb87a7cd673c37c6c4280c56c2b0f
2019-05-22 16:41:51 +10:00
Ian Wienand
afd907c16d letsencrypt support
This change contains the roles and testing for deploying certificates
on hosts using letsencrypt with domain authentication.

From a top level, the process is implemented in the roles as follows:

1) letsencrypt-acme-sh-install

   This role installs the acme.sh tool on hosts in the letsencrypt
   group, along with a small custom driver script to help parse output
   that is used by later roles.

2) letsencrypt-request-certs

   This role runs on each host, and reads a host variable describing
   the certificates required.  It uses the acme.sh tool (via the
   driver) to request the certificates from letsencrypt.  It populates
   a global Ansible variable with the authentication TXT records
   required.

   If the certificate exists on the host and is not within the renewal
   period, it should do nothing.

3) letsencrypt-install-txt-record

   This role runs on the adns server.  It installs the TXT records
   generated in step 2 to the acme.opendev.org domain and then
   refreshes the server.  Hosts wanting certificates will have
   pre-provisioned CNAME records for _acme-challenge.host.opendev.org
   pointing to acme.opendev.org.

4) letsencrypt-create-certs

   This role runs on each host, reading the same variable as in step
   2.  However this time the acme.sh tool is run to authenticate and
   create the certificates, which should now work correctly via the
   TXT records from step 3.  After this, the host will have the
   full certificate material.

Testing is added via testinfra.  For testing purposes requests are
made to the staging letsencrypt servers and a self-signed certificate
is provisioned in step 4 (as the authentication is not available
during CI).  We test that the DNS TXT records are created locally on
the CI adns server, however.

Related-Spec: https://review.openstack.org/587283

Change-Id: I1f66da614751a29cc565b37cdc9ff34d70fdfd3f
2019-04-02 15:31:41 +11:00