openstack/openstack-ansible-haproxy_server
Code Issues Proposed changes

Allow multiple methods of installing certbot

Browse Source 
Currently the only method is by downloading the certbot-auto script
and executing that. Some distros supply a so this patch sets up
an option for a future patch to add distro package support

Change-Id: Ie32e6f577c9aa898906ee76199fd0ebe75d5ae95
This commit is contained in:
Jonathan Rosser
2020-04-23 18:33:46 +01:00
parent 04932a7c74
commit ba3a89944b
3 changed files with 47 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
defaults/main.yml
View File

@@ -78,6 +78,10 @@ haproxy_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:
haproxy_ssl_bind_options: "force-tlsv12" haproxy_ssl_bind_options: "force-tlsv12"
# activate letsencrypt option # activate letsencrypt option
haproxy_ssl_letsencrypt_enable: false haproxy_ssl_letsencrypt_enable: false
# choose the certbot install method, 'distro' for a package manager repo, or downloaded with the certbot-auto script 'certbot-auto'
haproxy_ssl_letsencrypt_install_method: "certbot-auto"
haproxy_ssl_letsencrypt_certbot_auto_binary: "{{ haproxy_ssl_letsencrypt_install_path }}/{{ haproxy_ssl_letsencrypt_download_url | basename }}"
haproxy_ssl_letsencrypt_certbot_binary: "{{ (haproxy_ssl_letsencrypt_install_method == 'certbot-auto') | ternary(haproxy_ssl_letsencrypt_certbot_auto_binary, 'certbot') }}"
haproxy_ssl_letsencrypt_email: "example@example.com" haproxy_ssl_letsencrypt_email: "example@example.com"
haproxy_ssl_letsencrypt_download_url: "https://dl.eff.org/certbot-auto" haproxy_ssl_letsencrypt_download_url: "https://dl.eff.org/certbot-auto"
haproxy_ssl_letsencrypt_venv: "/opt/eff.org/certbot/venv" haproxy_ssl_letsencrypt_venv: "/opt/eff.org/certbot/venv"

91
tasks/haproxy_ssl_letsencrypt.yml
View File

@@ -11,37 +11,49 @@
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
- name: Ensure haproxy_ssl_letsencrypt_install_path exists - name: Install certbot with certbot-auto
file: when: haproxy_ssl_letsencrypt_install_method == 'certbot-auto'
path: "{{ haproxy_ssl_letsencrypt_install_path }}" block:
state: directory
- name: Download certbot - name: Ensure haproxy_ssl_letsencrypt_install_path exists
get_url: file:
url: "{{ haproxy_ssl_letsencrypt_download_url }}" path: "{{ haproxy_ssl_letsencrypt_install_path }}"
dest: "{{ haproxy_ssl_letsencrypt_install_path }}" state: directory
mode: 0755
register: fetch_url
until: fetch_url is success
retries: 3
delay: 10
- name: Ensure file permissions certbot-auto - name: Download certbot-auto
file: get_url:
path: "{{ haproxy_ssl_letsencrypt_install_path }}/{{ haproxy_ssl_letsencrypt_download_url | basename }}" url: "{{ haproxy_ssl_letsencrypt_download_url }}"
dest: "{{ haproxy_ssl_letsencrypt_install_path }}"
mode: 0755
register: fetch_url
until: fetch_url is success
retries: 3
delay: 10
- name: Register Letsencrypt data dir - name: Install certbot with certbot-auto script
stat: shell: >
path: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ external_lb_vip_address }}" PIP_INDEX_URL="https://pypi.org/simple/"
register: lcdatadir {{ haproxy_ssl_letsencrypt_install_path }}/{{ haproxy_ssl_letsencrypt_download_url | basename }}
--install-only
args:
creates: "{{ haproxy_ssl_letsencrypt_venv }}"
- name: Install certbot - name: Create letsencrypt_renew file
shell: > template:
PIP_INDEX_URL="https://pypi.org/simple/" src: letsencrypt_renew_certbot_auto.j2
{{ haproxy_ssl_letsencrypt_install_path }}/{{ haproxy_ssl_letsencrypt_download_url | basename }} dest: /usr/local/bin/letsencrypt_renew
--install-only mode: 0755
args: force: yes
creates: "{{ haproxy_ssl_letsencrypt_venv }}"
- name: Renew Letsencrypt Cert Cron
cron:
name: "Renew Letsencrypt Cert"
minute: "{{ haproxy_ssl_letsencrypt_cron_minute }}"
hour: "{{ haproxy_ssl_letsencrypt_cron_hour }}"
weekday: "{{ haproxy_ssl_letsencrypt_cron_weekday }}"
job: "/usr/local/bin/letsencrypt_renew"
user: "root"
state: present
- name: Stop haproxy for certbot activity - name: Stop haproxy for certbot activity
service: service:
@@ -49,9 +61,9 @@
state: "stopped" state: "stopped"
when: lcdatadir.stat.exists == False when: lcdatadir.stat.exists == False
- name: Create ssl cert with certbot - name: Create first time ssl cert with certbot
command: > command: >
{{ haproxy_ssl_letsencrypt_install_path }}/{{ haproxy_ssl_letsencrypt_download_url | basename }} certonly {{ haproxy_ssl_letsencrypt_certbot_binary }} certonly
--standalone --standalone
--agree-tos --agree-tos
--non-interactive --non-interactive
@@ -61,29 +73,12 @@
--domains {{ external_lb_vip_address }} --domains {{ external_lb_vip_address }}
{{ haproxy_ssl_letsencrypt_setup_extra_params }} {{ haproxy_ssl_letsencrypt_setup_extra_params }}
args: args:
creates: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ external_lb_vip_address }}-0001/fullchain.pem" creates: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ external_lb_vip_address }}/fullchain.pem"
- name: Create new pem file for haproxy - name: Create new pem file for haproxy
assemble: assemble:
src: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ external_lb_vip_address }}-0001" src: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ external_lb_vip_address }}"
dest: "/etc/ssl/private/haproxy.pem" dest: "/etc/ssl/private/haproxy.pem"
regexp: '(privkey|fullchain).pem$' regexp: '(privkey|fullchain).pem$'
notify: notify:
- Reload haproxy - Reload haproxy
- name: Create letsencrypt_renew file
template:
src: letsencrypt_renew.j2
dest: /usr/local/bin/letsencrypt_renew
mode: 0755
force: yes
- name: Renew Letsencrypt Cert Cron
cron:
name: "Renew Letsencrypt Cert"
minute: "{{ haproxy_ssl_letsencrypt_cron_minute }}"
hour: "{{ haproxy_ssl_letsencrypt_cron_hour }}"
weekday: "{{ haproxy_ssl_letsencrypt_cron_weekday }}"
job: "/usr/local/bin/letsencrypt_renew"
user: "root"
state: present

0
templates/letsencrypt_renew.j2 → templates/letsencrypt_renew_certbot_auto.j2
View File