commit f3ad9bb701ef9f6e701aa477cd753b2f6c2a0313 parent b4bb41cc362dbc0228bacc0b16a3ce7e8c76e75a Author: Florian Dold <florian@dold.me> Date: Mon, 28 Apr 2025 00:38:12 +0200 improve handling of certbot certs - We no longer use the geerlingguy.certbot role - When the webserver role checks for a broken nginx config and purges /etc/sites-available if the config is broken, to allow subsequent playbook runs to actually fix the error - Certs are fetched via certbot with the nginx plugin, via the custom cert role. Diffstat:
55 files changed, 226 insertions(+), 1327 deletions(-)
diff --git a/.ansible-lint b/.ansible-lint @@ -2,9 +2,6 @@ profile: safety -exclude_paths: - - roles/geerlingguy.certbot/ - skip_list: - var-naming - role-name diff --git a/inventories/host_vars/fdold-acai/test-public.yml b/inventories/host_vars/fdold-acai/test-public.yml @@ -7,6 +7,15 @@ USE_PREGENERATED_DHPARAM: true DEPLOY_CHALLENGER: true # Main domain name. DOMAIN_NAME: "topstest.fdold.eu" +# Our internal hostname +TARGET_HOST_NAME: "acai.box.fdold.eu" +# Disable restore from backup? MUST be set to "false" once in production! +# This forces a backup to be provided *if* there is no database on the +# target system already. If such a database exists, we will NOT restore +# any backup even if this is 'false'. If no database exists on the target +# system and this option is 'false', then a backup must have been provided +# at the originating host (you get get it using the 'restore.sh' script). +DISABLE_RESTORE_BACKUP: true # Use nightly Taler distro (true/false). USE_NIGHTLY: true # Deploy EBICS configuration (true/false). diff --git a/inventories/host_vars/rusty/test-public.yml b/inventories/host_vars/rusty/test-public.yml @@ -10,6 +10,8 @@ DEPLOY_CHALLENGER: true DISABLE_RESTORE_BACKUP: true # Main domain name. DOMAIN_NAME: "stage.taler-ops.ch" +# Our internal hostname +TARGET_HOST_NAME: "rusty.taler-ops.ch" # Use nightly Taler distro (true/false). USE_NIGHTLY: true # Deploy EBICS configuration (true/false). diff --git a/playbooks/setup.yml b/playbooks/setup.yml @@ -8,18 +8,18 @@ msg: "Secrets are not defined (HAVE_SECRETS not set)" when: HAVE_SECRETS is undefined roles: - - role: common_packages + #- role: common_packages # - role: ansible_pull - role: webserver - - role: database - - role: libeufin-nexus - - role: challenger - when: DEPLOY_CHALLENGER | bool - postexchange: false - - role: exchange - - role: challenger - name: challenger - postexchange: true - when: DEPLOY_CHALLENGER | bool - - role: auditor + #- role: database + #- role: libeufin-nexus + #- role: challenger + # when: DEPLOY_CHALLENGER | bool + # postexchange: false + #- role: exchange + #- role: challenger + # name: challenger + # postexchange: true + # when: DEPLOY_CHALLENGER | bool + #- role: auditor - role: monitoring diff --git a/roles/auditor/tasks/main.yml b/roles/auditor/tasks/main.yml @@ -22,14 +22,6 @@ register: st failed_when: not (st.stat.exists is defined and st.stat.exists) -- name: Ensure Taler letsencrypt auditor dir exists from installation - file: - path: "/var/www/letsencrypt/auditor.{{ DOMAIN_NAME }}/.well-known/acme-challenge/" - state: directory - owner: www-data - group: www-data - mode: "0755" - - name: Ensure Taler auditor virtualhost configuration file exists template: src: templates/etc/nginx/sites-available/auditor-nginx.conf.j2 @@ -48,12 +40,6 @@ mode: "0644" notify: Restart nginx -- name: Enable Taler HTTP auditor reverse proxy configuration - file: - src: /etc/nginx/sites-available/auditor-http.conf - dest: /etc/nginx/sites-enabled/auditor-http.conf - state: link - notify: Restart nginx # We need to make sure that our handler notifies nginx to restart NOW - name: Flush handlers @@ -61,33 +47,14 @@ - name: Secure the auditor site with Letsencrypt ansible.builtin.include_role: - name: geerlingguy.certbot + name: cert vars: - certbot_install_method: package - certbot_auto_renew: true - certbot_auto_renew_user: "{{ ansible_user | default(lookup('env', 'USER')) }}" - certbot_auto_renew_hour: "11" - certbot_auto_renew_minute: "11" - certbot_auto_renew_options: "--quiet" - certbot_create_method: webroot - certbot_create_if_missing: true - certbot_create_extra_args: - certbot_hsts: false - certbot_testmode: false - certbot_admin_email: "admin@{{ DOMAIN_NAME }}" - certbot_keep_updated: true - certbot_script: letsencrypt - certbot_certs: - - webroot: "/var/www/letsencrypt/auditor.{{ DOMAIN_NAME }}" - domains: - - "auditor.{{ DOMAIN_NAME }}" - -- name: Enable Taler auditor reverse proxy configuration - file: - src: /etc/nginx/sites-available/auditor-nginx.conf - dest: /etc/nginx/sites-enabled/auditor-nginx.conf - state: link - notify: Restart nginx + cert_name: auditor + wanted_cert_domains: + - "auditor.{{ DOMAIN_NAME }}" + nginx_sites: + - auditor-http.conf + - auditor-nginx.conf - name: Ensure /etc/taler-auditor/conf.d/ directory exists ansible.builtin.stat: diff --git a/roles/auditor/templates/etc/nginx/sites-available/auditor-http.conf.j2 b/roles/auditor/templates/etc/nginx/sites-available/auditor-http.conf.j2 @@ -8,16 +8,6 @@ server { error_log /var/log/nginx/auditor.{{ DOMAIN_NAME }}-http.err; access_log /var/log/nginx/auditor.{{ DOMAIN_NAME }}-http.log; - location ^~ /.well-known/acme-challenge/ { - default_type "text/plain"; - root /var/www/letsencrypt; - } - - # Hide /acme-challenge subdirectory and return 404 on all requests. - location = /.well-known/acme-challenge/ { - return 404; - } - location / { return 301 https://$host$request_uri; } diff --git a/roles/auditor/templates/etc/nginx/sites-available/auditor-nginx.conf.j2 b/roles/auditor/templates/etc/nginx/sites-available/auditor-nginx.conf.j2 @@ -8,9 +8,9 @@ server { server_name auditor.{{ DOMAIN_NAME }}; - ssl_certificate /etc/letsencrypt/live/auditor.{{ DOMAIN_NAME }}/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/auditor.{{ DOMAIN_NAME }}/privkey.pem; - ssl_trusted_certificate /etc/letsencrypt/live/auditor.{{ DOMAIN_NAME }}/chain.pem; + ssl_certificate /etc/letsencrypt/live/auditor/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/auditor/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/auditor/chain.pem; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; ssl_dhparam /etc/ssl/private/dhparam.pem; diff --git a/roles/cert/tasks/handlers/main.yml b/roles/cert/tasks/handlers/main.yml @@ -0,0 +1,4 @@ +- name: Restart nginx + service: + name: nginx + state: restarted diff --git a/roles/cert/tasks/main.yml b/roles/cert/tasks/main.yml @@ -0,0 +1,72 @@ +--- +# Create certs with certbot and the nginx plugin. +# Required vars: +# - DOMAIN_NAME: send e-mails to admin@{{ DOMAIN_NAME }} +# - cert_name: name of the certbot certificate +# - wanted_cert_domains: list of domains to issue a cert for +# - nginx_sites: nginx sites that use this domain, enabled when +# cert creation succeeds + + +- name: Check nginx config + ansible.builtin.command: nginx -c /etc/nginx/nginx.conf -t + register: result + ignore_errors: true + +- name: Fail if nginx misconfigured + ansible.builtin.fail: + msg: The nginx configuration is broken. You need to have a valid nginx configuration before certs can be issued. + when: result is failed + +- name: Check if domains have changed + block: + - name: Register certificate domains + shell: "certbot certificates --cert-name {{ cert_name }} | grep Domains | cut -d':' -f2" + changed_when: false + register: cert_domains_dirty + + - name: Cleanup domain list + set_fact: + actual_cert_domains: "{{ cert_domains_dirty.stdout | trim | split(' ') | map('trim') | select('!=', '') | list | sort }}" + + - name: Determine if domains have changed + set_fact: + cert_domains_changed: "{{ actual_cert_domains != (wanted_cert_domains | map('trim') | select('!=', '') | list | sort) }}" + +- name: Disable site in nginx if cert needs to be created + when: cert_domains_changed + ansible.builtin.file: + path: '/etc/nginx/sites-enabled/{{ item }}' + state: absent + with_items: "{{ nginx_sites | list }}" + notify: Restart nginx + +# We need to make sure that our handler notifies nginx to restart NOW +- name: Flush handlers + meta: flush_handlers + +- name: Create or update certs + command: + argv: "{{ cmd + domain_args | list }}" + vars: + cmd: + - certbot + - -v + - certonly + - --cert-name + - "{{ cert_name }}" + - --nginx + - --keep-until-expiring + - --noninteractive + - --agree-tos + - --email + - admin@{{ DOMAIN_NAME }} + domain_args: "{{ wanted_cert_domains | product(['-d']) | map('reverse') | flatten | list }}" + +- name: Enable nginx sites + file: + src: /etc/nginx/sites-available/{{ item }} + dest: /etc/nginx/sites-enabled/{{ item }} + state: link + notify: Restart nginx + with_items: "{{ nginx_sites | list }}" +\ No newline at end of file diff --git a/roles/challenger/tasks/pre-exchange.yml b/roles/challenger/tasks/pre-exchange.yml @@ -327,166 +327,56 @@ state: started enabled: true -- name: Place SMS challenger HTTP Nginx configuration +- name: Generate challenger nginx configuration files (tls config) ansible.builtin.template: - src: templates/etc/nginx/sites-available/sms-challenger-http.conf.j2 - dest: /etc/nginx/sites-available/sms-challenger-http.conf + src: templates/etc/nginx/conf.d/challenger-tls.conf.inc + dest: /etc/nginx/conf.d/challenger-tls.conf.inc owner: root group: root mode: "0644" -- name: Place SMS challenger Nginx configuration +- name: Generate challenger nginx configuration files ansible.builtin.template: - src: templates/etc/nginx/sites-available/sms-challenger-nginx.conf.j2 - dest: /etc/nginx/sites-available/sms-challenger-nginx.conf + src: templates/etc/nginx/sites-available/{{ item }}.j2 + dest: /etc/nginx/sites-available/{{ item }} owner: root group: root mode: "0644" - -- name: Enable SMS challenger HTTP reverse proxy configuration - file: - src: /etc/nginx/sites-available/sms-challenger-http.conf - dest: /etc/nginx/sites-enabled/sms-challenger-http.conf - state: link - notify: Restart nginx - -- name: Place email challenger HTTP Nginx configuration - ansible.builtin.template: - src: templates/etc/nginx/sites-available/email-challenger-http.conf.j2 - dest: /etc/nginx/sites-available/email-challenger-http.conf - owner: root - group: root - mode: "0644" - -- name: Place email challenger Nginx configuration - ansible.builtin.template: - src: templates/etc/nginx/sites-available/email-challenger-nginx.conf.j2 - dest: /etc/nginx/sites-available/email-challenger-nginx.conf - owner: root - group: root - mode: "0644" - -- name: Enable email challenger HTTP reverse proxy configuration - file: - src: /etc/nginx/sites-available/email-challenger-http.conf - dest: /etc/nginx/sites-enabled/email-challenger-http.conf - state: link - notify: Restart nginx - -- name: Place postal challenger HTTP configuration - ansible.builtin.template: - src: templates/etc/nginx/sites-available/postal-challenger-http.conf.j2 - dest: /etc/nginx/sites-available/postal-challenger-http.conf - owner: root - group: root - mode: "0644" - -- name: Place postal challenger Nginx configuration - ansible.builtin.template: - src: templates/etc/nginx/sites-available/postal-challenger-nginx.conf.j2 - dest: /etc/nginx/sites-available/postal-challenger-nginx.conf - owner: root - group: root - mode: "0644" - -- name: Enable postal challenger HTTP reverse proxy configuration - file: - src: /etc/nginx/sites-available/postal-challenger-http.conf - dest: /etc/nginx/sites-enabled/postal-challenger-http.conf - state: link - notify: Restart nginx - -# We need to make sure that our handler notifies nginx to restart NOW -- name: Flush handlers - meta: flush_handlers - -- name: Secure the SMS challenger site with Letsencrypt + with_items: + - sms-challenger-nginx.conf + - sms-challenger-http.conf + - email-challenger-nginx.conf + - email-challenger-http.conf + - postal-challenger-nginx.conf + - postal-challenger-http.conf + +- name: Secure the auditor site with Letsencrypt ansible.builtin.include_role: - name: geerlingguy.certbot + name: cert vars: - certbot_install_method: package - certbot_auto_renew: true - certbot_auto_renew_user: "{{ ansible_user | default(lookup('env', 'USER')) }}" - certbot_auto_renew_hour: "11" - certbot_auto_renew_minute: "11" - certbot_auto_renew_options: "--quiet" - certbot_create_method: webroot - certbot_create_if_missing: true - certbot_create_extra_args: - certbot_hsts: false - certbot_testmode: false - certbot_admin_email: "admin@{{ DOMAIN_NAME }}" - certbot_keep_updated: true - certbot_script: letsencrypt - certbot_certs: - - webroot: "/var/www/letsencrypt/sms.challenger.{{ DOMAIN_NAME }}" - domains: - - "sms.challenger.{{ DOMAIN_NAME }}" - -- name: Secure the EMAIL challenger site with Letsencrypt - ansible.builtin.include_role: - name: geerlingguy.certbot - vars: - certbot_install_method: package - certbot_auto_renew: true - certbot_auto_renew_user: "{{ ansible_user | default(lookup('env', 'USER')) }}" - certbot_auto_renew_hour: "11" - certbot_auto_renew_minute: "11" - certbot_auto_renew_options: "--quiet" - certbot_create_method: webroot - certbot_create_if_missing: true - certbot_create_extra_args: - certbot_hsts: false - certbot_testmode: false - certbot_admin_email: "admin@{{ DOMAIN_NAME }}" - certbot_keep_updated: true - certbot_script: letsencrypt - certbot_certs: - - webroot: "/var/www/letsencrypt/email.challenger.{{ DOMAIN_NAME }}" - domains: - - "email.challenger.{{ DOMAIN_NAME }}" - - -- name: Secure the POSTAL challenger site with Letsencrypt - ansible.builtin.include_role: - name: geerlingguy.certbot - vars: - certbot_install_method: package - certbot_auto_renew: true - certbot_auto_renew_user: "{{ ansible_user | default(lookup('env', 'USER')) }}" - certbot_auto_renew_hour: "11" - certbot_auto_renew_minute: "11" - certbot_auto_renew_options: "--quiet" - certbot_create_method: webroot - certbot_create_if_missing: true - certbot_create_extra_args: - certbot_hsts: false - certbot_testmode: false - certbot_admin_postal: "admin@{{ DOMAIN_NAME }}" - certbot_keep_updated: true - certbot_script: letsencrypt - certbot_certs: - - webroot: "/var/www/letsencrypt/postal.challenger.{{ DOMAIN_NAME }}" - domains: - - "postal.challenger.{{ DOMAIN_NAME }}" - -- name: Enable SMS challenger reverse proxy configuration - file: - src: /etc/nginx/sites-available/sms-challenger-nginx.conf - dest: /etc/nginx/sites-enabled/sms-challenger-nginx.conf - state: link - notify: Restart nginx - -- name: Enable email challenger reverse proxy configuration - file: - src: /etc/nginx/sites-available/email-challenger-nginx.conf - dest: /etc/nginx/sites-enabled/email-challenger-nginx.conf - state: link - notify: Restart nginx + cert_name: challenger + wanted_cert_domains: + - "sms.challenger.{{ DOMAIN_NAME }}" + - "email.challenger.{{ DOMAIN_NAME }}" + - "postal.challenger.{{ DOMAIN_NAME }}" + nginx_sites: + - sms-challenger-nginx.conf + - postal-challenger-nginx.conf + - email-challenger-nginx.conf + - sms-challenger-http.conf + - postal-challenger-http.conf + - email-challenger-http.conf - name: Enable postal challenger reverse proxy configuration file: - src: /etc/nginx/sites-available/postal-challenger-nginx.conf - dest: /etc/nginx/sites-enabled/postal-challenger-nginx.conf + src: "/etc/nginx/sites-available/{{ item }}" + dest: "/etc/nginx/sites-enabled/{{ item }}" state: link notify: Restart nginx + with_items: + - sms-challenger-nginx.conf + - postal-challenger-nginx.conf + - email-challenger-nginx.conf + - sms-challenger-http.conf + - postal-challenger-http.conf + - email-challenger-http.conf diff --git a/roles/challenger/templates/etc/nginx/conf.d/challenger-tls.conf.inc b/roles/challenger/templates/etc/nginx/conf.d/challenger-tls.conf.inc @@ -0,0 +1,11 @@ + +ssl_certificate /etc/letsencrypt/live/challenger/fullchain.pem; +ssl_certificate_key /etc/letsencrypt/live/challenger/privkey.pem; +ssl_trusted_certificate /etc/letsencrypt/live/challenger/chain.pem; +ssl_prefer_server_ciphers on; +ssl_session_cache shared:SSL:10m; +ssl_dhparam /etc/ssl/private/dhparam.pem; +ssl_protocols TLSv1.3 TLSv1.2; +ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; + +add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; +\ No newline at end of file diff --git a/roles/challenger/templates/etc/nginx/sites-available/email-challenger-http.conf.j2 b/roles/challenger/templates/etc/nginx/sites-available/email-challenger-http.conf.j2 @@ -8,16 +8,6 @@ server { error_log /var/log/nginx/email.challenger.{{ DOMAIN_NAME }}-http.err; access_log /var/log/nginx/email.challenger.{{ DOMAIN_NAME }}-http.log; - location ^~ /.well-known/acme-challenge/ { - default_type "text/plain"; - root /var/www/letsencrypt; - } - - # Hide /acme-challenge subdirectory and return 404 on all requests. - location = /.well-known/acme-challenge/ { - return 404; - } - location / { return 301 https://$host$request_uri; } diff --git a/roles/challenger/templates/etc/nginx/sites-available/email-challenger-nginx.conf.j2 b/roles/challenger/templates/etc/nginx/sites-available/email-challenger-nginx.conf.j2 @@ -7,16 +7,7 @@ server { server_tokens off; server_name email.challenger.{{ DOMAIN_NAME }}; - ssl_certificate /etc/letsencrypt/live/email.challenger.{{ DOMAIN_NAME }}/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/email.challenger.{{ DOMAIN_NAME }}/privkey.pem; - ssl_trusted_certificate /etc/letsencrypt/live/email.challenger.{{ DOMAIN_NAME }}/chain.pem; - ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:10m; - ssl_dhparam /etc/ssl/private/dhparam.pem; - ssl_protocols TLSv1.3 TLSv1.2; - ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; - - add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; + include conf.d/challenger-tls.conf.inc; # Bigger than default timeout to support long polling proxy_read_timeout 650s; diff --git a/roles/challenger/templates/etc/nginx/sites-available/postal-challenger-http.conf.j2 b/roles/challenger/templates/etc/nginx/sites-available/postal-challenger-http.conf.j2 @@ -8,16 +8,6 @@ server { error_log /var/log/nginx/postal.challenger.{{ DOMAIN_NAME }}-http.err; access_log /var/log/nginx/postal.challenger.{{ DOMAIN_NAME }}-http.log; - location ^~ /.well-known/acme-challenge/ { - default_type "text/plain"; - root /var/www/letsencrypt; - } - - # Hide /acme-challenge subdirectory and return 404 on all requests. - location = /.well-known/acme-challenge/ { - return 404; - } - location / { return 301 https://$host$request_uri; } diff --git a/roles/challenger/templates/etc/nginx/sites-available/postal-challenger-nginx.conf.j2 b/roles/challenger/templates/etc/nginx/sites-available/postal-challenger-nginx.conf.j2 @@ -7,14 +7,7 @@ server { server_tokens off; server_name postal.challenger.{{ DOMAIN_NAME }}; - ssl_certificate /etc/letsencrypt/live/postal.challenger.{{ DOMAIN_NAME }}/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/postal.challenger.{{ DOMAIN_NAME }}/privkey.pem; - ssl_trusted_certificate /etc/letsencrypt/live/postal.challenger.{{ DOMAIN_NAME }}/chain.pem; - ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:10m; - ssl_dhparam /etc/ssl/private/dhparam.pem; - ssl_protocols TLSv1.3 TLSv1.2; - ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; + include conf.d/challenger-tls.conf.inc; add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; diff --git a/roles/challenger/templates/etc/nginx/sites-available/sms-challenger-http.conf.j2 b/roles/challenger/templates/etc/nginx/sites-available/sms-challenger-http.conf.j2 @@ -8,18 +8,7 @@ server { error_log /var/log/nginx/sms.challenger.{{ DOMAIN_NAME }}-http.err; access_log /var/log/nginx/sms.challenger.{{ DOMAIN_NAME }}-http.log; - location ^~ /.well-known/acme-challenge/ { - default_type "text/plain"; - root /var/www/letsencrypt; - } - - # Hide /acme-challenge subdirectory and return 404 on all requests. - location = /.well-known/acme-challenge/ { - return 404; - } - location / { return 301 https://$host$request_uri; } - } diff --git a/roles/challenger/templates/etc/nginx/sites-available/sms-challenger-nginx.conf.j2 b/roles/challenger/templates/etc/nginx/sites-available/sms-challenger-nginx.conf.j2 @@ -7,14 +7,7 @@ server { server_tokens off; server_name sms.challenger.{{ DOMAIN_NAME }}; - ssl_certificate /etc/letsencrypt/live/sms.challenger.{{ DOMAIN_NAME }}/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/sms.challenger.{{ DOMAIN_NAME }}/privkey.pem; - ssl_trusted_certificate /etc/letsencrypt/live/sms.challenger.{{ DOMAIN_NAME }}/chain.pem; - ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:10m; - ssl_dhparam /etc/ssl/private/dhparam.pem; - ssl_protocols TLSv1.3 TLSv1.2; - ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; + include conf.d/challenger-tls.conf.inc; add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; diff --git a/roles/exchange/tasks/main.yml b/roles/exchange/tasks/main.yml @@ -33,6 +33,17 @@ group: root mode: "0644" +- name: Secure the exchange site with Letsencrypt + ansible.builtin.include_role: + name: cert + vars: + cert_name: exchange + wanted_cert_domains: + - "exchange.{{ DOMAIN_NAME }}" + nginx_sites: + - exchange-http.conf + - exchange-nginx.conf + - name: Enable Taler exchange HTTP reverse proxy configuration file: src: /etc/nginx/sites-available/exchange-http.conf @@ -40,33 +51,6 @@ state: link notify: Restart nginx -# We need to make sure that our handler notifies nginx to restart NOW -- name: Flush handlers - meta: flush_handlers - -- name: Secure the exchange site with Letsencrypt - ansible.builtin.include_role: - name: geerlingguy.certbot - vars: - certbot_install_method: package - certbot_auto_renew: true - certbot_auto_renew_user: "{{ ansible_user | default(lookup('env', 'USER')) }}" - certbot_auto_renew_hour: "11" - certbot_auto_renew_minute: "11" - certbot_auto_renew_options: "--quiet" - certbot_create_method: webroot - certbot_create_if_missing: true - certbot_create_extra_args: - certbot_hsts: false - certbot_testmode: false - certbot_admin_email: "admin@{{ DOMAIN_NAME }}" - certbot_keep_updated: true - certbot_script: letsencrypt - certbot_certs: - - webroot: "/var/www/letsencrypt/exchange.{{ DOMAIN_NAME }}" - domains: - - "exchange.{{ DOMAIN_NAME }}" - - name: Enable Taler exchange reverse proxy configuration file: src: /etc/nginx/sites-available/exchange-nginx.conf diff --git a/roles/exchange/templates/etc/nginx/sites-available/exchange-http.conf.j2 b/roles/exchange/templates/etc/nginx/sites-available/exchange-http.conf.j2 @@ -8,16 +8,6 @@ server { error_log /var/log/nginx/exchange.{{ DOMAIN_NAME }}-http.err; access_log /var/log/nginx/exchange.{{ DOMAIN_NAME }}-http.log; - location ^~ /.well-known/acme-challenge/ { - default_type "text/plain"; - root /var/www/letsencrypt; - } - - # Hide /acme-challenge subdirectory and return 404 on all requests. - location = /.well-known/acme-challenge/ { - return 404; - } - location / { return 301 https://$host$request_uri; } diff --git a/roles/exchange/templates/etc/nginx/sites-available/exchange-nginx.conf.j2 b/roles/exchange/templates/etc/nginx/sites-available/exchange-nginx.conf.j2 @@ -7,9 +7,9 @@ server { server_tokens off; server_name exchange.{{ DOMAIN_NAME }}; - ssl_certificate /etc/letsencrypt/live/exchange.{{ DOMAIN_NAME }}/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/exchange.{{ DOMAIN_NAME }}/privkey.pem; - ssl_trusted_certificate /etc/letsencrypt/live/exchange.{{ DOMAIN_NAME }}/chain.pem; + ssl_certificate /etc/letsencrypt/live/exchange/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/exchange/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/exchange/chain.pem; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; ssl_dhparam /etc/ssl/private/dhparam.pem; diff --git a/roles/geerlingguy.certbot/.ansible-lint b/roles/geerlingguy.certbot/.ansible-lint @@ -1,3 +0,0 @@ -skip_list: - - 'yaml' - - 'role-name' diff --git a/roles/geerlingguy.certbot/.github/FUNDING.yml b/roles/geerlingguy.certbot/.github/FUNDING.yml @@ -1,4 +0,0 @@ -# These are supported funding model platforms ---- -github: geerlingguy -patreon: geerlingguy diff --git a/roles/geerlingguy.certbot/.github/workflows/ci.yml b/roles/geerlingguy.certbot/.github/workflows/ci.yml @@ -1,79 +0,0 @@ ---- -name: CI -'on': - pull_request: - push: - branches: - - master - schedule: - - cron: "30 2 * * 0" - -defaults: - run: - working-directory: 'geerlingguy.certbot' - -jobs: - - lint: - name: Lint - runs-on: ubuntu-latest - steps: - - name: Check out the codebase. - uses: actions/checkout@v4 - with: - path: 'geerlingguy.certbot' - - - name: Set up Python 3. - uses: actions/setup-python@v5 - with: - python-version: '3.x' - - - name: Install test dependencies. - run: pip3 install yamllint - - - name: Lint code. - run: | - yamllint . - - molecule: - name: Molecule - runs-on: ubuntu-latest - strategy: - matrix: - include: - - distro: rockylinux9 - playbook: converge.yml - experimental: false - - distro: ubuntu2004 - playbook: converge.yml - experimental: false - - distro: debian10 - playbook: converge.yml - experimental: false - - - distro: rockylinux9 - playbook: playbook-snap-install.yml - experimental: true - - steps: - - name: Check out the codebase. - uses: actions/checkout@v4 - with: - path: 'geerlingguy.certbot' - - - name: Set up Python 3. - uses: actions/setup-python@v5 - with: - python-version: '3.x' - - - name: Install test dependencies. - run: pip3 install ansible molecule molecule-plugins[docker] docker - - - name: Run Molecule tests. - run: molecule test - continue-on-error: ${{ matrix.experimental }} - env: - PY_COLORS: '1' - ANSIBLE_FORCE_COLOR: '1' - MOLECULE_DISTRO: ${{ matrix.distro }} - MOLECULE_PLAYBOOK: ${{ matrix.playbook }} diff --git a/roles/geerlingguy.certbot/.github/workflows/release.yml b/roles/geerlingguy.certbot/.github/workflows/release.yml @@ -1,40 +0,0 @@ ---- -# This workflow requires a GALAXY_API_KEY secret present in the GitHub -# repository or organization. -# -# See: https://github.com/marketplace/actions/publish-ansible-role-to-galaxy -# See: https://github.com/ansible/galaxy/issues/46 - -name: Release -'on': - push: - tags: - - '*' - -defaults: - run: - working-directory: 'geerlingguy.certbot' - -jobs: - - release: - name: Release - runs-on: ubuntu-latest - steps: - - name: Check out the codebase. - uses: actions/checkout@v4 - with: - path: 'geerlingguy.certbot' - - - name: Set up Python 3. - uses: actions/setup-python@v5 - with: - python-version: '3.x' - - - name: Install Ansible. - run: pip3 install ansible-core - - - name: Trigger a new import on Galaxy. - run: >- - ansible-galaxy role import --api-key ${{ secrets.GALAXY_API_KEY }} - $(echo ${{ github.repository }} | cut -d/ -f1) $(echo ${{ github.repository }} | cut -d/ -f2) diff --git a/roles/geerlingguy.certbot/.github/workflows/stale.yml b/roles/geerlingguy.certbot/.github/workflows/stale.yml @@ -1,34 +0,0 @@ ---- -name: Close inactive issues -'on': - schedule: - - cron: "55 12 * * 1" # semi-random time - -jobs: - close-issues: - runs-on: ubuntu-latest - permissions: - issues: write - pull-requests: write - steps: - - uses: actions/stale@v8 - with: - days-before-stale: 120 - days-before-close: 60 - exempt-issue-labels: bug,pinned,security,planned - exempt-pr-labels: bug,pinned,security,planned - stale-issue-label: "stale" - stale-pr-label: "stale" - stale-issue-message: | - This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution! - - Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark issues as stale. - close-issue-message: | - This issue has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details. - stale-pr-message: | - This pr has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution! - - Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark issues as stale. - close-pr-message: | - This pr has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details. - repo-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/roles/geerlingguy.certbot/.gitignore b/roles/geerlingguy.certbot/.gitignore @@ -1,5 +0,0 @@ -*.retry -*/__pycache__ -*.pyc -.cache - diff --git a/roles/geerlingguy.certbot/.yamllint b/roles/geerlingguy.certbot/.yamllint @@ -1,13 +0,0 @@ ---- -extends: default - -rules: - line-length: - max: 180 - level: warning - indentation: - spaces: 2 - indent-sequences: consistent - -ignore: | - .github/workflows/stale.yml diff --git a/roles/geerlingguy.certbot/LICENSE b/roles/geerlingguy.certbot/LICENSE @@ -1,20 +0,0 @@ -The MIT License (MIT) - -Copyright (c) 2017 Jeff Geerling - -Permission is hereby granted, free of charge, to any person obtaining a copy of -this software and associated documentation files (the "Software"), to deal in -the Software without restriction, including without limitation the rights to -use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of -the Software, and to permit persons to whom the Software is furnished to do so, -subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS -FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR -COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER -IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN -CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/roles/geerlingguy.certbot/README.md b/roles/geerlingguy.certbot/README.md @@ -1,165 +0,0 @@ -# Ansible Role: Certbot (for Let's Encrypt) - -[](https://github.com/geerlingguy/ansible-role-certbot/actions?query=workflow%3ACI) - -Installs and configures Certbot (for Let's Encrypt). - -## Requirements - -If installing from source, Git is required. You can install Git using the `geerlingguy.git` role. - -Generally, installing from source (see section `Source Installation from Git`) leads to a better experience using Certbot and Let's Encrypt, especially if you're using an older OS release. - -## Role Variables - - certbot_install_method: package - -Controls how Certbot is installed. Available options are 'package', 'snap', and 'source'. - - certbot_auto_renew: true - certbot_auto_renew_user: "{{ ansible_user | default(lookup('env', 'USER')) }}" - certbot_auto_renew_hour: "3" - certbot_auto_renew_minute: "30" - certbot_auto_renew_options: "--quiet" - -By default, this role configures a cron job to run under the provided user account at the given hour and minute, every day. The defaults run `certbot renew` (or `certbot-auto renew`) via cron every day at 03:30:00 by the user you use in your Ansible playbook. It's preferred that you set a custom user/hour/minute so the renewal is during a low-traffic period and done by a non-root user account. - -### Automatic Certificate Generation - -Currently the `standalone` and `webroot` method are supported for generating new certificates using this role. - -**For a complete example**: see the fully functional test playbook in [molecule/default/playbook-standalone-nginx-aws.yml](molecule/default/playbook-standalone-nginx-aws.yml). - - certbot_create_if_missing: false - -Set `certbot_create_if_missing` to `yes` or `True` to let this role generate certs. - - certbot_create_method: standalone - -Set the method used for generating certs with the `certbot_create_method` variable — current allowed values are: `standalone` or `webroot`. - - certbot_testmode: false - -Enable test mode to only run a test request without actually creating certificates. - - certbot_hsts: false - -Enable (HTTP Strict Transport Security) for the certificate generation. - - certbot_admin_email: email@example.com - -The email address used to agree to Let's Encrypt's TOS and subscribe to cert-related notifications. This should be customized and set to an email address that you or your organization regularly monitors. - - certbot_certs: [] - # - email: janedoe@example.com - # webroot: "/var/www/html" - # domains: - # - example1.com - # - example2.com - # - domains: - # - example3.com - -A list of domains (and other data) for which certs should be generated. You can add an `email` key to any list item to override the `certbot_admin_email`. When using the `webroot` creation method, a `webroot` item has to be provided, specifying which directory to use for the authentication. Make sure your webserver correctly delivers contents from this directory. - - certbot_create_command: "{{ certbot_script }} certonly --standalone --noninteractive --agree-tos --email {{ cert_item.email | default(certbot_admin_email) }} -d {{ cert_item.domains | join(',') }}" - -The `certbot_create_command` defines the command used to generate the cert. See the full default command inside `defaults/main.yml` for a full example—and you can easily add in extra arguments that are not in the default command with the `certbot_create_extra_args` variable. - -#### Standalone Certificate Generation - - certbot_create_standalone_stop_services: - - nginx - -Services that should be stopped while `certbot` runs it's own standalone server on ports 80 and 443. If you're running Apache, set this to `apache2` (Ubuntu), or `httpd` (RHEL), or if you have Nginx on port 443 and something else on port 80 (e.g. Varnish, a Java app, or something else), add it to the list so it is stopped when the certificate is generated. - -These services will only be stopped the first time a new cert is generated. - -### Snap Installation - -Beginning in December 2020, the Certbot maintainers decided to recommend installing Certbot from Snap rather than maintain scripts like `certbot-auto`. - -Setting `certbot_install_method: snap` configures this role to install Certbot via Snap. - -This install method is currently experimental and may or may not work across all Linux distributions. - -#### Webroot Certificate Generation - -When using the `webroot` creation method, a `webroot` item has to be provided for every `certbot_certs` item, specifying which directory to use for the authentication. Also, make sure your webserver correctly delivers contents from this directory. - -### Source Installation from Git - -You can install Certbot from it's Git source repository if desired with `certbot_install_method: source`. This might be useful in several cases, but especially when older distributions don't have Certbot packages available (e.g. CentOS < 7, Ubuntu < 16.10 and Debian < 8). - - certbot_repo: https://github.com/certbot/certbot.git - certbot_version: master - certbot_keep_updated: true - -Certbot Git repository options. If installing from source, the configured `certbot_repo` is cloned, respecting the `certbot_version` setting. If `certbot_keep_updated` is set to `yes`, the repository is updated every time this role runs. - - certbot_dir: /opt/certbot - -The directory inside which Certbot will be cloned. - -### Wildcard Certificates - -Let's Encrypt supports [generating wildcard certificates](https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579), but the process for generating and using them is slightly more involved. See comments in [this pull request](https://github.com/geerlingguy/ansible-role-certbot/pull/60#issuecomment-423919284) for an example of how to use this role to maintain wildcard certs. - -Michael Porter also has a walkthrough of [Creating A Let’s Encrypt Wildcard Cert With Ansible](https://www.michaelpporter.com/2018/09/creating-a-wildcard-cert-with-ansible/), specifically with Cloudflare. - -## Dependencies - -None. - -## Example Playbook - - - hosts: servers - - vars: - certbot_auto_renew_user: your_username_here - certbot_auto_renew_minute: "20" - certbot_auto_renew_hour: "5" - - roles: - - geerlingguy.certbot - -See other examples in the `tests/` directory. - -### Manually creating certificates with certbot - -_Note: You can have this role automatically generate certificates; see the "Automatic Certificate Generation" documentation above._ - -You can manually create certificates using the `certbot` (or `certbot-auto`) script (use `letsencrypt` on Ubuntu 16.04, or use `/opt/certbot/certbot-auto` if installing from source/Git. Here are some example commands to configure certificates with Certbot: - - # Automatically add certs for all Apache virtualhosts (use with caution!). - certbot --apache - - # Generate certs, but don't modify Apache configuration (safer). - certbot --apache certonly - -If you want to fully automate the process of adding a new certificate, but don't want to use this role's built in functionality, you can do so using the command line options to register, accept the terms of service, and then generate a cert using the standalone server: - - 1. Make sure any services listening on ports 80 and 443 (Apache, Nginx, Varnish, etc.) are stopped. - 2. Register with something like `certbot register --agree-tos --email [your-email@example.com]` - - Note: You won't need to do this step in the future, when generating additional certs on the same server. - 3. Generate a cert for a domain whose DNS points to this server: `certbot certonly --noninteractive --standalone -d example.com -d www.example.com` - 4. Re-start whatever was listening on ports 80 and 443 before. - 5. Update your webserver's virtualhost TLS configuration to point at the new certificate (`fullchain.pem`) and private key (`privkey.pem`) Certbot just generated for the domain you passed in the `certbot` command. - 6. Reload or restart your webserver so it uses the new HTTPS virtualhost configuration. - -### Certbot certificate auto-renewal - -By default, this role adds a cron job that will renew all installed certificates once per day at the hour and minute of your choosing. - -You can test the auto-renewal (without actually renewing the cert) with the command: - - /opt/certbot/certbot-auto renew --dry-run - -See full documentation and options on the [Certbot website](https://certbot.eff.org/). - -## License - -MIT / BSD - -## Author Information - -This role was created in 2016 by [Jeff Geerling](https://www.jeffgeerling.com/), author of [Ansible for DevOps](https://www.ansiblefordevops.com/). diff --git a/roles/geerlingguy.certbot/defaults/main.yml b/roles/geerlingguy.certbot/defaults/main.yml @@ -1,61 +0,0 @@ ---- -# Certbot auto-renew cron job configuration (for certificate renewals). -certbot_auto_renew: true -certbot_auto_renew_user: "{{ ansible_user | default(lookup('env', 'USER')) }}" -certbot_auto_renew_hour: "3" -certbot_auto_renew_minute: "30" -certbot_auto_renew_options: "--quiet" - -certbot_testmode: false -certbot_hsts: false - - -# Parameters used when creating new Certbot certs. -certbot_create_if_missing: false -certbot_create_method: standalone -certbot_admin_email: email@example.com - -# Default webroot, overwritten by individual per-cert webroot directories -certbot_webroot: /var/www/letsencrypt - -certbot_certs: [] -# - email: janedoe@example.com -# webroot: "/var/www/html/" -# domains: -# - example1.com -# - example2.com -# - domains: -# - example3.com - -certbot_create_command: >- - {{ certbot_script }} certonly --{{ certbot_create_method }} - {{ '--hsts' if certbot_hsts else '' }} - {{ '--test-cert' if certbot_testmode else '' }} - --noninteractive --agree-tos - --email {{ cert_item.email | default(certbot_admin_email) }} - {{ '--webroot-path ' if certbot_create_method == 'webroot' else '' }} - {{ cert_item.webroot | default(certbot_webroot) if certbot_create_method == 'webroot' else '' }} - {{ certbot_create_extra_args }} - -d {{ cert_item.domains | join(',') }} - {{ '--pre-hook /etc/letsencrypt/renewal-hooks/pre/stop_services' - if certbot_create_standalone_stop_services and certbot_create_method == 'standalone' - else '' }} - {{ '--post-hook /etc/letsencrypt/renewal-hooks/post/start_services' - if certbot_create_standalone_stop_services and certbot_create_method == 'standalone' - else '' }} - -certbot_create_standalone_stop_services: - - nginx - # - apache - # - varnish - -# Available options: 'package', 'snap', 'source'. -certbot_install_method: 'package' - -# Source install configuration. -certbot_repo: https://github.com/certbot/certbot.git -certbot_version: master -certbot_keep_updated: true - -# Where to put Certbot when installing from source. -certbot_dir: /opt/certbot diff --git a/roles/geerlingguy.certbot/meta/.galaxy_install_info b/roles/geerlingguy.certbot/meta/.galaxy_install_info @@ -1,2 +0,0 @@ -install_date: 'Sun 15 Dec 2024 07:29:52 PM ' -version: 5.2.0 diff --git a/roles/geerlingguy.certbot/meta/main.yml b/roles/geerlingguy.certbot/meta/main.yml @@ -1,30 +0,0 @@ ---- -dependencies: [] - -galaxy_info: - role_name: certbot - author: geerlingguy - description: "Installs and configures Certbot (for Let's Encrypt)." - company: "Midwestern Mac, LLC" - license: "license (BSD, MIT)" - min_ansible_version: 2.10 - platforms: - - name: Fedora - versions: - - all - - name: Ubuntu - versions: - - all - - name: Debian - versions: - - all - galaxy_tags: - - networking - - system - - web - - certbot - - letsencrypt - - encryption - - certificates - - ssl - - https diff --git a/roles/geerlingguy.certbot/molecule/default/converge.yml b/roles/geerlingguy.certbot/molecule/default/converge.yml @@ -1,28 +0,0 @@ ---- -- name: Converge - hosts: all - become: true - - vars: - certbot_auto_renew_user: root - - pre_tasks: - - name: Update apt cache. - apt: update_cache=yes cache_valid_time=600 - when: ansible_os_family == 'Debian' - changed_when: false - - - name: Install dependencies (RedHat). - yum: - name: - - cronie - - epel-release - state: present - when: ansible_os_family == 'RedHat' - - - name: Install cron (Debian). - apt: name=cron state=present - when: ansible_os_family == 'Debian' - - roles: - - geerlingguy.certbot diff --git a/roles/geerlingguy.certbot/molecule/default/molecule.yml b/roles/geerlingguy.certbot/molecule/default/molecule.yml @@ -1,21 +0,0 @@ ---- -role_name_check: 1 -dependency: - name: galaxy - options: - ignore-errors: true -driver: - name: docker -platforms: - - name: instance - image: "geerlingguy/docker-${MOLECULE_DISTRO:-rockylinux9}-ansible:latest" - command: ${MOLECULE_DOCKER_COMMAND:-""} - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - cgroupns_mode: host - privileged: true - pre_build_image: true -provisioner: - name: ansible - playbooks: - converge: ${MOLECULE_PLAYBOOK:-converge.yml} diff --git a/roles/geerlingguy.certbot/molecule/default/playbook-snap-install.yml b/roles/geerlingguy.certbot/molecule/default/playbook-snap-install.yml @@ -1,26 +0,0 @@ ---- -- name: Converge - hosts: all - become: true - - vars: - certbot_install_method: 'snap' - certbot_auto_renew_user: root - - pre_tasks: - - name: Update apt cache. - apt: update_cache=yes cache_valid_time=600 - when: ansible_os_family == 'Debian' - changed_when: false - - - name: Install cron (RedHat). - yum: name=cronie state=present - when: ansible_os_family == 'RedHat' - - - name: Install cron (Debian). - apt: name=cron state=present - when: ansible_os_family == 'Debian' - - roles: - - geerlingguy.git - - geerlingguy.certbot diff --git a/roles/geerlingguy.certbot/molecule/default/playbook-source-install.yml b/roles/geerlingguy.certbot/molecule/default/playbook-source-install.yml @@ -1,26 +0,0 @@ ---- -- name: Converge - hosts: all - become: true - - vars: - certbot_install_method: 'source' - certbot_auto_renew_user: root - - pre_tasks: - - name: Update apt cache. - apt: update_cache=yes cache_valid_time=600 - when: ansible_os_family == 'Debian' - changed_when: false - - - name: Install cron (RedHat). - yum: name=cronie state=present - when: ansible_os_family == 'RedHat' - - - name: Install cron (Debian). - apt: name=cron state=present - when: ansible_os_family == 'Debian' - - roles: - - geerlingguy.git - - geerlingguy.certbot diff --git a/roles/geerlingguy.certbot/molecule/default/playbook-standalone-nginx-aws.yml b/roles/geerlingguy.certbot/molecule/default/playbook-standalone-nginx-aws.yml @@ -1,180 +0,0 @@ ---- -# To run: -# 1. Ensure Ansible and Boto are installed (pip install ansible boto). -# 2. Ensure you have AWS credentials stored where Boto can find them, and they -# are under the profile 'mm'. -# 3. Ensure you have a pubkey available at ~/.ssh/id_rsa.pub. -# 3. Run the playbook: ansible-playbook test-standalone-nginx-aws.yml - -# Play 1: Provision EC2 instance and A record. -- hosts: localhost - connection: local - gather_facts: false - - tasks: - - name: Configure EC2 Security Group. - ec2_group: - profile: mm - name: certbot_test_http - description: HTTP security group for Certbot testing. - region: "us-east-1" - state: present - rules: - - proto: tcp - from_port: 80 - to_port: 80 - cidr_ip: 0.0.0.0/0 - - proto: tcp - from_port: 443 - to_port: 443 - cidr_ip: 0.0.0.0/0 - - proto: tcp - from_port: 22 - to_port: 22 - cidr_ip: 0.0.0.0/0 - rules_egress: [] - - - name: Add EC2 Key Pair. - ec2_key: - profile: mm - region: "us-east-1" - name: certbot_test - key_material: "{{ item }}" - with_file: - - ~/.ssh/id_rsa.pub - - - name: Provision EC2 instance. - ec2: - profile: mm - key_name: certbot_test - instance_tags: - Name: "certbot-standalone-nginx-test" - group: ['default', 'certbot_test_http'] - instance_type: t2.micro - # CentOS Linux 7 x86_64 HVM EBS - image: ami-02e98f78 - region: "us-east-1" - wait: true - wait_timeout: 500 - exact_count: 1 - count_tag: - Name: "certbot-standalone-nginx-test" - register: created_instance - - - name: Add A record for the new EC2 instance IP in Route53. - route53: - profile: mm - command: create - zone: servercheck.in - record: certbot-test.servercheck.in - type: A - ttl: 300 - value: "{{ created_instance.tagged_instances.0.public_ip }}" - wait: true - overwrite: true - - - name: Add EC2 instance to inventory groups. - add_host: - name: "certbot-test.servercheck.in" - groups: "aws,aws_nginx" - ansible_ssh_user: centos - host_key_checking: false - when: created_instance.tagged_instances.0.id is defined - -# Play 2: Configure EC2 instance with Certbot and Nginx. -- hosts: aws_nginx - gather_facts: true - become: true - - vars: - certbot_admin_email: https@servercheck.in - certbot_create_if_missing: true - certbot_create_standalone_stop_services: [] - certbot_certs: - - domains: - - certbot-test.servercheck.in - nginx_vhosts: - - listen: "443 ssl http2" - server_name: "certbot-test.servercheck.in" - root: "/usr/share/nginx/html" - index: "index.html index.htm" - state: "present" - template: "{{ nginx_vhost_template }}" - filename: "certbot_test.conf" - extra_parameters: | - ssl_certificate /etc/letsencrypt/live/certbot-test.servercheck.in/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/certbot-test.servercheck.in/privkey.pem; - ssl_protocols TLSv1.1 TLSv1.2; - ssl_ciphers HIGH:!aNULL:!MD5; - - pre_tasks: - - name: Update apt cache. - apt: update_cache=true cache_valid_time=600 - when: ansible_os_family == 'Debian' - changed_when: false - - - name: Install dependencies (RedHat). - yum: name={{ item }} state=present - when: ansible_os_family == 'RedHat' - with_items: - - cronie - - epel-release - - - name: Install cron (Debian). - apt: name=cron state=present - when: ansible_os_family == 'Debian' - - roles: - - geerlingguy.certbot - - geerlingguy.nginx - - tasks: - - name: Flush handlers in case any configs have changed. - meta: flush_handlers - - - name: Test secure connection to SSL domain. - uri: - url: https://certbot-test.servercheck.in/ - status_code: 200 - delegate_to: localhost - become: false - -# Play 3: Tear down EC2 instance and A record. -- hosts: localhost - connection: local - gather_facts: false - - tasks: - - name: Destroy EC2 instance. - ec2: - profile: mm - instance_ids: ["{{ created_instance.tagged_instances.0.id }}"] - region: "us-east-1" - state: absent - wait: true - wait_timeout: 500 - - - name: Delete Security Group. - ec2_group: - profile: mm - name: certbot_test_http - region: "us-east-1" - state: absent - - - name: Delete Key Pair. - ec2_key: - profile: mm - name: certbot_test - region: "us-east-1" - state: absent - - - name: Delete Route53 record. - route53: - profile: mm - state: delete - zone: servercheck.in - record: certbot-test.servercheck.in - type: A - ttl: 300 - # See: https://github.com/ansible/ansible/pull/32297 - value: [] diff --git a/roles/geerlingguy.certbot/molecule/default/requirements.yml b/roles/geerlingguy.certbot/molecule/default/requirements.yml @@ -1,3 +0,0 @@ ---- -- src: geerlingguy.git -- src: geerlingguy.nginx diff --git a/roles/geerlingguy.certbot/tasks/create-cert-standalone.yml b/roles/geerlingguy.certbot/tasks/create-cert-standalone.yml @@ -1,42 +0,0 @@ ---- -- name: Check if certificate already exists. - stat: - path: /etc/letsencrypt/live/{{ cert_item.domains | first | replace('*.', '') }}/cert.pem - register: letsencrypt_cert - -- name: Ensure pre and post hook folders exist. - file: - path: /etc/letsencrypt/renewal-hooks/{{ item }} - state: directory - mode: 0755 - owner: root - group: root - with_items: - - pre - - post - -- name: Create pre hook to stop services. - template: - src: stop_services.j2 - dest: /etc/letsencrypt/renewal-hooks/pre/stop_services - owner: root - group: root - mode: 0750 - when: - - certbot_create_standalone_stop_services is defined - - certbot_create_standalone_stop_services - -- name: Create post hook to start services. - template: - src: start_services.j2 - dest: /etc/letsencrypt/renewal-hooks/post/start_services - owner: root - group: root - mode: 0750 - when: - - certbot_create_standalone_stop_services is defined - - certbot_create_standalone_stop_services - -- name: Generate new certificate if one doesn't exist. - command: "{{ certbot_create_command }}" - when: not letsencrypt_cert.stat.exists diff --git a/roles/geerlingguy.certbot/tasks/create-cert-webroot.yml b/roles/geerlingguy.certbot/tasks/create-cert-webroot.yml @@ -1,14 +0,0 @@ ---- -- name: Check if certificate already exists. - stat: - path: /etc/letsencrypt/live/{{ cert_item.domains | first }}/cert.pem - register: letsencrypt_cert - -- name: Create webroot directory if it doesn't exist yet - file: - path: "{{ cert_item.webroot | default(certbot_webroot) }}" - state: directory - -- name: Generate new certificate if one doesn't exist. - command: "{{ certbot_create_command }}" - when: not letsencrypt_cert.stat.exists diff --git a/roles/geerlingguy.certbot/tasks/include-vars.yml b/roles/geerlingguy.certbot/tasks/include-vars.yml @@ -1,8 +0,0 @@ ---- -- name: Load a variable file based on the OS type, or a default if not found. - include_vars: "{{ item }}" - with_first_found: - - "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yml" - - "{{ ansible_distribution }}.yml" - - "{{ ansible_os_family }}.yml" - - "default.yml" diff --git a/roles/geerlingguy.certbot/tasks/install-from-source.yml b/roles/geerlingguy.certbot/tasks/install-from-source.yml @@ -1,17 +0,0 @@ ---- -- name: Clone Certbot into configured directory. - git: - repo: "{{ certbot_repo }}" - dest: "{{ certbot_dir }}" - version: "{{ certbot_version }}" - update: "{{ certbot_keep_updated }}" - force: true - -- name: Set Certbot script variable. - set_fact: - certbot_script: "{{ certbot_dir }}/certbot-auto" - -- name: Ensure certbot-auto is executable. - file: - path: "{{ certbot_script }}" - mode: 0755 diff --git a/roles/geerlingguy.certbot/tasks/install-with-package.yml b/roles/geerlingguy.certbot/tasks/install-with-package.yml @@ -1,7 +0,0 @@ ---- -- name: Install Certbot. - package: "name={{ certbot_package }} state=present" - -- name: Set Certbot script variable. - set_fact: - certbot_script: "{{ certbot_package }}" diff --git a/roles/geerlingguy.certbot/tasks/install-with-snap.yml b/roles/geerlingguy.certbot/tasks/install-with-snap.yml @@ -1,41 +0,0 @@ ---- -- name: Ensure snapd is installed. - package: - name: snapd - state: present - register: snapd_install - -- name: Ensure snapd is enabled. - systemd: - name: snapd.socket - enabled: true - state: started - -- name: Enable classic snap support. - file: - src: /var/lib/snapd/snap - dest: /snap - state: link - when: ansible_os_family != "Debian" - -- name: Update snap after install. - shell: snap install core; snap refresh core - changed_when: true - failed_when: false - when: snapd_install is changed - -- name: Install certbot via snap. - snap: - name: certbot - classic: true - -- name: Symlink certbot into place. - file: - src: /snap/bin/certbot - dest: /usr/bin/certbot - state: link - ignore_errors: "{{ ansible_check_mode }}" - -- name: Set Certbot script variable. - set_fact: - certbot_script: /usr/bin/certbot diff --git a/roles/geerlingguy.certbot/tasks/main.yml b/roles/geerlingguy.certbot/tasks/main.yml @@ -1,33 +0,0 @@ ---- -- import_tasks: include-vars.yml - -- import_tasks: setup-RedHat.yml - when: ansible_os_family == 'RedHat' - -- import_tasks: install-with-package.yml - when: certbot_install_method == 'package' - -- import_tasks: install-with-snap.yml - when: certbot_install_method == 'snap' - -- import_tasks: install-from-source.yml - when: certbot_install_method == 'source' - -- include_tasks: create-cert-standalone.yml - with_items: "{{ certbot_certs }}" - when: - - certbot_create_if_missing - - certbot_create_method == 'standalone' - loop_control: - loop_var: cert_item - -- include_tasks: create-cert-webroot.yml - with_items: "{{ certbot_certs }}" - when: - - certbot_create_if_missing - - certbot_create_method == 'webroot' - loop_control: - loop_var: cert_item - -- import_tasks: renew-cron.yml - when: certbot_auto_renew diff --git a/roles/geerlingguy.certbot/tasks/renew-cron.yml b/roles/geerlingguy.certbot/tasks/renew-cron.yml @@ -1,8 +0,0 @@ ---- -- name: Add cron job for certbot renewal (if configured). - cron: - name: Certbot automatic renewal. - job: "{{ certbot_script }} renew {{ certbot_auto_renew_options }}" - minute: "{{ certbot_auto_renew_minute }}" - hour: "{{ certbot_auto_renew_hour }}" - user: "{{ certbot_auto_renew_user }}" diff --git a/roles/geerlingguy.certbot/tasks/setup-RedHat.yml b/roles/geerlingguy.certbot/tasks/setup-RedHat.yml @@ -1,11 +0,0 @@ ---- -# See: https://github.com/geerlingguy/ansible-role-certbot/issues/107 -- name: Ensure dnf-plugins are installed on Rocky/AlmaLinux. - yum: - name: dnf-plugins-core - state: present - -- name: Enable DNF module for Rocky/AlmaLinux. - shell: | - dnf config-manager --set-enabled crb - changed_when: false diff --git a/roles/geerlingguy.certbot/templates/start_services.j2 b/roles/geerlingguy.certbot/templates/start_services.j2 @@ -1,15 +0,0 @@ -#!/bin/bash -# {{ ansible_managed }} - -{% for item in certbot_create_standalone_stop_services %} -echo "starting service {{ item }}" -{% if ansible_service_mgr == 'systemd' %} -systemctl start {{ item }} -{% elif ansible_service_mgr == 'upstart' %} -initctl start {{ item }} -{% elif ansible_service_mgr == 'openrc' %} -rc-service {{ item }} start -{% else %} -service {{ item }} start -{% endif %} -{% endfor %} diff --git a/roles/geerlingguy.certbot/templates/stop_services.j2 b/roles/geerlingguy.certbot/templates/stop_services.j2 @@ -1,15 +0,0 @@ -#!/bin/bash -# {{ ansible_managed }} - -{% for item in certbot_create_standalone_stop_services %} -echo "stopping service {{ item }}" -{% if ansible_service_mgr == 'systemd' %} -systemctl stop {{ item }} -{% elif ansible_service_mgr == 'upstart' %} -initctl stop {{ item }} -{% elif ansible_service_mgr == 'openrc' %} -rc-service {{ item }} stop -{% else %} -service {{ item }} stop -{% endif %} -{% endfor %} diff --git a/roles/geerlingguy.certbot/vars/Ubuntu-16.04.yml b/roles/geerlingguy.certbot/vars/Ubuntu-16.04.yml @@ -1,2 +0,0 @@ ---- -certbot_package: letsencrypt diff --git a/roles/geerlingguy.certbot/vars/default.yml b/roles/geerlingguy.certbot/vars/default.yml @@ -1,2 +0,0 @@ ---- -certbot_package: certbot diff --git a/roles/monitoring/tasks/main.yml b/roles/monitoring/tasks/main.yml @@ -69,36 +69,6 @@ mode: "0644" notify: Restart nginx -- name: Enable Taler monitoring HTTP reverse proxy configuration - file: - src: /etc/nginx/sites-available/monitoring-http.conf - dest: /etc/nginx/sites-enabled/monitoring-http.conf - state: link - notify: Restart nginx - -- name: Secure the monitoring site with Letsencrypt - ansible.builtin.include_role: - name: geerlingguy.certbot - vars: - certbot_install_method: package - certbot_auto_renew: true - certbot_auto_renew_user: "{{ ansible_user | default(lookup('env', 'USER')) }}" - certbot_auto_renew_hour: "11" - certbot_auto_renew_minute: "11" - certbot_auto_renew_options: "--quiet" - certbot_create_method: webroot - certbot_create_if_missing: true - certbot_create_extra_args: - certbot_hsts: false - certbot_testmode: false - certbot_admin_email: "admin@{{ DOMAIN_NAME }}" - certbot_keep_updated: true - certbot_script: letsencrypt - certbot_certs: - - webroot: "/var/www/letsencrypt/monitoring.{{ DOMAIN_NAME }}" - domains: - - "monitoring.{{ DOMAIN_NAME }}" - - name: Ensure Taler monitoring HTTPS configuration file exists template: src: templates/etc/nginx/sites-available/monitoring-nginx.conf.j2 @@ -108,13 +78,16 @@ mode: "0644" notify: Restart nginx -- name: Enable Taler monitoring HTTPS reverse proxy configuration - file: - src: /etc/nginx/sites-available/monitoring-nginx.conf - dest: /etc/nginx/sites-enabled/monitoring-nginx.conf - state: link - notify: Restart nginx - +- name: Secure the monitoring site with Letsencrypt + ansible.builtin.include_role: + name: cert + vars: + cert_name: monitoring + wanted_cert_domains: + - "monitoring.{{ DOMAIN_NAME }}" + nginx_sites: + - monitoring-nginx.conf + - monitoring-http.conf # We need to make sure that our handler notifies nginx to restart NOW - name: Flush handlers diff --git a/roles/monitoring/templates/etc/nginx/sites-available/monitoring-http.conf.j2 b/roles/monitoring/templates/etc/nginx/sites-available/monitoring-http.conf.j2 @@ -8,16 +8,6 @@ server { error_log /var/log/nginx/monitoring.{{ DOMAIN_NAME }}-http.err; access_log /var/log/nginx/monitoring.{{ DOMAIN_NAME }}-http.log; - location ^~ /.well-known/acme-challenge/ { - default_type "text/plain"; - root /var/www/letsencrypt; - } - - # Hide /acme-challenge subdirectory and return 404 on all requests. - location = /.well-known/acme-challenge/ { - return 404; - } - location / { return 301 https://$host$request_uri; } diff --git a/roles/monitoring/templates/etc/nginx/sites-available/monitoring-nginx.conf.j2 b/roles/monitoring/templates/etc/nginx/sites-available/monitoring-nginx.conf.j2 @@ -7,9 +7,9 @@ server { server_tokens off; server_name monitoring.{{ DOMAIN_NAME }}; - ssl_certificate /etc/letsencrypt/live/monitoring.{{ DOMAIN_NAME }}/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/monitoring.{{ DOMAIN_NAME }}/privkey.pem; - ssl_trusted_certificate /etc/letsencrypt/live/monitoring.{{ DOMAIN_NAME }}/chain.pem; + ssl_certificate /etc/letsencrypt/live/monitoring/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/monitoring/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/monitoring/chain.pem; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; ssl_dhparam /etc/ssl/private/dhparam.pem; diff --git a/roles/webserver/tasks/main.yml b/roles/webserver/tasks/main.yml @@ -8,16 +8,19 @@ update_cache: true when: ansible_os_family == 'Debian' -# - name: Obtain or renew SSL certificate using Certbot with Nginx -# command: certbot --nginx --domain "{{ SUBDOMAIN }}.{{ DOMAIN_NAME }}" --redirect --non-interactive --agree-tos --email "{{ ACME_EMAIL }}" -# register: certbot_result -# changed_when: "'Certificate not yet due for renewal' not in certbot_result.stdout" -# -# - name: Reload Nginx configuration if certificates were obtained or renewed -# service: -# name: nginx -# state: restarted -# when: certbot_result.changed +- name: Install certbot base package + apt: + name: certbot + state: present + update_cache: true + when: ansible_os_family == 'Debian' + +- name: Install certbot nginx plugin + apt: + name: python3-certbot-nginx + state: present + update_cache: true + when: ansible_os_family == 'Debian' - name: Remove default nginx configuration file: @@ -32,6 +35,30 @@ group: root mode: "0644" +- name: Check nginx config + ansible.builtin.command: nginx -c /etc/nginx/nginx.conf -t + register: result + ignore_errors: true + +- name: Clear all sites if nginx is misconfigured + when: result is failed + block: + - name: Locate enabled sites + find: + path: "/etc/nginx/sites-enabled" + file_type: "link" + register: cleanup + ignore_errors: true + - name: Delete enabled sites + file: + path: "{{ item.path }}" + state: absent + with_items: "{{ cleanup.files }}" + ignore_errors: true + - fail: + msg: Clearing all enabled sites, as nginx config is broken. + ignore_errors: true + - name: Ensure Nginx service is enabled and started service: name: nginx