diff --git a/defaults/main.yml b/defaults/main.yml
index 32fc3f2..c211101 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -2,7 +2,7 @@
 acme_path: /var/acme
 acme_system_user: acme
 acme_system_group: acme
-nginx_config_dhparam: "{{ acme_path }}/dhparams.pem"
+nginx_config_dhparam: "/etc/ssl/dhparams.pem"
 nginx_user: nginx
 lego_environment:
diff --git a/tasks/dhparams.yml b/tasks/dhparams.yml
index ce67653..00849a0 100644
--- a/tasks/dhparams.yml
+++ b/tasks/dhparams.yml
@@ -18,5 +18,5 @@
 # https://docs.ansible.com/ansible/latest/collections/community/crypto/openssl_dhparam_module.html
 - name: Generate Diffie-Hellman parameters with the default size (4096 bits)
   community.crypto.openssl_dhparam:
-    path: "{{ acme_path }}/dhparams.pem"
+    path: "/etc/ssl/dhparams.pem"
   tags: dhparams
diff --git a/tasks/lego.yml b/tasks/lego.yml
index 6d11512..f063fba 100644
--- a/tasks/lego.yml
+++ b/tasks/lego.yml
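Review bot: The DH-parameter location is now a hard-coded literal in two places — the `nginx_config_dhparam` default in this hunk and the `path:` of `community.crypto.openssl_dhparam` in the tasks/dhparams.yml hunk — so a play that overrides `nginx_config_dhparam` gets an nginx configuration pointing at a file this role never generates. Keep the default here and have the generation task reference it: `path: "{{ nginx_config_dhparam }}"`. That also preserves the single-source-of-truth property the old `{{ acme_path }}/dhparams.pem` pair had before this change.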
@@ -7,46 +7,40 @@
     path: "{{ lego_path }}/certificates/{{ acme_domain.domain }}.crt"
   register: lego_cert
   delegate_to: localhost
-  tags: lego
 - name: Instruct lego to register an account and order a new certificate if one doesn't already exist.
   set_fact:
     lego_command: "{{ 'renew' if lego_cert.stat.exists else 'run'}}"
   delegate_to: localhost
-  tags: lego
-- name: Order acme certificates without waiting for propogation of TXT record to all authoritative name servers.
+- name: Order acme certificates, waiting for propogation of TXT record to all authoritative name servers.
   ansible.builtin.command:
     cmd: >
-      lego --path {{ lego_path }} --dns {{ acme_domain.provider }} --domains {{ acme_domain.domain }} --email {{ acme_email }} --dns.disable-cp --accept-tos {{ lego_command }}
+      lego --path {{ lego_path }} --dns {{ acme_domain.provider }} --domains {{ acme_domain.domain }} --email {{ acme_email }} --accept-tos {{ lego_command }}
   register: lego_result
   delegate_to: localhost
   changed_when: False
   ignore_errors: true
-  tags: lego
   environment: "{{ lego_environment }}"
 - name: Print lego output with dns.disable-cp
   ansible.builtin.debug:
     var: lego_result
   delegate_to: localhost
-  tags: lego
-  # --dns.disable-cp: disables the need to wait the propagation of the TXT record to all authoritative name servers.
-  # I haven't yet figured out why it only works sporadically with or without this option.
-- name: Retry the last command if necessary, but wait for propogation of TXT record to all authoritative name servers.
+# --dns.disable-cp: disables the need to wait the propagation of the TXT record to all authoritative name servers.
+# I haven't yet figured out why it only works sporadically with or without this option.
+- name: Retry the last command if necessary, but don't wait for propogation of TXT record to all authoritative name servers.
   ansible.builtin.command:
     cmd: >
-      lego --path {{ lego_path }} --dns {{ acme_domain.provider }} --domains {{ acme_domain.domain }} --email {{ acme_email }} --accept-tos {{ lego_command }}
+      lego --path {{ lego_path }} --dns {{ acme_domain.provider }} --domains {{ acme_domain.domain }} --email {{ acme_email }} --dns.disable-cp --accept-tos {{ lego_command }}
   when: lego_result.failed
   register: lego_result
   delegate_to: localhost
   changed_when: False
-  tags: lego
   environment: "{{ lego_environment }}"
 - name: Print lego output without dns.disable-cp
   ansible.builtin.debug:
     var: lego_result
   delegate_to: localhost
-  tags: lego
diff --git a/tasks/main.yml b/tasks/main.yml
index fa5dca1..b2f5a04 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -17,6 +17,7 @@
     file: lego.yml
     apply:
       become: false
+      tags: lego
   loop: "{{ acme_domains }}"
   loop_control:
     loop_var: acme_domain
@@ -31,9 +32,9 @@
   loop_control:
     loop_var: acme_domain
   tags: nginx
-  when: os_family != 'RedHat'
+  when: ansible_os_family != 'RedHat'
-- name: Loop through the domain list (again) to copy certs and configure nginx for each ACME domain
+- name: (RedHat) Loop through the domain list (again) to copy certs and configure nginx for each ACME domain
   include_tasks:
     file: certificates-RedHat.yml
     apply:
@@ -42,7 +43,7 @@
   loop_control:
     loop_var: acme_domain
   tags: nginx
-  when: os_family == 'RedHat'
+  when: ansible_os_family == 'RedHat'
 - import_tasks: dhparams.yml
   become: true
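Review bot: After swapping which attempt passes `--dns.disable-cp`, the two debug task names in tasks/lego.yml now say the opposite of what they print: `Print lego output with dns.disable-cp` follows the first command, which no longer passes the flag, and `Print lego output without dns.disable-cp` follows the retry, which now does. Swap the two `name:` values so a failed run can be attributed to the right invocation; the `# --dns.disable-cp:` comment, now sitting directly above the retry, is consistent with the new order. Minor: `changed_when: False` would be `changed_when: false` (yamllint `truthy`), and both command task names spell "propogation" for "propagation". The stat task whose `path:` line opens this hunk begins before it.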
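Review bot: `tags: lego` under `apply:` in tasks/main.yml tags only the tasks that lego.yml includes, not the `include_tasks` task itself; unless that task also carries a task-level `tags: lego` (its opening lines are outside this hunk), `ansible-playbook --tags lego` skips the include and nothing from lego.yml runs, which would be a regression against the per-task `tags: lego` lines this commit removes. If the task-level tag is missing, add `tags: lego` at the same level as `loop:`, matching the `tags: nginx` the two nginx include tasks below already carry.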
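Review bot: `ansible_os_family` in the `@@ -31,9 +32,9 @@` hunk is the legacy injected fact name and is only defined when facts were gathered with `inject_facts_as_vars` enabled; the namespaced form `when: ansible_facts['os_family'] != 'RedHat'` does not depend on that setting, and the same applies to the `== 'RedHat'` conditional in the `@@ -42,7 +43,7 @@` hunk. Either way these conditionals now require gathered facts, which is worth stating in the role's documentation so a play with `gather_facts: false` is not surprised by an undefined-variable error.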