Testing successful on EasyDNS.
This commit is contained in:
parent
1e41e871cd
commit
aecd01ccd8
@ -2,7 +2,7 @@
|
|||||||
acme_path: /var/acme
|
acme_path: /var/acme
|
||||||
acme_system_user: acme
|
acme_system_user: acme
|
||||||
acme_system_group: acme
|
acme_system_group: acme
|
||||||
nginx_config_dhparam: "{{ acme_path }}/dhparams.pem"
|
nginx_config_dhparam: "/etc/ssl/dhparams.pem"
|
||||||
nginx_user: nginx
|
nginx_user: nginx
|
||||||
|
|
||||||
lego_environment:
|
lego_environment:
|
||||||
|
@ -18,5 +18,5 @@
|
|||||||
# https://docs.ansible.com/ansible/latest/collections/community/crypto/openssl_dhparam_module.html
|
# https://docs.ansible.com/ansible/latest/collections/community/crypto/openssl_dhparam_module.html
|
||||||
- name: Generate Diffie-Hellman parameters with the default size (4096 bits)
|
- name: Generate Diffie-Hellman parameters with the default size (4096 bits)
|
||||||
community.crypto.openssl_dhparam:
|
community.crypto.openssl_dhparam:
|
||||||
path: "{{ acme_path }}/dhparams.pem"
|
path: "/etc/ssl/dhparams.pem"
|
||||||
tags: dhparams
|
tags: dhparams
|
||||||
|
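Review bot: The new `path: "/etc/ssl/dhparams.pem"` repeats the literal that the defaults hunk now assigns to `nginx_config_dhparam`, so the file this task generates and the path nginx is told to load can silently diverge the next time either is edited. Referencing the variable keeps a single source of truth: `path: "{{ nginx_config_dhparam }}"`. The rest of the task's arguments (owner, mode, size) are outside the hunk, so I can't tell whether they are set.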
@ -7,46 +7,40 @@
|
|||||||
path: "{{ lego_path }}/certificates/{{ acme_domain.domain }}.crt"
|
path: "{{ lego_path }}/certificates/{{ acme_domain.domain }}.crt"
|
||||||
register: lego_cert
|
register: lego_cert
|
||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
tags: lego
|
|
||||||
|
|
||||||
- name: Instruct lego to register an account and order a new certificate if one doesn't already exist.
|
- name: Instruct lego to register an account and order a new certificate if one doesn't already exist.
|
||||||
set_fact:
|
set_fact:
|
||||||
lego_command: "{{ 'renew' if lego_cert.stat.exists else 'run'}}"
|
lego_command: "{{ 'renew' if lego_cert.stat.exists else 'run'}}"
|
||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
tags: lego
|
|
||||||
|
|
||||||
- name: Order acme certificates without waiting for propogation of TXT record to all authoritative name servers.
|
- name: Order acme certificates, waiting for propogation of TXT record to all authoritative name servers.
|
||||||
ansible.builtin.command:
|
ansible.builtin.command:
|
||||||
cmd: >
|
cmd: >
|
||||||
lego --path {{ lego_path }} --dns {{ acme_domain.provider }} --domains {{ acme_domain.domain }} --email {{ acme_email }} --dns.disable-cp --accept-tos {{ lego_command }}
|
lego --path {{ lego_path }} --dns {{ acme_domain.provider }} --domains {{ acme_domain.domain }} --email {{ acme_email }} --accept-tos {{ lego_command }}
|
||||||
register: lego_result
|
register: lego_result
|
||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
changed_when: False
|
changed_when: False
|
||||||
ignore_errors: true
|
ignore_errors: true
|
||||||
tags: lego
|
|
||||||
environment: "{{ lego_environment }}"
|
environment: "{{ lego_environment }}"
|
||||||
|
|
||||||
- name: Print lego output with dns.disable-cp
|
- name: Print lego output with dns.disable-cp
|
||||||
ansible.builtin.debug:
|
ansible.builtin.debug:
|
||||||
var: lego_result
|
var: lego_result
|
||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
tags: lego
|
|
||||||
|
|
||||||
# --dns.disable-cp: disables the need to wait the propagation of the TXT record to all authoritative name servers.
|
# --dns.disable-cp: disables the need to wait the propagation of the TXT record to all authoritative name servers.
|
||||||
# I haven't yet figured out why it only works sporadically with or without this option.
|
# I haven't yet figured out why it only works sporadically with or without this option.
|
||||||
- name: Retry the last command if necessary, but wait for propogation of TXT record to all authoritative name servers.
|
- name: Retry the last command if necessary, but don't wait for propogation of TXT record to all authoritative name servers.
|
||||||
ansible.builtin.command:
|
ansible.builtin.command:
|
||||||
cmd: >
|
cmd: >
|
||||||
lego --path {{ lego_path }} --dns {{ acme_domain.provider }} --domains {{ acme_domain.domain }} --email {{ acme_email }} --accept-tos {{ lego_command }}
|
lego --path {{ lego_path }} --dns {{ acme_domain.provider }} --domains {{ acme_domain.domain }} --email {{ acme_email }} --dns.disable-cp --accept-tos {{ lego_command }}
|
||||||
when: lego_result.failed
|
when: lego_result.failed
|
||||||
register: lego_result
|
register: lego_result
|
||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
changed_when: False
|
changed_when: False
|
||||||
tags: lego
|
|
||||||
environment: "{{ lego_environment }}"
|
environment: "{{ lego_environment }}"
|
||||||
|
|
||||||
- name: Print lego output without dns.disable-cp
|
- name: Print lego output without dns.disable-cp
|
||||||
ansible.builtin.debug:
|
ansible.builtin.debug:
|
||||||
var: lego_result
|
var: lego_result
|
||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
tags: lego
|
|
||||||
|
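Review bot: The two debug task names are now inverted relative to the commands they follow: the first lego run no longer passes `--dns.disable-cp` but its debug task is still named `Print lego output with dns.disable-cp`, and the retry now passes the flag while its debug task says `without dns.disable-cp`. Swap the two names (or name them "first attempt" / "retry" and leave the flag out) so the play output does not mislead whoever is chasing the sporadic failures. The comment block above the retry task still describes the old order and should say that the first attempt now waits for propagation and only the retry disables the check. While here, the renamed tasks spell `propogation` for `propagation`, and `cmd: >` could be `cmd: >-` so the folded command does not carry a trailing newline.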
@ -17,6 +17,7 @@
|
|||||||
file: lego.yml
|
file: lego.yml
|
||||||
apply:
|
apply:
|
||||||
become: false
|
become: false
|
||||||
|
tags: lego
|
||||||
loop: "{{ acme_domains }}"
|
loop: "{{ acme_domains }}"
|
||||||
loop_control:
|
loop_control:
|
||||||
loop_var: acme_domain
|
loop_var: acme_domain
|
||||||
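Review bot: `apply: tags: lego` only tags the tasks loaded from lego.yml; for `ansible-playbook --tags lego` to reach them, the `include_tasks` task itself also has to carry the tag, because an untagged include is skipped before its file is read. The task's head is above the hunk, so I can't see whether it already has a task-level `tags: lego`; if not, add one as a sibling of `loop:`. This matters now because the commit removes the per-task `tags: lego` lines inside lego.yml and relies on this `apply` block instead.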
@ -31,9 +32,9 @@
|
|||||||
loop_control:
|
loop_control:
|
||||||
loop_var: acme_domain
|
loop_var: acme_domain
|
||||||
tags: nginx
|
tags: nginx
|
||||||
when: os_family != 'RedHat'
|
when: ansible_os_family != 'RedHat'
|
||||||
|
|
||||||
- name: Loop through the domain list (again) to copy certs and configure nginx for each ACME domain
|
- name: (RedHat) Loop through the domain list (again) to copy certs and configure nginx for each ACME domain
|
||||||
include_tasks:
|
include_tasks:
|
||||||
file: certificates-RedHat.yml
|
file: certificates-RedHat.yml
|
||||||
apply:
|
apply:
|
||||||
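Review bot: The `when: ansible_os_family != 'RedHat'` conditional (and `== 'RedHat'` in the next hunk) now depends on facts having been gathered; in a play with `gather_facts: false` the variable is undefined and the task errors instead of being skipped. If the role is meant to be usable from such plays, gather the minimal subset at its start (`ansible.builtin.setup` with `gather_subset: min`) or state the requirement in the role's README. `ansible_facts['os_family']` is also the more robust spelling, since the injected `ansible_os_family` name depends on the `inject_facts_as_vars` setting.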
@ -42,7 +43,7 @@
|
|||||||
loop_control:
|
loop_control:
|
||||||
loop_var: acme_domain
|
loop_var: acme_domain
|
||||||
tags: nginx
|
tags: nginx
|
||||||
when: os_family == 'RedHat'
|
when: ansible_os_family == 'RedHat'
|
||||||
|
|
||||||
- import_tasks: dhparams.yml
|
- import_tasks: dhparams.yml
|
||||||
become: true
|
become: true
|
||||||
|