--- # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - name: Install certbot with certbot-auto when: haproxy_ssl_letsencrypt_install_method == 'certbot-auto' block: - name: Ensure haproxy_ssl_letsencrypt_install_path exists file: path: "{{ haproxy_ssl_letsencrypt_install_path }}" state: directory - name: Download certbot-auto get_url: url: "{{ haproxy_ssl_letsencrypt_download_url }}" dest: "{{ haproxy_ssl_letsencrypt_install_path }}" mode: 0755 register: fetch_url until: fetch_url is success retries: 3 delay: 10 - name: Install certbot with certbot-auto script shell: > PIP_INDEX_URL="https://pypi.org/simple/" {{ haproxy_ssl_letsencrypt_install_path }}/{{ haproxy_ssl_letsencrypt_download_url | basename }} --install-only args: creates: "{{ haproxy_ssl_letsencrypt_venv }}" - name: Create letsencrypt_renew file template: src: letsencrypt_renew_certbot_auto.j2 dest: /usr/local/bin/letsencrypt_renew mode: 0755 force: yes - name: Renew Letsencrypt Cert Cron cron: name: "Renew Letsencrypt Cert" minute: "{{ haproxy_ssl_letsencrypt_cron_minute }}" hour: "{{ haproxy_ssl_letsencrypt_cron_hour }}" weekday: "{{ haproxy_ssl_letsencrypt_cron_weekday }}" job: "/usr/local/bin/letsencrypt_renew" user: "root" state: present - name: Install certbot from distro package package: name: "{{ haproxy_distro_certbot_packages }}" state: present when: haproxy_ssl_letsencrypt_install_method == 'distro' - name: Create first time ssl cert with certbot throttle: 1 shell: > {% if haproxy_ssl_letsencrypt_certbot_challenge == 'http-01' %} timeout {{ haproxy_ssl_letsencrypt_pre_hook_timeout }} python3 -m http.server {{ haproxy_ssl_letsencrypt_certbot_backend_port }} --bind {{ haproxy_ssl_letsencrypt_certbot_bind_address }} || true && {% endif %} {{ haproxy_ssl_letsencrypt_certbot_binary }} certonly --agree-tos --non-interactive --text --rsa-key-size 4096 --email {{ haproxy_ssl_letsencrypt_email }} --domains {{ haproxy_ssl_letsencrypt_domains | join(',') }} {% if haproxy_ssl_letsencrypt_certbot_server is defined %} --server {{ haproxy_ssl_letsencrypt_certbot_server }} {% endif %} {% if haproxy_ssl_letsencrypt_certbot_challenge == 'http-01' %} --standalone --http-01-port {{ haproxy_ssl_letsencrypt_certbot_backend_port }} --http-01-address {{ haproxy_ssl_letsencrypt_certbot_bind_address }} {% endif %} {{ haproxy_ssl_letsencrypt_setup_extra_params }} args: creates: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ haproxy_ssl_letsencrypt_domains | first }}/fullchain.pem" - name: Create certbot pre hook template: src: letsencrypt_pre_hook_certbot_distro.j2 dest: /etc/letsencrypt/renewal-hooks/pre/haproxy-pre mode: 0755 when: - haproxy_ssl_letsencrypt_install_method == 'distro' - haproxy_ssl_letsencrypt_certbot_challenge == 'http-01' - name: Create certbot post renewal hook template: src: letsencrypt_renew_certbot_distro.j2 dest: /etc/letsencrypt/renewal-hooks/post/haproxy-renew mode: 0755 when: haproxy_ssl_letsencrypt_install_method == 'distro' - name: Create new pem file for haproxy assemble: src: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ haproxy_ssl_letsencrypt_domains | first }}" dest: "{{ haproxy_ssl_cert_path ~ '/haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ item ~ '.pem' }}" regexp: '(privkey|fullchain).pem$' with_items: - "{{ [ haproxy_bind_external_lb_vip_address ] + extra_lb_tls_vip_addresses }}" notify: - Reload haproxy