-
Notifications
You must be signed in to change notification settings - Fork 43
/
letsencrypt.yml
83 lines (67 loc) · 3.37 KB
/
letsencrypt.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
- hosts: localhost
become: yes
vars:
certs_dir: /etc/letsencrypt-certs
letsencrypt_prod_server: https://acme-staging-v02.api.letsencrypt.org/directory
intermediate_cert: https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem
tasks:
- name: install openssl
yum: name=openssl state=present
- name: create certs directory
file: path={{ certs_dir }} state=directory mode=0755
- name: check if letsencrypt account key is present
stat: path={{ certs_dir }}/account.key
register: account_key_exists
- name: generate letsencrypt account key
command: openssl genrsa -out {{ certs_dir }}/account.key 4096
when: account_key_exists.stat.exists == False
- name: check if domain key is present
stat: path={{ certs_dir }}/domain.key
register: domain_key_exists
- name: backup domain key
command: mv -f {{ certs_dir }}/domain.key {{ certs_dir }}/domain.key.bkp
when: domain_key_exists.stat.exists == True
- name: check if certificate is present
stat: path={{ certs_dir }}/cert.crt
register: certificate_exists
- name: backup certificate
command: mv -f {{ certs_dir }}/cert.crt {{ certs_dir }}/cert.crt.bkp
when: certificate_exists.stat.exists == True
- name: generate domain key
command: openssl genrsa -out {{ certs_dir }}/domain.key 4096
- name: generate certificate signing request
command: openssl req -new -key {{ certs_dir }}/domain.key -out {{ certs_dir }}/csr.csr -subj "/CN={{ commonName }}"
- name: send request to LetsEncrypt server to get dns-01 challege
letsencrypt:
acme_directory: "{{ letsencrypt_prod_server }}"
account_email: "{{ email }}"
account_key: "{{ certs_dir }}/account.key"
csr: "{{ certs_dir }}/csr.csr"
dest: "{{ certs_dir }}/cert.crt"
challenge: "dns-01"
agreement: "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"
register: letsencrypt_data
- name: prompt challeges to the user
pause: prompt="Add NAME = {{ letsencrypt_data['challenge_data'][item]["dns-01"]["resource"] }}.{{ item }} and VALUE = {{ letsencrypt_data['challenge_data'][item]["dns-01"]["resource_value"] }} as DNS TXT record. Wait for sometime to let the TXT records sync with other DNS servers. Press ENTER after you are done"
with_items: "{{ letsencrypt_data['challenge_data'] }}"
- name: receive signed certificate from LetsEncrypt
letsencrypt:
acme_directory: "{{ letsencrypt_prod_server }}"
account_email: "{{ email }}"
account_key: "{{ certs_dir }}/account.key"
csr: "{{ certs_dir }}/csr.csr"
dest: "{{ certs_dir }}/cert.crt"
challenge: "dns-01"
data: "{{ letsencrypt_data }}"
- name: create certificate chain
shell: "{ cat {{ certs_dir }}/cert.crt & wget -O - {{ intermediate_cert }}; } > {{ certs_dir }}/chained.pem"
- name: link LetsEncrypt certificate
file: src={{ item.src }} dest={{ item.dest }} state=link
with_items:
- {src: "{{ certs_dir }}/cert.crt", dest: /etc/bahmni-certs/cert.crt}
- {src: "{{ certs_dir }}/domain.key", dest: /etc/bahmni-certs/domain.key}
- {src: "{{ certs_dir }}/chained.pem", dest: /etc/bahmni-certs/chained.pem}
- name: set strict file system permissions for all files
shell: chmod -R 0600 {{ certs_dir }}/*
- name: start httpd service
systemd: name=httpd state=restarted