ansible-playbooks/roles/ca/tasks/gen_acme.yml

- name: define some acme parameters
  set_fact:
    # Per-item options (item) override the role-wide ca_options; staging is off
    # by default, i.e. the production directory is used.
    acme_staging: "{{ (ca_options | d({}) | combine(item)).acme_staging | d(false) }}"
    # An existing certificate with no OCSP URI (missing or null) is taken to be
    # one issued by the internal CA rather than by ACME; see acme_forced below.
    acme_upgrade_int_ca: "{{ cert_info is defined and (cert_info.ocsp_uri | d(None)) is none }}"
- name: determine if acme cert generation will be forced
  # Issuance is forced when the current cert came from the internal CA or when
  # always_update_acme is defined at all (its value is not inspected).
  # NOTE(review): with always_update_acme defined every run re-issues, which is
  # likely to exhaust CA rate limits when pointed at the production directory.
  set_fact:
    acme_forced: "{{ (always_update_acme is defined) or acme_upgrade_int_ca }}"
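- name: slurp account key from ca
  # The ACME account private key (staging or main, chosen by acme_staging) is
  # kept on the CA host only; it is read here so it can be passed inline to the
  # acme_* modules below.
  slurp:
    src: "{{ ca_dir ~ '/acme-' ~ ('staging' if acme_staging == true else 'main') ~ '.' ~ ca_key_ext }}"
  register: acme_account_key
  delegate_to: "{{ services.ca.hostname }}"
  # The registered result contains the base64-encoded private key; without
  # no_log it is printed by verbose runs and callback plugins. (Errors from this
  # task are consequently masked too; drop no_log temporarily to debug.)
  no_log: true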
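- name: define args for acme certificate generation
  set_fact:
    # Arguments shared by every acme_* call in this file (request, revoke,
    # finalize).
    acme_common_args:
      # Private ACME account key read from the CA host by the previous task.
      account_key_content: "{{ acme_account_key.content | b64decode }}"
      account_key_passphrase: "{{ ca_acme_account_key_password }}"
      # Production directory unless acme_staging is set; both URLs can be
      # overridden via ca_acme_endpoint / ca_acme_staging_endpoint.
      acme_directory: >-
        {{ (ca_acme_endpoint | d('https://acme-v02.api.letsencrypt.org/directory'))
        if ((acme_staging == false) or (acme_staging == None))
        else (ca_acme_staging_endpoint | d('https://acme-staging-v02.api.letsencrypt.org/directory')) }}
      acme_version: "{{ ca_acme_version | d(2) }}"
    # Arguments only needed when requesting / finalizing a certificate.
    acme_extra_args:
      challenge: dns-01
      csr_content: "{{ csr.csr }}"
      # concat_inter (default true) selects whether cert_path receives the full
      # chain or only the leaf certificate; the unused destination is omitted.
      fullchain_dest: "{{ cert_path if ((ca_options | d({}) | combine(item)).concat_inter | d(true) == true) else omit }}"
      dest: "{{ cert_path if ((ca_options | d({}) | combine(item)).concat_inter | d(true) == false) else omit }}"
      # The ACME account is neither created nor changed here, so it is presumed
      # to be registered elsewhere in the role.
      modify_account: false
      # Renewal threshold in days; keep in sync with the cert_days check on the
      # finalize task.
      remaining_days: 45
      force: "{{ acme_forced }}"
      terms_agreed: true
  # acme_common_args holds the account private key and its passphrase; keep the
  # fact out of verbose task output.
  no_log: true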
- name: generate acme challenge request
  # First of the two acme_certificate calls; the registered result is fed back
  # via `data` by the finalize task, which is presumably where the certificate
  # gets written - hence this step is never reported as changed.
  # NOTE(review): the merged args include the account key; confirm the module
  # masks account_key_content/account_key_passphrase before running with -vvv.
  community.crypto.acme_certificate:
    args: "{{ acme_common_args | combine(acme_extra_args) }}"
  changed_when: false
  register: challenge
- block:
- name: unset challenge_records
  # Start from an empty list; the next task appends one entry per DNS challenge.
  set_fact:
    challenge_records: []
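- name: fill challenge records
  # One TXT record per DNS challenge name returned by the CA. The zone suffix
  # (tld) is stripped so `name` is relative to the zone; the dot before it is
  # now escaped so it only matches a literal '.' rather than any character.
  # NOTE(review): only the first TXT value per name (item2.value[0]) is kept;
  # a name with several pending challenges would need all of them - confirm
  # against how gen_acme_include.yml publishes the records.
  set_fact:
    challenge_records: "{{ challenge_records + [{
      'name': item2.key | regex_search('(.*)\\.' ~ (tld | regex_escape()), '\\1') | first,
      'type': 'TXT',
      'value': item2.value[0]
    }] }}"
  loop: "{{ challenge['challenge_data_dns'] | dict2items }}"
  loop_control:
    loop_var: item2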
- name: include gen_acme_include.yml
  # Presumably consumes challenge_records built above; its contents are not
  # part of this file.
  include_tasks: gen_acme_include.yml
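- block:
    - name: revoke cert if it already exists
      # NOTE(review): this runs before the finalize task writes the new cert,
      # so a failed issuance leaves the host with a revoked certificate; it is
      # also not gated on the renewal condition the finalize task uses
      # (cert_days < 45 or acme_forced) - confirm the enclosing block's `when`
      # covers that, otherwise a still-valid cert would be revoked and not
      # replaced.
      community.crypto.acme_certificate_revoke:
        certificate: "{{ cert_path }}"
        # CRLReason 4 = superseded (RFC 5280)
        revoke_reason: 4
        args: "{{ acme_common_args }}"
      # A cert from the internal CA (acme_upgrade_int_ca) was not issued via
      # this ACME account and cannot be revoked here.
      when: (cert_exists is defined) and cert_exists.stat.exists and not acme_upgrade_int_ca
  rescue:
    # Best effort: a failed revocation must not abort the renewal, but the
    # reason is surfaced instead of being swallowed silently.
    - name: report failed revocation
      debug:
        msg: "failed to revoke certificate, ignoring: {{ (ansible_failed_result | d({})).msg | d('no details') }}"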
- name: finalize acme challenge request
  # Second acme_certificate call: feeds the registered challenge result back in
  # as `data`. Skipped when the current cert still has 45 or more days left
  # (the same threshold as remaining_days) unless issuance is forced.
  community.crypto.acme_certificate:
    data: "{{ challenge }}"
    args: "{{ acme_common_args | combine(acme_extra_args) }}"
  when: >-
    (challenge.cert_days is not defined)
    or (challenge.cert_days < 45)
    or acme_forced
  notify: "{{ ca_options.notify | d(omit) }}"