From 570b30c7fd2063b970ead5706ae50d8033dcf1bc Mon Sep 17 00:00:00 2001
From: Eric Engstrom
Date: Mon, 13 Apr 2020 15:50:37 -0500
Subject: [PATCH 1/2] Support reuse of existing Let's Encrypt accounts

Rather than create a new LE account on each installation, allow the playbook to specify the account private key file. Key will be installed to the target host.
---
 README.md | 9 +++++++++
 handlers/main.yml | 6 ++++++
 tasks/main.yml | 16 +--------------
 tasks/registration.yml | 34 ++++++++++++++++++++++++++++++++++
 4 files changed, 50 insertions(+), 15 deletions(-)
 create mode 100644 tasks/registration.yml

diff --git a/README.md b/README.md
index 481b6ed..2ddac80 100644
--- a/README.md
+++ b/README.md
@@ -32,6 +32,7 @@ Variable | Function | Default
 --- | --- | ---
 dehydrated_accept_letsencrypt_terms | Set to yes to automatically register and accept Let's Encrypt terms | no
 dehydrated_contactemail | E-Mail address (required) |
+dehydrated_account_key | If set, deploy this file containing pre-registered private key |
 dehydrated_domains | List of domains to request SSL certificates for |
 dehydrated_deploycert | Script to run to deploy a certificate (see below) |
 dehydrated_wellknown | Directory where to deploy http-01 challenges |
@@ -57,6 +58,14 @@ dehydrated_install_pip | Whether pip will be installed when using lexicon | yes
 dehydrated_pip_package | Name of pip package | python3-pip if ansible is running on python3, otherwise python-pip
 dehydrated_pip_executable | Name of pip executable to use | autodetected by pip module
 
+## Account registration
+
+The first time this role is used, and when `dehydrated_accept_letsencrypt_terms` is true, register with Let's Encrypt, using the value of `dehydrated_contactemail` (required). Your account details, and private key, will be created by `dehydrated` and stored in `/etc/dehydrated/accounts/` on the target system.
+
+Alternatively, if you've already setup `dehydrated` once and want to use the same account for all installations, copy your Lets' Encrypt private key (`account_key.pem`) into your ansible configuration, and set `dehydrated_account_key` to the name that file. Subsequent installations will use that key instead of registering a **new** account.
+
+**IMPORTANT** The `account_key.pem` is a private key with no passphrase. When you copy it into your Ansible configuration, make sure to use `ansible-vault` or similar to encrypt the contents of that file, at rest. If you use `ansible-vault` to encrypt it, `ansible` will automatically decrypt when referenced and installed on the target system.
+
 ## Using dns-01 challenges
 
 When `dehydrated_challengetype` is set to `dns-01`, this role will automatically install `lexicon` from python pip to be able to set and remove the necessary DNS records needed to obtain an SSL certificate.
diff --git a/handlers/main.yml b/handlers/main.yml
index 371a6f2..5f7b2b3 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,4 +1,10 @@
 ---
+
+# This handler needs to be defined before "run dehydrated",
+# as handlers run in the order __defined__, not _called__.
+- name: update account details
+  command: "{{ dehydrated_install_root }}/dehydrated --account"
+
 - name: run dehydrated
   command: "{{ dehydrated_install_root }}/dehydrated -c"
   when: dehydrated_run_on_changes
diff --git a/tasks/main.yml b/tasks/main.yml
index 8692b29..67e7988 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -59,20 +59,6 @@
 - import_tasks: systemd.yml
 
-# /opt/dehydrated/dehydrated --register --accept-terms
-- name: Check if already registered
-  stat:
-    path: "/etc/dehydrated/accounts/{{ ((dehydrated_ca + '\n')|b64encode).rstrip('=').replace('+', '-').replace('/', '_') }}"
-  register: ca_stat
-
-- block:
-  - name: "assert dehydrated_accept_letsencrypt_terms is true"
-    assert:
-      that: dehydrated_accept_letsencrypt_terms
-
-  - name: Register to CA
-    command: "{{ dehydrated_install_root }}/dehydrated --register --accept-terms"
-  # \end block register
-  when: "not ca_stat.stat.exists or (ca_stat.stat.isdir is defined and not ca_stat.stat.isdir)"
+- import_tasks: registration.yml
 
 - meta: flush_handlers
diff --git a/tasks/registration.yml b/tasks/registration.yml
new file mode 100644
index 0000000..df8e375
--- /dev/null
+++ b/tasks/registration.yml
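Review bot: The new `update account details` handler in handlers/main.yml runs `dehydrated --account` with no condition, and dehydrated documents `--account` as updating the account's contact information, so every host that deploys the shared key pushes its own `dehydrated_contactemail` onto the one account the README says is reused across installations. A comment stating that intent would help, e.g. `# Re-syncs the shared account's contact details to this host's dehydrated_contactemail whenever the key is deployed`, or a `when:` guard mirroring the one on `run dehydrated`. It is also worth confirming that `--account` succeeds when only `account_key.pem` has been deployed and dehydrated has not yet written its registration metadata for that account on the target; the new `Register to CA` task is skipped as soon as the key file exists, so if `--account` cannot recover the account on its own the host is left without a usable registration.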
@@ -0,0 +1,34 @@
+---
+
+- name: Determine CA account key file location
+  set_fact:
+    ca_account_key_file: "/etc/dehydrated/accounts/{{ ((dehydrated_ca + '\n')|b64encode).rstrip('=').replace('+', '-').replace('/', '_') }}/account_key.pem"
+
+- name: Create CA account directory
+  file: dest="{{ ca_account_key_file | dirname }}" state=directory owner=root group=root mode=0700
+  when: dehydrated_account_key is defined
+
+- name: Deploy CA account key
+  copy:
+    src: "{{ dehydrated_account_key }}"
+    dest: "{{ ca_account_key_file }}"
+    owner: root
+    group: root
+    mode: 0600
+  when: dehydrated_account_key is defined
+  notify: update account details
+
+- name: Check if already registered
+  stat:
+    path: "{{ ca_account_key_file }}"
+  register: ca_stat
+
+- block:
+  - name: "assert dehydrated_accept_letsencrypt_terms is true"
+    assert:
+      that: dehydrated_accept_letsencrypt_terms
+
+  - name: Register to CA
+    command: "{{ dehydrated_install_root }}/dehydrated --register --accept-terms"
+  # \end block register
+  when: "not ca_stat.stat.exists or (ca_stat.stat.isreg is defined and not ca_stat.stat.isreg)"
From 7587ffd6fef71a75ceab9248a60e763ef9997fcd Mon Sep 17 00:00:00 2001
From: Eric Engstrom
Date: Thu, 16 Apr 2020 14:46:23 -0500
Subject: [PATCH 2/2] ignore galaxy install turdlet

---
 meta/.gitignore | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 meta/.gitignore

diff --git a/meta/.gitignore b/meta/.gitignore
new file mode 100644
index 0000000..ba6d390
--- /dev/null
+++ b/meta/.gitignore
@@ -0,0 +1 @@
+.galaxy_install_info
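Review bot: `Deploy CA account key` in tasks/registration.yml copies a passphrase-less private key with `copy`, and when the play runs with `--diff` the module prints the transferred file content, so the key material ends up in console output and in any log collector; `diff: false` on that task prevents it. The same task also overwrites an `account_key.pem` the host may already have registered on its own, and that key cannot be regenerated, so `backup: true` is worth adding. As a point of style, `Create CA account directory` passes its module arguments as an inline `key=value` string while every other task in the file uses block YAML, and `mode: 0600` relies on YAML 1.1 octal parsing; writing both modes as quoted strings (`"0700"`, `"0600"`) is the form ansible-lint accepts.
```yaml
- name: Create CA account directory
  file:
    path: "{{ ca_account_key_file | dirname }}"
    state: directory
    owner: root
    group: root
    mode: "0700"
  when: dehydrated_account_key is defined

- name: Deploy CA account key
  copy:
    src: "{{ dehydrated_account_key }}"
    dest: "{{ ca_account_key_file }}"
    owner: root
    group: root
    mode: "0600"
    backup: true
  diff: false
  when: dehydrated_account_key is defined
  notify: update account details
# … unchanged: registration check and register block …
```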