source: main/waeup-ansible/roles/letsencrypt/tasks/main.yml @ 16400

Last change on this file since 16400 was 15568, checked in by uli, 5 years ago

Start/stop nginx in main play, add more domains

The pre- and post-hooks for certbot did not work very well. Instead we now ask
ansible to stop nginx before we request/update a new cert and restart it
afterwards.

The domains added belong to the moved trac instances.

File size: 2.0 KB
---
# tasks to enable letsencrypt on Ubuntu
#
# This role expects that you run `nginx` as webserver.
# This role works on Ubuntu machines.
# This role expects the following vars to be set:
# - `letsencrypt_email`  Email address of cert manager
# - `letsencrypt_domains` List of domains to maintain
#                         comma-separated, no blanks
# - `letsencrypt_expand_domains` - true or false
#                         if true, new domains are added
#                         to the already existing list of
#                         certs
#
- name: "enable letsencrypt PPA"
  become: yes
  apt_repository:
    repo: 'ppa:certbot/certbot'
    state: present
  notify: update package cache   # handler is defined outside this file

- name: "install certbot"
  become: yes
  apt:
    name: certbot
    state: present

# `creates` keeps this idempotent. The account key lives under the hostname of
# the ACME server certbot registered with, so the path must match the server
# certbot is configured to use (here the v01 endpoint).
- name: "register account"
  become: yes
  command: certbot register -m "{{ letsencrypt_email }}" --non-interactive --agree-tos -vv
  args:
    creates: '/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/*/private_key.json'

# `certbot --standalone` binds port 80 itself, so nginx must be down while a
# cert is requested or expanded.
- name: "stop webserver"
  become: yes
  service:
    name: nginx
    state: stopped

# For first time creation of certs. Later on use the task below (to expand the
# domain list) or the renewal cron job. Skipped as soon as any cert exists
# under /etc/letsencrypt/live/. The pre-/post-hooks are redundant with the
# stop/start tasks in this file but left in place.
- name: "create initial certs"
  become: yes
  command: >
    certbot certonly --standalone --non-interactive
    -d "{{ letsencrypt_domains }}"
    --pre-hook "sudo service nginx stop" --post-hook "sudo service nginx start"
    -m "{{ letsencrypt_email }}" --agree-tos --rsa-key-size 4096
  args:
    creates: '/etc/letsencrypt/live/*/cert.pem'

# in case additional domains must be added to the already existing ones.
# Has no `creates` guard: it runs on every play while the flag is true.
- name: "create certs (expand list of domains)"
  become: yes
  command: >
    certbot certonly --standalone --non-interactive
    -d "{{ letsencrypt_domains }}"
    --pre-hook "sudo service nginx stop" --post-hook "sudo service nginx start"
    -m "{{ letsencrypt_email }}" --agree-tos --expand --rsa-key-size 4096
  when: letsencrypt_expand_domains

- name: "start webserver"
  become: yes
  service:
    name: nginx
    state: restarted

# Cron task for renewal is installed automatically by the Ubuntu package
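The role issues the cert and restarts nginx, but nothing checks that the file under /etc/letsencrypt/live/ actually carries every name in `letsencrypt_domains`, and a list that violates the "comma-separated, no blanks" rule only fails inside certbot. The POSIX shell script below is an added example, not part of the waeup-ansible role: it validates the list against the role's convention and compares the requested names with the subjectAltName entries of the issued cert. The `openssl x509 -text` output format and the cert path argument are assumptions; it could be run from a further `command` task after "start webserver" with `failed_when` on a non-zero exit.

```shell
#!/bin/sh
# Added example, not part of the waeup-ansible role: sanity checks around the
# values this role hands to certbot.
#  - validate_domains     enforces the "comma-separated, no blanks" convention
#                         documented for letsencrypt_domains
#  - missing_domains      compares requested names with the names a cert carries
#  - cert_missing_domains reads those names from a PEM cert via openssl
#                         (assumed to be installed)

# validate_domains LIST
# Returns 0 when LIST is non-empty, has no whitespace, no empty entries and
# every entry looks like a hostname. Wildcards are rejected on purpose: the
# role uses --standalone (HTTP-01), which cannot issue wildcard certs.
validate_domains() {
    list=$1
    [ -n "$list" ] || return 1
    case $list in
        *[[:space:]]*)      return 1 ;;   # a blank after a comma breaks the -d argument
        *[!A-Za-z0-9.,-]*)  return 1 ;;   # characters certbot would reject (incl. '*')
        ,*|*,|*,,*)         return 1 ;;   # empty entry
    esac
    old_ifs=$IFS
    IFS=,
    set -- $list                          # split into one positional parameter per domain
    IFS=$old_ifs
    for d in "$@"; do
        case $d in
            -*|*-|.*|*.|*..*) return 1 ;; # dangling '-' or '.', empty label
            *.*)              ;;          # at least one dot: looks like a hostname
            *)                return 1 ;;
        esac
    done
    return 0
}

# missing_domains SAN_NAMES LIST
# SAN_NAMES: whitespace/newline-separated DNS names present in the cert.
# LIST: comma-separated requested domains. Prints each requested domain the
# cert does not carry, one per line; prints nothing when fully covered.
# Comparison is exact (case-sensitive), which matches what certbot writes.
missing_domains() {
    sans=$1
    old_ifs=$IFS
    IFS=,
    set -- $2
    IFS=$old_ifs
    for d in "$@"; do
        found=0
        for s in $sans; do
            [ "$s" = "$d" ] && found=1
        done
        [ "$found" -eq 1 ] || echo "$d"
    done
}

# san_names CERT  -- DNS names from the subjectAltName of a PEM certificate
san_names() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# cert_missing_domains CERT LIST  -- requested names absent from CERT
cert_missing_domains() {
    missing_domains "$(san_names "$1")" "$2"
}

# When run as a script with two arguments (cert path, domain list): exit 2 on a
# malformed list, 1 when the cert misses a name, 0 when everything is covered.
if [ "$#" -eq 2 ]; then
    validate_domains "$2" || { echo "malformed domain list: $2" >&2; exit 2; }
    missing=$(cert_missing_domains "$1" "$2")
    if [ -n "$missing" ]; then
        printf 'names not covered by %s:\n%s\n' "$1" "$missing" >&2
        exit 1
    fi
    echo "all requested names are covered by $1"
fi
```

Running the validation before the "stop webserver" task is the cheaper place for it: a malformed list then fails the play while nginx is still serving, instead of after certbot has already taken port 80.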