From 82f8b41ac9c3b96890bd3018d1c11de85ec2be06 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C5=82awomir=20Magdziarz?=
Date: Fri, 1 Sep 2023 17:37:55 +0200
Subject: [PATCH 1/5] [feat] use community.crypto.x509_certificate_info instead of openssl_certificate

As of Ansible 2.10, the 'openssl_certificate' was moved to the 'community.crypto' collection and the 'assertonly' provider was removed. See: https://docs.ansible.com/ansible/latest/collections/community/crypto/x509_certificate_module.html#synopsis
---
 tasks/certificate.yml | 25 ++++++++++++-------------
 1 file changed, 12 insertions(+), 13 deletions(-)

diff --git a/tasks/certificate.yml b/tasks/certificate.yml
index b111527..1b1ce60 100644
--- a/tasks/certificate.yml
+++ b/tasks/certificate.yml
@@ -1,31 +1,30 @@ --- - name: "Check if certificates exist or not" - stat: + ansible.builtin.stat: path: "{{ lets_encrypt_directory_path }}/certificates/{{ lets_encrypt_resource.common_name }}.crt" register: lets_encrypt_resource_stat_result -- name: "Check if a certificate is currently still valid and generated by lets encrypt" - openssl_certificate: +- name: "Gather certificate information" + community.crypto.x509_certificate_info: path: "{{ lets_encrypt_directory_path }}/certificates/{{ lets_encrypt_resource.common_name }}.crt" - provider: assertonly - issuer: - O: "Let's Encrypt" - has_expired: False - ignore_errors: True - register: lets_encrypt_ressource_validity_check + register: lets_encrypt_resource_info + +- name: "Check if the certificate is still valid and generated by lets encrypt" + ansible.builtin.set_fact: + lets_encrypt_resource_validity_check_failed: "{{ true if (( lets_encrypt_resource_info.issuer.organizationName != \"Let's Encrypt\" ) or ( lets_encrypt_resource_info.expired )) else false }}" - name: "Remove wrong/expired cert" - file: + ansible.builtin.file: path: "{{ lets_encrypt_directory_path }}/certificates/{{ lets_encrypt_resource.common_name }}.crt" state: absent when: - lets_encrypt_resource is not skipped - lets_encrypt_resource_stat_result.stat.exists == true - - lets_encrypt_ressource_validity_check.failed + - lets_encrypt_resource_validity_check_failed == true - name: "Create certificates" - shell: "{{ lets_encrypt_additional_env | default('') }} lego \ + ansible.builtin.shell: "{{ lets_encrypt_additional_env | default('') }} lego \ --email='{{ lets_encrypt_account_email }}' \ --csr='{{ lets_encrypt_directory_path }}/requests/{{ lets_encrypt_resource.common_name }}.csr' \ --path='{{ lets_encrypt_directory_path }}' \ 
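Review bot: The new validity check aborts the play where the removed check merely flagged the certificate: `community.crypto.x509_certificate_info` fails on a file that is not a parseable certificate, and the `set_fact` expression dereferences `lets_encrypt_resource_info.issuer.organizationName` unguarded, so a certificate whose issuer carries no organizationName raises an undefined-variable error, whereas the dropped `ignore_errors: True` used to turn both cases into `failed` and thereby into replacement of the file. The `when: ... stat.exists == true` guards added later in the series (the `@@ -9,10 +9,12 @@` hunk of tasks/certificate.yml) cover only the missing-file case, not these. Keeping the error-tolerant behaviour means registering the info task with `ignore_errors: true` again and folding its `failed` flag plus defaults into the fact, as below. Separately, the `expired` test, like `has_expired` before it, only catches certificates that have already lapsed; renewal of soon-to-expire certificates is presumably left to the cron job set up elsewhere in the role.
```yaml
- name: "Gather certificate information"
  community.crypto.x509_certificate_info:
    path: "{{ lets_encrypt_directory_path }}/certificates/{{ lets_encrypt_resource.common_name }}.crt"
  register: lets_encrypt_resource_info
  ignore_errors: true  # an unparsable file must mark the cert for replacement, not abort the play

- name: "Check if the certificate is still valid and generated by lets encrypt"
  ansible.builtin.set_fact:
    lets_encrypt_resource_validity_check_failed: >-
      {{ (lets_encrypt_resource_info.failed | default(false))
         or (lets_encrypt_resource_info.issuer.organizationName | default('') != "Let's Encrypt")
         or (lets_encrypt_resource_info.expired | default(true)) }}

# … unchanged: "Remove wrong/expired cert" and "Create certificates" tasks …
```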
@@ -38,4 +37,4 @@ {% if lets_encrypt_resource.preferred_chain is defined %}--preferred-chain='{{ lets_encrypt_resource.preferred_chain }}'{% endif %}" when: - lets_encrypt_resource is not skipped - - ( lets_encrypt_resource_stat_result.stat.exists == false ) or ( lets_encrypt_ressource_validity_check.failed ) + - ( lets_encrypt_resource_stat_result.stat.exists == false ) or ( lets_encrypt_resource_validity_check_failed == true ) From 57fb7a88f809727174b80cb9d61daf0f69b3fa44 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C5=82awomir=20Magdziarz?= Date: Fri, 1 Sep 2023 17:57:38 +0200 Subject: [PATCH 2/5] [docs] update readme file - changing requirements to be Ansible 2.10.0+ - updating usage to use role version 3.0.0 - adding missing commas --- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 69705f2..defe909 100644 --- a/README.md +++ b/README.md @@ -9,11 +9,11 @@ During deployment certificates are created only if thy do not exist, however they are not renewed at this stage. Cron jobs for renewal are set up for all domains, this is the only mechanism of renewal in use. -Currently "dns" and "http" challenges are supported. +Currently, "dns" and "http" challenges are supported. ## Requirements - - Ansible 2.8.0+ + - Ansible 2.10.0+ - Python21 - pip (installs dependencies if required) @@ -23,7 +23,7 @@ Add this role to your requirements file: ``` - src: "https://github.com/sitewards/ansible-role-lego-lets-encrypt" - version: "1.0.0" + version: "3.0.0" name: "sitewards.lego-lets-encrypt" ``` 
@@ -60,7 +60,7 @@ roles ## Limitations -Currently this role does not provide mechanism of authentication against selected dns providers, this has to be handled externally +Currently, this role does not provide mechanism of authentication against selected dns providers, this has to be handled externally ## Configuration The variables that are available are defined in [defaults/main.yml](./defaults/main.yml). There are various requirements; From bd9b0f923f96680b610306da5df091fabcb48045 Mon Sep 17 00:00:00 2001 From: Anton Boritskiy Date: Fri, 8 Sep 2023 12:30:16 +0200 Subject: [PATCH 3/5] [feat] replace module names fully-qualified names to improve compatibility with newer ansible versions. this commit is not changing all module names though, this still to be finalized --- tasks/add-staging-as-trusted.yml | 10 +++++----- tasks/cron.yml | 2 +- tasks/csr.yml | 4 ++-- tasks/dependencies.yml | 6 +++--- tasks/lego.yml | 12 ++++++------ 5 files changed, 17 insertions(+), 17 deletions(-) diff --git a/tasks/add-staging-as-trusted.yml b/tasks/add-staging-as-trusted.yml index 5036f04..3448b83 100644 --- a/tasks/add-staging-as-trusted.yml +++ b/tasks/add-staging-as-trusted.yml @@ -1,11 +1,11 @@ - name: "add folder for staging CA files" - file: + ansible.builtin.file: path: "/usr/local/share/ca-certificates/letsencrypt-staging/" state: "directory" become: true - name: "Download let's encrypt RSA intermedia cert" - get_url: + ansible.builtin.get_url: url: "https://letsencrypt.org/certs/staging/letsencrypt-stg-int-r3.pem" dest: "/usr/local/share/ca-certificates/letsencrypt-staging/letsencrypt-stg-int-r3.crt" checksum: "sha256:a7b89d7955532169a3660865f5e394aa0e180c4d00ca02ebd677ad07242b2150" 
@@ -14,7 +14,7 @@ notify: "Update CA index" - name: "Download let's encrypt ECDSA intermedia cert" - get_url: + ansible.builtin.get_url: url: "https://letsencrypt.org/certs/staging/letsencrypt-stg-int-e1.pem" dest: "/usr/local/share/ca-certificates/letsencrypt-staging/letsencrypt-stg-int-e1.crt" checksum: "sha256:a67504501308ffa5ba2a9e1f9dd4fd19aabc8918e29bc9dc2074209533140208" @@ -23,7 +23,7 @@ notify: "Update CA index" - name: "Download let's encrypt RSA root cert" - get_url: + ansible.builtin.get_url: url: "https://letsencrypt.org/certs/staging/letsencrypt-stg-root-x1.pem" dest: "/usr/local/share/ca-certificates/letsencrypt-staging/letsencrypt-stg-root-x1.crt" checksum: "sha256:3a5e1171e5f5c2d41522d438f225602e4236a68fb29c32399a95921a4ae80e73" @@ -32,7 +32,7 @@ notify: "Update CA index" - name: "Download let's encrypt ECDSA root cert" - get_url: + ansible.builtin.get_url: url: "https://letsencrypt.org/certs/staging/letsencrypt-stg-root-x2.pem" dest: "/usr/local/share/ca-certificates/letsencrypt-staging/letsencrypt-stg-root-x2.crt" checksum: "sha256:497c36c1b50c0daff30870d5908c9b97af29223d5510c5e6c24957d0cc502fb8" diff --git a/tasks/cron.yml b/tasks/cron.yml index ce7c26f..48199d2 100644 --- a/tasks/cron.yml +++ b/tasks/cron.yml @@ -1,7 +1,7 @@ --- - name: "Add cron job for lego renewal certificate" - cron: + ansible.builtin.cron: name: "### Lego automatic certificate renewal {{ item.common_name }}" job: "{{ lets_encrypt_additional_env | default('') }} lego \ --email='{{ lets_encrypt_account_email }}' \ diff --git a/tasks/csr.yml b/tasks/csr.yml index 1432fa0..5269f15 100644 --- a/tasks/csr.yml +++ b/tasks/csr.yml 
@@ -1,11 +1,11 @@ --- - name: "Create the resource wide key" - openssl_privatekey: + community.crypto.openssl_privatekey: path: "{{ lets_encrypt_directory_path }}/private/{{ lets_encrypt_resource_name }}.key" - name: "Create the certificate signing request" - openssl_csr: + community.crypto.openssl_csr: path: "{{ lets_encrypt_directory_path }}/requests/{{ item.common_name }}.csr" privatekey_path: "{{ lets_encrypt_directory_path }}/private/{{ lets_encrypt_resource_name }}.key" state: "present" diff --git a/tasks/dependencies.yml b/tasks/dependencies.yml index ac986c8..29f049c 100644 --- a/tasks/dependencies.yml +++ b/tasks/dependencies.yml @@ -1,19 +1,19 @@ --- - name: "Install required packages DEBIAN" - package: + ansible.builtin.package: name: ["libcurl4-openssl-dev"] state: "present" when: ansible_os_family == 'Debian' - name: "Install required packages RedHat" - package: + ansible.builtin.package: name: ["openssl-devel"] state: "present" when: ansible_os_family == 'RedHat' - name: "Install required pip libraries" - pip: + ansible.builtin.pip: name: ["cryptography ", "pyopenssl"] state: "latest" executable: "pip" \ No newline at end of file diff --git a/tasks/lego.yml b/tasks/lego.yml index 2ceb6ab..c886de7 100644 --- a/tasks/lego.yml +++ b/tasks/lego.yml 
@@ -1,34 +1,34 @@ --- - name: "Ensure directory for csr exists" - file: + ansible.builtin.file: path: "{{ lets_encrypt_directory_path }}/requests" state: directory - name: "Ensure directory for private keys exists" - file: + ansible.builtin.file: path: "{{ lets_encrypt_directory_path }}/private" state: directory - name: "Ensure directory for certificates exists" - file: + ansible.builtin.file: path: "{{ lets_encrypt_directory_path }}/certificates" state: directory - name: "Ensure directory for letsencrypt exists" - file: + ansible.builtin.file: path: "{{ lets_encrypt_directory_path }}/lego" state: directory - name: "Download Lego (Let's Encrypt client)" - unarchive: + ansible.builtin.unarchive: src: "{{ lets_encrypt_lego_archive_http_path }}" dest: "{{ lets_encrypt_directory_path }}/lego" creates: "{{ lets_encrypt_directory_path }}/lego/lego" remote_src: yes - name: "Create lego link in bin folder" - file: + ansible.builtin.file: src: "{{ lets_encrypt_directory_path }}/lego/lego" dest: "/usr/bin/lego" state: link \ No newline at end of file From fa94609ec07fc2e1aa7b3d374a035514b0be0b19 Mon Sep 17 00:00:00 2001 From: Anton Boritskiy Date: Fri, 8 Sep 2023 12:33:57 +0200 Subject: [PATCH 4/5] [docs] added note about future 3.0.0 release --- CHANGELOG.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index d31feed..196a152 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,14 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/). +## 3.0.0 + +### Added + +- use `community.crypto.x509_certificate_info` instead of `openssl_certificate`, + As of Ansible 2.10, the 'openssl_certificate' was moved to the 'community.crypto' + collection and the 'assertonly' provider was removed. + ## 2.3.0 ### Added From 93daeba6bb8606aa1fa644ac5418fa2e2f7570cd Mon Sep 17 00:00:00 2001 
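Review bot: The unarchive task fetches the Lego binary from `lets_encrypt_lego_archive_http_path` and the next task links it into `/usr/bin/lego` without any integrity check, whereas the `get_url` tasks in tasks/add-staging-as-trusted.yml in this same commit pin a sha256 `checksum` for every download; `ansible.builtin.unarchive` has no checksum option for a remote `src`, so the download and the unpacking need to be separate steps, as below. In the same task `remote_src: yes` is a YAML 1.1 truthy that ansible-lint's yaml[truthy] rule rejects on current versions, which matters for a commit whose stated purpose is compatibility with newer Ansible. The expected digest would be a new role variable documented in defaults/main.yml; its value depends on the release the role pins and is not on this page.
```yaml
- name: "Download Lego (Let's Encrypt client)"
  ansible.builtin.get_url:
    url: "{{ lets_encrypt_lego_archive_http_path }}"
    dest: "{{ lets_encrypt_directory_path }}/lego/{{ lets_encrypt_lego_archive_http_path | basename }}"
    checksum: "{{ lets_encrypt_lego_archive_checksum }}"  # new role variable, e.g. "sha256:<EXPECTED_DIGEST>"

- name: "Unpack Lego"
  ansible.builtin.unarchive:
    src: "{{ lets_encrypt_directory_path }}/lego/{{ lets_encrypt_lego_archive_http_path | basename }}"
    dest: "{{ lets_encrypt_directory_path }}/lego"
    creates: "{{ lets_encrypt_directory_path }}/lego/lego"
    remote_src: true

# … unchanged: "Create lego link in bin folder" task …
```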
From: =?UTF-8?q?S=C5=82awomir=20Magdziarz?= Date: Tue, 12 Sep 2023 11:00:19 +0200 Subject: [PATCH 5/5] [fix] check certificate information only if it exists --- tasks/certificate.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tasks/certificate.yml b/tasks/certificate.yml index 1b1ce60..3a68072 100644 --- a/tasks/certificate.yml +++ b/tasks/certificate.yml @@ -9,10 +9,12 @@ community.crypto.x509_certificate_info: path: "{{ lets_encrypt_directory_path }}/certificates/{{ lets_encrypt_resource.common_name }}.crt" register: lets_encrypt_resource_info + when: lets_encrypt_resource_stat_result.stat.exists == true - name: "Check if the certificate is still valid and generated by lets encrypt" ansible.builtin.set_fact: lets_encrypt_resource_validity_check_failed: "{{ true if (( lets_encrypt_resource_info.issuer.organizationName != \"Let's Encrypt\" ) or ( lets_encrypt_resource_info.expired )) else false }}" + when: lets_encrypt_resource_stat_result.stat.exists == true - name: "Remove wrong/expired cert" ansible.builtin.file:
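Review bot: With the guard on the `set_fact` task, `lets_encrypt_resource_validity_check_failed` is never assigned when the certificate file is absent, so it is either undefined or, if this file is included once per resource as the `lets_encrypt_resource` loop variable suggests, left at the value computed for the previous resource; the later `when` clauses appear to get away with it only because `stat.exists` is tested first and Jinja's `or` short-circuits, which any reordering would break. Guarding the info task is right, but the fact itself can be computed unconditionally: drop the second `when:` and write `lets_encrypt_resource_validity_check_failed: "{{ lets_encrypt_resource_stat_result.stat.exists and ((lets_encrypt_resource_info.issuer.organizationName != \"Let's Encrypt\") or lets_encrypt_resource_info.expired) }}"`, where `and` short-circuits before the skipped result's `issuer` is touched. The `== true` comparisons, here and in the "Remove wrong/expired cert" task that continues outside the hunk, are what ansible-lint's literal-compare rule flags; `when: lets_encrypt_resource_stat_result.stat.exists` reads the same.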