Feature/update cert validity check

CHANGELOG.md

@@ -4,6 +4,14 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to 
 [Semantic Versioning](http://semver.org/).
 
+## 3.0.0
+
+### Added
+
+- use `community.crypto.x509_certificate_info` instead of `openssl_certificate`,
+  As of Ansible 2.10, the 'openssl_certificate' was moved to the 'community.crypto'
+  collection and the 'assertonly' provider was removed.
+
 ## 2.3.0
 
 ### Added

README.md

@@ -9,11 +9,11 @@ During deployment certificates are created only if thy do not exist, however
 they are not renewed at this stage.  
 Cron jobs for renewal are set up for all domains, this is the only mechanism of renewal in use.  
 
-Currently "dns" and "http" challenges are supported.
+Currently, "dns" and "http" challenges are supported.
 
 
 ## Requirements
- - Ansible 2.8.0+
+ - Ansible 2.10.0+
  - Python21
  - pip (installs dependencies if required)
 
@@ -23,7 +23,7 @@ Add this role to your requirements file:
 
 ```
 - src: "https://github.com/sitewards/ansible-role-lego-lets-encrypt"
-  version: "1.0.0"
+  version: "3.0.0"
   name: "sitewards.lego-lets-encrypt"
 ```
 
@@ -60,7 +60,7 @@ roles
 
 ## Limitations
 
-Currently this role does not provide mechanism of authentication against selected dns providers, this has to be handled externally
+Currently, this role does not provide mechanism of authentication against selected dns providers, this has to be handled externally
 
 ## Configuration
 The variables that are available are defined in [defaults/main.yml](./defaults/main.yml). There are various requirements; 

tasks/add-staging-as-trusted.yml

@@ -1,11 +1,11 @@
 - name: "add folder for staging CA files"
-  file:
+  ansible.builtin.file:
       path: "/usr/local/share/ca-certificates/letsencrypt-staging/"
       state: "directory"
   become: true
 
 - name: "Download let's encrypt RSA intermedia cert"
-  get_url:
+  ansible.builtin.get_url:
       url: "https://letsencrypt.org/certs/staging/letsencrypt-stg-int-r3.pem"
       dest: "/usr/local/share/ca-certificates/letsencrypt-staging/letsencrypt-stg-int-r3.crt"
       checksum: "sha256:a7b89d7955532169a3660865f5e394aa0e180c4d00ca02ebd677ad07242b2150"
@@ -14,7 +14,7 @@
   notify: "Update CA index"
 
 - name: "Download let's encrypt ECDSA intermedia cert"
-  get_url:
+  ansible.builtin.get_url:
       url: "https://letsencrypt.org/certs/staging/letsencrypt-stg-int-e1.pem"
       dest: "/usr/local/share/ca-certificates/letsencrypt-staging/letsencrypt-stg-int-e1.crt"
       checksum: "sha256:a67504501308ffa5ba2a9e1f9dd4fd19aabc8918e29bc9dc2074209533140208"
@@ -23,7 +23,7 @@
   notify: "Update CA index"
 
 - name: "Download let's encrypt RSA root cert"
-  get_url:
+  ansible.builtin.get_url:
       url: "https://letsencrypt.org/certs/staging/letsencrypt-stg-root-x1.pem"
       dest: "/usr/local/share/ca-certificates/letsencrypt-staging/letsencrypt-stg-root-x1.crt"
       checksum: "sha256:3a5e1171e5f5c2d41522d438f225602e4236a68fb29c32399a95921a4ae80e73"
@@ -32,7 +32,7 @@
   notify: "Update CA index"
 
 - name: "Download let's encrypt ECDSA root cert"
-  get_url:
+  ansible.builtin.get_url:
       url: "https://letsencrypt.org/certs/staging/letsencrypt-stg-root-x2.pem"
       dest: "/usr/local/share/ca-certificates/letsencrypt-staging/letsencrypt-stg-root-x2.crt"
       checksum: "sha256:497c36c1b50c0daff30870d5908c9b97af29223d5510c5e6c24957d0cc502fb8"

tasks/certificate.yml

@@ -1,31 +1,32 @@
 ---
 
 - name: "Check if certificates exist or not"
-  stat:
+  ansible.builtin.stat:
     path: "{{ lets_encrypt_directory_path }}/certificates/{{ lets_encrypt_resource.common_name }}.crt"
   register: lets_encrypt_resource_stat_result
 
-- name: "Check if a certificate is currently still valid and generated by lets encrypt"
-  openssl_certificate:
+- name: "Gather certificate information"
+  community.crypto.x509_certificate_info:
     path: "{{ lets_encrypt_directory_path }}/certificates/{{ lets_encrypt_resource.common_name }}.crt"
-    provider: assertonly
-    issuer:
-      O: "Let's Encrypt"
-    has_expired: False
-  ignore_errors: True
-  register: lets_encrypt_ressource_validity_check
+  register: lets_encrypt_resource_info
+  when: lets_encrypt_resource_stat_result.stat.exists == true
+
+- name: "Check if the certificate is still valid and generated by lets encrypt"
+  ansible.builtin.set_fact:
+    lets_encrypt_resource_validity_check_failed: "{{ true if (( lets_encrypt_resource_info.issuer.organizationName != \"Let's Encrypt\" ) or ( lets_encrypt_resource_info.expired )) else false }}"
+  when: lets_encrypt_resource_stat_result.stat.exists == true
 
 - name: "Remove wrong/expired cert"
-  file:
+  ansible.builtin.file:
     path: "{{ lets_encrypt_directory_path }}/certificates/{{ lets_encrypt_resource.common_name }}.crt"
     state: absent
   when:
     - lets_encrypt_resource is not skipped
     - lets_encrypt_resource_stat_result.stat.exists == true
-    - lets_encrypt_ressource_validity_check.failed
+    - lets_encrypt_resource_validity_check_failed == true
 
 - name: "Create certificates"
-  shell: "{{ lets_encrypt_additional_env | default('') }} lego \
+  ansible.builtin.shell: "{{ lets_encrypt_additional_env | default('') }} lego \
         --email='{{ lets_encrypt_account_email }}' \
         --csr='{{ lets_encrypt_directory_path }}/requests/{{ lets_encrypt_resource.common_name }}.csr' \
         --path='{{ lets_encrypt_directory_path }}' \
@@ -38,4 +39,4 @@
         {% if lets_encrypt_resource.preferred_chain is defined %}--preferred-chain='{{ lets_encrypt_resource.preferred_chain }}'{% endif %}"
   when:
     - lets_encrypt_resource is not skipped
-    - ( lets_encrypt_resource_stat_result.stat.exists == false ) or ( lets_encrypt_ressource_validity_check.failed )
+    - ( lets_encrypt_resource_stat_result.stat.exists == false ) or ( lets_encrypt_resource_validity_check_failed == true )

tasks/cron.yml

@@ -1,7 +1,7 @@
 ---
 
 - name: "Add cron job for lego renewal certificate"
-  cron:
+  ansible.builtin.cron:
     name: "### Lego automatic certificate renewal {{ item.common_name }}"
     job: "{{ lets_encrypt_additional_env | default('') }} lego \
           --email='{{ lets_encrypt_account_email }}' \

tasks/csr.yml

@@ -1,11 +1,11 @@
 ---
 
 - name: "Create the resource wide key"
-  openssl_privatekey:
+  community.crypto.openssl_privatekey:
     path: "{{ lets_encrypt_directory_path }}/private/{{ lets_encrypt_resource_name }}.key"
 
 - name: "Create the certificate signing request"
-  openssl_csr:
+  community.crypto.openssl_csr:
     path: "{{ lets_encrypt_directory_path }}/requests/{{ item.common_name }}.csr"
     privatekey_path: "{{ lets_encrypt_directory_path }}/private/{{ lets_encrypt_resource_name }}.key"
     state: "present"

tasks/dependencies.yml

@@ -1,19 +1,19 @@
 ---
 
 - name: "Install required packages DEBIAN"
-  package:
+  ansible.builtin.package:
     name: ["libcurl4-openssl-dev"]
     state: "present"
   when: ansible_os_family == 'Debian'
 
 - name: "Install required packages RedHat"
-  package:
+  ansible.builtin.package:
     name: ["openssl-devel"]
     state: "present"
   when: ansible_os_family == 'RedHat'
 
 - name: "Install required pip libraries"
-  pip:
+  ansible.builtin.pip:
     name: ["cryptography ", "pyopenssl"]
     state: "latest"
     executable: "pip"

tasks/lego.yml

@@ -1,34 +1,34 @@
 ---
 
 - name: "Ensure directory for csr exists"
-  file:
+  ansible.builtin.file:
     path: "{{ lets_encrypt_directory_path }}/requests"
     state: directory
 
 - name: "Ensure directory for private keys exists"
-  file:
+  ansible.builtin.file:
     path: "{{ lets_encrypt_directory_path }}/private"
     state: directory
 
 - name: "Ensure directory for certificates exists"
-  file:
+  ansible.builtin.file:
     path: "{{ lets_encrypt_directory_path }}/certificates"
     state: directory
 
 - name: "Ensure directory for letsencrypt exists"
-  file:
+  ansible.builtin.file:
     path: "{{ lets_encrypt_directory_path }}/lego"
     state: directory
 
 - name: "Download Lego (Let's Encrypt client)"
-  unarchive:
+  ansible.builtin.unarchive:
     src: "{{ lets_encrypt_lego_archive_http_path }}"
     dest: "{{ lets_encrypt_directory_path }}/lego"
     creates: "{{ lets_encrypt_directory_path }}/lego/lego"
     remote_src: yes
 
 - name: "Create lego link in bin folder"
-  file:
+  ansible.builtin.file:
     src: "{{ lets_encrypt_directory_path }}/lego/lego"
     dest: "/usr/bin/lego"
     state: link