Merge pull request #5 from DnR-iData/master

http-01 wellknown support + ansible galaxy file structure :

CHANGELOG.md

@@ -4,6 +4,26 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to 
 [Semantic Versioning](http://semver.org/).
 
+## 1.1.1
+
+### changed
+- Correcting some typo error (wellknow => wellknown)
+
+### Removed
+- Debug comments
+
+## 1.1.0
+
+### Added
+- http-01 (wellknown acme-challenge) support.
+- SSL crt & key concatenation for HAProxy compatibility.
+- Ansible Galaxy file structure (to be used with ansible-galaxy install git@...).
+
+### Changed
+- README : adding http-01 support.
+- lets_encrypt_directory var is dynamically set (stage or prod URL). 
+- main.yml to be used with http-01.
+
 ## 1.0.0
 
 ### Added

README.md

@@ -23,7 +23,7 @@ itself.
 ### Limited Support
 
 While the role was written in an extensible way, and wll be extended as requirements dicatate to include other
-Lets Encrypt auth mechanisms or cloud providers, only DNS by Route53 has been implemented so far.
+Lets Encrypt auth mechanisms or cloud providers, new DNS by Route53 and wellknown acme-challenge have been implemented.
 
 ### Manually combines full chain
 

defaults/main.yml

@@ -10,7 +10,11 @@ lets_encrypt_agreement: "https://letsencrypt.org/documents/LE-SA-v1.2-November-1
 
 ## The directory used for Lets Encrypt to generate certificates
 ## Defaults to staging for testing.
-lets_encrypt_directory: "https://acme-staging.api.letsencrypt.org/directory"
+lets_encrypt_mode: "stage"
+lets_encrypt_url_prod: "https://acme-v01.api.letsencrypt.org/directory" # PROD
+lets_encrypt_url_stage: "https://acme-staging.api.letsencrypt.org/directory" # STAGE
+
+lets_encrypt_directory: "{{ vars['lets_encrypt_url_'+lets_encrypt_mode] }}" # set STAGE or PROD URL
 
 ## How many days before the certificate expires it should be renewed
 lets_encrypt_renew_limit: 30
@@ -25,6 +29,12 @@ lets_encrypt_resource_name: "website"
 ## - tls-sni-02
 lets_encrypt_challenge_type: "dns-01"
 
+## The type of the ssl services for SSL generation
+# - haproxy
+# - nginx # not yet implemented
+# - apache # not yet implemented
+lets_encrypt_ssl_mode: "haproxy"
+
 ## The common or "root" name of this TLS certificate
 ## (Required)
 # lets_encrypt_common_name:

handlers/main.yml

@@ -0,0 +1,2 @@
+---
+# handlers file for sitewards.ansible-role-lets-encrypt

meta/main.yml

@@ -0,0 +1,57 @@
+galaxy_info:
+  author: Sitewards & DnR-iData
+  description: Let's Encrypt roles
+  company: Sitewards
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Some suggested licenses:
+  # - BSD (default)
+  # - MIT
+  # - GPLv2
+  # - GPLv3
+  # - Apache
+  # - CC-BY
+  license: license (GPLv2, CC-BY, etc)
+
+  min_ansible_version: 2.4
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  # Optionally specify the branch Galaxy will use when accessing the GitHub
+  # repo for this role. During role install, if no tags are available,
+  # Galaxy will use this branch. During import Galaxy will access files on
+  # this branch. If Travis integration is configured, only notifications for this
+  # branch will be accepted. Otherwise, in all cases, the repo's default branch
+  # (usually master) will be used.
+  #github_branch:
+
+  #
+  # platforms is a list of platforms, and each platform has a name and a list of versions.
+  #
+  # platforms:
+  # - name: Fedora
+  #   versions:
+  #   - all
+  #   - 25
+  # - name: SomePlatform
+  #   versions:
+  #   - all
+  #   - 1.0
+  #   - 7
+  #   - 99.99
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.

tasks/haproxy.yml

@@ -0,0 +1,14 @@
+---
+- name: Ensure HAProxy SSL dir exist
+  become: true
+  file:
+    path: /etc/haproxy/ssl
+    state: directory
+  when: lets_encrypt_certificate_invalidated == true
+
+# TODO : change raw modules with assemble or other.
+# Concatenate crt & key fort HAProxy SSL Support
+- name: Assemble key and crt for HAProxy
+  become: true
+  raw: cat /etc/ssl/certs/{{ lets_encrypt_resource_name }}.fullchain.crt /etc/ssl/private/{{ lets_encrypt_resource_name }}.key > /etc/haproxy/ssl/{{ lets_encrypt_resource_name }}.pem
+  when: lets_encrypt_certificate_invalidated == true

tasks/lets_encrypt.yml

@@ -84,6 +84,8 @@
     seconds: 30
   when:
     - lets_encrypt_certificate_invalidated == true
+    # Wait only if it's the DNS provider
+    - lets_encrypt_challenge_type == "dns-01"
 
 - name: "Ask Lets Encrypt to validate and issue a new key"
   letsencrypt:

tasks/main.yml

@@ -1,4 +1,28 @@
 ---
 - include: "dependencies.yml"
+
+# Create the /.well-known/acme-challenge dir
+- include: "wellknown.yml"
+  vars:
+    lets_encrypt_resource_state: present
+  when:
+    - lets_encrypt_challenge_type == 'http-01'
+
+
 - include: "lets_encrypt.yml"
   when: lets_encrypt_common_name is not undefined
+
+
+# Remove the /.well-known/acme-challenge dir
+- include: "wellknown.yml"
+  vars:
+    lets_encrypt_resource_state: absent
+  when:
+    - lets_encrypt_challenge_type == 'http-01'
+
+# Concatenate crt & key for HAproxy SSL support
+- include: "haproxy.yml"
+  when:
+    - lets_encrypt_ssl_mode == 'haproxy'
+    - lets_encrypt_common_name is not undefined
+    - lets_encrypt_challenge_type == 'http-01'

tasks/providers/http-01/wellknown.yml

@@ -0,0 +1,8 @@
+---
+## Creating & adding the well-known acme-challenge file with data
+
+- name: Copy HTTP well-known ACME Challege data to file
+  copy:
+    content: "{{ acme_data.challenge_data[lets_encrypt_resource_domain]['http-01']['resource_value'] }}"
+    dest: "{{ lets_encrypt_http_path }}/{{ acme_data.challenge_data[lets_encrypt_resource_domain]['http-01']['resource'] }}"
+  when: lets_encrypt_resource_state == "present"

tasks/wellknown.yml

@@ -0,0 +1,18 @@
+---
+
+- set_fact:
+    dir_state: "{{ lets_encrypt_resource_state }}"
+
+- set_fact:
+    dir_state: "directory"
+  when: lets_encrypt_resource_state == "present"
+
+- name: Ensure well-known dir exist
+  file:
+    path: "{{ lets_encrypt_http_path }}/.well-known"
+    state: "{{ dir_state }}"
+
+- name: Ensure acme-challenge dir exist
+  file:
+    path: "{{ lets_encrypt_http_path }}/.well-known/acme-challenge"
+    state: "{{ dir_state }}"

tests/inventory

@@ -0,0 +1,2 @@
+localhost
+

tests/test.yml

@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+  remote_user: root
+  roles:
+    - sitewards.ansible-role-lets-encrypt

vars/main.yml

@@ -0,0 +1,2 @@
+---
+# vars file for sitewards.ansible-role-lets-encrypt