From 00f1aefa8217882bd6eb18df7e4bfb4183d5d167 Mon Sep 17 00:00:00 2001 From: David Ribeiro Date: Thu, 30 Nov 2017 13:52:45 +0100 Subject: [PATCH 1/2] http-01 wellknown support + ansible galaxy file structure : + http-01 wellknown support + dynamic ssl url var set + haproxy crt + key concatenation + ansible galaxy file structure --- CHANGELOG.md | 12 ++++++ README.md | 2 +- defaults/main.yml | 12 +++++- handlers/main.yml | 2 + meta/main.yml | 57 +++++++++++++++++++++++++++ tasks/haproxy.yml | 14 +++++++ tasks/lets_encrypt.yml | 2 + tasks/main.yml | 24 +++++++++++ tasks/providers/http-01/wellknown.yml | 18 +++++++++ tasks/wellknow.yml | 18 +++++++++ tests/inventory | 2 + tests/test.yml | 5 +++ vars/main.yml | 2 + 13 files changed, 168 insertions(+), 2 deletions(-) create mode 100644 handlers/main.yml create mode 100644 meta/main.yml create mode 100644 tasks/haproxy.yml create mode 100644 tasks/providers/http-01/wellknown.yml create mode 100644 tasks/wellknow.yml create mode 100644 tests/inventory create mode 100644 tests/test.yml create mode 100644 vars/main.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index 6029352..4054a88 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,18 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/). +## 1.1.0 + +### Added +- http-01 (wellknow acme-challenge) support. +- SSL crt & key concatenation for HAProxy compatibility. +- Ansible Galaxy file structure (to be used with ansible-galaxy install git@...). + +### Changed +- README : adding http-01 support. +- lets_encrypt_directory var is dynamically set (stage or prod URL). +- main.yml to be used with http-01. + ## 1.0.0 ### Added diff --git a/README.md b/README.md index 489995b..012fece 100644 --- a/README.md +++ b/README.md 
@@ -23,7 +23,7 @@ itself. ### Limited Support While the role was written in an extensible way, and wll be extended as requirements dicatate to include other -Lets Encrypt auth mechanisms or cloud providers, only DNS by Route53 has been implemented so far. +Lets Encrypt auth mechanisms or cloud providers, new DNS by Route53 and wellknown acme-challenge have been implemented. ### Manually combines full chain diff --git a/defaults/main.yml b/defaults/main.yml index 461ca0e..97dab20 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -10,7 +10,11 @@ lets_encrypt_agreement: "https://letsencrypt.org/documents/LE-SA-v1.2-November-1 ## The directory used for Lets Encrypt to generate certificates ## Defaults to staging for testing. -lets_encrypt_directory: "https://acme-staging.api.letsencrypt.org/directory" +lets_encrypt_mode: "stage" +lets_encrypt_url_prod: "https://acme-v01.api.letsencrypt.org/directory" # PROD +lets_encrypt_url_stage: "https://acme-staging.api.letsencrypt.org/directory" # STAGE + +lets_encrypt_directory: "{{ vars['lets_encrypt_url_'+lets_encrypt_mode] }}" # set STAGE or PROD URL ## How many days before the certificate expires it should be renewed lets_encrypt_renew_limit: 30 @@ -25,6 +29,12 @@ lets_encrypt_resource_name: "website" ## - tls-sni-02 lets_encrypt_challenge_type: "dns-01" +## The type of the ssl services for SSL generation +# - haproxy +# - nginx # not yet implemented +# - apache # not yet implemented +lets_encrypt_ssl_mode: "haproxy" + ## The common or "root" name of this TLS certificate ## (Required) # lets_encrypt_common_name: diff --git a/handlers/main.yml b/handlers/main.yml new file mode 100644 index 0000000..7185aa3 --- /dev/null +++ b/handlers/main.yml @@ -0,0 +1,2 @@ +--- +# handlers file for sitewards.ansible-role-lets-encrypt \ No newline at end of file diff --git a/meta/main.yml b/meta/main.yml new file mode 100644 index 0000000..1e0a67b --- /dev/null +++ b/meta/main.yml 
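Review bot: `lets_encrypt_directory: "{{ vars['lets_encrypt_url_'+lets_encrypt_mode] }}"` turns any `lets_encrypt_mode` value other than `stage` or `prod` (a typo such as `production`) into an undefined-variable error at the first task that uses the URL, with no hint that the mode string is the cause. An early guard in `tasks/main.yml`, e.g. `- assert: { that: "lets_encrypt_mode in ['stage', 'prod']", msg: "lets_encrypt_mode must be 'stage' or 'prod'" }`, fails at the top of the run with a readable message; alternatively `lets_encrypt_directory: "{{ lets_encrypt_url_prod if lets_encrypt_mode == 'prod' else lets_encrypt_url_stage }}"` drops the indirect `vars[]` lookup entirely, at the cost of silently treating typos as staging. The comment kept above the block still says the directory "Defaults to staging for testing"; it is now only true through `lets_encrypt_mode: "stage"`, which the comment should say.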
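Review bot: The new `lets_encrypt_ssl_mode` block lists `nginx` and `apache` as values but marks both "not yet implemented", and nothing in the role rejects them, so a user who sets one gets a silently un-bundled certificate rather than an error; until they exist, the comment should say that only `haproxy` is honoured, or a task should `assert` that `lets_encrypt_ssl_mode == 'haproxy'`. The option list also switches to single `#` (`# - haproxy`) while the `lets_encrypt_challenge_type` list right above it uses `## - tls-sni-02`; `## - haproxy` keeps the file's comment style consistent.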
@@ -0,0 +1,57 @@ +galaxy_info: + author: Sitewards & DnR-iData + description: Let's Encrypt roles + company: Sitewards + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Some suggested licenses: + # - BSD (default) + # - MIT + # - GPLv2 + # - GPLv3 + # - Apache + # - CC-BY + license: license (GPLv2, CC-BY, etc) + + min_ansible_version: 1.2 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # Optionally specify the branch Galaxy will use when accessing the GitHub + # repo for this role. During role install, if no tags are available, + # Galaxy will use this branch. During import Galaxy will access files on + # this branch. If Travis integration is configured, only notifications for this + # branch will be accepted. Otherwise, in all cases, the repo's default branch + # (usually master) will be used. + #github_branch: + + # + # platforms is a list of platforms, and each platform has a name and a list of versions. + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. \ No newline at end of file diff --git a/tasks/haproxy.yml b/tasks/haproxy.yml new file mode 100644 index 0000000..5239251 --- /dev/null +++ b/tasks/haproxy.yml 
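Review bot: `license: license (GPLv2, CC-BY, etc)` is the untouched placeholder from the `ansible-galaxy init` skeleton, so the role would be published to Galaxy with a meaningless licence string; it should be replaced by the repository's actual licence, e.g. `license: <project licence, placeholder>`. `galaxy_tags: []` is likewise left at the skeleton default while the comment beneath it asks for the `[]` to be removed once tags are added; a few tags such as `letsencrypt`, `ssl`, `haproxy` would make the role discoverable. The `description: Let's Encrypt roles` is plural for a single role and would read better as `Obtain and renew Let's Encrypt certificates (dns-01 via Route53, http-01 via web root)`, which is what the README and CHANGELOG in this patch describe.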
@@ -0,0 +1,14 @@ +--- +- name: Ensure HAProxy SSL dir exist + become: true + file: + path: /etc/haproxy/ssl + state: directory + when: lets_encrypt_certificate_invalidated == true + +# TODO : change raw modules with assemble or other. +# Concatenate crt & key fort HAProxy SSL Support +- name: Assemble key and crt for HAProxy + become: true + raw: cat /etc/ssl/certs/{{ lets_encrypt_resource_name }}.fullchain.crt /etc/ssl/private/{{ lets_encrypt_resource_name }}.key > /etc/haproxy/ssl/{{ lets_encrypt_resource_name }}.pem + when: lets_encrypt_certificate_invalidated == true diff --git a/tasks/lets_encrypt.yml b/tasks/lets_encrypt.yml index bd77b56..6322b42 100644 --- a/tasks/lets_encrypt.yml +++ b/tasks/lets_encrypt.yml @@ -84,6 +84,8 @@ seconds: 30 when: - lets_encrypt_certificate_invalidated == true + # Wait only if it's the DNS provider + - lets_encrypt_challenge_type == "dns-01" - name: "Ask Lets Encrypt to validate and issue a new key" letsencrypt: diff --git a/tasks/main.yml b/tasks/main.yml index de64adc..17964a6 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,4 +1,28 @@ --- - include: "dependencies.yml" + +# Create the /.well-known/acme-challenge dir +- include: "wellknow.yml" + vars: + lets_encrypt_resource_state: present + when: + - lets_encrypt_challenge_type == 'http-01' + + - include: "lets_encrypt.yml" when: lets_encrypt_common_name is not undefined + + +# Remove the /.well-known/acme-challenge dir +- include: "wellknow.yml" + vars: + lets_encrypt_resource_state: absent + when: + - lets_encrypt_challenge_type == 'http-01' + +# Concatenate crt & key for HAproxy SSL support +- include: "haproxy.yml" + when: + - lets_encrypt_ssl_mode == 'haproxy' + - lets_encrypt_common_name is not undefined + - lets_encrypt_challenge_type == 'http-01' diff --git a/tasks/providers/http-01/wellknown.yml b/tasks/providers/http-01/wellknown.yml new file mode 100644 index 0000000..237f413 --- /dev/null +++ b/tasks/providers/http-01/wellknown.yml 
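Review bot: The `raw: cat ... > /etc/haproxy/ssl/{{ lets_encrypt_resource_name }}.pem` task copies the private key into a new file whose permissions come from root's umask (commonly `0644`), and the `file` task above creates `/etc/haproxy/ssl` without a `mode`, so the concatenated bundle can end up world-readable even though the source `/etc/ssl/private/{{ lets_encrypt_resource_name }}.key` is not. The bundle should be written under a restrictive umask and its mode pinned afterwards, and the directory given an explicit mode; `shell` (which is what the TODO comment already asks for) does this as well as `raw`, which skips Ansible's module machinery for no benefit here. `lets_encrypt_resource_name` is role input interpolated unquoted into a shell command line, so it also deserves the `| quote` filter. As far as I know HAProxy loads certificates before dropping privileges, so a root-owned `0600` bundle is normally sufficient — confirm against the local haproxy service setup.

```yaml
- name: Ensure HAProxy SSL dir exist
  become: true
  file:
    path: /etc/haproxy/ssl
    state: directory
    owner: root
    group: root
    mode: "0700"
  when: lets_encrypt_certificate_invalidated == true

# Concatenate crt & key for HAProxy SSL support. The bundle contains the
# private key, so create it under a restrictive umask and pin its mode.
- name: Assemble key and crt for HAProxy
  become: true
  shell: >-
    umask 077 &&
    cat /etc/ssl/certs/{{ lets_encrypt_resource_name | quote }}.fullchain.crt
    /etc/ssl/private/{{ lets_encrypt_resource_name | quote }}.key
    > /etc/haproxy/ssl/{{ lets_encrypt_resource_name | quote }}.pem
  when: lets_encrypt_certificate_invalidated == true

- name: Restrict permissions on the HAProxy PEM bundle
  become: true
  file:
    path: "/etc/haproxy/ssl/{{ lets_encrypt_resource_name }}.pem"
    owner: root
    group: root
    mode: "0600"
  when: lets_encrypt_certificate_invalidated == true
```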
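Review bot: The `haproxy.yml` include at the end of the `tasks/main.yml` hunk is gated on `lets_encrypt_challenge_type == 'http-01'`, so a run that keeps the default `lets_encrypt_ssl_mode: "haproxy"` but uses `dns-01` issues the certificate and never produces the HAProxy bundle; unless that coupling is intended, the condition should be just `lets_encrypt_ssl_mode == 'haproxy'` and `lets_encrypt_common_name is defined`. `is not undefined` on the new include (and on the existing `lets_encrypt.yml` one) is a double negative that `is defined` states more directly. Static `include` with `vars:`/`when:` is deprecated from Ansible 2.4, the version the second patch pins in `meta/main.yml`, so `import_tasks` would be the forward-compatible spelling; its `when:` applies to every task in the imported file, which matches how these includes are used. The cleanup include for `.well-known` runs even when the `lets_encrypt.yml` include was skipped, which is harmless but worth a comment.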
@@ -0,0 +1,18 @@ +--- +# # acme_data.challenge_data => +# # "DNS NAME": { +# # "dns-01": { +# # "resource": "_acme-challenge", +# # "resource_value": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +# # }, +# # "http-01": { +# # "resource": ".well-known/acme-challenge/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", +# # "resource_value": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.yyyyyyyy-yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy" +# # } +# # }, + +- name: Copy HTTP well-know ACME Challege data to file + copy: + content: "{{ acme_data.challenge_data[lets_encrypt_resource_domain]['http-01']['resource_value'] }}" + dest: "{{ lets_encrypt_http_path }}/{{ acme_data.challenge_data[lets_encrypt_resource_domain]['http-01']['resource'] }}" + when: lets_encrypt_resource_state == "present" diff --git a/tasks/wellknow.yml b/tasks/wellknow.yml new file mode 100644 index 0000000..e210929 --- /dev/null +++ b/tasks/wellknow.yml @@ -0,0 +1,18 @@ +--- + +- set_fact: + dir_state: "{{ lets_encrypt_resource_state }}" + +- set_fact: + dir_state: "directory" + when: lets_encrypt_resource_state == "present" + +- name: Ensure well-known dir exist + file: + path: "{{ lets_encrypt_http_path }}/.well-known" + state: "{{ dir_state }}" + +- name: Ensure acme-challenge dir exist + file: + path: "{{ lets_encrypt_http_path }}/.well-known/acme-challenge" + state: "{{ dir_state }}" diff --git a/tests/inventory b/tests/inventory new file mode 100644 index 0000000..878877b --- /dev/null +++ b/tests/inventory @@ -0,0 +1,2 @@ +localhost + diff --git a/tests/test.yml b/tests/test.yml new file mode 100644 index 0000000..c726efd --- /dev/null +++ b/tests/test.yml @@ -0,0 +1,5 @@ +--- +- hosts: localhost + remote_user: root + roles: + - sitewards.ansible-role-lets-encrypt \ No newline at end of file diff --git a/vars/main.yml b/vars/main.yml new file mode 100644 index 0000000..247d7ce --- /dev/null +++ b/vars/main.yml 
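Review bot: The `copy` task depends on `lets_encrypt_http_path` and `lets_encrypt_resource_domain`, neither of which appears in the `defaults/main.yml` hunk of this patch; if they are not set elsewhere in the role (this file is presumably included from `lets_encrypt.yml` outside the patch), the http-01 path fails with an undefined-variable error on first use, and `lets_encrypt_http_path` at least should get a documented default entry such as `## Web root that serves /.well-known/acme-challenge (required for http-01)` followed by `# lets_encrypt_http_path:`. `dest` is built from the `resource` string returned by the ACME server, so an `assert` that it starts with `.well-known/acme-challenge/` before the copy keeps the write inside the web root instead of trusting the response. The task runs without `become` while the sibling `haproxy.yml` tasks use it; confirm the connecting user can write to the web root. Nothing removes the token file when `lets_encrypt_resource_state` is `absent` — cleanup relies entirely on `wellknow.yml` deleting the directory.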
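Review bot: In `tasks/wellknow.yml`, when `lets_encrypt_resource_state` is `absent` the first `file` task removes `{{ lets_encrypt_http_path }}/.well-known` recursively, which also deletes anything else a site keeps under `/.well-known` (a `security.txt`, app-association files) that this role never created; cleanup should touch only the `acme-challenge` subdirectory, and the `.well-known` task should be limited to `state: directory`. The two `set_fact` tasks can be folded into the state expression, `state: "{{ 'directory' if lets_encrypt_resource_state == 'present' else lets_encrypt_resource_state }}"`, which also avoids leaving a host fact named `dir_state` behind for the rest of the play. The created directories get no `owner`/`mode`, so whether the web server can read the challenge depends on the umask of the connecting user — worth setting explicitly.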
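Review bot: `tests/test.yml` sets no `lets_encrypt_common_name`, and the `lets_encrypt.yml` include in `tasks/main.yml` is gated on `lets_encrypt_common_name is not undefined`, so the test play only runs `dependencies.yml` and exercises none of the new http-01 or HAProxy code. Passing the required variables under `vars:` on the play (with `lets_encrypt_mode: "stage"`) would make the test meaningful, and `remote_user: root` can be dropped in favour of `become: true` since the role's tasks already use `become`.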
@@ -0,0 +1,2 @@ +--- +# vars file for sitewards.ansible-role-lets-encrypt \ No newline at end of file From d8d6115f7bff4e66be5e77d5a345cf0723be5cd0 Mon Sep 17 00:00:00 2001 From: RIBEIRO David Date: Fri, 1 Dec 2017 19:23:58 +0100 Subject: [PATCH 2/2] Correcting some typo error + clean up debug comments : + Changing min ansible version compatibility + Correcting some error (wellknow => wellknown) - Removing debug comments --- CHANGELOG.md | 10 +++++++++- meta/main.yml | 2 +- tasks/main.yml | 4 ++-- tasks/providers/http-01/wellknown.yml | 14 ++------------ tasks/{wellknow.yml => wellknown.yml} | 0 5 files changed, 14 insertions(+), 16 deletions(-) rename tasks/{wellknow.yml => wellknown.yml} (100%) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4054a88..443123f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,10 +4,18 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/). +## 1.1.1 + +### changed +- Correcting some typo error (wellknow => wellknown) + +### Removed +- Debug comments + ## 1.1.0 ### Added -- http-01 (wellknow acme-challenge) support. +- http-01 (wellknown acme-challenge) support. - SSL crt & key concatenation for HAProxy compatibility. - Ansible Galaxy file structure (to be used with ansible-galaxy install git@...). diff --git a/meta/main.yml b/meta/main.yml index 1e0a67b..a9add48 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -16,7 +16,7 @@ galaxy_info: # - CC-BY license: license (GPLv2, CC-BY, etc) - min_ansible_version: 1.2 + min_ansible_version: 2.4 # If this a Container Enabled role, provide the minimum Ansible Container version. # min_ansible_container_version: diff --git a/tasks/main.yml b/tasks/main.yml index 17964a6..49d7e7b 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
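Review bot: `min_ansible_version: 2.4` in `meta/main.yml` is an unquoted float, so a later bump to `2.10` would be read by YAML as `2.1`; Galaxy accepts the string form, so `min_ansible_version: "2.4"` avoids the trap now rather than at the next bump.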
@@ -2,7 +2,7 @@ - include: "dependencies.yml" # Create the /.well-known/acme-challenge dir -- include: "wellknow.yml" +- include: "wellknown.yml" vars: lets_encrypt_resource_state: present when: @@ -14,7 +14,7 @@ # Remove the /.well-known/acme-challenge dir -- include: "wellknow.yml" +- include: "wellknown.yml" vars: lets_encrypt_resource_state: absent when: diff --git a/tasks/providers/http-01/wellknown.yml b/tasks/providers/http-01/wellknown.yml index 237f413..d7bd0fe 100644 --- a/tasks/providers/http-01/wellknown.yml +++ b/tasks/providers/http-01/wellknown.yml @@ -1,17 +1,7 @@ --- -# # acme_data.challenge_data => -# # "DNS NAME": { -# # "dns-01": { -# # "resource": "_acme-challenge", -# # "resource_value": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" -# # }, -# # "http-01": { -# # "resource": ".well-known/acme-challenge/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", -# # "resource_value": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.yyyyyyyy-yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy" -# # } -# # }, +## Creating & adding the well-known acme-challenge file with data -- name: Copy HTTP well-know ACME Challege data to file +- name: Copy HTTP well-known ACME Challege data to file copy: content: "{{ acme_data.challenge_data[lets_encrypt_resource_domain]['http-01']['resource_value'] }}" dest: "{{ lets_encrypt_http_path }}/{{ acme_data.challenge_data[lets_encrypt_resource_domain]['http-01']['resource'] }}" diff --git a/tasks/wellknow.yml b/tasks/wellknown.yml similarity index 100% rename from tasks/wellknow.yml rename to tasks/wellknown.yml
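Review bot: The task name in `tasks/providers/http-01/wellknown.yml` still carries a typo after this typo-fixing patch: `Challege` should be `Challenge`, i.e. `- name: Copy HTTP well-known ACME Challenge data to file`. The replacement header `## Creating & adding the well-known acme-challenge file with data` would read more precisely as `## Write the http-01 challenge token returned by the ACME server into the web root`.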