Leverage fullchain_dest from the acme_certificate module
This simplifies the role by not requiring custom tasks to create the full certificate chain.

Signed-off-by: mprahl <mprahl@users.noreply.github.com>
mprahl committed Aug 2, 2024
1 parent dd205de commit 538c407
Showing 3 changed files with 11 additions and 23 deletions.
4 changes: 0 additions & 4 deletions README.md
Expand Up @@ -53,10 +53,6 @@ Ansible 2.7+ is required for this role. If you are using an older version of Ans
`{{ ler53_cert_common_name }}.crt`.
* **ler53_csr_file_name** - the file name of the certificate signing request (CSR) being generated.
This defaults to `{{ ler53_cert_common_name }}.csr`.
* **ler53_intermediate_download** - whether or not the Let's Encrypt intermediate CA should be
downloaded. This defaults to `true`.
* **ler53_intermediate_download_url** - the URL to download the Let's Encrypt intermediate CA. This
defaults to `https://letsencrypt.org/certs/lets-encrypt-r3.pem`.
* **ler53_intermediate_file_name** - the file name of the intermediate CA downloaded from Let's
Encrypt. This defaults to `{{ ler53_cert_common_name }}.intermediate.pem`.
* **ler53_cert_and_intermediate_file_name** - the name of the file created with the certificate and
2 changes: 0 additions & 2 deletions defaults/main.yml
Expand Up @@ -10,7 +10,6 @@ ler53_cert_dir: "/etc/ssl/{{ ler53_cert_common_name }}"
ler53_key_file_name: "{{ ler53_cert_common_name }}.key"
ler53_cert_file_name: "{{ ler53_cert_common_name }}.crt"
ler53_csr_file_name: "{{ ler53_cert_common_name }}.csr"
ler53_intermediate_download: true
ler53_intermediate_file_name: "{{ ler53_cert_common_name }}.intermediate.crt"
ler53_cert_and_intermediate_file_name: "{{ ler53_cert_common_name }}.pem"
ler53_cert_files_mode: 0600
Expand All @@ -23,4 +22,3 @@ ler53_account_key_file_name: lets_encrypt_account.key
ler53_new_cert_when_csr_changes: false
ler53_service_handlers: []
ler53_acme_directory: https://acme-v02.api.letsencrypt.org/directory
ler53_intermediate_download_url: https://letsencrypt.org/certs/lets-encrypt-r3.pem
28 changes: 11 additions & 17 deletions tasks/main.yml
Expand Up @@ -176,6 +176,7 @@
data: "{{ lets_encrypt_challenge }}"
remaining_days: "{{ ler53_cert_remaining_days_before_renewal }}"
chain_dest: "{{ ler53_cert_dir }}/{{ ler53_intermediate_file_name }}"
fullchain_dest: "{{ ler53_cert_dir }}/{{ ler53_cert_and_intermediate_file_name }}"
notify: handle services
register: lets_encrypt_validation_result

Expand Down Expand Up @@ -205,23 +206,16 @@
group: "{{ ler53_cert_files_group }}"
mode: "{{ ler53_cert_files_mode }}"

- name: get content of the certificate
command: "cat {{ ler53_cert_dir }}/{{ ler53_cert_file_name }}"
register: ler53_certificate_content
changed_when: false
when: ler53_intermediate_download | bool

- name: get content of the intermediate CA
command: "cat {{ ler53_cert_dir }}/{{ ler53_intermediate_file_name }}"
register: ler53_intermediate_content
changed_when: false
when: ler53_intermediate_download | bool

- name: create a file with the certificate and intermediate CA concatenated
copy:
content: "{{ ler53_certificate_content['stdout'] + '\n' + ler53_intermediate_content['stdout'] + '\n' }}"
dest: "{{ ler53_cert_dir }}/{{ ler53_cert_and_intermediate_file_name }}"
- name: set the intermediate cert file permissions
file:
path: "{{ ler53_cert_dir }}/{{ ler53_intermediate_file_name }}"
owner: "{{ ler53_cert_files_owner }}"
group: "{{ ler53_cert_files_group }}"
mode: "{{ ler53_cert_files_mode }}"

- name: set the full cert chain file permissions
file:
path: "{{ ler53_cert_dir }}/{{ ler53_cert_and_intermediate_file_name }}"
owner: "{{ ler53_cert_files_owner }}"
group: "{{ ler53_cert_files_group }}"
mode: "{{ ler53_cert_files_mode }}"
when: ler53_intermediate_download | bool
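Review bot: The two new `file` tasks for the intermediate CA and full-chain files repeat the owner/group/mode stanza of the `set the certificate file permissions` task they follow (that task starts above this hunk), so the role now carries three copies of the same permission logic that must be kept in step; since the README states Ansible 2.7+ is required, one task with `loop:` over the three file names does the same work and is described below. The path the new intermediate task manages comes from `ler53_intermediate_file_name`, whose default in defaults/main.yml is `{{ ler53_cert_common_name }}.intermediate.crt`, while the README in this same commit still documents it as `.intermediate.pem`; the README line should read `.intermediate.crt`. Removing `ler53_intermediate_download_url` also removes the only way a caller could influence which chain ends up in the bundle, because `fullchain_dest` writes whatever chain the ACME server returns; if the installed acme_certificate module supports the `select_chain` option, consider exposing it through an optional role variable for callers that need to pin an alternate chain.
```yaml
- name: set the certificate, intermediate CA and full chain file permissions
  file:
    path: "{{ ler53_cert_dir }}/{{ item }}"
    owner: "{{ ler53_cert_files_owner }}"
    group: "{{ ler53_cert_files_group }}"
    mode: "{{ ler53_cert_files_mode }}"
  loop:
    - "{{ ler53_cert_file_name }}"
    - "{{ ler53_intermediate_file_name }}"
    - "{{ ler53_cert_and_intermediate_file_name }}"
```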
