ansible/roles/letsencrypt/tasks/main.yml

---
- name: Setup defaults file
  delegate_to: "certgetter01.iad2.fedoraproject.org"
  ansible.builtin.copy: >
    dest=/etc/letsencrypt/cli.ini
    src=cli.ini
    owner=root
    group=root
    mode=0644
  tags:
  - letsencrypt

- name: Generate (or renew) the certificate
  delegate_to: "certgetter01.iad2.fedoraproject.org"
  ansible.builtin.command: certbot certonly --expand --keep -n --webroot --webroot-path /var/www/html/ -d {{','.join([site_name] + server_aliases)}}
  run_once: true
  register: certbot_output
  check_mode: no
  changed_when: "not ('not yet due for renewal' in certbot_output.stdout)"
  tags:
  - letsencrypt

# Find the directory to use
- name: Get the directory to use
  delegate_to: "certgetter01.iad2.fedoraproject.org"
  # Sometimes we get directories like site-0001, site-0002, etc. We want the latest
  ansible.builtin.shell: "file /etc/letsencrypt/live/{{site_name}}* | tail -1 | sed -e 's/: directory//' | tr -d '\n'"
  register: certbot_dir
  changed_when: 'false'
  check_mode: no
  tags:
  - letsencrypt

# And once we do that, we need to copy some things.
- name: Obtain the certificate
  delegate_to: "certgetter01.iad2.fedoraproject.org"
  ansible.builtin.command: "cat {{certbot_dir.stdout}}/cert.pem"
  register: certbot_certificate
  changed_when: 'false'
  check_mode: no
  tags:
  - letsencrypt

- name: Obtain the intermediate certificate
  delegate_to: "certgetter01.iad2.fedoraproject.org"
  ansible.builtin.command: cat {{certbot_dir.stdout}}/chain.pem
  register: certbot_chain
  changed_when: 'false'
  check_mode: no
  tags:
  - letsencrypt

- name: Obtain the key
  delegate_to: "certgetter01.iad2.fedoraproject.org"
  ansible.builtin.command: cat {{certbot_dir.stdout}}/privkey.pem
  register: certbot_key
  changed_when: 'false'
  check_mode: no
  tags:
  - letsencrypt

- name: Install the certificate
  ansible.builtin.copy: >
    dest=/etc/pki/tls/certs/{{site_name}}.cert
    content="{{certbot_certificate.stdout}}"
    owner=root
    group=root
    mode=0644
  notify:
  - reload proxyhttpd
  tags:
  - letsencrypt

- name: Install the intermediate/chain certificate
  ansible.builtin.copy: >
    dest=/etc/pki/tls/certs/{{site_name}}.intermediate.cert
    content="{{certbot_chain.stdout}}"
    owner=root
    group=root
    mode=0644
  notify:
  - reload proxyhttpd
  tags:
  - letsencrypt

- name: Install the key
  ansible.builtin.copy: >
    dest=/etc/pki/tls/private/{{site_name}}.key
    content="{{certbot_key.stdout}}"
    owner=root
    group=root
    mode=0600
  notify:
  - reload proxyhttpd
  tags:
  - letsencrypt

- name: Install the certificate (additional host)
  ansible.builtin.copy: >
    dest=/etc/pki/tls/certs/{{site_name}}.cert
    content="{{certbot_certificate.stdout}}"
    owner=root
    group=root
    mode=0644
  notify:
  - reload proxyhttpd
  tags:
  - letsencrypt
  delegate_to: "{{ certbot_addhost }}"
  when:
    - certbot_addhost is defined

- name: Install the intermediate/chain certificate (additional host)
  ansible.builtin.copy: >
    dest=/etc/pki/tls/certs/{{site_name}}.intermediate.cert
    content="{{certbot_chain.stdout}}"
    owner=root
    group=root
    mode=0644
  notify:
  - reload proxyhttpd
  tags:
  - letsencrypt
  delegate_to: "{{ certbot_addhost }}"
  when:
    - certbot_addhost is defined

- name: Install the key (additional host)
  ansible.builtin.copy: >
    dest=/etc/pki/tls/private/{{site_name}}.key
    content="{{certbot_key.stdout}}"
    owner=root
    group=root
    mode=0600
  notify:
  - reload proxyhttpd
  tags:
  - letsencrypt
  delegate_to: "{{ certbot_addhost }}"
  when:
    - certbot_addhost is defined

- name: Install certificate bundle
  template: >
    dest=/etc/pki/tls/certs/{{site_name}}.bundle.cert
    src=combined.j2
    owner=root
    group=root
    mode=0644
  notify:
  - restart stunnel
  tags:
  - letsencrypt
  delegate_to: "{{ certbot_bundlehost }}"
  when: certbot_bundlehost is defined