From 96fd17fb7866ec1e15db688f9b8ef61c9dbf120d Mon Sep 17 00:00:00 2001
From: Ricky Elrod
Date: Wed, 29 Jun 2016 14:53:50 +0000
Subject: [PATCH] first attempt at certbot role
Signed-off-by: Ricky Elrod
---
roles/certbot/README | 22 ++++++++++++++++++++++
roles/certbot/files/acme-challenge.conf | 3 +++
roles/certbot/tasks/main.yml | 13 +++++++++++++
3 files changed, 38 insertions(+)
create mode 100644 roles/certbot/README
create mode 100644 roles/certbot/files/acme-challenge.conf
create mode 100644 roles/certbot/tasks/main.yml
diff --git a/roles/certbot/README b/roles/certbot/README
new file mode 100644
index 0000000000..6e44d28e42
--- /dev/null
+++ b/roles/certbot/README
@@ -0,0 +1,22 @@
+First go at a certbot/letsencrypt role for Fedora Infra
+
+To use it:
+
+1) Include the role in your playbook. This will install certbot and put a
+ tiny bit of Apache config in place, along with a monthly cron to attempt to
+ renew certificates.
+2) Add the following lines to your Apache virthost:
+
+ RewriteEngine on
+ RewriteRule ^/\.well-known/(.*) /srv/web/acme-challenge/.well-known/$1 [L]
+
+2) ssh to the relevant box
+
+ # TODO: Fix selinux stuff - the cron won't work until it's fixed either.
+ service httpd graceful
+ setenforce 0
+ certbot certonly --manual-public-ip-logging-ok --webroot -w \
+ /srv/web/acme-challenge/ -d YOURINSTANCE.fedorainfracloud.org
+ setenforce 1
+
+
diff --git a/roles/certbot/files/acme-challenge.conf b/roles/certbot/files/acme-challenge.conf
new file mode 100644
index 0000000000..e5bbc747c2
--- /dev/null
+++ b/roles/certbot/files/acme-challenge.conf
@@ -0,0 +1,3 @@
+
+ Require all granted
+
diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml
new file mode 100644
index 0000000000..04999260dd
--- /dev/null
+++ b/roles/certbot/tasks/main.yml
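Review bot: `Require all granted` in acme-challenge.conf opens the whole `/srv/web/acme-challenge` tree rather than only the challenge path; the README's RewriteRule maps everything under `/.well-known/` into that directory, so any file that ends up there becomes readable through every vhost that carries the rewrite. Scope the directive to `/srv/web/acme-challenge/.well-known/acme-challenge` and pair it with `Options None` and `AllowOverride None` so neither directory indexes nor `.htaccess` processing are enabled for it. The first and last lines of the hunk print blank here, presumably a `<Directory …>` wrapper stripped by the renderer; confirm it is actually present in the file, since `Require` is not accepted at the top level of a conf.d file.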
@@ -0,0 +1,13 @@
+- name: Install the needed packages
+ yum: pkg={{item}} state=present
+ with_items:
+ - certbot
+
+- name: Create directory for ACME challenge
+ file: dest=/srv/web/acme-challenge state=directory
+
+- name: Allow httpd to see ACME challenge directory
+ copy: src=acme-challenge.conf dest=/etc/httpd/conf.d/acme-challenge.conf
+
+- name: Certbot renewal cron
+ cron: special_time=monthly job="certbot renew"
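Review bot: The role creates `/srv/web/acme-challenge` but never sets an SELinux file context on it, so with enforcing mode on httpd cannot serve what certbot writes there; the README works around this with `setenforce 0` plus a TODO, and the same gap is why it expects the monthly cron not to work. Add a `sefcontext` task labelling `/srv/web/acme-challenge(/.*)?` as `httpd_sys_content_t` followed by `restorecon -R`, which removes the need for the `setenforce` step in the README. The cron task has two further problems: `special_time=monthly` can skip the renewal window entirely (a 90-day certificate can still be outside certbot's 30-day threshold at one run and expired before the next), and `certbot renew` alone never reloads httpd, so a renewed certificate is not served until someone restarts it; run it at least daily with a `--post-hook` that gracefully reloads httpd. Giving the `cron:` entry a `name=` also lets Ansible manage it idempotently, whereas without a name the module adds a new crontab line on every run. Passing the package list straight to `yum: pkg=` instead of iterating `{{item}}` with `with_items` would be the more current form, though that is only style.
```yaml
# … unchanged: package install, challenge directory, conf.d copy …

- name: Label the ACME challenge directory so httpd can read it under SELinux
  sefcontext: target='/srv/web/acme-challenge(/.*)?' setype=httpd_sys_content_t state=present

- name: Apply the SELinux label to files already in place
  command: restorecon -R /srv/web/acme-challenge

- name: Certbot renewal cron
  cron: name="certbot renew" special_time=daily job="certbot renew --post-hook 'service httpd graceful'"
```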