ansible/roles/letsencrypt/tasks/main.yml

- name: setup defaults file
  copy: >
    dest=/etc/letsencrypt/cli.ini
    src=cli.ini
    owner=root
    group=root
    mode=0644
  tags:
  - letsencrypt
  
- name: Generate (or renew) the certificate
  delegate_to: "certgetter01.iad2.fedoraproject.org"
  command: certbot certonly --expand --keep -n --webroot --webroot-path /var/www/html/ -d {{','.join([site_name] + server_aliases)}}
  run_once: true
  register: certbot_output
  check_mode: no
  changed_when: "not ('not yet due for renewal' in certbot_output.stderr)"
  tags:
  - letsencrypt

# Find the directory to use
- name: Get the directory to use
  delegate_to: "certgetter01.iad2.fedoraproject.org"
  # Sometimes we get directories like site-0001, site-0002, etc. We want the latest
  shell: "file /etc/letsencrypt/live/{{site_name}}* | tail -1 | sed -e 's/: directory//' | tr -d '\n'"
  register: certbot_dir
  changed_when: 'false'
  check_mode: no
  tags:
  - letsencrypt

# And once we do that, we need to copy some things.
- name: Obtain the certificate
  delegate_to: "certgetter01.iad2.fedoraproject.org"
  command: "cat {{certbot_dir.stdout}}/cert.pem"
  register: certbot_certificate
  changed_when: 'false'
  check_mode: no
  tags:
  - letsencrypt

- name: Obtain the intermediate certificate
  delegate_to: "certgetter01.iad2.fedoraproject.org"
  command: cat {{certbot_dir.stdout}}/chain.pem
  register: certbot_chain
  changed_when: 'false'
  check_mode: no
  tags:
  - letsencrypt

- name: Obtain the key
  delegate_to: "certgetter01.iad2.fedoraproject.org"
  command: cat {{certbot_dir.stdout}}/privkey.pem
  register: certbot_key
  changed_when: 'false'
  check_mode: no
  tags:
  - letsencrypt

- name: Install the certificate
  copy: >
    dest=/etc/pki/tls/certs/{{site_name}}.cert
    content="{{certbot_certificate.stdout}}"
    owner=root
    group=root
    mode=0644
  notify:
  - reload proxyhttpd
  tags:
  - letsencrypt

- name: Install the intermediate/chain certificate
  copy: >
    dest=/etc/pki/tls/certs/{{site_name}}.intermediate.cert
    content="{{certbot_chain.stdout}}"
    owner=root
    group=root
    mode=0644
  notify:
  - reload proxyhttpd
  tags:
  - letsencrypt

- name: Install the key
  copy: >
    dest=/etc/pki/tls/private/{{site_name}}.key
    content="{{certbot_key.stdout}}"
    owner=root
    group=root
    mode=0600
  notify:
  - reload proxyhttpd
  tags:
  - letsencrypt

- name: Install the certificate (additional host)
  copy: >
    dest=/etc/pki/tls/certs/{{site_name}}.cert
    content="{{certbot_certificate.stdout}}"
    owner=root
    group=root
    mode=0644
  notify:
  - reload proxyhttpd
  tags:
  - letsencrypt
  delegate_to: "{{ certbot_addhost }}"
  when: certbot_addhost is defined

- name: Install the intermediate/chain certificate (additional host)
  copy: >
    dest=/etc/pki/tls/certs/{{site_name}}.intermediate.cert
    content="{{certbot_chain.stdout}}"
    owner=root
    group=root
    mode=0644
  notify:
  - reload proxyhttpd
  tags:
  - letsencrypt
  delegate_to: "{{ certbot_addhost }}"
  when: certbot_addhost is defined

- name: Install the key (additional host)
  copy: >
    dest=/etc/pki/tls/private/{{site_name}}.key
    content="{{certbot_key.stdout}}"
    owner=root
    group=root
    mode=0600
  notify:
  - reload proxyhttpd
  tags:
  - letsencrypt
  delegate_to: "{{ certbot_addhost }}"
  when: certbot_addhost is defined