roles/nginx: minor rework of acme.sh tasks

After the inital acme.sh script is downloaded and bootstrapped we
can remove it. If a host already has been bootstrapped then there
is no need to download it and do it over again.
This commit is contained in:
Alan Orth 2021-09-27 13:40:17 +03:00
parent 65e6dd34cd
commit 89fd642b78
Signed by: alanorth
GPG Key ID: 0FB860CC9C45B1B9
2 changed files with 20 additions and 5 deletions

View File

@ -33,8 +33,8 @@ letsencrypt_root: /etc/ssl
# Location where to save initial acme.sh script. After installation the script
# will automatically create its home in the /root/.acme.sh directory (including
# a copy of the script itself).
letsencrypt_acme_script: /root/acme.sh
# a copy of the script itself). The initial script is not needed after.
letsencrypt_acme_script_temp: /root/acme.sh
letsencrypt_acme_home: /root/.acme.sh
# stable is 1.20.x

View File

@ -16,24 +16,39 @@
- /etc/letsencrypt/renewal-hooks/pre/stop-nginx.sh
- /etc/letsencrypt/renewal-hooks/post/start-nginx.sh
- name: Check if acme.sh is installed
stat:
path: "{{ letsencrypt_acme_home }}"
register: acme_home
- name: Download acme.sh
get_url:
url: https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh
dest: "{{ letsencrypt_acme_script }}"
dest: "{{ letsencrypt_acme_script_temp }}"
mode: 0700
register: acme_download
when: not acme_home.stat.exists
# Run the "install" for acme.sh so it creates the .acme.sh dir (currently I
# have to chdir to the /root directory where the script exists or else it
# fails. Ansible runs it, but the script can't find itself...).
- name: Install acme.sh
ansible.builtin.command:
cmd: "{{ letsencrypt_acme_script }} --install --no-profile --no-cron"
cmd: "{{ letsencrypt_acme_script_temp }} --install --no-profile --no-cron"
creates: "{{ letsencrypt_acme_home }}/acme.sh"
chdir: /root
register: acme_install
when: acme_download is changed
- name: Remove temporary acme.sh script
file:
dest: "{{ letsencrypt_acme_script_temp }}"
state: absent
when: acme_install.rc is defined and acme_install.rc == 0
- name: Set default certificate authority for acme.sh
ansible.builtin.command:
cmd: "{{ letsencrypt_acme_script }} --set-default-ca --server letsencrypt"
cmd: "{{ letsencrypt_acme_home }}/acme.sh --set-default-ca --server letsencrypt"
- name: Prepare Let's Encrypt well-known directory
file: