--- # Use acme.sh instead of certbot because they only support installation via # snap now. - block: - name: Remove certbot apt: name: certbot state: absent - name: Remove old certbot post and pre hooks for nginx file: dest: "{{ item }}" state: absent with_items: - /etc/letsencrypt/renewal-hooks/pre/stop-nginx.sh - /etc/letsencrypt/renewal-hooks/post/start-nginx.sh - name: Download acme.sh get_url: url: https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh dest: "{{ letsencrypt_acme_script }}" mode: 0700 # Run the "install" for acme.sh so it creates the .acme.sh dir (currently I # have to chdir to the /root directory where the script exists or else it # fails. Ansible runs it, but the script can't find itself...). - name: Install acme.sh ansible.builtin.command: cmd: "{{ letsencrypt_acme_script }} --install --no-profile --no-cron" creates: "{{ letsencrypt_acme_home }}/acme.sh" chdir: /root - name: Set default certificate authority for acme.sh ansible.builtin.command: cmd: "{{ letsencrypt_acme_script }} --set-default-ca --server letsencrypt" - name: Prepare Let's Encrypt well-known directory file: state: directory path: /var/lib/letsencrypt/.well-known owner: root group: nginx mode: g+s - name: Copy systemd service to renew Let's Encrypt certs template: src: renew-letsencrypt.service.j2 dest: /etc/systemd/system/renew-letsencrypt.service mode: 0644 owner: root group: root - name: Copy systemd timer to renew Let's Encrypt certs copy: src: renew-letsencrypt.timer dest: /etc/systemd/system/renew-letsencrypt.timer mode: 0644 owner: root group: root # always issues daemon-reload just in case the service/timer changed - name: Start and enable systemd timer to renew Let's Encrypt certs systemd: name: renew-letsencrypt.timer state: started enabled: yes daemon_reload: yes when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_version is version('11', '==')) tags: letsencrypt # vim: set ts=2 sw=2: