---
# Announce which domain this task file is currently handling.
- ansible.builtin.debug:
    msg: 'Dealing with SSL certificate retrieval for domain: {{ domain_name }}'
# Expected location of the full-chain certificate for this domain, following
# the usual certbot layout (live/<domain>/fullchain.pem) under the config dir
# that is later bind-mounted into the certbot container as /etc/letsencrypt.
- ansible.builtin.set_fact:
    domain_name_certificate_path: '{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/fullchain.pem'
# Only the existence of the file is consulted below (stat.exists);
# validity/expiry of an existing certificate is not checked here.
- name: Check if a certificate for the domain already exists
  ansible.builtin.stat:
    path: '{{ domain_name_certificate_path }}'
  register: domain_name_certificate_path_stat
# A missing fullchain.pem is what triggers the retrieval attempts below.
- ansible.builtin.set_fact:
    domain_name_needs_cert: '{{ not domain_name_certificate_path_stat.stat.exists }}'
# Some setups need another service (matrix_ssl_pre_obtaining_required_service_name)
# running before a certificate can be obtained. Start it and give it time to come up.
# The whole block is skipped when no such service is configured (empty name).
- block:
    - name: Ensure required service for obtaining is started
      ansible.builtin.service:
        name: '{{ matrix_ssl_pre_obtaining_required_service_name }}'
        state: started
      register: matrix_ssl_pre_obtaining_required_service_start_result

    # Pause only when the task above actually started the service.
    - name: Wait some time, so that the required service for obtaining can start
      ansible.builtin.wait_for:
        timeout: '{{ matrix_ssl_pre_obtaining_required_service_start_wait_time_seconds }}'
      when: matrix_ssl_pre_obtaining_required_service_start_result.changed | bool
  when: "domain_name_needs_cert | bool and matrix_ssl_pre_obtaining_required_service_name != ''"
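# This will fail if there is something running on port 80 (like matrix-nginx-proxy).
# We suppress the error, as we'll try another method below.
#
# Hardening already applied to the container: runs as the configured matrix uid/gid,
# every capability dropped, removed on exit, and only the config and log directories
# are bind-mounted. `shell` (rather than `command`) is needed because the `quote`
# filter emits shell quoting; the free-form values (key type, e-mail, domain) are
# passed through `quote`, as `--server` already is, so that a value containing
# whitespace or shell metacharacters still reaches certbot as a single argument.
- name: Attempt initial SSL certificate retrieval with standalone authenticator (directly)
  ansible.builtin.shell: >-
    {{ matrix_host_command_docker }} run
    --rm
    --name=matrix-certbot
    --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
    --cap-drop=ALL
    -p {{ matrix_ssl_lets_encrypt_container_standalone_http_host_bind_port }}:8080
    --mount type=bind,src={{ matrix_ssl_config_dir_path }},dst=/etc/letsencrypt
    --mount type=bind,src={{ matrix_ssl_log_dir_path }},dst=/var/log/letsencrypt
    {{ matrix_ssl_lets_encrypt_certbot_docker_image }}
    certonly
    --non-interactive
    --work-dir=/tmp
    --http-01-port 8080
    {% if matrix_ssl_lets_encrypt_server %}--server={{ matrix_ssl_lets_encrypt_server|quote }}{% endif %}
    {% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %}
    --key-type {{ matrix_ssl_lets_encrypt_key_type|quote }}
    --standalone
    --preferred-challenges http
    --agree-tos
    --email={{ matrix_ssl_lets_encrypt_support_email|quote }}
    -d {{ domain_name|quote }}
  when: domain_name_needs_cert | bool
  register: result_certbot_direct
  # Deliberate: the result is inspected by the proxy attempt and the final fail task.
  ignore_errors: true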
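# If matrix-nginx-proxy is configured from a previous run of this playbook,
# and it's running now, it may be able to proxy requests to `matrix_ssl_lets_encrypt_certbot_standalone_http_port`.
#
# Unlike the direct attempt, the standalone listener is bound to 127.0.0.1 only and the
# container joins matrix_docker_network so the proxy can reach it. Same hardening and
# the same `quote` treatment of the free-form values as in the direct attempt above.
- name: Attempt initial SSL certificate retrieval with standalone authenticator (via proxy)
  ansible.builtin.shell: >-
    {{ matrix_host_command_docker }} run
    --rm
    --name=matrix-certbot
    --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
    --cap-drop=ALL
    -p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:8080
    --network={{ matrix_docker_network }}
    --mount type=bind,src={{ matrix_ssl_config_dir_path }},dst=/etc/letsencrypt
    --mount type=bind,src={{ matrix_ssl_log_dir_path }},dst=/var/log/letsencrypt
    {{ matrix_ssl_lets_encrypt_certbot_docker_image }}
    certonly
    --non-interactive
    --work-dir=/tmp
    --http-01-port 8080
    {% if matrix_ssl_lets_encrypt_server %}--server={{ matrix_ssl_lets_encrypt_server|quote }}{% endif %}
    {% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %}
    --key-type {{ matrix_ssl_lets_encrypt_key_type|quote }}
    --standalone
    --preferred-challenges http
    --agree-tos
    --email={{ matrix_ssl_lets_encrypt_support_email|quote }}
    -d {{ domain_name|quote }}
  # `| bool` matches how domain_name_needs_cert is tested elsewhere in this file.
  # The leading guard must stay first: it short-circuits before `.failed` is read,
  # and a skipped direct attempt may not carry that key in its registered result.
  when: "domain_name_needs_cert | bool and result_certbot_direct.failed"
  register: result_certbot_proxy
  # Deliberate: the final fail task below reports when both attempts failed.
  ignore_errors: true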
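# Both attempts above run with ignore_errors, so this is the single place where a
# failed retrieval actually aborts the play. The guards are ordered so that `.failed`
# is only read on results that were actually produced (each earlier guard short-circuits).
- name: Fail if all SSL certificate retrieval attempts failed
  ansible.builtin.fail:
    msg: |
      Failed to obtain a certificate directly (by listening on port 80)
      and also failed to obtain by relying on the server at port 80 to proxy the request.
      See above for details.
      You may wish to set up proxying of /.well-known/acme-challenge to {{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }} or,
      more easily, stop the server on port 80 while this playbook runs.
  # `| bool` matches how domain_name_needs_cert is tested elsewhere in this file.
  when: "domain_name_needs_cert | bool and result_certbot_direct.failed and result_certbot_proxy.failed"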