70 lines
2.7 KiB
YAML
70 lines
2.7 KiB
YAML
- debug:
|
|
msg: "Dealing with SSL certificate retrieval for domain: {{ domain_name }}"
|
|
|
|
- set_fact:
|
|
domain_name_certificate_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/cert.pem"
|
|
|
|
- name: Check if a certificate for the domain already exists
|
|
stat:
|
|
path: "{{ domain_name_certificate_path }}"
|
|
register: domain_name_certificate_path_stat
|
|
|
|
- set_fact:
|
|
domain_name_needs_cert: "{{ not domain_name_certificate_path_stat.stat.exists }}"
|
|
|
|
# This will fail if there is something running on port 80 (like matrix-nginx-proxy).
|
|
# We suppress the error, as we'll try another method below.
|
|
- name: Attempt initial SSL certificate retrieval with standalone authenticator (directly)
|
|
shell: >-
|
|
/usr/bin/docker run
|
|
--rm
|
|
--name=matrix-certbot
|
|
--net=host
|
|
-v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt
|
|
-v {{ matrix_ssl_log_dir_path }}:/var/log/letsencrypt
|
|
{{ matrix_ssl_certbot_docker_image }}
|
|
certonly
|
|
--non-interactive
|
|
{% if matrix_ssl_use_staging %}--staging{% endif %}
|
|
--standalone
|
|
--preferred-challenges http
|
|
--agree-tos
|
|
--email={{ matrix_ssl_support_email }}
|
|
-d {{ domain_name }}
|
|
when: "domain_name_needs_cert"
|
|
register: result_certbot_direct
|
|
ignore_errors: true
|
|
|
|
# If matrix-nginx-proxy is configured from a previous run of this playbook,
|
|
# and it's running now, it may be able to proxy requests to `matrix_ssl_certbot_standalone_http_port`.
|
|
- name: Attempt initial SSL certificate retrieval with standalone authenticator (via proxy)
|
|
shell: >-
|
|
/usr/bin/docker run
|
|
--rm
|
|
--name=matrix-certbot
|
|
-p 127.0.0.1:{{ matrix_ssl_certbot_standalone_http_port }}:80
|
|
--network={{ matrix_docker_network }}
|
|
-v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt
|
|
-v {{ matrix_ssl_log_dir_path }}:/var/log/letsencrypt
|
|
{{ matrix_ssl_certbot_docker_image }}
|
|
certonly
|
|
--non-interactive
|
|
{% if matrix_ssl_use_staging %}--staging{% endif %}
|
|
--standalone
|
|
--preferred-challenges http
|
|
--agree-tos
|
|
--email={{ matrix_ssl_support_email }}
|
|
-d {{ domain_name }}
|
|
when: "domain_name_needs_cert and result_certbot_direct.failed"
|
|
register: result_certbot_proxy
|
|
ignore_errors: true
|
|
|
|
- name: Fail if all SSL certificate retrieval attempts failed
|
|
fail:
|
|
msg: |
|
|
Failed to obtain a certificate directly (by listening on port 80)
|
|
and also failed to obtain by relying on the server at port 80 to proxy the request.
|
|
See above for details.
|
|
You may wish to set up proxying of /.well-known/acme-challenge to {{ matrix_ssl_certbot_standalone_http_port }} or,
|
|
more easily, stop the server on port 80 while this playbook runs.
|
|
when: "domain_name_needs_cert and result_certbot_direct.failed and result_certbot_proxy.failed" |