jaywink / ansible-letsencrypt Goto Github PK

In a secure environment it is not acceptable to download and execute a script as root, that came from an untrusted source.

The certbot repository is cloned from GitHub without checking against trusted signatures. An attacker compromising the GitHub account might alter existing releases, so that this role would force update and execute the malicious code as root.

A first step could be to run certbot in webroot mode instead of standalone and use the already installed python -m SimpleHTTPServer to serve the content of this directory for the acme-challenge. Optionally an existing server can be used that is configured to serve /.well-known/acme-challenge/ from the output directory.

It would be nice if the certbot renew job was added to cron automatically.
For my purposes, I just invoked Ansible's cron module, like this

https://github.com/perchrh/ansible-letsencrypt/commit/9de388d0783e26633ddfec0929e69a2b820be2f4

It's configured to run twice daily, as per official letsencrypt recommendations.

When attempting to stop a service that is not yet installed on the target system, the letsencrypt role exists with an error. We should therefore check if a specific service exists, before trying to start/stop it.

This becomes important when you decide to first configure your webserver and then install it without exposing the default site for a short moment. When doing so the certificates need also to be in place before installing, so that the server can successfully launch.

I'm trying to use this role to set up letsencrypt, and I'm getting the following error:

TASK: [jaywink.letsencrypt | Starting paused Services] ************************
fatal: [104.131.48.189] => with_items expects a list or a set

Looking through the code, this appears to be the line it's failing on, so _services_stopped.results is returning something unexpected.

Looking further, it appears that variable is set here, but in my case, that step is skipped:

TASK: [jaywink.letsencrypt | Stopping Services] *******************************
skipping: [104.131.48.189]

I'm not quite sure how to solve this. Maybe we need to add something to the when line for the Starting paused Services step, to check if there's anything to be started back up?

When running ansible-galaxy install ansible-letsencrypt with ansible==2.1.1.0 I get

- downloading role 'ansible-letsencrypt', owned by
 [WARNING]: - ansible-letsencrypt was NOT installed successfully: Role has no field named u'owner'

ERROR! - you can use --ignore-errors to skip failed roles and finish processing the list.

I had to zap the depth: 1 in tasks/client.yaml in order to fix this:

fatal: [example.com]: FAILED! => {
    "changed": false, 
    "cmd": "/usr/bin/git checkout --force v0.8.1", 
    "failed": true, 
    "invocation": {
        "module_args": {
            "accept_hostkey": false, 
            "bare": false, 
            "clone": true, 
            "depth": 1, 
            "dest": "/opt/certbot", 
            "executable": null, 
            "force": true, 
            "key_file": null, 
            "recursive": true, 
            "reference": null, 
            "refspec": null, 
            "remote": "origin", 
            "repo": "https://github.com/certbot/certbot", 
            "ssh_opts": null, 
            "track_submodules": false, 
            "umask": null, 
            "update": true, 
            "verify_commit": false, 
            "version": "v0.8.1"
        }, 
        "module_name": "git"
    }, 
    "msg": "Failed to checkout v0.8.1", 
    "rc": 1, 
    "stderr": "error: pathspec 'v0.8.1' did not match any file(s) known to git.\n", 
    "stdout": "", 
    "stdout_lines": []
}

My guess is this was probably not failing earlier, when v0.8.1 was current.

There are at least two scenarios that let certbot fail silently with an ignored error that should in fact stop the further execution of the playbook.

Scenario 1: Port 80 already in use

TASK [jaywink.letsencrypt : Stopping Services] *********************************

TASK [jaywink.letsencrypt : Obtain or renew cert for domain] *******************
fatal: [xxx.xxx.xxx.xxx]: FAILED! => {"changed": true, "cmd": "./certbot-auto certonly --text -n --no-self-upgrade -m [email protected] --domains example.com,www.example.com --agree-tos --standalone --expand --keep-until-expiring 2>&1", "delta": "0:00:02.407771", "end": "2016-09-20 11:42:14.899511", "failed": true, "rc": 1, "start": "2016-09-20 11:42:12.491740", "stderr": "", "stdout": "\n-------------------------------------------------------------------------------\nThe program nginx (process ID 21647) is already listening on TCP port 80. This\nwill prevent us from binding to that port. Please stop the nginx program\ntemporarily and then try again.\n-------------------------------------------------------------------------------\nAt least one of the (possibly) required ports is already taken.", "stdout_lines": ["", "-------------------------------------------------------------------------------", "The program nginx (process ID 21647) is already listening on TCP port 80. This", "will prevent us from binding to that port. Please stop the nginx program", "temporarily and then try again.", "-------------------------------------------------------------------------------", "At least one of the (possibly) required ports is already taken."], "warnings": []}
...ignoring

Scenario 2: DNS Entry not existing or resolving to wrong address

TASK [jaywink.letsencrypt : Obtain or renew cert for domain] *******************
fatal: [xxx.xxx.xxx.xxx]: FAILED! => {"changed": true, "cmd": "./certbot-auto certonly --text -n --no-self-upgrade -m [email protected] --domains example.com,www.example.com --agree-tos --standalone --expand --keep-until-expiring 2>&1", "delta": "0:00:06.842255", "end": "2016-09-20 11:43:09.344077", "failed": true, "rc": 1, "start": "2016-09-20 11:43:02.501822", "stderr": "", "stdout": "Failed authorization procedure. www.example.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up A for www.example.com\nIMPORTANT NOTES:\n - The following errors were reported by the server:\n\n   Domain: www.example.com\n   Type:   connection\n   Detail: DNS problem: NXDOMAIN looking up A for\n   www.example.com\n\n   To fix these errors, please make sure that your domain name was\n   entered correctly and the DNS A record(s) for that domain\n   contain(s) the right IP address. Additionally, please check that\n   your computer has a publicly routable IP address and that no\n   firewalls are preventing the server from communicating with the\n   client. If you're using the webroot plugin, you should also verify\n   that you are serving files from the webroot path you provided.", "stdout_lines": ["Failed authorization procedure. www.example.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up A for www.example.com", "IMPORTANT NOTES:", " - The following errors were reported by the server:", "", "   Domain: www.example.com", "   Type:   connection", "   Detail: DNS problem: NXDOMAIN looking up A for", "   www.example.com", "", "   To fix these errors, please make sure that your domain name was", "   entered correctly and the DNS A record(s) for that domain", "   contain(s) the right IP address. Additionally, please check that", "   your computer has a publicly routable IP address and that no", "   firewalls are preventing the server from communicating with the", "   client. If you're using the webroot plugin, you should also verify", "   that you are serving files from the webroot path you provided."], "warnings": []}
...ignoring

Thanks for making this. I'm trying to use it in my first ansible project, but I'm struggling to get the extra arguments option to work as I'd expect:

TASK [jaywink.letsencrypt : set_fact] ******************************************
fatal: [staging1]: FAILED! => {"failed": true, "msg": "Unexpected templating type error occurred on ({{ letsencrypt_certbot_args + ['--keep-until-expiring'] }}): coercing to Unicode: need string or buffer, list found"}

in my playbook:
- {role: jaywink.letsencrypt,
letsencrypt_domain: example.com,
letsencrypt_certbot_args: --staging --webroot -w /mnt -d example.com
}

(other things in my vars file)

As far as I can understand, the problem is related to concatenating strings in python, and possibly that python is reading what I'm giving it as a 'list' rather than a string. I wondered if I should quote the arguments, but I didn't manage to get that to work.

If it's PEBKAC, perhaps we could add an example use of that argument to the documentation.

I'm using:
Python 2.7.9
ansible 2.2.1.0
on Debian 7

Thanks again for putting this out there!

Sometimes either due to existing conflicting old certificates or via removal of domains from the original certificate (for example dropping of www. version), Certbot generates the actual cert files under a postfix -001.

This makes usage of these certs tricky since the user will most likely be pointing the web server to the cert without the -001 postfix.

Grep the output of cert renewal/issuing and if the right format name is not generated, fail the role execution (though only after restarting services).

Consider using the debs from Xenial (https://iliketoast.net/posts/874468)

Thanks for this role, I have managed to run this and have certbot to generate SSL stuff. Great.

I understand that I can run multiple subdomains validation with the following:

- role: jaywink.letsencrypt
  letsencrypt_domain: domain1.example.com
  letsencrypt_email: [email protected]
- role: jaywink.letsencrypt
  letsencrypt_domain: domain1.example.com
  letsencrypt_email: [email protected]

However this is going to go each time throught the whole process of updating certbot and then requesting validation. What I think could be implemented is something like this:

- role: jaywink.letsencrypt
  letsencrypt_entries:
    - letsencrypt_domain: domain1.example.com
      letsencrypt_email: [email protected]
    - letsencrypt_domain: domain2.example.com
      letsencrypt_email: [email protected]
    - letsencrypt_domain: domain3.example.com
      letsencrypt_email: [email protected]