jaywink / ansible-letsencrypt Goto Github PK
View Code? Open in Web Editor NEWAnsible role for LetsEncrypt
Ansible role for LetsEncrypt
In a secure environment it is not acceptable to download and execute a script as root, that came from an untrusted source.
The certbot repository is cloned from GitHub without checking against trusted signatures. An attacker compromising the GitHub account might alter existing releases, so that this role would force update and execute the malicious code as root.
A first step could be to run certbot in webroot
mode instead of standalone
and use the already installed python -m SimpleHTTPServer
to serve the content of this directory for the acme-challenge. Optionally an existing server can be used that is configured to serve /.well-known/acme-challenge/
from the output directory.
It would be nice if the certbot renew job was added to cron automatically.
For my purposes, I just invoked Ansible's cron module, like this
https://github.com/perchrh/ansible-letsencrypt/commit/9de388d0783e26633ddfec0929e69a2b820be2f4
It's configured to run twice daily, as per official letsencrypt recommendations.
When attempting to stop a service that is not yet installed on the target system, the letsencrypt role exists with an error. We should therefore check if a specific service exists, before trying to start/stop it.
This becomes important when you decide to first configure your webserver and then install it without exposing the default site for a short moment. When doing so the certificates need also to be in place before installing, so that the server can successfully launch.
I'm trying to use this role to set up letsencrypt, and I'm getting the following error:
TASK: [jaywink.letsencrypt | Starting paused Services] ************************
fatal: [104.131.48.189] => with_items expects a list or a set
Looking through the code, this appears to be the line it's failing on, so _services_stopped.results
is returning something unexpected.
Looking further, it appears that variable is set here, but in my case, that step is skipped:
TASK: [jaywink.letsencrypt | Stopping Services] *******************************
skipping: [104.131.48.189]
I'm not quite sure how to solve this. Maybe we need to add something to the when
line for the Starting paused Services
step, to check if there's anything to be started back up?
When running ansible-galaxy install ansible-letsencrypt
with ansible==2.1.1.0
I get
- downloading role 'ansible-letsencrypt', owned by
[WARNING]: - ansible-letsencrypt was NOT installed successfully: Role has no field named u'owner'
ERROR! - you can use --ignore-errors to skip failed roles and finish processing the list.
I had to zap the depth: 1
in tasks/client.yaml
in order to fix this:
fatal: [example.com]: FAILED! => {
"changed": false,
"cmd": "/usr/bin/git checkout --force v0.8.1",
"failed": true,
"invocation": {
"module_args": {
"accept_hostkey": false,
"bare": false,
"clone": true,
"depth": 1,
"dest": "/opt/certbot",
"executable": null,
"force": true,
"key_file": null,
"recursive": true,
"reference": null,
"refspec": null,
"remote": "origin",
"repo": "https://github.com/certbot/certbot",
"ssh_opts": null,
"track_submodules": false,
"umask": null,
"update": true,
"verify_commit": false,
"version": "v0.8.1"
},
"module_name": "git"
},
"msg": "Failed to checkout v0.8.1",
"rc": 1,
"stderr": "error: pathspec 'v0.8.1' did not match any file(s) known to git.\n",
"stdout": "",
"stdout_lines": []
}
My guess is this was probably not failing earlier, when v0.8.1 was current.
There are at least two scenarios that let certbot fail silently with an ignored error that should in fact stop the further execution of the playbook.
TASK [jaywink.letsencrypt : Stopping Services] *********************************
TASK [jaywink.letsencrypt : Obtain or renew cert for domain] *******************
fatal: [xxx.xxx.xxx.xxx]: FAILED! => {"changed": true, "cmd": "./certbot-auto certonly --text -n --no-self-upgrade -m [email protected] --domains example.com,www.example.com --agree-tos --standalone --expand --keep-until-expiring 2>&1", "delta": "0:00:02.407771", "end": "2016-09-20 11:42:14.899511", "failed": true, "rc": 1, "start": "2016-09-20 11:42:12.491740", "stderr": "", "stdout": "\n-------------------------------------------------------------------------------\nThe program nginx (process ID 21647) is already listening on TCP port 80. This\nwill prevent us from binding to that port. Please stop the nginx program\ntemporarily and then try again.\n-------------------------------------------------------------------------------\nAt least one of the (possibly) required ports is already taken.", "stdout_lines": ["", "-------------------------------------------------------------------------------", "The program nginx (process ID 21647) is already listening on TCP port 80. This", "will prevent us from binding to that port. Please stop the nginx program", "temporarily and then try again.", "-------------------------------------------------------------------------------", "At least one of the (possibly) required ports is already taken."], "warnings": []}
...ignoring
TASK [jaywink.letsencrypt : Obtain or renew cert for domain] *******************
fatal: [xxx.xxx.xxx.xxx]: FAILED! => {"changed": true, "cmd": "./certbot-auto certonly --text -n --no-self-upgrade -m [email protected] --domains example.com,www.example.com --agree-tos --standalone --expand --keep-until-expiring 2>&1", "delta": "0:00:06.842255", "end": "2016-09-20 11:43:09.344077", "failed": true, "rc": 1, "start": "2016-09-20 11:43:02.501822", "stderr": "", "stdout": "Failed authorization procedure. www.example.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up A for www.example.com\nIMPORTANT NOTES:\n - The following errors were reported by the server:\n\n Domain: www.example.com\n Type: connection\n Detail: DNS problem: NXDOMAIN looking up A for\n www.example.com\n\n To fix these errors, please make sure that your domain name was\n entered correctly and the DNS A record(s) for that domain\n contain(s) the right IP address. Additionally, please check that\n your computer has a publicly routable IP address and that no\n firewalls are preventing the server from communicating with the\n client. If you're using the webroot plugin, you should also verify\n that you are serving files from the webroot path you provided.", "stdout_lines": ["Failed authorization procedure. www.example.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up A for www.example.com", "IMPORTANT NOTES:", " - The following errors were reported by the server:", "", " Domain: www.example.com", " Type: connection", " Detail: DNS problem: NXDOMAIN looking up A for", " www.example.com", "", " To fix these errors, please make sure that your domain name was", " entered correctly and the DNS A record(s) for that domain", " contain(s) the right IP address. Additionally, please check that", " your computer has a publicly routable IP address and that no", " firewalls are preventing the server from communicating with the", " client. If you're using the webroot plugin, you should also verify", " that you are serving files from the webroot path you provided."], "warnings": []}
...ignoring
Thanks for making this. I'm trying to use it in my first ansible project, but I'm struggling to get the extra arguments option to work as I'd expect:
TASK [jaywink.letsencrypt : set_fact] ******************************************
fatal: [staging1]: FAILED! => {"failed": true, "msg": "Unexpected templating type error occurred on ({{ letsencrypt_certbot_args + ['--keep-until-expiring'] }}): coercing to Unicode: need string or buffer, list found"}
in my playbook:
- {role: jaywink.letsencrypt,
letsencrypt_domain: example.com,
letsencrypt_certbot_args: --staging --webroot -w /mnt -d example.com
}
(other things in my vars file)
As far as I can understand, the problem is related to concatenating strings in python, and possibly that python is reading what I'm giving it as a 'list' rather than a string. I wondered if I should quote the arguments, but I didn't manage to get that to work.
If it's PEBKAC, perhaps we could add an example use of that argument to the documentation.
I'm using:
Python 2.7.9
ansible 2.2.1.0
on Debian 7
Thanks again for putting this out there!
Sometimes either due to existing conflicting old certificates or via removal of domains from the original certificate (for example dropping of www.
version), Certbot generates the actual cert files under a postfix -001
.
This makes usage of these certs tricky since the user will most likely be pointing the web server to the cert without the -001
postfix.
Grep the output of cert renewal/issuing and if the right format name is not generated, fail the role execution (though only after restarting services).
Consider using the debs from Xenial (https://iliketoast.net/posts/874468)
Thanks for this role, I have managed to run this and have certbot to generate SSL stuff. Great.
I understand that I can run multiple subdomains validation with the following:
- role: jaywink.letsencrypt
letsencrypt_domain: domain1.example.com
letsencrypt_email: [email protected]
- role: jaywink.letsencrypt
letsencrypt_domain: domain1.example.com
letsencrypt_email: [email protected]
However this is going to go each time throught the whole process of updating certbot and then requesting validation. What I think could be implemented is something like this:
- role: jaywink.letsencrypt
letsencrypt_entries:
- letsencrypt_domain: domain1.example.com
letsencrypt_email: [email protected]
- letsencrypt_domain: domain2.example.com
letsencrypt_email: [email protected]
- letsencrypt_domain: domain3.example.com
letsencrypt_email: [email protected]
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.