---
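- name: Generate private keys
  # umask 077 so the key file is created owner-only from the start; the
  # shell redirect otherwise creates it with the default umask (typically
  # 0644) and it stays readable by others until the permissions task runs.
  shell: umask 077 && openssl genrsa 4096 > "{{ letsencrypt_keys_dir }}/{{ item.key }}.key"
  args:
    # idempotent: an existing key is never regenerated
    creates: "{{ letsencrypt_keys_dir }}/{{ item.key }}.key"
  when: site_uses_letsencrypt
  with_dict: "{{ wordpress_sites }}"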
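- name: Ensure correct permissions on private keys
  file:
    path: "{{ letsencrypt_keys_dir }}/{{ item.key }}.key"
    # quoted: a bare 0600 is an octal int under YAML 1.1 but a decimal int
    # under YAML 1.2 parsers; the string form is unambiguous
    mode: "0600"
  when: site_uses_letsencrypt
  with_dict: "{{ wordpress_sites }}"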
- name: Generate Lets Encrypt certificate IDs
  # A 7-character fingerprint per site, hashed over the site hosts, the CA,
  # the acme-tiny commit, the intermediate cert checksum, the account key
  # and the site's private key, so the ID changes when any input changes.
  shell: |
    echo "{{ [site_hosts | join(' '), letsencrypt_ca, acme_tiny_commit, letsencrypt_intermediate_cert_sha256sum] | join('\n') }}" |
    cat {{ letsencrypt_account_key }} {{ letsencrypt_keys_dir }}/{{ item.key }}.key - |
    md5sum | cut -c -7
  register: generate_cert_ids
  # read-only computation: never report a change
  changed_when: false
  tags:
    - wordpress
    - wordpress-setup
    - nginx-includes
  when: site_uses_letsencrypt
  with_dict: "{{ wordpress_sites }}"
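- name: Generate CSRs
  # bash is required for the <( ... ) process substitutions, which append a
  # [SAN] section to the system openssl.cnf without a temporary file. The
  # subject is left empty; all site hosts go into subjectAltName.
  # Folded scalar: line breaks become single spaces, and printf's '\n'
  # stays a literal backslash-n that printf itself expands.
  shell: >-
    openssl req -new -sha256
    -key '{{ letsencrypt_keys_dir }}/{{ item.key }}.key'
    -subj '/'
    -reqexts SAN
    -config <(cat /etc/ssl/openssl.cnf <(printf '[SAN]\nsubjectAltName=DNS:{{ site_hosts | join(',DNS:') }}'))
    > '{{ acme_tiny_data_directory }}/csrs/{{ item.key }}-{{ letsencrypt_cert_ids[item.key] }}.csr'
  args:
    executable: /bin/bash
    # the CSR name embeds the certificate ID, so a changed ID yields a new CSR
    creates: "{{ acme_tiny_data_directory }}/csrs/{{ item.key }}-{{ letsencrypt_cert_ids[item.key] }}.csr"
  when: site_uses_letsencrypt
  with_dict: "{{ wordpress_sites }}"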
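- name: Generate certificate renewal script
  template:
    src: renew-certs.py
    dest: "{{ acme_tiny_data_directory }}/renew-certs.py"
    # quoted: a bare 0700 is an octal int under YAML 1.1 but a decimal int
    # under YAML 1.2 parsers; the string form is unambiguous
    mode: "0700"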
- name: Generate the certificates
  # Runs the rendered renewal script from inside the acme-tiny data
  # directory and reloads nginx only when the script reports a created
  # certificate on stdout.
  command: ./renew-certs.py
  args:
    chdir: "{{ acme_tiny_data_directory }}"
  register: generate_certs
  # an undefined stdout counts as "nothing changed"
  changed_when: "'Created' in (generate_certs.stdout | default(''))"
  notify: reload nginx