system-config/playbooks/roles/letsencrypt-install-txt-record/tasks/main.yaml

- name: Make key list
  set_fact:
    acme_txt_keys: []

- name: Build key list
  set_fact:
    acme_txt_keys: '{{ acme_txt_keys }} + {{ hostvars[item]["acme_txt_required"] | default([]) }}'
  with_inventory_hostnames:
    - letsencrypt:!disabled

# NOTE(ianw): Most of the time, we won't have anything to actually do
# as we don't have new keys or renewals due.
- name: Deploy TXT records
  block:
    - name: Deploy new zone.db
      template:
        src: zone.db.j2
        dest: /var/lib/bind/zones/acme.opendev.org/zone.db

    - name: Ensure domain is valid
      shell: named-checkzone acme.opendev.org /var/lib/bind/zones/acme.opendev.org/zone.db

    - name: Reload domain
      shell: rndc reload acme.opendev.org

    - name: Pause to allow nameserver propagation
      pause:
        minutes: 1

  when: acme_txt_keys | length > 0
letsencrypt support This change contains the roles and testing for deploying certificates on hosts using letsencrypt with domain authentication. From a top level, the process is implemented in the roles as follows: 1) letsencrypt-acme-sh-install This role installs the acme.sh tool on hosts in the letsencrypt group, along with a small custom driver script to help parse output that is used by later roles. 2) letsencrypt-request-certs This role runs on each host, and reads a host variable describing the certificates required. It uses the acme.sh tool (via the driver) to request the certificates from letsencrypt. It populates a global Ansible variable with the authentication TXT records required. If the certificate exists on the host and is not within the renewal period, it should do nothing. 3) letsencrypt-install-txt-record This role runs on the adns server. It installs the TXT records generated in step 2 to the acme.opendev.org domain and then refreshes the server. Hosts wanting certificates will have pre-provisioned CNAME records for _acme-challenge.host.opendev.org pointing to acme.opendev.org. 4) letsencrypt-create-certs This role runs on each host, reading the same variable as in step 2. However this time the acme.sh tool is run to authenticate and create the certificates, which should now work correctly via the TXT records from step 3. After this, the host will have the full certificate material. Testing is added via testinfra. For testing purposes requests are made to the staging letsencrypt servers and a self-signed certificate is provisioned in step 4 (as the authentication is not available during CI). We test that the DNS TXT records are created locally on the CI adns server, however. Related-Spec: https://review.openstack.org/587283 Change-Id: I1f66da614751a29cc565b37cdc9ff34d70fdfd3f 2019-02-14 08:10:51 +11:00			`- name: Make key list`
			`set_fact:`
			`acme_txt_keys: []`

			`- name: Build key list`
			`set_fact:`
Handle offline hosts in LE role If a host is offline, Ansible will not have set the required txt keys host variable for that host. When the task to update the dns master with new txt records runs, it will fail due to an undefined variable: 'ansible.vars.hostvars.HostVarsVars object' has no attribute 'acme_txt_required' This supplies a default value so that in that case, the task may proceed and other hosts will have their LE certs serviced. Change-Id: I62efbe086d801d803b2f2c3223ece8f608c668a1 2020-01-08 10:21:53 -08:00			`acme_txt_keys: '{{ acme_txt_keys }} + {{ hostvars[item]["acme_txt_required"] \| default([]) }}'`
letsencrypt-install-txt-record: skip disabled hosts We are seeing: fatal: [adns1.opendev.org]: FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: 'ansible.vars.hostvars.HostVarsVars object' has no attribute 'acme_txt_required' I belive this is because we have a disabled mirror host now. So the iad.rx.opendev.org mirror is in the "letsencrypt" group, but because it is also disabled the prior role (letsencrypt-request-certs) has not run and it has not populated it's "acme_txt_required" variable. We should skip disabled hosts when inspecting the hosts for this variable. Add this to the "with_inventory_hostnames" match. Change-Id: I33a1c8b6f7e8499248e370f69a9f573a2bf106a5 2019-07-01 13:06:57 +10:00			`with_inventory_hostnames:`
			`- letsencrypt:!disabled`
letsencrypt support This change contains the roles and testing for deploying certificates on hosts using letsencrypt with domain authentication. From a top level, the process is implemented in the roles as follows: 1) letsencrypt-acme-sh-install This role installs the acme.sh tool on hosts in the letsencrypt group, along with a small custom driver script to help parse output that is used by later roles. 2) letsencrypt-request-certs This role runs on each host, and reads a host variable describing the certificates required. It uses the acme.sh tool (via the driver) to request the certificates from letsencrypt. It populates a global Ansible variable with the authentication TXT records required. If the certificate exists on the host and is not within the renewal period, it should do nothing. 3) letsencrypt-install-txt-record This role runs on the adns server. It installs the TXT records generated in step 2 to the acme.opendev.org domain and then refreshes the server. Hosts wanting certificates will have pre-provisioned CNAME records for _acme-challenge.host.opendev.org pointing to acme.opendev.org. 4) letsencrypt-create-certs This role runs on each host, reading the same variable as in step 2. However this time the acme.sh tool is run to authenticate and create the certificates, which should now work correctly via the TXT records from step 3. After this, the host will have the full certificate material. Testing is added via testinfra. For testing purposes requests are made to the staging letsencrypt servers and a self-signed certificate is provisioned in step 4 (as the authentication is not available during CI). We test that the DNS TXT records are created locally on the CI adns server, however. Related-Spec: https://review.openstack.org/587283 Change-Id: I1f66da614751a29cc565b37cdc9ff34d70fdfd3f 2019-02-14 08:10:51 +11:00
			`# NOTE(ianw): Most of the time, we won't have anything to actually do`
			`# as we don't have new keys or renewals due.`
			`- name: Deploy TXT records`
			`block:`
			`- name: Deploy new zone.db`
			`template:`
			`src: zone.db.j2`
			`dest: /var/lib/bind/zones/acme.opendev.org/zone.db`

			`- name: Ensure domain is valid`
			`shell: named-checkzone acme.opendev.org /var/lib/bind/zones/acme.opendev.org/zone.db`

			`- name: Reload domain`
			`shell: rndc reload acme.opendev.org`
letsencrypt-install-txt-record: pause after adding TXT records The rdnc reload should notify the child nameservers which will update quickly, but for general sanity pause 1 minute to allow for propagation of the added authentication records before continuing. Change-Id: Ic0f9398e056df77c96824eff8215395947997d82 2020-10-28 13:43:50 +11:00
			`- name: Pause to allow nameserver propagation`
			`pause:`
			`minutes: 1`

			`when: acme_txt_keys \| length > 0`