simp_le client running as unprivileged user #18
Closed
9 commits
5d5086d robbyoconnor: Make the entirety of the command args configurable
68763f2 gronke: simp_le client running as unprivileged user
d0ccc8b gronke: fix simp_le arguments after rebase
3e7da56 gronke: address feedback from @jaywink
c7b4bb7 gronke: re-enable default LetsEncrypt tos hash
994b850 gronke: fix missing 'state=directory' in client task
8b32a54 gronke: make role a bit less invasive
841d793 gronke: upstart job for python webserver
8ef3439 gronke: support upstart to start/stop python web server
@@ -1,2 +1,3 @@ | ||
Jason Robinson (@jaywink) | ||
Robert O'Connor (@robbyoconnor) | ||
Stefan Grönke (@gronke) |
@@ -1,38 +1,77 @@ | ||
--- | ||
|
||
- set_fact: _letsencrypt_certbot_args="{{letsencrypt_certbot_args + ['--renew-by-default']}}" | ||
when: letsencrypt_force_renew == true | ||
|
||
- set_fact: _letsencrypt_certbot_args="{{letsencrypt_certbot_args + ['--keep-until-expiring']}}" | ||
when: letsencrypt_force_renew != true | ||
|
||
- set_fact: _letsencrypt_domains="{{letsencrypt_domain}},www.{{letsencrypt_domain}}" | ||
- set_fact: _letsencrypt_domains="{{ [letsencrypt_domain] }}" | ||
- set_fact: _letsencrypt_domains="{{ _letsencrypt_domains + [{{ 'www.' + letsencrypt_domain }}] }}" | ||
when: letsencrypt_request_www | ||
|
||
- set_fact: _letsencrypt_combined_args="{{ letsencrypt_default_args + ['-d ' + (_letsencrypt_domains | join(' -d '))] + letsencrypt_args }}" | ||
|
||
- name: Stopping Services | ||
service: name="{{item}}" state=stopped | ||
with_items: "{{ letsencrypt_pause_services }}" | ||
ignore_errors: yes | ||
register: _services_stopped | ||
|
||
- name: Start SimpleHTTPServer for ACME Challenges | ||
service: | ||
name: letsencrypt-simplehttpd | ||
state: started | ||
|
||
- name: fullchain.pem, cert.pem and chain.pem are linked | ||
file: | ||
src: "{{ letsencrypt_export_dir }}/{{ item }}" | ||
dest: "{{ letsencrypt_home_dir }}/simp_le/{{ item }}" | ||
state: link | ||
owner: "{{ letsencrypt_user }}" | ||
group: "{{ letsencrypt_group }}" | ||
force: yes | ||
with_items: | ||
- "fullchain.pem" | ||
- "cert.pem" | ||
- "chain.pem" | ||
|
||
- name: privkey.pem is linked | ||
file: | ||
src: "{{ letsencrypt_export_dir }}/privkey.pem" | ||
dest: "{{ letsencrypt_home_dir }}/simp_le/key.pem" | ||
state: link | ||
owner: "{{ letsencrypt_user }}" | ||
group: "{{ letsencrypt_group }}" | ||
force: yes | ||
|
||
- name: LetsEncrypt account key is linked | ||
file: | ||
src: "{{ letsencrypt_account_file }}" | ||
dest: "{{ letsencrypt_home_dir }}/simp_le/account_key.json" | ||
state: link | ||
owner: "{{ letsencrypt_user }}" | ||
group: "{{ letsencrypt_group }}" | ||
force: yes | ||
|
||
- name: Obtain or renew cert for domain | ||
shell: ./certbot-auto certonly --text -n --no-self-upgrade -m {{ letsencrypt_email }} --domains {{ _letsencrypt_domains | default(letsencrypt_domain) }} --agree-tos --standalone --expand {{_letsencrypt_certbot_args | join(' ')}} 2>&1 | ||
shell: PATH="{{ letsencrypt_virtualenv_dir }}/bin" "{{ letsencrypt_virtualenv_dir }}/bin/python" ./simp_le.py {{_letsencrypt_combined_args | join(' ')}} 2>&1 | ||
args: | ||
chdir: /opt/certbot | ||
chdir: "{{ letsencrypt_home_dir }}/simp_le" | ||
executable: /bin/bash | ||
become: yes | ||
become_user: "{{ letsencrypt_user }}" | ||
ignore_errors: true | ||
register: _certbot_command | ||
|
||
- set_fact: _signing_successful='{{ certbot_success_message in _certbot_command.stdout }}' | ||
- set_fact: _signing_skipped='{{ (letsencrypt_force_renew != true) and (certbot_skip_renewal_message in _certbot_command.stdout) }}' | ||
|
||
- set_fact: _signing_skipped='{{ (certbot_skip_renewal_message in _certbot_command.stdout) and not letsencrypt_force_renew }}' | ||
- debug: msg="{{ (_certbot_command.stdout_lines if _certbot_command.stdout_lines is defined else _certbot_command.stderr_lines) | pprint }}" | ||
when: letsencrypt_certbot_verbose or ((_signing_successful == false) and (_signing_skipped == false)) | ||
when: letsencrypt_verbose or not (_signing_successful and _signing_skipped) | ||
|
||
- name: Stop SimpleHTTPServer after running certbot | ||
service: | ||
name: letsencrypt-simplehttpd | ||
state: stopped | ||
|
||
- name: Starting paused Services | ||
service: name="{{item.item}}" state=started | ||
when: (item.state is defined and item.state == "stopped") | ||
with_items: "{{ _services_stopped.results }}" | ||
|
||
- fail: msg="Error signing the certificate" | ||
when: (_signing_successful == false) and (_signing_skipped == false) | ||
when: (not _signing_successful) and not _signing_skipped |
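Review bot: the rewritten condition on the debug task, "letsencrypt_verbose or not (_signing_successful and _signing_skipped)", is not equivalent to the line it replaces. The old "(_signing_successful == false) and (_signing_skipped == false)" is "not (_signing_successful or _signing_skipped)"; the new expression is true whenever the two facts are not both true, which is nearly every run, since a run is normally either successful or skipped but not both, so the full simp_le output will be printed even on routine success. The fail task at the end of the hunk keeps the intended form "(not _signing_successful) and not _signing_skipped"; the debug task should use that same expression. Separately, the www domain fact nests template markers, "{{ _letsencrypt_domains + [{{ 'www.' + letsencrypt_domain }}] }}"; Jinja2 does not accept "{{" inside an expression, so this should read "{{ _letsencrypt_domains + ['www.' + letsencrypt_domain] }}" or the task will fail at templating time. Finally, the three link tasks set owner and group on symlinks that point at letsencrypt_export_dir and letsencrypt_account_file; whether that ownership change applies to the link or to its target (the exported private key and the account key) depends on the file module's follow setting, so it is worth setting follow explicitly and verifying after a run that the private key keeps the ownership and mode you intend rather than silently becoming owned by the unprivileged user.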
Since it's in the defaults, no need to mention it here - nice section related to it in the readme which could also have this variable name.
Sorry. The plan was to remove it from the default, so that the user needs to confirm the terms first. I think it's a good idea to use the hash of the document for that. It's important to leave a hint in the Readme and provide proper error messages when the hash is invalid or missing.
I'd still like this default to be enabled in the defaults. The rationale is that the role should make things as easy as possible to use. Requiring the user to add extra variables to their role that could be provided as defaults IMHO is going backwards. The current role already has --agree-terms etc. The readme can clearly state which ToS the user will be accepting by using the role, and note that the user can change which ToS is being accepted via the variables.
LetsEncrypt TOS handling can be discussed in a separate issue. To keep the previous behavior of --agree-terms being enabled by default, we can just set the default to the hash of the current terms of service document and make a new release whenever this document is updated.
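As an added illustration of the check discussed in this thread (not code from this role or this pull request): a defaults entry that pins the accepted terms document by its SHA-256, and an assert task that stops the play with a readable message when the hash is missing or malformed, before simp_le is ever invoked. The variable name letsencrypt_tos_sha256, the placeholder hash value, the file layout and passing the digest to simp_le through a --tos_sha256 argument are all assumptions made for this example.

```yaml
# defaults/main.yml (assumed layout): the accepted Let's Encrypt subscriber
# agreement, pinned by SHA-256. The value is a placeholder, not the digest of
# any real document; a release that bumps it is the signal that the terms changed.
letsencrypt_tos_sha256: "<SHA256-OF-CURRENT-TOS-DOCUMENT>"
---
# tasks/main.yml (assumed layout): refuse to run until the operator has supplied
# a well-formed digest, so a missing or mistyped hash yields a clear error
# instead of an opaque ACME failure deep inside the simp_le output.
- name: Validate the configured Let's Encrypt ToS hash
  assert:
    that:
      - letsencrypt_tos_sha256 is defined
      - letsencrypt_tos_sha256 is string
      - letsencrypt_tos_sha256 is match('^[0-9a-f]{64}$')
    msg: >-
      letsencrypt_tos_sha256 must be the 64-character lowercase hex SHA-256 of
      the Let's Encrypt terms of service you are agreeing to. Compute it with:
      curl -sL <TOS-URL> | sha256sum

# Hand the pinned digest to the client as part of the argument list; simp_le's
# --tos_sha256 option is assumed here, and the fact name is hypothetical.
- set_fact:
    _letsencrypt_tos_args: "{{ ['--tos_sha256', letsencrypt_tos_sha256] }}"
```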