ansible-acme-sh/tasks/main.yml

---

- name: Install dependencies
  package:
    name: "{{ item }}"
    state: "present"
  loop: "{{ acme_sh_dependencies }}"
  when: not acme_sh_uninstall

- name: Create git clone path
  file:
    path: "{{ acme_sh_git_clone_dest | dirname }}"
    state: "directory"
    owner: "{{ acme_sh_become_user }}"
    group: "{{ acme_sh_become_user }}"
    mode: "0755"
  when: not acme_sh_uninstall

- name: Git clone https://github.com/acmesh-official/acme.sh
  git:
    repo: "{{ acme_sh_git_url }}"
    version: "{{ acme_sh_git_version }}"
    dest: "{{ acme_sh_git_clone_dest }}"
    update: "{{ acme_sh_git_update }}"
  when: not acme_sh_uninstall
  become_user: "{{ acme_sh_become_user }}"

- name: Install acme.sh
  command: >-
    ./acme.sh --install --log
    --days {{ acme_sh_renew_time_in_days }}
    {{ "--accountemail " + acme_sh_account_email if acme_sh_account_email else "" }}
  args:
    chdir: "{{ acme_sh_git_clone_dest }}"
    creates: "~/.acme.sh/acme.sh"
  when: not acme_sh_uninstall
  become_user: "{{ acme_sh_become_user }}"

- name: Determine if acme.sh is installed
  stat:
    path: "~/.acme.sh/acme.sh"
  register: is_acme_sh_installed
  become_user: "{{ acme_sh_become_user }}"

- name: Upgrade acme.sh
  command: ./acme.sh --upgrade
  args:
    chdir: "~/.acme.sh"
  when:
    - acme_sh_upgrade
    - is_acme_sh_installed.stat.exists
    - not acme_sh_uninstall
  register: upgrade_result
  changed_when: upgrade_result.rc == 0 and "Upgrade success" in upgrade_result.stdout
  become_user: "{{ acme_sh_become_user }}"

- name: Create certificate path
  file:
    path: "{{ acme_sh_copy_certs_to_path }}"
    state: "directory"
    owner: "{{ acme_sh_become_user }}"
    group: "{{ acme_sh_become_user }}"
    mode: "0755"
  when: not acme_sh_uninstall

- name: Uninstall acme.sh and disable all certificate renewals
  command: ./acme.sh --uninstall
  args:
    chdir: "~/.acme.sh"
  when:
    - acme_sh_uninstall
    - is_acme_sh_installed.stat.exists
  become_user: "{{ acme_sh_become_user }}"

- name: Remove acme.sh certificate(s) renewals from cron job
  command: >-
    ./acme.sh --remove -d {{ item.domains | first }}
    {{ "--debug" if item.debug | default(acme_sh_default_debug) else "" }}
  args:
    chdir: "~/.acme.sh"
    removes: "~/.acme.sh/{{ item.domains | first }}"
  loop: "{{ acme_sh_domains }}"
  when:
    - acme_sh_domains and item.domains is defined and item.domains
    - item.remove is defined and item.remove
    - not acme_sh_uninstall
  become_user: "{{ acme_sh_become_user }}"
  register: remove_result

- name: Remove acme.sh internal certificate files
  file:
    path: "~/.acme.sh/{{ item.domains | first }}"
    state: "absent"
  when:
    - acme_sh_domains and item.domains is defined and item.domains
    - item.remove is defined and item.remove
    - not acme_sh_uninstall
  loop: "{{ acme_sh_domains }}"
  become_user: "{{ acme_sh_become_user }}"

- name: Remove acme.sh installed certificate files
  file:
    path: "{{ acme_sh_copy_certs_to_path }}/{{ item.domains | first }}*"
    state: "absent"
  loop: "{{ acme_sh_domains }}"
  when:
    - acme_sh_domains and item.domains is defined and item.domains
    - item.remove is defined and item.remove
    - not acme_sh_uninstall

- name: Remove acme.sh's cloned source code, installation path and log files
  file:
    path: "{{ item }}"
    state: "absent"
  loop:
    - "{{ acme_sh_git_clone_dest }}"
    - "~/.acme.sh"
  when:
    - acme_sh_uninstall
  become_user: "{{ acme_sh_become_user }}"

- name: Run custom acme.sh command
  command: ./acme.sh {{ item.custom_command }}
  args:
    chdir: "~/.acme.sh"
  environment: "{{ item.dns_provider_api_keys | default(acme_sh_default_dns_provider_api_keys) }}"
  loop: "{{ acme_sh_domains }}"
  when:
    - acme_sh_domains and item.domains is defined and item.domains
    - item.dns_provider | default(acme_sh_default_dns_provider)
    - item.dns_provider_api_keys | default(acme_sh_default_dns_provider_api_keys)
    - item.custom_command is defined and item.custom_command
    - item.remove is undefined or not item.remove
    - not acme_sh_uninstall
  become_user: "{{ acme_sh_become_user }}"

- name: Issue acme.sh certificate(s) (this will sleep for dns_sleep seconds)
  command: >-
    ./acme.sh --issue -d {{ item.domains | join(" -d ") }}
    --set-default-ca  --server  {{ acme_sh_default_ca }}
    --dns {{ item.dns_provider | default(acme_sh_default_dns_provider) }}
    --dnssleep {{ item.dns_sleep | default(acme_sh_default_dns_sleep) }}
    {{ "--force" if item.force_issue | default(acme_sh_default_force_issue) else "" }}
    {{ "--staging" if item.staging | default(acme_sh_default_staging) else "" }}
    {{ "--debug" if item.debug | default(acme_sh_default_debug) else "" }}
    {{ "--pre-hook " + '"' + item.issue_pre_hook | default(acme_sh_default_issue_pre_hook) + '"' if item.issue_pre_hook | default(acme_sh_default_issue_pre_hook) else "" }}
    {{ "--post-hook " + '"' + item.issue_post_hook | default(acme_sh_default_issue_post_hook) + '"' if item.issue_post_hook | default(acme_sh_default_issue_post_hook) else "" }}
    {{ "--renew-hook " + '"' + item.issue_renew_hook | default(acme_sh_default_issue_renew_hook) + '"' if item.issue_renew_hook | default(acme_sh_default_issue_renew_hook) else "" }}
    {{ item.extra_flags_issue | default(acme_sh_default_extra_flags_issue) }}
  args:
    chdir: "~/.acme.sh"
  environment: "{{ item.dns_provider_api_keys | default(acme_sh_default_dns_provider_api_keys) }}"
  loop: "{{ acme_sh_domains }}"
  when:
    - acme_sh_domains and item.domains is defined and item.domains
    - item.dns_provider | default(acme_sh_default_dns_provider)
    - item.dns_provider_api_keys | default(acme_sh_default_dns_provider_api_keys)
    - item.force_renew is undefined or not item.force_renew
    - item.custom_command is undefined or not item.custom_command
    - item.remove is undefined or not item.remove
    - not acme_sh_uninstall
  become_user: "{{ acme_sh_become_user }}"
  register: issue_result
  changed_when: issue_result.rc == 0 and "Cert success" in issue_result.stdout
  failed_when: issue_result.rc != 0 and "Domains not changed" not in issue_result.stdout

- name: Force renew acme.sh certificate(s)
  command: >-
    ./acme.sh --renew -d {{ item.domains | first }} --force
    {{ "--debug" if item.debug | default(acme_sh_default_debug) else "" }}
    {{ item.extra_flags_renew | default(acme_sh_default_extra_flags_renew) }}
  args:
    chdir: "~/.acme.sh"
  loop: "{{ acme_sh_domains }}"
  when:
    - acme_sh_domains and item.domains is defined and item.domains
    - item.force_issue is undefined or not item.force_issue
    - item.force_renew is defined and item.force_renew
    - item.remove is undefined or not item.remove
    - not acme_sh_uninstall
  become_user: "{{ acme_sh_become_user }}"
  register: renew_result
  failed_when: renew_result.rc != 0 and "Reload error for" not in renew_result.stderr

- name: Ensure installed certificates have correct user / group ownership
  file:
    path: "{{ acme_sh_copy_certs_to_path }}/{{ item.domains | first }}*"
    group: "{{ acme_sh_become_user }}"
    owner: "{{ acme_sh_become_user }}"
    mode: "0644"
  loop:
    - "{{ acme_sh_domains }}"
  when:
    - acme_sh_domains and item.domains is defined and item.domains
    - item.custom_command is undefined or not item.custom_command
    - item.remove is undefined or not item.remove
    - not acme_sh_uninstall

- name: Install acme.sh certificate(s)
  command: >-
    ./acme.sh --install-cert -d {{ item.domains | first }}
    --key-file {{ acme_sh_copy_certs_to_path }}/{{ item.domains | first }}.key
    --fullchain-file {{ acme_sh_copy_certs_to_path }}/{{ item.domains | first }}.pem
    --reloadcmd "{{ item.install_cert_reloadcmd | default(acme_sh_default_install_cert_reloadcmd) }}"
    {{ "--debug" if item.debug | default(acme_sh_default_debug) else "" }}
    {{ item.extra_flags_install_cert | default(acme_sh_default_extra_flags_install_cert) }}
  args:
    chdir: "~/.acme.sh"
  loop: "{{ acme_sh_domains }}"
  loop_control:
    index_var: domains_index
  when:
    - acme_sh_domains and item.domains is defined and item.domains
    - item.custom_command is undefined or not item.custom_command
    - item.remove is undefined or not item.remove
    - not acme_sh_uninstall
  become_user: "{{ acme_sh_become_user }}"
  register: install_cert_result
  changed_when: issue_result.results[domains_index].changed or renew_result.results[domains_index].changed
  failed_when: install_cert_result.rc != 0 and "Reload error for" not in install_cert_result.stderr

- name: Register acme.sh certificate information
  command: ./acme.sh --list
  args:
    chdir: "~/.acme.sh"
  when: acme_sh_list_domains and not acme_sh_uninstall
  changed_when: False
  register: list_domains
  become_user: "{{ acme_sh_become_user }}"

- name: List acme.sh certificate information
  debug:
    msg: "{{ list_domains.stdout_lines }}"
  when: not ansible_check_mode and acme_sh_list_domains and not acme_sh_uninstall
Initial commit 2018-09-29 17:19:18 +02:00			`---`

			`- name: Install dependencies`
Allow specifying a list of dependency packages Signed-off-by: Alexander Trost <galexrt@googlemail.com> 2020-02-13 23:53:20 +01:00			`package:`
Initial commit 2018-09-29 17:19:18 +02:00			`name: "{{ item }}"`
Allow specifying a list of dependency packages Signed-off-by: Alexander Trost <galexrt@googlemail.com> 2020-02-13 23:53:20 +01:00			`state: "present"`
			`loop: "{{ acme_sh_dependencies }}"`
Initial commit 2018-09-29 17:19:18 +02:00			`when: not acme_sh_uninstall`

			`- name: Create git clone path`
			`file:`
			`path: "{{ acme_sh_git_clone_dest \| dirname }}"`
			`state: "directory"`
			`owner: "{{ acme_sh_become_user }}"`
			`group: "{{ acme_sh_become_user }}"`
			`mode: "0755"`
			`when: not acme_sh_uninstall`

Update github org for acme.sh. I missed this in #17 2021-06-25 01:52:37 +02:00			`- name: Git clone https://github.com/acmesh-official/acme.sh`
Initial commit 2018-09-29 17:19:18 +02:00			`git:`
			`repo: "{{ acme_sh_git_url }}"`
			`version: "{{ acme_sh_git_version }}"`
			`dest: "{{ acme_sh_git_clone_dest }}"`
			`update: "{{ acme_sh_git_update }}"`
			`when: not acme_sh_uninstall`
			`become_user: "{{ acme_sh_become_user }}"`

			`- name: Install acme.sh`
			`command: >-`
			`./acme.sh --install --log`
			`--days {{ acme_sh_renew_time_in_days }}`
			`{{ "--accountemail " + acme_sh_account_email if acme_sh_account_email else "" }}`
			`args:`
			`chdir: "{{ acme_sh_git_clone_dest }}"`
			`creates: "~/.acme.sh/acme.sh"`
			`when: not acme_sh_uninstall`
			`become_user: "{{ acme_sh_become_user }}"`

			`- name: Determine if acme.sh is installed`
			`stat:`
			`path: "~/.acme.sh/acme.sh"`
			`register: is_acme_sh_installed`
			`become_user: "{{ acme_sh_become_user }}"`

			`- name: Upgrade acme.sh`
			`command: ./acme.sh --upgrade`
			`args:`
			`chdir: "~/.acme.sh"`
			`when:`
			`- acme_sh_upgrade`
			`- is_acme_sh_installed.stat.exists`
			`- not acme_sh_uninstall`
			`register: upgrade_result`
			`changed_when: upgrade_result.rc == 0 and "Upgrade success" in upgrade_result.stdout`
			`become_user: "{{ acme_sh_become_user }}"`

			`- name: Create certificate path`
			`file:`
			`path: "{{ acme_sh_copy_certs_to_path }}"`
			`state: "directory"`
			`owner: "{{ acme_sh_become_user }}"`
			`group: "{{ acme_sh_become_user }}"`
			`mode: "0755"`
			`when: not acme_sh_uninstall`

			`- name: Uninstall acme.sh and disable all certificate renewals`
			`command: ./acme.sh --uninstall`
			`args:`
			`chdir: "~/.acme.sh"`
			`when:`
			`- acme_sh_uninstall`
			`- is_acme_sh_installed.stat.exists`
			`become_user: "{{ acme_sh_become_user }}"`

			`- name: Remove acme.sh certificate(s) renewals from cron job`
			`command: >-`
			`./acme.sh --remove -d {{ item.domains \| first }}`
			`{{ "--debug" if item.debug \| default(acme_sh_default_debug) else "" }}`
			`args:`
			`chdir: "~/.acme.sh"`
			`removes: "~/.acme.sh/{{ item.domains \| first }}"`
			`loop: "{{ acme_sh_domains }}"`
			`when:`
			`- acme_sh_domains and item.domains is defined and item.domains`
			`- item.remove is defined and item.remove`
			`- not acme_sh_uninstall`
			`become_user: "{{ acme_sh_become_user }}"`
			`register: remove_result`

			`- name: Remove acme.sh internal certificate files`
			`file:`
			`path: "~/.acme.sh/{{ item.domains \| first }}"`
			`state: "absent"`
			`when:`
			`- acme_sh_domains and item.domains is defined and item.domains`
			`- item.remove is defined and item.remove`
			`- not acme_sh_uninstall`
			`loop: "{{ acme_sh_domains }}"`
			`become_user: "{{ acme_sh_become_user }}"`

			`- name: Remove acme.sh installed certificate files`
			`file:`
			`path: "{{ acme_sh_copy_certs_to_path }}/{{ item.domains \| first }}*"`
			`state: "absent"`
			`loop: "{{ acme_sh_domains }}"`
			`when:`
			`- acme_sh_domains and item.domains is defined and item.domains`
			`- item.remove is defined and item.remove`
			`- not acme_sh_uninstall`

			`- name: Remove acme.sh's cloned source code, installation path and log files`
			`file:`
			`path: "{{ item }}"`
			`state: "absent"`
			`loop:`
			`- "{{ acme_sh_git_clone_dest }}"`
			`- "~/.acme.sh"`
			`when:`
			`- acme_sh_uninstall`
			`become_user: "{{ acme_sh_become_user }}"`

			`- name: Run custom acme.sh command`
			`command: ./acme.sh {{ item.custom_command }}`
			`args:`
			`chdir: "~/.acme.sh"`
			`environment: "{{ item.dns_provider_api_keys \| default(acme_sh_default_dns_provider_api_keys) }}"`
			`loop: "{{ acme_sh_domains }}"`
			`when:`
			`- acme_sh_domains and item.domains is defined and item.domains`
			`- item.dns_provider \| default(acme_sh_default_dns_provider)`
			`- item.dns_provider_api_keys \| default(acme_sh_default_dns_provider_api_keys)`
			`- item.custom_command is defined and item.custom_command`
			`- item.remove is undefined or not item.remove`
			`- not acme_sh_uninstall`
			`become_user: "{{ acme_sh_become_user }}"`

			`- name: Issue acme.sh certificate(s) (this will sleep for dns_sleep seconds)`
			`command: >-`
			`./acme.sh --issue -d {{ item.domains \| join(" -d ") }}`
Allow for easily setting the default CA: default to Letsencrypt.org 2021-06-23 00:25:31 +02:00			`--set-default-ca --server {{ acme_sh_default_ca }}`
Initial commit 2018-09-29 17:19:18 +02:00			`--dns {{ item.dns_provider \| default(acme_sh_default_dns_provider) }}`
			`--dnssleep {{ item.dns_sleep \| default(acme_sh_default_dns_sleep) }}`
			`{{ "--force" if item.force_issue \| default(acme_sh_default_force_issue) else "" }}`
			`{{ "--staging" if item.staging \| default(acme_sh_default_staging) else "" }}`
			`{{ "--debug" if item.debug \| default(acme_sh_default_debug) else "" }}`
			`{{ "--pre-hook " + '"' + item.issue_pre_hook \| default(acme_sh_default_issue_pre_hook) + '"' if item.issue_pre_hook \| default(acme_sh_default_issue_pre_hook) else "" }}`
			`{{ "--post-hook " + '"' + item.issue_post_hook \| default(acme_sh_default_issue_post_hook) + '"' if item.issue_post_hook \| default(acme_sh_default_issue_post_hook) else "" }}`
			`{{ "--renew-hook " + '"' + item.issue_renew_hook \| default(acme_sh_default_issue_renew_hook) + '"' if item.issue_renew_hook \| default(acme_sh_default_issue_renew_hook) else "" }}`
			`{{ item.extra_flags_issue \| default(acme_sh_default_extra_flags_issue) }}`
			`args:`
			`chdir: "~/.acme.sh"`
			`environment: "{{ item.dns_provider_api_keys \| default(acme_sh_default_dns_provider_api_keys) }}"`
			`loop: "{{ acme_sh_domains }}"`
			`when:`
			`- acme_sh_domains and item.domains is defined and item.domains`
			`- item.dns_provider \| default(acme_sh_default_dns_provider)`
			`- item.dns_provider_api_keys \| default(acme_sh_default_dns_provider_api_keys)`
			`- item.force_renew is undefined or not item.force_renew`
			`- item.custom_command is undefined or not item.custom_command`
			`- item.remove is undefined or not item.remove`
			`- not acme_sh_uninstall`
			`become_user: "{{ acme_sh_become_user }}"`
			`register: issue_result`
			`changed_when: issue_result.rc == 0 and "Cert success" in issue_result.stdout`
			`failed_when: issue_result.rc != 0 and "Domains not changed" not in issue_result.stdout`

			`- name: Force renew acme.sh certificate(s)`
			`command: >-`
			`./acme.sh --renew -d {{ item.domains \| first }} --force`
			`{{ "--debug" if item.debug \| default(acme_sh_default_debug) else "" }}`
			`{{ item.extra_flags_renew \| default(acme_sh_default_extra_flags_renew) }}`
			`args:`
			`chdir: "~/.acme.sh"`
			`loop: "{{ acme_sh_domains }}"`
			`when:`
			`- acme_sh_domains and item.domains is defined and item.domains`
			`- item.force_issue is undefined or not item.force_issue`
			`- item.force_renew is defined and item.force_renew`
			`- item.remove is undefined or not item.remove`
			`- not acme_sh_uninstall`
			`become_user: "{{ acme_sh_become_user }}"`
			`register: renew_result`
			`failed_when: renew_result.rc != 0 and "Reload error for" not in renew_result.stderr`

			`- name: Ensure installed certificates have correct user / group ownership`
			`file:`
			`path: "{{ acme_sh_copy_certs_to_path }}/{{ item.domains \| first }}*"`
			`group: "{{ acme_sh_become_user }}"`
			`owner: "{{ acme_sh_become_user }}"`
Add file mode to certificate file 2021-02-25 17:23:01 +01:00			`mode: "0644"`
Initial commit 2018-09-29 17:19:18 +02:00			`loop:`
			`- "{{ acme_sh_domains }}"`
			`when:`
			`- acme_sh_domains and item.domains is defined and item.domains`
			`- item.custom_command is undefined or not item.custom_command`
			`- item.remove is undefined or not item.remove`
			`- not acme_sh_uninstall`

			`- name: Install acme.sh certificate(s)`
			`command: >-`
			`./acme.sh --install-cert -d {{ item.domains \| first }}`
			`--key-file {{ acme_sh_copy_certs_to_path }}/{{ item.domains \| first }}.key`
			`--fullchain-file {{ acme_sh_copy_certs_to_path }}/{{ item.domains \| first }}.pem`
			`--reloadcmd "{{ item.install_cert_reloadcmd \| default(acme_sh_default_install_cert_reloadcmd) }}"`
			`{{ "--debug" if item.debug \| default(acme_sh_default_debug) else "" }}`
			`{{ item.extra_flags_install_cert \| default(acme_sh_default_extra_flags_install_cert) }}`
			`args:`
			`chdir: "~/.acme.sh"`
			`loop: "{{ acme_sh_domains }}"`
			`loop_control:`
			`index_var: domains_index`
			`when:`
			`- acme_sh_domains and item.domains is defined and item.domains`
			`- item.custom_command is undefined or not item.custom_command`
			`- item.remove is undefined or not item.remove`
			`- not acme_sh_uninstall`
			`become_user: "{{ acme_sh_become_user }}"`
			`register: install_cert_result`
			`changed_when: issue_result.results[domains_index].changed or renew_result.results[domains_index].changed`
			`failed_when: install_cert_result.rc != 0 and "Reload error for" not in install_cert_result.stderr`

			`- name: Register acme.sh certificate information`
			`command: ./acme.sh --list`
			`args:`
			`chdir: "~/.acme.sh"`
			`when: acme_sh_list_domains and not acme_sh_uninstall`
			`changed_when: False`
			`register: list_domains`
			`become_user: "{{ acme_sh_become_user }}"`

			`- name: List acme.sh certificate information`
			`debug:`
			`msg: "{{ list_domains.stdout_lines }}"`
Don't try to list certificate information when on ansible check mode In check mode ansible does not execute shell scripts, so there are no certificate information to show 2020-08-23 16:50:40 +02:00			`when: not ansible_check_mode and acme_sh_list_domains and not acme_sh_uninstall`