-
Notifications
You must be signed in to change notification settings - Fork 1
/
acme.yml
118 lines (110 loc) · 5.06 KB
/
acme.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
# Issue ACME https ssl certificates automatically.
#
# It is used the certbot on standalone mode on the HAProxy load balancer.
# After the certificates are issued or renewed, they are copied to a Ceph S3 bucket.
# Then all certificates are downloaded on all HAProxy load balancer instances
# and the HAProxy is updated live to know new certificate and key.
# The certificate and its key is also downloaded on Open edX app servers,
# so they can be used by nginx using a docker volume. It's run nginx check
# configuration and then it's run nginx reload configuration command.
#
# The domains that we are going to issue the certificate are defined on
# the `acme_domains_to_issue_certs` variable.
# To issue new certificates add that domain to the `acme_domains_to_issue_certs` variable.
#
# Examples:
# To run auto issue certificates using ACME for all configured domains:
# ansible-playbook -i nau-data/envs/<env>/hosts.ini acme.yml
#
# To force the re-issue of the certificates. Warning about the Let's Encrypt limits
# of 5 certificates in 7 days per domain.
# -e acme_force_issue=true
#
---
- name: (Re)Issue ssl https certificates using auto issue certificates using ACME
hosts: balancer_servers[0]
become: True
gather_facts: True
tasks:
- name: (Re)Issue ssl https certificates using auto issue certificates using ACME on primary HAProxy load balancer
import_role:
name: acme_issue
vars:
acme_certbot_email: [email protected]
acme_certbot_root_folder: /nau/ops/certbot/conf
s3_host: "{{ AWS_S3_DBS_BACKUP_HOST }}"
s3_host_bucket: "{{ AWS_S3_DBS_BACKUP_BUCKET_NAME }}"
s3_path_prefix: "/acme_certificates"
s3_access_key_id: "{{ EDXAPP_BACKUPS_AWS_ACCESS_KEY_ID }}"
s3_secret_access_key: "{{ EDXAPP_BACKUPS_AWS_SECRET_ACCESS_KEY }}"
- name: Download auto issue certificates using ACME certificates to HAProxy load balancers
hosts: balancer_servers
become: True
gather_facts: True
tasks:
- name: Download and update certificates on HAProxy
import_role:
name: haproxy_update_certs
vars:
s3_host: "{{ AWS_S3_DBS_BACKUP_HOST }}"
s3_host_bucket: "{{ AWS_S3_DBS_BACKUP_BUCKET_NAME }}"
s3_path_prefix: "/acme_certificates"
s3_access_key_id: "{{ EDXAPP_BACKUPS_AWS_ACCESS_KEY_ID }}"
s3_secret_access_key: "{{ EDXAPP_BACKUPS_AWS_SECRET_ACCESS_KEY }}"
haproxy_certs_folder: "{{ docker_deploy_base_folder }}/certs"
tags: haproxy_update_certs
# - name: Download auto issue certificates using ACME certificates to nginx on Open edX app servers
# hosts: openedx_docker_servers
# become: True
# gather_facts: True
# vars:
# certificates_folder: "{{ openedx_docker_deploy_base_folder }}/nginx/ssl"
# s3_host: "{{ AWS_S3_DBS_BACKUP_HOST }}"
# s3_host_bucket: "{{ AWS_S3_DBS_BACKUP_BUCKET_NAME }}"
# s3_path_prefix: "/acme_certificates"
# s3_access_key_id: "{{ EDXAPP_BACKUPS_AWS_ACCESS_KEY_ID }}"
# s3_secret_access_key: "{{ EDXAPP_BACKUPS_AWS_SECRET_ACCESS_KEY }}"
# tasks:
# - name: Install required packages
# package:
# name: s3cmd
# state: present
# tags:
# - openedx_update_certs
# - install
# - name: Download auto issue certificates using ACME certificates
# vars:
# s3cmd_prefix: s3cmd get --force --host {{ s3_host }} --host-bucket {{ s3_host_bucket }}
# shell: "{{ s3cmd_prefix }} s3://{{ s3_host_bucket }}{{ s3_path_prefix }}/{{ domain_config['cert-name'] | default(domain_config.domain) }}.pem {{ certificates_folder }}/{{ domain_config['cert-name'] | default(domain_config.domain) }}.pem && \
# {{ s3cmd_prefix }} s3://{{ s3_host_bucket }}{{ s3_path_prefix }}/{{ domain_config['cert-name'] | default(domain_config.domain) }}.pem.key {{ certificates_folder }}/{{ domain_config['cert-name'] | default(domain_config.domain) }}.pem.key"
# environment:
# AWS_ACCESS_KEY_ID: "{{ s3_access_key_id }}"
# AWS_SECRET_ACCESS_KEY: "{{ s3_secret_access_key }}"
# loop: "{{ acme_domains_to_issue_certs }}"
# loop_control:
# loop_var: domain_config
# tags: openedx_update_certs
# - name: nginx check config
# shell: make --no-print-directory --directory {{ openedx_docker_deploy_base_folder }} check-config-nginx
# tags:
# - openedx_update_certs
# - nginx
# - ngxin_check_config
# - name: nginx reload
# shell: make --no-print-directory --directory {{ openedx_docker_deploy_base_folder }} reload-nginx
# tags:
# - openedx_update_certs
# - nginx
# - ngxin_reload
# - name: Run Makefile healthcheck
# shell: make --jobs 20 --no-print-directory --directory {{ item }} healthcheck
# retries: "{{ healthcheck_retries | default(50) }}"
# delay: "{{ healthcheck_delay | default(30) }}"
# register: result
# until: result.rc == 0
# when: makefile_healthcheck is defined
# changed_when: False
# with_items: "{{ makefile_healthcheck }}"
# tags:
# - openedx_update_certs
# - healthcheck