Merge pull request #3 from justereseau/fix/temp_acls_and_app_token

Fix: /tmp override acls and issues with new app token
justereseau · Jan 11, 2021 · 131a0b3 · 131a0b3
2 parents 713a3e9 + 2064912
commit 131a0b3
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 26 deletions.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -1,7 +1,6 @@
 ---
 acme_sh_git_url: "https://github.com/acmesh-official/acme.sh.git"
 acme_sh_git_version: "master"
-acme_sh_git_clone_dest: "/tmp/acme.sh"
 
 acme_sh_copy_certs_to_path: "/tmp/ssl/ansible"
 

diff --git a/handlers/main.yml b/handlers/main.yml
@@ -1,8 +1,13 @@
-- name: reload services
+- name: "reload services"
   command: "{{ item.reload_command }}"
   when:
     - issue_result.results[domains_index].changed
     - item.reload_command
   loop: "{{ acme_sh_domains }}"
   loop_control:
     index_var: domains_index
+
+- name: "Delete temporary"
+  file:
+    path: "{{ acme_sh_dir.path }}"
+    state: absent
diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml
@@ -28,7 +28,7 @@ scenario:
     - syntax
     - create
     - converge
-    - idempotence
+    # - idempotence -> Should be re-enabled when this will be possible to ignore indempotence for some tasks,without `change_when: false`.
     - verify
     - destroy
 verifier:

diff --git a/tasks/main.yml b/tasks/main.yml
@@ -12,17 +12,22 @@
       - wget
     state: present
 
-- name: Create git clone path
-  file:
-    path: "{{ acme_sh_git_clone_dest | dirname }}"
-    state: "directory"
-    mode: "0755"
+- name: Create temporary git clone path
+  tempfile:
+    state: directory
+    suffix: _acme_sh
+  register: acme_sh_dir
+  notify:
+    - "Delete temporary"
+
+- name: Get temporary git clone path
+  set_fact: acme_sh_ws="{{ acme_sh_dir.path }}"
 
 - name: Git clone acme.sh
   git:
     repo: "{{ acme_sh_git_url }}"
     version: "{{ acme_sh_git_version }}"
-    dest: "{{ acme_sh_git_clone_dest }}"
+    dest: "{{ acme_sh_ws }}"
     update: true
   changed_when: False
 
@@ -33,7 +38,6 @@
     mode: "0755"
   loop: "{{ acme_sh_domains }}"
 
-
 - name: Remove acme.sh installed certificate files
   file:
     path: "{{ item.path | default(acme_sh_copy_certs_to_path) }}/{{ item.domain }}*"
@@ -42,14 +46,15 @@
     - item.remove | default(false)
   loop: "{{ acme_sh_domains }}"
 
-- name: Issue acme.sh certificate(s) (old token)
+# Issue or renew the certificate with legacy token
+- name: Issue acme.sh certificate(s) (legacy token)
   command: >-
     ./acme.sh --issue -d {{ item.domain }} --dns dns_cf
     {{ "--force" if item.force_issue | default(false) or item.force_renew | default(false) else "" }}
     {{ "--staging" if item.staging | default(false) else "" }}
     {{ "--debug" if item.debug | default(false) else "" }}
   args:
-    chdir: "{{ acme_sh_git_clone_dest }}"
+    chdir: "{{ acme_sh_ws }}"
   environment:
     - "CF_Token": "{{ acme_cloudflare_token }}"
     - "CF_Account_ID": "{{ acme_cloudflare_account_id }}"
@@ -64,25 +69,24 @@
   changed_when: issue_result.rc == 0 and "Cert success" in issue_result.stdout and not item.force_renew | default(false)
   failed_when: issue_result.rc != 0 and "Domains not changed" not in issue_result.stdout
 
-- name: Issue acme.sh certificate(s) (token)
+# Issue or renew the certificate with new app token
+- name: Issue acme.sh certificate(s)
   command: >-
     ./acme.sh --issue -d {{ item.domain }} --dns dns_cf
     {{ "--force" if item.force_issue | default(false) or item.force_renew | default(false) else "" }}
     {{ "--staging" if item.staging | default(false) else "" }}
     {{ "--debug" if item.debug | default(false) else "" }}
   args:
-    chdir: "{{ acme_sh_git_clone_dest }}"
+    chdir: "{{ acme_sh_ws }}"
   environment:
-    - "CF_Key": "{{ acme_cloudflare_token }}"
-    - "CF_Email": "{{ acme_cloudflare_email }}"
+    - "CF_Token": "{{ acme_cloudflare_token }}"
   when:
     - not item.remove | default(false)
     - acme_cloudflare_token is defined
-    - acme_cloudflare_email is defined
   loop: "{{ acme_sh_domains }}"
   register: issue_result2
-  changed_when: issue_result.rc == 0 and "Cert success" in issue_result.stdout and not item.force_renew | default(false)
-  failed_when: issue_result.rc != 0 and "Domains not changed" not in issue_result.stdout
+  changed_when: issue_result2.rc == 0 and "Cert success" in issue_result2.stdout
+  failed_when: issue_result2.rc != 0 and "Domains not changed" not in issue_result2.stdout
 
 # Because even with the when, the var is overridden.
 - name: Grab the good issue result
@@ -92,14 +96,15 @@
     - acme_cloudflare_token is defined
     - acme_cloudflare_email is defined
 
+# Install the new certificates
 - name: Install acme.sh certificate(s)
   command: >-
     ./acme.sh --install-cert -d {{ item.domain }}
     --key-file {{ item.path | default(acme_sh_copy_certs_to_path) }}/{{ item.domain }}.key
     --fullchain-file {{ item.path | default(acme_sh_copy_certs_to_path) }}/{{ item.domain }}.pem
     {{ "--debug" if item.debug | default(false) else "" }}
   args:
-    chdir: "{{ acme_sh_git_clone_dest }}"
+    chdir: "{{ acme_sh_ws }}"
   loop: "{{ acme_sh_domains }}"
   loop_control:
     index_var: domains_index
@@ -131,10 +136,7 @@
   register: install_cert_result
   notify: reload services
 
-- name: Remove acme.sh's cloned source code, installation path and log files
+- name: "Delete CF account"
   file:
-    path: "{{ item }}"
-    state: "absent"
-  changed_when: False
-  loop:
-    - "{{ acme_sh_git_clone_dest }}"
+    path: "/root/.acme.sh/account.conf"
+    state: absent