From 9d7e5a71cac4793c7683f8d5456f1f7b4e4a51e3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alexander=20K=C3=A4b?= <alexander.kaeb@h-da.de>
Date: Thu, 6 Jul 2023 11:07:51 +0200
Subject: [PATCH] feat: create single cert file and fullchain.pem lego doe not create when a standalone cert file by default, only the fullchain file. This commit adds functionality to create both files when using the dns-challenge.
---
 tasks/dns-challenge.yml | 32 ++++++++++++++++++++----------
 templates/dns-challenge.service.j2 | 6 ++++--
 2 files changed, 25 insertions(+), 13 deletions(-)
diff --git a/tasks/dns-challenge.yml b/tasks/dns-challenge.yml
index 7aef01a..a3e65b4 100644
--- a/tasks/dns-challenge.yml
+++ b/tasks/dns-challenge.yml
@@ -47,22 +47,32 @@ lego -a --dns {{ certbot_dns_provider }} --email {{ certbot_admin_email }} -d {{ lego_dflag }} --path {{ certbot_live_dir }} - run + run --no-bundle environment: "{{ dns_provider_auth_env_variables }}" register: lego changed_when: lego.rc == 0 - name: Mirror Letsencrypt Structure - ansible.builtin.copy: - src: "{{ item.src }}" - dest: "{{ item.dest }}" - owner: root - group: root - mode: '0600' - remote_src: true - loop: - - { src: "{{ certbot_live_dir }}/certificates/{{ certbot_fqdn_first }}.crt", dest: "{{ certbot_live_dir }}/fullchain.pem" } - - { src: "{{ certbot_live_dir }}/certificates/{{ certbot_fqdn_first }}.key", dest: "{{ certbot_live_dir }}/privkey.pem" } + block: + - name: Copy cert and key files + ansible.builtin.copy: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + owner: root + group: root + mode: '0600' + remote_src: true + loop: + - { src: "{{ certbot_live_dir }}/certificates/{{ certbot_fqdn_first }}.crt", dest: "{{ certbot_live_dir }}/cert.pem" } + - { src: "{{ certbot_live_dir }}/certificates/{{ certbot_fqdn_first }}.key", dest: "{{ certbot_live_dir }}/privkey.pem" } + + - name: Build fullchain.pem file + ansible.builtin.shell: + cmd: >- + cat "{{ certbot_live_dir }}/certificates/{{ certbot_fqdn_first }}.crt" >> "{{ certbot_live_dir }}/fullchain.pem" && + cat "{{ certbot_live_dir }}/certificates/{{ certbot_fqdn_first }}.issuer.crt" >> "{{ certbot_live_dir }}/fullchain.pem" + changed_when: false + - name: Render Systemd Files become: true diff --git a/templates/dns-challenge.service.j2 b/templates/dns-challenge.service.j2 index be5ca9e..a0dfb72 100644 --- a/templates/dns-challenge.service.j2 +++ b/templates/dns-challenge.service.j2 
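Review bot: The `Build fullchain.pem file` task appends with `>>` on every run, so each play run adds another copy of the leaf and issuer certificates to fullchain.pem instead of replacing it, and after a renewal the new certificate sits behind the stale copies that TLS servers typically read first; the same append pattern is added to the ExecStartPost lines in templates/dns-challenge.service.j2. Writing the file in one truncating command fixes both the growth and the ordering: `cat "{{ certbot_live_dir }}/certificates/{{ certbot_fqdn_first }}.crt" "{{ certbot_live_dir }}/certificates/{{ certbot_fqdn_first }}.issuer.crt" > "{{ certbot_live_dir }}/fullchain.pem"`. The redirect also creates fullchain.pem with whatever umask the remote shell has, while cert.pem and privkey.pem get `owner: root`, `group: root` and `mode: '0600'` from the copy task; a following `ansible.builtin.file` task with the same attributes would keep the three files consistent. `changed_when: false` reports no change although the task rewrites the file on every run; `changed_when: true` is the honest report for an unconditional write. The shell task whose command gains `--no-bundle` starts before the hunk, and the task list continues after it.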
@@ -5,8 +5,10 @@ Description=LEGO DNS challenge
 [Service]
 Type=oneshot
-ExecStart=/usr/bin/lego -a --dns {{ certbot_dns_provider }} --email {{ certbot_admin_email }} -d {{ lego_dflag }} --path {{ certbot_live_dir }} renew
-ExecStartPost=cp {{ certbot_live_dir }}/certificates/{{ certbot_fqdn_first }}.crt {{ certbot_live_dir }}/fullchain.pem
+ExecStart=/usr/bin/lego -a --dns {{ certbot_dns_provider }} --email {{ certbot_admin_email }} -d {{ lego_dflag }} --path {{ certbot_live_dir }} renew --no-bundle
+ExecStartPost=cp {{ certbot_live_dir }}/certificates/{{ certbot_fqdn_first }}.crt {{ certbot_live_dir }}/cert.pem
 ExecStartPost=cp {{ certbot_live_dir }}/certificates/{{ certbot_fqdn_first }}.key {{ certbot_live_dir }}/privkey.pem
+ExecStartPost=cat {{ certbot_live_dir }}/certificates/{{ certbot_fqdn_first }}.crt >> {{ certbot_live_dir }}/fullchain.pem
+ExecStartPost=cat {{ certbot_live_dir }}/certificates/{{ certbot_fqdn_first }}.issuer.crt >> {{ certbot_live_dir }}/fullchain.pem
 {{ "ExecStartPost=/etc/letsencrypt/renewal-hooks/deploy/" + certbot_application if certbot_application is defined else "" }}
 EnvironmentFile=/etc/default/dns-challenge.env
-- 
GitLab
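Review bot: The two added `ExecStartPost=cat … >> …/fullchain.pem` lines cannot work as written, because systemd does not pass Exec* command lines through a shell: `>>` is handed to cat as a literal file-name argument, cat fails on it, and fullchain.pem is never rewritten after a renewal, so the service keeps presenting the previous chain until someone notices. Run the concatenation under a shell and truncate instead of append so the file is rebuilt from the freshly renewed certificate, replacing both lines with `ExecStartPost=/bin/sh -c 'cat {{ certbot_live_dir }}/certificates/{{ certbot_fqdn_first }}.crt {{ certbot_live_dir }}/certificates/{{ certbot_fqdn_first }}.issuer.crt > {{ certbot_live_dir }}/fullchain.pem'`. Even if a shell were involved, appending would accumulate one more leaf-plus-issuer pair per renewal, as already noted for the matching task in tasks/dns-challenge.yml. The unit's [Service] section continues outside the hunk.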