feat: create single cert file and fullchain.pem

lego doe not create when a standalone cert file by default, only the fullchain file. This commit adds functionality to create both files when using the dns-challenge.

feat: create single cert file and fullchain.pem
9d7e5a71 · Alexander Käb · 110088e9 · 9d7e5a71 · 9d7e5a71
Commit 9d7e5a71 authored 1 year ago by Alexander Käb
--- a/tasks/dns-challenge.yml
+++ b/tasks/dns-challenge.yml
@@ -47,22 +47,32 @@
        lego -a --dns {{ certbot_dns_provider }}
        --email {{ certbot_admin_email }} -d {{ lego_dflag }}
        --path {{ certbot_live_dir }}
-        run
+        run --no-bundle
      environment: "{{ dns_provider_auth_env_variables }}"
      register: lego
      changed_when: lego.rc == 0
    - name: Mirror Letsencrypt Structure
-      ansible.builtin.copy:
+      block:
-        src: "{{ item.src }}"
+        - name: Copy cert and key files
-        dest: "{{ item.dest }}"
+          ansible.builtin.copy:
-        owner: root
+            src: "{{ item.src }}"
-        group: root
+            dest: "{{ item.dest }}"
-        mode: '0600'
+            owner: root
-        remote_src: true
+            group: root
-      loop:
+            mode: '0600'
-        - { src: "{{ certbot_live_dir }}/certificates/{{ certbot_fqdn_first }}.crt", dest: "{{ certbot_live_dir }}/fullchain.pem" }
+            remote_src: true
-        - { src: "{{ certbot_live_dir }}/certificates/{{ certbot_fqdn_first }}.key", dest: "{{ certbot_live_dir }}/privkey.pem" }
+          loop:
+            - { src: "{{ certbot_live_dir }}/certificates/{{ certbot_fqdn_first }}.crt", dest: "{{ certbot_live_dir }}/cert.pem" }
+            - { src: "{{ certbot_live_dir }}/certificates/{{ certbot_fqdn_first }}.key", dest: "{{ certbot_live_dir }}/privkey.pem" }
+        - name: Build fullchain.pem file
+          ansible.builtin.shell:
+            cmd: >-
+              cat "{{ certbot_live_dir }}/certificates/{{ certbot_fqdn_first }}.crt" >> "{{ certbot_live_dir }}/fullchain.pem" &&
+              cat "{{ certbot_live_dir }}/certificates/{{ certbot_fqdn_first }}.issuer.crt" >> "{{ certbot_live_dir }}/fullchain.pem"
+          changed_when: false
 - name: Render Systemd Files
  become: true

--- a/templates/dns-challenge.service.j2
+++ b/templates/dns-challenge.service.j2
@@ -5,8 +5,10 @@ Description=LEGO DNS challenge
 [Service]
 Type=oneshot
-ExecStart=/usr/bin/lego -a --dns {{ certbot_dns_provider }} --email {{ certbot_admin_email }} -d {{ lego_dflag }} --path {{ certbot_live_dir }} renew
+ExecStart=/usr/bin/lego -a --dns {{ certbot_dns_provider }} --email {{ certbot_admin_email }} -d {{ lego_dflag }} --path {{ certbot_live_dir }} renew --no-bundle
-ExecStartPost=cp {{ certbot_live_dir }}/certificates/{{ certbot_fqdn_first }}.crt {{ certbot_live_dir }}/fullchain.pem
+ExecStartPost=cp {{ certbot_live_dir }}/certificates/{{ certbot_fqdn_first }}.crt {{ certbot_live_dir }}/cert.pem
 ExecStartPost=cp {{ certbot_live_dir }}/certificates/{{ certbot_fqdn_first }}.key {{ certbot_live_dir }}/privkey.pem
+ExecStartPost=cat {{ certbot_live_dir }}/certificates/{{ certbot_fqdn_first }}.crt >> {{ certbot_live_dir }}/fullchain.pem
+ExecStartPost=cat {{ certbot_live_dir }}/certificates/{{ certbot_fqdn_first }}.issuer.crt >> {{ certbot_live_dir }}/fullchain.pem
 {{ "ExecStartPost=/etc/letsencrypt/renewal-hooks/deploy/" + certbot_application if certbot_application is defined else "" }}
 EnvironmentFile=/etc/default/dns-challenge.env