Leverage fullchain_dest from the acme_certificate module

mprahl · mprahl · commit 538c407d2b94 · 2024-08-02T08:51:20.000-04:00
This simplifies the role by not requiring custom tasks to create the full certificate chain.

Signed-off-by: mprahl &lt;mprahl@users.noreply.github.com&gt;
diff --git a/README.md b/README.md
@@ -53,10 +53,6 @@ Ansible 2.7+ is required for this role. If you are using an older version of Ans
   `{{ ler53_cert_common_name }}.crt`.
 * **ler53_csr_file_name** - the file name of the certificate signing request (CSR) being generated.
   This defaults to `{{ ler53_cert_common_name }}.csr`.
-* **ler53_intermediate_download** - whether or not the Let's Encrypt intermediate CA should be
-  downloaded. This defaults to `true`.
-* **ler53_intermediate_download_url** - the URL to download the Let's Encrypt intermediate CA. This
-  defaults to `https://letsencrypt.org/certs/lets-encrypt-r3.pem`.
 * **ler53_intermediate_file_name** - the file name of the intermediate CA downloaded from Let's
   Encrypt. This defaults to `{{ ler53_cert_common_name }}.intermediate.pem`.
 * **ler53_cert_and_intermediate_file_name** - the name of the file created with the certificate and
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -10,7 +10,6 @@ ler53_cert_dir: "/etc/ssl/{{ ler53_cert_common_name }}"
 ler53_key_file_name: "{{ ler53_cert_common_name }}.key"
 ler53_cert_file_name: "{{ ler53_cert_common_name }}.crt"
 ler53_csr_file_name: "{{ ler53_cert_common_name }}.csr"
-ler53_intermediate_download: true
 ler53_intermediate_file_name: "{{ ler53_cert_common_name }}.intermediate.crt"
 ler53_cert_and_intermediate_file_name: "{{ ler53_cert_common_name }}.pem"
 ler53_cert_files_mode: 0600
@@ -23,4 +22,3 @@ ler53_account_key_file_name: lets_encrypt_account.key
 ler53_new_cert_when_csr_changes: false
 ler53_service_handlers: []
 ler53_acme_directory: https://acme-v02.api.letsencrypt.org/directory
-ler53_intermediate_download_url: https://letsencrypt.org/certs/lets-encrypt-r3.pem
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -176,6 +176,7 @@
     data: "{{ lets_encrypt_challenge }}"
     remaining_days: "{{ ler53_cert_remaining_days_before_renewal }}"
     chain_dest: "{{ ler53_cert_dir }}/{{ ler53_intermediate_file_name }}"
+    fullchain_dest: "{{ ler53_cert_dir }}/{{ ler53_cert_and_intermediate_file_name }}"
   notify: handle services
   register: lets_encrypt_validation_result
 
@@ -205,23 +206,16 @@
     group: "{{ ler53_cert_files_group }}"
     mode: "{{ ler53_cert_files_mode }}"
 
-- name: get content of the certificate
-  command: "cat {{ ler53_cert_dir }}/{{ ler53_cert_file_name }}"
-  register: ler53_certificate_content
-  changed_when: false
-  when: ler53_intermediate_download | bool
-
-- name: get content of the intermediate CA
-  command: "cat {{ ler53_cert_dir }}/{{ ler53_intermediate_file_name }}"
-  register: ler53_intermediate_content
-  changed_when: false
-  when: ler53_intermediate_download | bool
-
-- name: create a file with the certificate and intermediate CA concatenated
-  copy:
-    content: "{{ ler53_certificate_content['stdout'] + '\n' + ler53_intermediate_content['stdout'] + '\n' }}"
-    dest: "{{ ler53_cert_dir }}/{{ ler53_cert_and_intermediate_file_name }}"
+- name: set the intermediate cert file permissions
+  file:
+    path: "{{ ler53_cert_dir }}/{{ ler53_intermediate_file_name }}"
+    owner: "{{ ler53_cert_files_owner }}"
+    group: "{{ ler53_cert_files_group }}"
+    mode: "{{ ler53_cert_files_mode }}"
+
+- name: set the full cert chain file permissions
+  file:
+    path:  "{{ ler53_cert_dir }}/{{ ler53_cert_and_intermediate_file_name }}"
     owner: "{{ ler53_cert_files_owner }}"
     group: "{{ ler53_cert_files_group }}"
     mode: "{{ ler53_cert_files_mode }}"
-  when: ler53_intermediate_download | bool
