Merge "letsencrypt: Register email with accounts"

playbooks/roles/letsencrypt-acme-sh-install/README.rst

@@ -15,3 +15,9 @@ authentication procedure and parse output.
    on the `/etc/letsencrypt-certificates` directory.  If unset, uses
    system default.  Useful if this conflicts with another role that
    assumes a `gid` value.
+
+.. zuul:rolevar:: letsencrypt_account_email
+   :default: undefined
+
+   The email address to register with accounts.  Renewal mail and
+   other info may be sent here.  Must be defined.

playbooks/roles/letsencrypt-acme-sh-install/tasks/main.yaml

@@ -35,3 +35,56 @@
     owner: root
     group: letsencrypt
     mode: u=rwx,g=rx,o=,g+s
+
+- name: Create acme.sh config directory
+  file:
+    path: /root/.acme.sh
+    state: directory
+    owner: root
+    group: root
+    mode: u=rwx,g=rx,o=
+
+# An implementation note on accounts: We could share an account key
+# across all our hosts and this would be the logical place to deploy
+# it.  However, really the only thing you can do with an account key
+# is revoke a certificate if you lose the private key.  It makes more
+# sense to have an account per host with key material that never
+# leaves the host rather than keeping a global secret that, if leaked,
+# could revoke all keys simultaneously.
+
+- name: Check for account email
+  assert:
+    that: letsencrypt_account_email is defined
+
+- name: Configure account email
+  lineinfile:
+    path: /root/.acme.sh/account.conf
+    regexp: '^ACCOUNT_EMAIL='
+    line: 'ACCOUNT_EMAIL={{ letsencrypt_account_email }}'
+    create: true
+  register: account_email
+
+# If we updated the email and we have existing accounts, we should
+# update the address.
+
+# NOTE(ianw) 2020-03-04 : acme.sh dumps the 200 response json from the
+# ACME api when creating an account into this file to keep track of
+# the account-id.  However, it doesn't actually then update it in
+# response to --updateaccount although the details in the account
+# *are* correctly updated.  It doesn't make a difference to ongoing
+# operation since all that cares about is the unchanging id, but can
+# be confusing if you check this and don't see an updated email
+# address.  I have filed:
+# https://github.com/acmesh-official/acme.sh/pull/2769
+- name: Check for existing account setup
+  stat:
+    path: '{{ item }}'
+  loop:
+    - /root/.acme.sh/ca/acme-v02.api.letsencrypt.org/account.json
+    - /root/.acme.sh/ca/acme-staging-v02.api.letsencrypt.org/account.json
+  register: existing_accounts
+
+- name: Run account update # noqa 503
+  shell: |
+    /opt/acme.sh/acme.sh --debug --updateaccount
+  when: account_email.changed and (existing_accounts.results | selectattr('stat.exists') | map(attribute='item') | list | length > 0)

playbooks/zuul/templates/group_vars/letsencrypt.yaml.j2

@@ -4,3 +4,5 @@
 # gate, only generate a place-holder self-signed cert for testing.
 letsencrypt_use_staging: True
 letsencrypt_self_sign_only: True
+
+letsencrypt_account_email: le-test@opendev.org

testinfra/test_letsencrypt.py

@@ -130,3 +130,11 @@ def test_updated_handler(host):
 
     else:
         pytest.skip()
+
+def test_acme_sh_config(host):
+    if not host.backend.get_hostname().startswith('letsencrypt0'):
+        pytest.skip()
+
+    config = host.file('/root/.acme.sh/account.conf')
+    assert config.exists
+    assert config.contains("^ACCOUNT_EMAIL='le-test@opendev.org'")