opendev/system-config
Code Issues Proposed changes
ac5acbca92
system-config/playbooks/roles/letsencrypt-request-certs/tasks/acme.yaml
Ian Wienand 86c5bc2b45 letsencrypt: split staging and self-signed generation 
We currently only have letsencrypt_test_only as a single flag that
sets tests to use the letsencrypt staging environment and also
generates a self-signed certificate.

However, for initial testing we actually want to fully generate
certificates on hosts, but using the staging environment (i.e. *not*
generate self-signed certs).  Thus we need to split this option into
two, so the gate tests still use staging+self-signed, but in-progress
production hosts can just using the staging flag.

These variables are split, and graphite01.opendev.org is made to
create staging certificates.

Also remove some debugging that is no longer necessary.

Change-Id: I08959ba904f821c9408d8f363542502cd76a30a4
2019-04-10 08:47:32 +10:00

31 lines
1.4 KiB
YAML
Raw Blame History

- name: 'Build arguments for letsencrypt acme.sh driver for: {{ cert.key }}'
set_fact:
# NOTE(ianw): note the domains are passed in one string (between
# ") as it makes argument parsing a little easier in the driver.sh
acme_args: '"{% for domain in cert.value %}-d {{ domain }} {% endfor %}"'
- name: Run acme.sh driver for certificate issue
shell:
cmd: |
/opt/acme.sh/driver.sh issue {{ acme_args }}
args:
chdir: /opt/acme.sh/
register: acme_output
environment:
LETSENCRYPT_STAGING: '{{ "1" if letsencrypt_use_staging else "0" }}'
# NOTE(ianw): The output is challenge-domain:txt-key which we split
# into a tuple here. acme.sh by default puts the hostname into the
# challenge domain it outputs. For simplicity, we don't actually make
# use of the full challenge-domain part; our default CNAME setup
# points "_acme-challenge.host.opendev.org" to just "acme.opendev.org"
# -- thus we put all the keys into "top-level" TXT records directly at
# acme.opendev.org. letsencyrpt doesn't care; it just follows the
# CNAME and enumerates all the TXT records in acme.opendev.org looking
# for one that matches. So even though we don't put it in the dns
# records, having the hostname the TXT record is for is handy for
# debugging, etc, so we pass it through.
- set_fact:
acme_txt_required: '{{ acme_txt_required + [(item.split(":")[0], item.split(":")[1])] }}'
loop: '{{ acme_output.stdout_lines }}'
View Git Blame Copy Permalink