aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rwxr-xr-xroles/web/files/acme/acme-client.sh118
-rw-r--r--roles/web/files/acme/deploy.d/nginx6
-rwxr-xr-xroles/web/files/acme/deploy.sh47
-rw-r--r--roles/web/handlers/main.yml3
-rw-r--r--roles/web/tasks/acme-domainkey.yml21
-rw-r--r--roles/web/templates/domains.txt.j24
6 files changed, 0 insertions, 199 deletions
diff --git a/roles/web/files/acme/acme-client.sh b/roles/web/files/acme/acme-client.sh
deleted file mode 100755
index a8be701..0000000
--- a/roles/web/files/acme/acme-client.sh
+++ /dev/null
@@ -1,118 +0,0 @@
-#!/bin/sh
-#
-# This script can be both used to request/obtain new certificate(s) from
-# Let's Encrypt through ACME challenges:
-# $ ./acme-client.sh -n -N
-# to expand the domains listed in the certificate:
-# $ ./acme-client.sh -e
-# and be used to renew the obtained certificate(s) (default action):
-# $ ./acme-client.sh
-# which can be called by periodic(8).
-#
-# This script will be weekly executed in order to renew the certificate(s)
-# by adding such configurations to "/etc/periodic.conf":
-# weekly_acme_client_enable="YES"
-# weekly_acme_client_renewscript="/usr/local/etc/acme/acme-client.sh"
-# weekly_acme_client_deployscript="/usr/local/etc/acme/deploy.sh"
-#
-# Output files:
-# * etc/acme/privkey.pem : account private key
-# * etc/ssl/acme/private/<domain>.pem : domain private key
-# * etc/ssl/acme/<domain>/fullchain.pem : domain certificate
-#
-# XXX/TODO:
-# * How to remove/revoke a SAN from the certificate?
-#
-#
-# Aaron LI
-# 2017-04-19
-#
-
-umask 027
-
-BASEDIR="/usr/local/etc/acme"
-SSLDIR="/usr/local/etc/ssl/acme"
-DOMAINSFILE="${BASEDIR}/domains.txt"
-CHALLENGEDIR="/usr/local/www/acme/.well-known/acme-challenge"
-# Default to show verbose information
-VERBOSE="true"
-# Additional arguments for "acme-client"
-ARGS=""
-
-
-usage() {
- cat << _EOF_
-usage:
-`basename $0` [-h] [-efLnNv] [-d domains.txt]
-
- -e : allow expanding the domains listed in the certificate
- -f : force updating the certificate signature even if its too soon
- -n : create a new 4096-bit RSA account key if one does not already exist
- -N : create a new 4096-bit RSA domain key if one does not already exist
- -q : be quiet (default to show verbose information)
-
- -d domains.txt : text file with one domain and its sub-domains per line
- (default: ${DOMAINSFILE})
-_EOF_
-}
-
-
-while getopts "efhnNqd:" opt; do
- case "$opt" in
- h)
- usage
- exit 1
- ;;
- e)
- ARGS="${ARGS} -e"
- ;;
- f)
- ARGS="${ARGS} -F"
- ;;
- n)
- ARGS="${ARGS} -n"
- ;;
- N)
- ARGS="${ARGS} -N"
- ;;
- q)
- VERBOSE="false"
- ;;
- d)
- DOMAINSFILE="${OPTARG}"
- ;;
- [?])
- usage
- exit 2
- ;;
- esac
-done
-
-if [ "${VERBOSE}" = "true" ]; then
- ARGS="${ARGS} -v"
-fi
-
-[ ! -d "${CHALLENGEDIR}" ] && mkdir -pv ${CHALLENGEDIR}
-[ ! -d "${SSLDIR}/private" ] && mkdir -pvm700 "${SSLDIR}/private"
-
-printf "\n=== $(date) ===\n=== CMD: $0 $* ===\n"
-
-grep -v '^\s*#' "${DOMAINSFILE}" | while read domain line; do
- printf "-------------------------------------------------------------\n"
- printf "[${domain}] ${line}\n"
- printf "-------------------------------------------------------------\n"
- CERTSDIR="${SSLDIR}/${domain}"
- [ ! -d "${CERTSDIR}" ] && mkdir -pm755 "${CERTSDIR}"
- set +e # RC=2 when time to expire > 30 days
- acme-client -b -C "${CHALLENGEDIR}" \
- -k "${SSLDIR}/private/${domain}.pem" \
- -c "${CERTSDIR}" \
- ${ARGS} \
- ${domain} ${line}
- RC=$?
- set -e
- [ $RC -ne 0 -a $RC -ne 2 ] && exit $RC
-done
-
-printf "-------------------------------------------------------------\n"
-exit 0
diff --git a/roles/web/files/acme/deploy.d/nginx b/roles/web/files/acme/deploy.d/nginx
deleted file mode 100644
index 17b571d..0000000
--- a/roles/web/files/acme/deploy.d/nginx
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/sh
-#
-# ACME deployment script
-#
-
-reload nginx
diff --git a/roles/web/files/acme/deploy.sh b/roles/web/files/acme/deploy.sh
deleted file mode 100755
index 7464d02..0000000
--- a/roles/web/files/acme/deploy.sh
+++ /dev/null
@@ -1,47 +0,0 @@
-#!/bin/sh -e
-#
-# Deploy the renewed certificate(s) to services.
-#
-# Aaron LI
-#
-
-reload() {
- local srv="$1"
- local rv=0
- if service ${srv} status >/dev/null 2>&1; then
- echo "Reloading service ${srv} ..."
- service ${srv} reload
- echo "ok"
- else
- echo "WARNING: service ${srv} is not running" >&2
- rv=1
- fi
- return ${rv}
-}
-
-
-restart() {
- local srv="$1"
- local rv=0
- if service ${srv} status >/dev/null 2>&1; then
- echo "Restarting service ${srv} ..."
- service ${srv} restart
- echo "ok"
- else
- echo "WARNING: service ${srv} is not running" >&2
- rv=1
- fi
- return ${rv}
-}
-
-
-echo "============================================================="
-dir="${0%/*}"
-rv=0
-for f in ${dir}/deploy.d/*; do
- if [ -f "${f}" ]; then
- echo "Deploying [${f##*/}] ..."
- . "${f}" || rv=$?
- fi
-done
-exit ${rv}
diff --git a/roles/web/handlers/main.yml b/roles/web/handlers/main.yml
index 7772422..765d2c1 100644
--- a/roles/web/handlers/main.yml
+++ b/roles/web/handlers/main.yml
@@ -1,6 +1,3 @@
---
- name: reload-nginx
command: rcreload nginx
-
-- name: deploy-acme
- command: sh /usr/local/etc/acme/deploy.sh
diff --git a/roles/web/tasks/acme-domainkey.yml b/roles/web/tasks/acme-domainkey.yml
deleted file mode 100644
index ac409c2..0000000
--- a/roles/web/tasks/acme-domainkey.yml
+++ /dev/null
@@ -1,21 +0,0 @@
----
-- name: (local) acme - check domain private key existence
- become: false
- stat:
- path: "{{ playbook_dir }}/private/acme/{{ domain }}.pem"
- delegate_to: localhost
- register: stat_result
-
-- name: (local) acme - generate domain private key (4096 bit)
- become: false
- command: >
- openssl genrsa
- -out "{{ playbook_dir }}/private/acme/{{ domain }}.pem" 4096
- delegate_to: localhost
- when: not stat_result.stat.exists
-
-- name: acme - copy domain private key
- copy:
- src: "{{ playbook_dir }}/private/acme/{{ domain }}.pem"
- dest: /usr/local/etc/ssl/acme/private/{{ domain }}.pem
- mode: 0400
diff --git a/roles/web/templates/domains.txt.j2 b/roles/web/templates/domains.txt.j2
deleted file mode 100644
index dd59388..0000000
--- a/roles/web/templates/domains.txt.j2
+++ /dev/null
@@ -1,4 +0,0 @@
-{% for domain in domains %}
-{{ domain.name }} {% for sub in domain.sub %} {{ sub }}.{{ domain.name }}{% endfor %}
-
-{% endfor %}