Merge pull request #16 from eengstrom/reuse-account-key

Reuse Let's Encrypt Account (key)
clutterbox · May 3, 2020 · b6ee7a4 · b6ee7a4
2 parents 3793174 + 7587ffd
commit b6ee7a4
Show file tree

Hide file tree

Showing 5 changed files with 51 additions and 15 deletions.
diff --git a/README.md b/README.md
@@ -32,6 +32,7 @@ Variable | Function | Default
 --- | --- | ---
 dehydrated_accept_letsencrypt_terms | Set to yes to automatically register and accept Let's Encrypt terms | no
 dehydrated_contactemail | E-Mail address (required) |
+dehydrated_account_key | If set, deploy this file containing pre-registered private key |
 dehydrated_domains | List of domains to request SSL certificates for |
 dehydrated_deploycert | Script to run to deploy a certificate (see below) |
 dehydrated_wellknown | Directory where to deploy http-01 challenges |
@@ -57,6 +58,14 @@ dehydrated_install_pip | Whether pip will be installed when using lexicon | yes
 dehydrated_pip_package | Name of pip package | python3-pip if ansible is running on python3, otherwise python-pip
 dehydrated_pip_executable | Name of pip executable to use | autodetected by pip module
 
+## Account registration
+
+The first time this role is used, and when `dehydrated_accept_letsencrypt_terms` is true, register with Let's Encrypt, using the value of `dehydrated_contactemail` (required).   Your account details, and private key, will be created by `dehydrated` and stored in `/etc/dehydrated/accounts/<HASH>` on the target system.
+
+Alternatively, if you've already setup `dehydrated` once and want to use the same account for all installations, copy your Lets' Encrypt private key (`account_key.pem`) into your ansible configuration, and set `dehydrated_account_key` to the name that file.  Subsequent installations will use that key instead of registering a **new** account.
+
+**IMPORTANT** The `account_key.pem` is a private key with no passphrase.  When you copy it into your Ansible configuration, make sure to use `ansible-vault` or similar to encrypt the contents of that file, at rest.  If you use `ansible-vault` to encrypt it, `ansible` will automatically decrypt when referenced and installed on the target system.
+
 ## Using dns-01 challenges
 
 When `dehydrated_challengetype` is set to `dns-01`, this role will automatically install `lexicon` from python pip to be able to set and remove the necessary DNS records needed to obtain an SSL certificate.

diff --git a/handlers/main.yml b/handlers/main.yml
@@ -1,4 +1,10 @@
 ---
+
+# This handler needs to be defined before "run dehydrated",
+# as handlers run in the order __defined__, not _called__.
+- name: update account details
+  command: "{{ dehydrated_install_root }}/dehydrated --account"
+
 - name: run dehydrated
   command: "{{ dehydrated_install_root }}/dehydrated -c"
   when: dehydrated_run_on_changes

diff --git a/meta/.gitignore b/meta/.gitignore
@@ -0,0 +1 @@
+.galaxy_install_info
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -59,20 +59,6 @@
 
 - import_tasks: systemd.yml
 
-# /opt/dehydrated/dehydrated --register --accept-terms
-- name: Check if already registered
-  stat:
-    path: "/etc/dehydrated/accounts/{{ ((dehydrated_ca + '\n')|b64encode).rstrip('=').replace('+', '-').replace('/', '_') }}"
-  register: ca_stat
-
-- block:
-    - name: "assert dehydrated_accept_letsencrypt_terms is true"
-      assert:
-        that: dehydrated_accept_letsencrypt_terms
-
-    - name: Register to CA
-      command: "{{ dehydrated_install_root }}/dehydrated --register --accept-terms"
-  # \end block register
-  when: "not ca_stat.stat.exists or (ca_stat.stat.isdir is defined and not ca_stat.stat.isdir)"
+- import_tasks: registration.yml
 
 - meta: flush_handlers
diff --git a/tasks/registration.yml b/tasks/registration.yml
@@ -0,0 +1,34 @@
+---
+
+- name: Determine CA account key file location
+  set_fact:
+    ca_account_key_file: "/etc/dehydrated/accounts/{{ ((dehydrated_ca + '\n')|b64encode).rstrip('=').replace('+', '-').replace('/', '_') }}/account_key.pem"
+
+- name: Create CA account directory
+  file: dest="{{ ca_account_key_file | dirname }}" state=directory owner=root group=root mode=0700
+  when: dehydrated_account_key is defined
+
+- name: Deploy CA account key
+  copy:
+    src: "{{ dehydrated_account_key }}"
+    dest: "{{ ca_account_key_file }}"
+    owner: root
+    group: root
+    mode: 0600
+  when: dehydrated_account_key is defined
+  notify: update account details
+
+- name: Check if already registered
+  stat:
+    path: "{{ ca_account_key_file }}"
+  register: ca_stat
+
+- block:
+    - name: "assert dehydrated_accept_letsencrypt_terms is true"
+      assert:
+        that: dehydrated_accept_letsencrypt_terms
+
+    - name: Register to CA
+      command: "{{ dehydrated_install_root }}/dehydrated --register --accept-terms"
+  # \end block register
+  when: "not ca_stat.stat.exists or (ca_stat.stat.isreg is defined and not ca_stat.stat.isreg)"