LetsEncrypt cert issuance requires installation of EPEL repo #2048

Open
heatmiser opened this issue Oct 10, 2023 · 0 comments

Problem Summary

Currently, the controller provisioning automation enables the EPEL repo in order to install packages related to SSL cert issuance for LetsEncrypt. The same LetsEncrypt cert issuance can be handled via podman and the docker.io/certbot/certbot:latest container image, in a manner similar to how the LetsEncrypt certificate is handled for Satellite workshop deployments:

```yaml
- name: create letsencrypt subdirectories
  file:
    path: "{{ item }}"
    state: directory
    owner: root
    group: root
    mode: 0750
  with_items:
    - /etc/letsencrypt
    - /var/lib/letsencrypt
- name: make sure httpd is stopped
  service:
    name: httpd.service
    state: stopped
  register: stop_httpd
  until: stop_httpd is not failed
  retries: 5
# If this fails check out status of certbot: https://letsencrypt.status.io/
- name: try to issue SSL certificate
  block:
    - name: Issue SSL cert
      shell: >
        podman run -it --rm --name certbot \
        -v "/etc/letsencrypt:/etc/letsencrypt" \
        -v "/var/lib/letsencrypt:/var/lib/letsencrypt" \
        -p 80:80 \
        -p 443:443 \
        docker.io/certbot/certbot:latest certonly \
        --key-type rsa \
        --rsa-key-size 4096 \
        --no-bootstrap \
        --standalone \
        -d {{ student }}-sat.{{ ec2_name_prefix|lower }}.{{ workshop_dns_zone }} \
        --email ansible-network@redhat.com \
        --noninteractive \
        --agree-tos
      register: issue_sat_cert
      until: issue_sat_cert is not failed
      retries: 5
  rescue:
    - name: error with SSL cert
      debug:
        msg: "Unable to retrieve SSL cert, ERROR, continuing on without cert..."
    - name: append dns_information failure
      set_fact:
        dns_information:
          - "{{ dns_information }}"
          - "The Lets Encrypt certbot failed for the satellite node, please check https://letsencrypt.status.io/ to make sure the service is running"
# The intermediate and root PEMs are pinned by checksum so a tampered or
# changed download fails the task instead of silently entering the bundle.
- name: download LetsEncrypt R3 cert
  get_url:
    url: https://letsencrypt.org/certs/lets-encrypt-r3.pem
    dest: "/etc/letsencrypt/live/{{ student }}-sat.{{ ec2_name_prefix|lower }}.{{ workshop_dns_zone }}"
    mode: 0644
    checksum: sha256:177e1b8fc43b722b393f4200ff4d92e32deeffbb76fef5ee68d8f49c88cf9d32
    group: root
    owner: root
- name: download LetsEncrypt root X1 cert
  get_url:
    url: https://letsencrypt.org/certs/isrgrootx1.pem
    dest: "/etc/letsencrypt/live/{{ student }}-sat.{{ ec2_name_prefix|lower }}.{{ workshop_dns_zone }}"
    mode: 0644
    checksum: sha256:22b557a27055b33606b6559f37703928d3e4ad79f110b407d04986e1843543d1
    group: root
    owner: root
- name: retrieve LetsEncrypt R3 cert
  slurp:
    src: "/etc/letsencrypt/live/{{ student }}-sat.{{ ec2_name_prefix|lower }}.{{ workshop_dns_zone }}/lets-encrypt-r3.pem"
  register: intermediate_cert
- name: retrieve LetsEncrypt root X1 cert
  slurp:
    src: "/etc/letsencrypt/live/{{ student }}-sat.{{ ec2_name_prefix|lower }}.{{ workshop_dns_zone }}/isrgrootx1.pem"
  register: root_cert
- name: combine R3 and root X1 certs to create LetsEncrypt CA bundle
  template:
    src: cert_bundle.j2
    dest: "/etc/letsencrypt/live/{{ student }}-sat.{{ ec2_name_prefix|lower }}.{{ workshop_dns_zone }}/letsencrypt-ca-bundle.pem"
- name: start httpd
  service:
    name: httpd.service
    state: started
  register: start_httpd
  until: start_httpd is not failed
  retries: 5
```

...thus avoiding the utilization of the EPEL repo.

Issue Type

Feature Request

Extra vars file

N/A

Ansible Playbook Output

N/A

Ansible Version

N/A

Ansible Configuration

N/A

Ansible Execution Node

CLI Ansible (Ansible Core)

Operating System

RHEL
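As an added example (not code from this issue or from the workshops project), the POSIX shell functions below perform the post-issuance part of the flow quoted above without Ansible: verify the downloaded intermediate and root PEMs against the SHA-256 values the issue pins, assemble the CA bundle with the intermediate first and the root last, and confirm that certbot actually left a usable `fullchain.pem`/`privkey.pem` pair behind before httpd is started. It assumes the standard certbot live-directory layout (`fullchain.pem` and `privkey.pem` under `/etc/letsencrypt/live/<fqdn>/`), GNU `sha256sum`, and either GNU or BSD `stat`; the sample data in the comments is constructed.

```shell
#!/bin/sh
# Added example, not code from the issue or the workshops project: the
# "checksum the PEMs, build the bundle, confirm issuance" steps as functions
# that can be run by hand or from a single Ansible shell task.

# The SHA-256 values are the ones quoted in the issue's get_url tasks.
R3_SHA256=177e1b8fc43b722b393f4200ff4d92e32deeffbb76fef5ee68d8f49c88cf9d32
ROOT_X1_SHA256=22b557a27055b33606b6559f37703928d3e4ad79f110b407d04986e1843543d1

# sha256_matches FILE EXPECTED -> exit 0 only if FILE hashes to EXPECTED.
sha256_matches() {
    actual=$(sha256sum "$1" 2>/dev/null | cut -d' ' -f1)
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# count_certs FILE -> number of PEM certificate blocks in FILE (0 if none
# or if the file is unreadable), printed on stdout.
count_certs() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# build_ca_bundle INTER INTER_SHA ROOT ROOT_SHA OUT
# Writes OUT = INTER followed by ROOT (intermediate first, trust anchor
# last), but only after both inputs pass their checksum and each contains
# at least one certificate block. Nothing is written on failure.
build_ca_bundle() {
    inter=$1; inter_sum=$2; root=$3; root_sum=$4; out=$5
    sha256_matches "$inter" "$inter_sum" || { echo "checksum mismatch: $inter" >&2; return 1; }
    sha256_matches "$root" "$root_sum"   || { echo "checksum mismatch: $root" >&2; return 1; }
    [ "$(count_certs "$inter")" -ge 1 ] || { echo "no certificate in $inter" >&2; return 1; }
    [ "$(count_certs "$root")" -ge 1 ]  || { echo "no certificate in $root" >&2; return 1; }
    cat "$inter" "$root" > "$out" && chmod 0644 "$out"
}

# issued_cert_ok LIVE_DIR -> exit 0 only if certbot left a non-empty
# fullchain.pem (leaf plus at least one chain cert) and a privkey.pem that
# is readable by its owner alone; anything else is reported and rejected.
issued_cert_ok() {
    dir=$1
    [ -s "$dir/fullchain.pem" ] || { echo "missing $dir/fullchain.pem" >&2; return 1; }
    [ -s "$dir/privkey.pem" ]   || { echo "missing $dir/privkey.pem" >&2; return 1; }
    [ "$(count_certs "$dir/fullchain.pem")" -ge 2 ] \
        || { echo "$dir/fullchain.pem carries no chain" >&2; return 1; }
    # GNU stat first, BSD stat as the fallback; -L follows certbot's symlinks.
    mode=$(stat -L -c '%a' "$dir/privkey.pem" 2>/dev/null \
        || stat -L -f '%Lp' "$dir/privkey.pem")
    case "$mode" in
        [0-7]00) return 0 ;;
        *) echo "$dir/privkey.pem mode $mode is group/world readable" >&2; return 1 ;;
    esac
}

# Usage after the certbot container has run, e.g. (FQDN is the host's name):
#   live=/etc/letsencrypt/live/$FQDN
#   build_ca_bundle "$live/lets-encrypt-r3.pem" "$R3_SHA256" \
#                   "$live/isrgrootx1.pem" "$ROOT_X1_SHA256" \
#                   "$live/letsencrypt-ca-bundle.pem" && issued_cert_ok "$live"
```

If the container route is adopted, two small adjustments to the quoted task are worth considering: pin the image by digest rather than `docker.io/certbot/certbot:latest`, so the issuer code that runs with ports 80 and 443 bound is the one that was reviewed, and drop `-it`, since an Ansible shell task has no terminal to attach and the run is already `--noninteractive`.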

@IPvSean IPvSean self-assigned this Mar 7, 2024