diff --git a/roles/step_acme_cert/molecule/default/converge.yml b/roles/step_acme_cert/molecule/default/converge.yml
index f4c22026..f911262d 100644
--- a/roles/step_acme_cert/molecule/default/converge.yml
+++ b/roles/step_acme_cert/molecule/default/converge.yml
@@ -28,12 +28,13 @@
 step_acme_cert_webroot_path: "{{ webroots[ansible_os_family] }}"
 step_acme_cert_duration: 1h
 step_acme_cert_certfile:
- path: /etc/ssl/step.crt
+ # Lazy evaluation testing
+ #path: /etc/ssl/step.crt
 mode: "644"
 owner: root
 group: "{{ webgroup[ansible_os_family] }}"
 step_acme_cert_keyfile:
- path: /etc/ssl/step.key
+ #path: /etc/ssl/step.key
 mode: "640"
 owner: root
 group: "{{ webgroup[ansible_os_family] }}"
diff --git a/roles/step_acme_cert/tasks/get_cert.yml b/roles/step_acme_cert/tasks/get_cert.yml
index d7ff13ad..477b805c 100644
--- a/roles/step_acme_cert/tasks/get_cert.yml
+++ b/roles/step_acme_cert/tasks/get_cert.yml
@@ -2,8 +2,8 @@
 maxhoesel.smallstep.step_ca_certificate:
 provisioner: "{{ step_acme_cert_ca_provisioner }}"
 contact: "{{ step_acme_cert_contact }}"
- crt_file: "{{ step_acme_cert_certfile.path }}"
- key_file: "{{ step_acme_cert_keyfile.path }}"
+ crt_file: "{{ step_acme_cert_certfile_full.path }}"
+ key_file: "{{ step_acme_cert_keyfile_full.path }}"
 force: yes
 name: "{{ step_acme_cert_name }}"
 not_after: "{{ step_acme_cert_duration|default(omit) }}"
@@ -22,5 +22,5 @@
 owner: "{{ item.owner }}"
 group: "{{ item.group }}"
 loop:
- - "{{ step_acme_cert_keyfile_defaults | combine(step_acme_cert_keyfile) }}"
- - "{{ step_acme_cert_certfile_defaults | combine(step_acme_cert_certfile) }}"
+ - "{{ step_acme_cert_keyfile_full }}"
+ - "{{ step_acme_cert_certfile_full }}"
diff --git a/roles/step_acme_cert/tasks/main.yml b/roles/step_acme_cert/tasks/main.yml
index e6598b0f..3303d495 100644
--- a/roles/step_acme_cert/tasks/main.yml
+++ b/roles/step_acme_cert/tasks/main.yml
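Review bot: The two `#path:` lines left under `step_acme_cert_certfile` and `step_acme_cert_keyfile` are dead configuration committed into the test scenario; if the intent is to exercise the fallback to the `*_defaults` path, delete them and let the comment say so, e.g. `# path deliberately omitted so the role falls back to the *_defaults path`. As written, a later reader cannot tell whether the omission is intentional or a leftover from debugging. The `# Lazy evaluation testing` comment also only accompanies the certfile dict, so the keyfile case carries no explanation at all.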
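Review bot: `crt_file` and `key_file` now read `step_acme_cert_certfile_full.path` / `step_acme_cert_keyfile_full.path`, which are facts produced by a `set_fact` task in main.yml rather than role variables, so this task file only works when it is included after that task; the `loop` in the second hunk of this file has the same dependency. That ordering contract is invisible here, and a future standalone include would fail with an undefined-variable error; a comment on the task, e.g. `# requires the step_acme_cert_*_full facts set in main.yml`, would make it explicit. The task's `- name:` line is outside the hunk.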
@@ -2,13 +2,19 @@ # tasks file for step_acme_cert - include: check.yml +- name: Update cert/keyfile dicts with defaults + set_fact: + # Role params take precedence over set_fact, so we need to declare a new private variable + step_acme_cert_keyfile_full: "{{ step_acme_cert_keyfile_defaults | combine(step_acme_cert_keyfile) }}" + step_acme_cert_certfile_full: "{{ step_acme_cert_certfile_defaults | combine(step_acme_cert_certfile) }}" + - name: Look for existing certificate stat: - path: "{{ step_acme_cert_certfile.path }}" + path: "{{ step_acme_cert_certfile_full.path }}" register: step_acme_cert_current_cert - name: Check if certificate is valid - command: "step-cli certificate verify {{ step_acme_cert_certfile.path }}" + command: "step-cli certificate verify {{ step_acme_cert_certfile_full.path }}" changed_when: no check_mode: no ignore_errors: true diff --git a/roles/step_acme_cert/templates/step-renew.service.j2 b/roles/step_acme_cert/templates/step-renew.service.j2 index 02645436..ff9607ec 100644 --- a/roles/step_acme_cert/templates/step-renew.service.j2 +++ b/roles/step_acme_cert/templates/step-renew.service.j2 
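Review bot: `command: "step-cli certificate verify {{ step_acme_cert_certfile_full.path }}"` interpolates the certificate path into a single command string, which the `command` module splits on whitespace, so a `path` override containing spaces or quotes is mis-parsed; the `argv` form passes it as one argument: `argv: ["step-cli", "certificate", "verify", "{{ step_acme_cert_certfile_full.path }}"]`. The preceding `stat` task already receives the same path as a plain scalar, so both tasks would then handle the value consistently. The new `set_fact` comment explains the `_full` naming well; it could also state that `combine` merges only the top level, so a caller supplying a partial dict receives the missing keys from the `*_defaults` dict.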
@@ -8,7 +8,7 @@ Type=simple Restart=always RestartSec=1 Environment=STEPPATH={{ step_cli_steppath }} -ExecStart={{ step_cli_executable_absolute.stdout }} ca renew {{ step_acme_cert_certfile.path }} {{ step_acme_cert_keyfile.path }} --daemon --force{% if step_acme_cert_renewal_when is defined %} --expires-in {{ step_acme_cert_renewal_when }}{% endif %}{% if step_acme_cert_renewal_reload_services %} --exec "systemctl try-reload-or-restart {{ step_acme_cert_renewal_reload_services | join(' ') }}"{% endif %} +ExecStart={{ step_cli_executable_absolute.stdout }} ca renew {{ step_acme_cert_certfile_full.path }} {{ step_acme_cert_keyfile_full.path }} --daemon --force{% if step_acme_cert_renewal_when is defined %} --expires-in {{ step_acme_cert_renewal_when }}{% endif %}{% if step_acme_cert_renewal_reload_services %} --exec "systemctl try-reload-or-restart {{ step_acme_cert_renewal_reload_services | join(' ') }}"{% endif %} [Install] WantedBy=multi-user.target
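Review bot: The renewal paths are placed in `ExecStart` unquoted, so a `path` override containing whitespace would be split by systemd into separate arguments; systemd accepts double-quoted arguments, e.g. `ca renew "{{ step_acme_cert_certfile_full.path }}" "{{ step_acme_cert_keyfile_full.path }}"`. The `--exec` value on the same line is already double-quoted, so the service-name list gets protection the paths do not. The `[Service]` section header this line belongs to is outside the hunk.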