author: Kelley Spoon <kelley.spoon@linaro.org> 2018-09-07 15:56:37 -0500
committer: Benjamin Copeland <ben.copeland@linaro.org> 2018-09-11 11:24:39 +0000
commit: 677599d3ce9c176f740ae78d54ce34a845692dfe (patch)
tree: c8cbfaf377618340a762bfbea2755c0e5cc73739
parent: 81a0e7233f0f2331abe03652bea2fae1cce79a27 (diff)
Certbot: simplify use of snakeoil, support one cert per site
This change drops the "linaro_environment" var in favor of "snakeoil" as a simple boolean. Instead of trying to set the "ssl_*" vars it simply creates the path to LE cert and symlinks to snakeoil.

Also updated to create independent certs for each domain listed in "certbot_domains" instead of one for all domains.

Change-Id: I29ceefe0b9ae790d29548cc41f90a9757638def2
Reviewed-on: https://review.linaro.org/28420
Reviewed-by: Riku Voipio <riku.voipio@linaro.org>
-rw-r--r--  docs/README.ssl.md             | 101
-rw-r--r--  roles/certbot/handlers/main.yml  |   3
-rw-r--r--  roles/certbot/tasks/main.yml     |   4
-rw-r--r--  roles/certbot/tasks/snakeoil.yml |  22
4 files changed, 97 insertions, 33 deletions
diff --git a/docs/README.ssl.md b/docs/README.ssl.md
index 7f4f069a..ffd452ce 100644
--- a/docs/README.ssl.md
+++ b/docs/README.ssl.md
@@ -1,12 +1,49 @@
-Overview
-========
+Quickstart for Bootstrapping Certbot
+=====================================
+
+1. Edit the apache config file and make sure the acme-challenge
+ code has been added to the port 80 vhost (see "Apache Config" below)
+
+2. Edit the host_vars for the server and set "certbot_domains" to a list of all hostnames that should have a certificate on the server
+
+3. Ensure that the 'certbot' role is called before the 'apache-site' role in
+ the playbook and has the "ssl" tag associated with it
+
+4. Install the apache configs (use --skip-tags ssl) to allow the acme-challenge
+ configs
+
+5. Ensure the acme-challenge exemption is working:
+
+cat hello > /srv/certbot/.well-known/acme-challenge/foo.txt
+curl http://{{hostname}}/.well-known/acme-challenge/foo.txt
+
+6. Install 'certbot' role by itself (use --tags ssl to create the certs)
+
+Once the playbook has been successfully bootstrapped on the server, it will
+no longer require any special action.
+
+
+Certbot Renewal
+===============
+
+Part of the certbot install includes a cron job that runs every 12 hours
+that calls "certbot renew". If a cert is within 30 days of expiring, it
+will automatically renew. If you a see a 20 day or less warning that means
+the cron job is failing for some reason.
+
+After fixing whatever the problem is, you can either run "certbot renew" as
+root on the server, or you can simply run the playbook again with "--tags ssl".
+
+
+Overview of all SSL Playbooks
+=============================
Our playbooks currently have five roles dedicated to setting up SSL
certificates on a server. Most of these are obsolete and will be
removed from our roles in the future, so please do not use them
in any new development work.
-- ssl
+- certbot
This is the currently preferred role for creating and maintaining ssl
certs on a server. It installs the 'certbot' program from the PPA.
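Review bot: step 5 of the quickstart writes the test file with `cat hello > /srv/certbot/.well-known/acme-challenge/foo.txt`, which reads a file named `hello` from the current directory rather than writing the string; it should be `echo hello > /srv/certbot/.well-known/acme-challenge/foo.txt`. The check that follows should also compare the body returned by `curl -s http://{{hostname}}/.well-known/acme-challenge/foo.txt` against `hello` (a redirect to https that was not exempted will return a 301 page, not an error), and the doc should tell the operator to remove foo.txt afterwards so nothing stray is left world-readable under the challenge path.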
@@ -15,7 +52,7 @@ in any new development work.
- letsencrypt
- Obsoleted by 'ssl'. Do not use.
+ Obsoleted by 'certbot'. Do not use.
This role sets up and maintains a LetsEncrypt certificate for the server
using the obsoleted 'letsencrypt' script provided by the EFF. 'letsencrypt'
@@ -45,26 +82,21 @@ in any new development work.
There should be nothing left dependent upon this role.
-Details for the 'ssl' role - certbot support
+Details for the 'certbot' role - certbot support
============================================
-The 'ssl' role will behave differently based on the setting of the
-"linaro_environment" variable. If the variable is absent or set
-to anything other than "testing", the role will:
+The 'certbot' role will ensure that a cert/key pair for each FQDN
+listed in the "certbot_domains" variable for the host is created on
+the server. If the extra arg "snakeoil" is set to True, the certs will
+be created and symlinked to the snakeoil cert. If it's not defined or
+not set to True, the certbot program will be run and will either request
+or renew LE certificates for each item in "certbot_domains".
- - install the PPA for certbot
- - run `certbot certificates` to examine the current settings
- - if a domain is missing from the cert or the cert is not present,
- it will run `certbot --apache certonly -d <domains> -e <email>`
- to either create a new cert or renew an existing one
- - finally it will set the following vars based on the information
- gained from the output of `certbot certificates`:
+The command that is run for each domain is:
+certbot --apache certonly -d <domain> -e <email>
- ssl_cert
- ssl_key
- ssl_ca (usually same as ssl_cert as it is a fullchain certificate)
-The behavior of certbot may be influenced by setting the following vars:
+The following host_vars may be set:
certbot_domains: A list of domains that the cert will be valid for
certbot_email: The email address to use when registering for a cert
@@ -74,10 +106,29 @@ you need to add more hostnames, override the list in the host_vars for the
server.
-Details for the 'ssl' role - snakeoil support
-=============================================
+Apache Config
+=============
+
+Ensure that the following directives exist in the port 80 vhost on the server:
+
+ Alias "/.well-known/acme-challenge/" "/srv/certbot/.well-known/acme-challenge/"
+ <Directory "/srv/certbot/.well-known/acme-challenge/">
+ Require all granted
+ </Directory>
+
+Next, make sure that an exemption is made for any redirect or rewrite rules for the /.well-known/acme-challenge/ URL
+
+ * For mod_rewrite, use:
+
+ RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/.*$
+
+ * For a redirect, use:
+
+ RedirectMatch permanent \
+ "^/(?!\.well-known/acme-challenge)(.*)" \
+ "https://{{hostname}}/$1"
+
+ * For a config with mod_proxy, use:
+
+ ProxyPass /.well-known/acme-challenge/ !
-In order to ease testing and allow for setting up services in a dev environment
-you may instruct this role to use the native snakeoil certs on the system
-by setting the "linaro_environment" variable to "testing" through either
-the ansible command line or temporarily inside of a hosts file.
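Review bot: the documented command `certbot --apache certonly -d <domain> -e <email>` does not match what the role runs; the handler in this same change invokes `certbot --expand --agree-tos -n certonly -m "{{certbot_email}}" -d "{{item}}" --webroot -w /srv/certbot`, i.e. the webroot authenticator rather than the apache plugin, and certbot's email option is `-m`/`--email`, not `-e`. Since the `ssl_cert`/`ssl_key`/`ssl_ca` facts are dropped, the doc should also say where consumers now find the material (`/etc/letsencrypt/live/<domain>/fullchain.pem` and `privkey.pem`, the paths snakeoil.yml creates) and how the "extra arg" snakeoil is passed (e.g. `-e snakeoil=True`). In the Apache section, a bare `RewriteCond` does nothing on its own; state that it must sit immediately before the `RewriteRule` that performs the https redirect.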
diff --git a/roles/certbot/handlers/main.yml b/roles/certbot/handlers/main.yml
index 639ac6eb..e7acde15 100644
--- a/roles/certbot/handlers/main.yml
+++ b/roles/certbot/handlers/main.yml
@@ -1,4 +1,5 @@
---
#note: won't make a request if the cert isn't due for renewal or no new domains
- name: run-certbot
- command: certbot --expand --agree-tos -n certonly -m "{{certbot_email}}" -d "{{certbot_domains|join(',')}}" --webroot -w /srv/certbot
+ command: certbot --expand --agree-tos -n certonly -m "{{certbot_email}}" -d "{{item}}" --webroot -w /srv/certbot
+ with_items: "{{certbot_domains}}"
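Review bot: the comment above the handler is now stale, since "no new domains" cannot apply when every invocation carries a single `-d`, and `--expand` is redundant for the same reason. More importantly, nothing removes the one multi-domain certificate that hosts obtained under the old command; that lineage stays in /etc/letsencrypt and is still renewed by the cron job alongside the new per-domain certs, so the migration step (e.g. `certbot delete --cert-name <old-name>` before re-running with `--tags ssl`) should be documented, and the README should warn that issuing one cert per domain multiplies requests against Let's Encrypt rate limits.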
diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml
index 0a86e873..aea52159 100644
--- a/roles/certbot/tasks/main.yml
+++ b/roles/certbot/tasks/main.yml
@@ -1,8 +1,8 @@
---
- name: Include snakeoil cert settings
include_tasks: snakeoil.yml
- when: (linaro_environment is defined) and (linaro_environment == 'testing')
+ when: (snakeoil is defined) and (snakeoil == True)
- name: Include certbot tasks
include_tasks: certbot.yml
- when: (linaro_environment is undefined) or (linaro_environment != 'testing')
+ when: (snakeoil is undefined) or (snakeoil != True)
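Review bot: `snakeoil == True` is only true when the variable is an actual boolean; the README in this patch calls it an "extra arg", and `-e snakeoil=True` on the ansible command line arrives as the string "True", which compares unequal to True in Jinja, so the snakeoil branch is silently skipped and certbot runs against a test host. Use `when: snakeoil | default(false) | bool` and `when: not (snakeoil | default(false) | bool)` so string and boolean forms both work and the two conditions remain exact complements.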
diff --git a/roles/certbot/tasks/snakeoil.yml b/roles/certbot/tasks/snakeoil.yml
index 56f04ef5..ae638d80 100644
--- a/roles/certbot/tasks/snakeoil.yml
+++ b/roles/certbot/tasks/snakeoil.yml
@@ -1,6 +1,18 @@
---
-- name: Set ssl vars to point to self signed cert
- set_fact:
- ssl_cert: /etc/ssl/certs/ssl-cert-snakeoil.pem
- ssl_key: /etc/ssl/private/ssl-cert-snakeoil.key
- ssl_ca: /etc/ssl/certs/ssl-cert-snakeoil.pem
+- name: Ensure certbot directory exists
+ file:
+ path: /etc/letsencrypt/live/{{item}}
+ state: directory
+ with_items: "{{certbot_domains}}"
+
+- name: Link LE cert to snakeoil cert
+ file:
+ src: /etc/ssl/certs/ssl-cert-snakeoil.pem
+ dest: /etc/letsencrypt/live/{{item}}/fullchain.pem
+ with_items: "{{certbot_domains}}"
+
+- name: Link LE key to snakeoil key
+ file:
+ src: /etc/ssl/certs/ssl-cert-snakeoil.key
+ dest: /etc/letsencrypt/live/{{item}}/privkey.pem
+ with_items: "{{certbot_domains}}"
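Review bot: both "Link" tasks omit `state: link`, so the `file` module defaults to `state: file`, ignores `src`, and fails because /etc/letsencrypt/live/<domain>/fullchain.pem and privkey.pem do not exist yet; add `state: link` (and `force: yes` if a real LE file may already be present) to each. The key task also points `src` at `/etc/ssl/certs/ssl-cert-snakeoil.key`, but the snakeoil key lives at `/etc/ssl/private/ssl-cert-snakeoil.key`, as the removed `set_fact` in this same hunk shows, so even with `state: link` privkey.pem would be a dangling symlink. Whatever reads privkey.pem through this path must also be able to read /etc/ssl/private (root or the ssl-cert group), which is not needed for real LE keys.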