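---
# Update the _domain wildcard certificate and private key on web servers
# running Apache, GitLab, Nginx & Tomcat.
#
# Every play follows the same shape:
#   1. dump the variables it is about to use (debug only),
#   2. copy the new cert / chain / private key into place (backup: true),
#   3. run the server's own config test and record the outcome,
#   4. reload/restart only when that test passed,
#   5. (apache, gitlab) connect to the site and report the new expiry.
#
# Host-specific variables (cert_path, private_key_path, private_key,
# root_bundle_path, fullchain_root_bundle_path, webserver_hostname,
# webserver_port, post_test_command, post_test_command_success_output,
# apply_command, healthcheck_url, gitlab_nginx_config_test_command) come
# from the inventory, which is not part of this file.
#
# NOTE(review): no `mode`/`owner` is set on any private-key copy below. The
# copy module keeps an existing destination's permissions and gives a new
# file umask defaults, so confirm after the run that the key is not
# world-readable. The `backup: true` copies are written next to the key and
# should be cleaned up once the rollout is confirmed.

########## apache group ###################################################
- name: "Apache group: set group-wide variables"
  hosts: apache
  vars:
    new_cert: "include/current/_domain.cert"
    new_bundle: "include/current/root-chain_domain.pem"
    new_fullchain_root_bundle: "include/current/fullchain_bundle_domain.pem"
    new_private_key: "include/current/_domain.key"
    ##########################################################################
    apache_config_test_command: "apachectl -t"
    apache_apply_command: "systemctl reload httpd.service"
  tasks:
    - name: "Apache group: dump group-wide variables"
      debug:
        msg:
          - "host is: {{ ansible_host }}"
          - "Group from inventory file is: {{ group_names }} "
          - "------------------------------------------------------------------"
          - "new_cert is: {{ new_cert }}"
          - "new_bundle is: {{ new_bundle }}"
          - "new_fullchain_root_bundle is: {{ new_fullchain_root_bundle }}"
          - "new_private_key is: {{ new_private_key }}"
          - "------------------------------------------------------------------"
          - "apache_config_test_command is: {{ apache_config_test_command }}"
          # previously referenced `apply_command`, which is not defined for this
          # group and made the task fail on an undefined variable
          - "apache_apply_command is: {{ apache_apply_command }}"

    - name: "Apache group: dump host-specific variables"
      debug:
        msg:
          - "host is: {{ ansible_host }}"
          - "--- Running for group apache only ---"
          - "------------------------------------------------------------------"
          - "cert_path is: {{ cert_path }}"
          - "private_key_path is: {{ private_key_path }}"
          - "post_test_command is: {{ post_test_command }}"
          - "webserver_hostname is: {{ webserver_hostname }}"
          - "------------------------------------------------------------------"

    - name: "Apache group: dump OPTIONAL host-specific variable: root_bundle_path"
      debug:
        msg:
          - "host is: {{ ansible_host }}"
          - "--- Running for group apache only ---"
          - "root_bundle_path is: {{ root_bundle_path }}"
      when: root_bundle_path is defined

    ################# copy cert section ##########
    - name: "Apache hosts: Copy the new certificate file"
      copy:
        backup: true
        src: "{{ new_cert }}"
        dest: "{{ cert_path }}"

    - name: "Apache: Copy the intermediate certs file"
      copy:
        backup: true
        src: "{{ new_bundle }}"
        dest: "{{ root_bundle_path }}"
      when: root_bundle_path is defined

    - name: "Apache: Copy the private key"
      copy:
        backup: true
        src: "{{ new_private_key }}"
        dest: "{{ private_key_path }}"

    ################# test section ##############
    - name: "Apache: run apache_config_test_command and register output"
      command: "{{ apache_config_test_command }}"
      register: apache_config_test_result
      ignore_errors: true

    - name: "Apache: dump apache_config_test_result.stderr"
      debug:
        msg: "{{ apache_config_test_result.stderr | default('') }}"

    # `config_test_outcome` stays undefined on any outcome other than
    # "Syntax OK"; every later task keys off that.
    - name: "Set test_outcome to pass if criteria are met"
      set_fact:
        config_test_outcome: "pass"
      when: '"Syntax OK" in (apache_config_test_result.stderr | default(""))'
      ignore_errors: true

    - name: "Apache: dump config_test_outcome"
      debug:
        msg: "{{ config_test_outcome | default('(undefined)') }}"

    #################### reload apache if test is ok ##############
    # ignore_errors masks a failed reload; the cert check below will then
    # still report the old certificate, which is the visible symptom.
    - name: "Apache: restart apache if config test is successful"
      command: "{{ apache_apply_command }}"
      when: config_test_outcome | default('') == "pass"
      ignore_errors: true

    - name: "Apache: fail if config test is NOT successful"
      debug:
        msg:
          - "======================================================================================"
          - "=== !!!FAILURE!!!"
          - '=== APACHE CONFIG MODIFICATIONS ON "{{ inventory_hostname }}"AT"{{ ansible_host }}" FAILED.'
          - "=== THESE WILL HAVE TO BE FIXED MANUALLY. THESE FILES WERE MODIFIED but also backed up:"
          - "==="
          - '=== "{{ cert_path }}"'
          # root_bundle_path is optional for this group, so default it instead
          # of failing the failure message itself on an undefined variable
          - '=== "{{ root_bundle_path | default("(root_bundle_path not set)") }}"'
          - '=== "{{ private_key_path }}"'
          - "=== *** The actual apache configuration wasn't changed, just the cert & key files the config points to."
          - "======================================================================================="
      when: config_test_outcome is undefined

    ################# verify section ##############
    # Runs from the controller against the host's IP with SNI set to the
    # site hostname, so it sees the certificate the reloaded server serves.
    - name: "Get new cert info by contacting site locally"
      get_certificate:
        host: "{{ ansible_host }}"
        port: "{{ webserver_port }}"
        server_name: "{{ webserver_hostname }}"
      register: new_cert_info
      delegate_to: localhost
      when: config_test_outcome | default('') == "pass"

    # Previously the days-left value was a task-scoped var on a debug task
    # whose *result dict* was registered under the same name, so the summary
    # fact below interpolated the whole debug result instead of the number.
    - name: "Compute days until the new certificate expires"
      set_fact:
        new_cert_days_left: >-
          {{ (
            (new_cert_info.not_after | ansible.builtin.to_datetime('%Y%m%d%H%M%SZ'))
            - (ansible_date_time.iso8601 | ansible.builtin.to_datetime('%Y-%m-%dT%H:%M:%SZ'))
          ).days }}
      when: config_test_outcome | default('') == "pass"

    - name: "Show results of locally connecting to remote site"
      debug:
        msg:
          - "New cert expires in: {{ new_cert_days_left }} days."
      when: config_test_outcome | default('') == "pass"

    - name: "set_fact from this host's test outputs to display at end of playbook run"
      set_fact:
        changed_site_hostname_and_new_exp_date: "{{ webserver_hostname }} {{ new_cert_days_left }}"
      when: config_test_outcome | default('') == "pass"

########## gitlab group ###################################################
- name: "Gitlab group: set group-wide variables"
  hosts: gitlab
  vars:
    new_bundle: "include/current/root-chain_domain.pem"
    new_fullchain_root_bundle: "include/current/fullchain_bundle_domain.pem"
    new_private_key: "include/current/_domain.key"
    gitlab_apply_command: "gitlab-ctl restart nginx"
    # gitlab_apply_command: " gitlab-ctl hup nginx; gitlab-ctl hup registry"
  tasks:
    - name: "GitLab group: dump group-wide variables"
      debug:
        msg:
          - "host is: {{ ansible_host }}"
          - "This is only showing info from GitLab group"
          - "------------------------------------------------------------------"
          - "new_bundle is: {{ new_bundle }}"
          - "new_fullchain_root_bundle is: {{ new_fullchain_root_bundle }}"
          - "new_private_key is: {{ new_private_key }}"

    - name: "Gitlab group: dump host-specific variables"
      debug:
        msg:
          - "host is: {{ ansible_host }}"
          - "This is only showing info from GitLab group"
          - "------------------------------------------------------------------"
          - "fullchain_root_bundle_path is: {{ fullchain_root_bundle_path }}"
          - "private_key_path path is: {{ private_key_path }}"
          - "------------------------------------------------------------------"
          - "gitlab_nginx_config_test_command is: {{ gitlab_nginx_config_test_command }}"
          - "healthcheck_url is: {{ healthcheck_url }}"
          - "new_fullchain_root_bundle is: {{ new_fullchain_root_bundle }}"
          - "fullchain_root_bundle_path is: {{ fullchain_root_bundle_path }}"

    ############# copy new cert files ##############
    - name: "GitLab hosts: Copy the new_fullchain_root_bundle"
      copy:
        backup: true
        # follow: true
        src: "{{ new_fullchain_root_bundle }}"
        dest: "{{ fullchain_root_bundle_path }}"

    - name: "GitLab: Copy the private key"
      copy:
        backup: true
        src: "{{ new_private_key }}"
        dest: "{{ private_key_path }}"

    ################# test section ##############
    - name: "GitLab: run embedded nginx config check command and register output"
      command: "{{ gitlab_nginx_config_test_command }}"
      register: gitlab_nginx_config_test_result
      ignore_errors: true

    # the original dumped the full result twice under two names; once is enough
    - name: "Dump gitlab_nginx_config_test_result"
      debug:
        msg: "gitlab_nginx_config_test_result is {{ gitlab_nginx_config_test_result }}"

    - name: "dump gitlab_nginx_config_test_result.stderr"
      debug:
        msg: "{{ gitlab_nginx_config_test_result.stderr | default('') }}"

    - name: "Set test_outcome to pass if criteria are met"
      set_fact:
        config_test_outcome: "pass"
      when: '"test is successful" in (gitlab_nginx_config_test_result.stderr | default(""))'
      ignore_errors: true

    - name: "GitLab: dump config_test_outcome"
      debug:
        msg: "{{ config_test_outcome | default('(undefined)') }}"

    - name: "GitLab: report if config test is NOT successful"
      debug:
        msg:
          - "=== !!!FAILURE!!! GitLab embedded nginx config test did not pass on {{ inventory_hostname }}; nginx was NOT restarted."
          - "=== These files were modified (and backed up) and must be checked manually:"
          - '=== "{{ fullchain_root_bundle_path }}"'
          - '=== "{{ private_key_path }}"'
      when: config_test_outcome is undefined

    ################## apply changes if successful ###############
    # Moved ahead of the certificate check: previously the check ran before
    # the restart and therefore reported the *old* certificate's expiry.
    - name: "GitLab: restart GitLab embedded Nginx if config test is successful"
      command: "{{ gitlab_apply_command }}"
      when: config_test_outcome | default('') == "pass"
      ignore_errors: true

    ################# verify section ##############
    - name: "Get new cert info by contacting site remotely"
      get_certificate:
        host: "{{ ansible_host }}"
        port: "{{ webserver_port }}"
        server_name: "{{ webserver_hostname }}"
      register: new_cert_info
      delegate_to: localhost
      when: config_test_outcome | default('') == "pass"

    # set_fact instead of a task-scoped var + register, so the summary fact
    # below receives the number of days rather than a debug result dict
    - name: "Compute days until the new certificate expires"
      set_fact:
        new_cert_days_left: >-
          {{ (
            (new_cert_info.not_after | ansible.builtin.to_datetime('%Y%m%d%H%M%SZ'))
            - (ansible_date_time.iso8601 | ansible.builtin.to_datetime('%Y-%m-%dT%H:%M:%SZ'))
          ).days }}
      when: config_test_outcome | default('') == "pass"

    - name: "Show results of remotely connecting to remote site"
      debug:
        msg:
          - "New cert expires in: {{ new_cert_days_left }} days."
      when: config_test_outcome | default('') == "pass"

    - name: "set_fact from this host's test outputs to display at end of playbook run"
      set_fact:
        changed_site_hostname_and_new_exp_date: "{{ webserver_hostname }} {{ new_cert_days_left }}"
      when: config_test_outcome | default('') == "pass"

########## nginx group ####################################################
- name: "Nginx group: set group-wide variables"
  hosts: nginx
  vars:
    new_bundle: "include/current/root-chain_domain.pem"
    new_fullchain_root_bundle: "include/current/fullchain_bundle_domain.pem"
    new_private_key: "include/current/_domain.key"
    nginx_config_test_command: "nginx -t -c /etc/nginx/nginx.conf"
    nginx_apply_command: "systemctl reload nginx.service"
  tasks:
    - name: "nginx group: dump group-wide variables"
      debug:
        msg:
          - "host is: {{ ansible_host }}"
          # message previously said "GitLab group" (copy-paste leftover)
          - "This is only showing info from nginx group"
          - "------------------------------------------------------------------"
          - "new_bundle is: {{ new_bundle }}"
          - "new_fullchain_root_bundle is: {{ new_fullchain_root_bundle }}"
          - "new_private_key is: {{ new_private_key }}"
          - "nginx_config_test_command is: {{ nginx_config_test_command }}"
          - "nginx_apply_command is: {{ nginx_apply_command }}"

    - name: "nginx group: dump host-specific variables"
      debug:
        msg:
          - "host is: {{ ansible_host }}"
          - "This is only showing info from nginx group"
          - "------------------------------------------------------------------"
          - "fullchain_root_bundle_path is: {{ fullchain_root_bundle_path }}"
          - "private_key is: {{ private_key }}"
          - "------------------------------------------------------------------"
          - "healthcheck_url is: {{ healthcheck_url }}"

    - name: "nginx group: dump OPTIONAL host-specific variables"
      debug:
        msg:
          - "host is: {{ ansible_host }}"
          - "------------------------------------------------------------------"

    ############# copy new cert files ##############
    - name: "nginx hosts: Copy the new_fullchain_root_bundle"
      copy:
        backup: true
        # follow: true
        src: "{{ new_fullchain_root_bundle }}"
        dest: "{{ fullchain_root_bundle_path }}"

    # NOTE: this group's inventory uses `private_key` for the key path,
    # whereas apache/gitlab use `private_key_path`.
    - name: "nginx: Copy the private key"
      copy:
        backup: true
        src: "{{ new_private_key }}"
        dest: "{{ private_key }}"

    ################# test section ##############
    - name: "Nginx: run nginx config check command and register output"
      command: "{{ nginx_config_test_command }}"
      register: nginx_config_test_command_result
      ignore_errors: true

    - name: "Dump nginx_config_test_command_result"
      debug:
        msg: "nginx_config_test_command_result is {{ nginx_config_test_command_result }}"

    - name: "dump nginx_config_test_command_result.stderr"
      debug:
        msg: "{{ nginx_config_test_command_result.stderr | default('') }}"

    - name: "Set test_outcome to pass if criteria are met"
      set_fact:
        config_test_outcome: "pass"
      when: '"test is successful" in (nginx_config_test_command_result.stderr | default(""))'
      ignore_errors: true

    - name: "Nginx: dump config_test_outcome"
      debug:
        msg: "{{ config_test_outcome | default('(undefined)') }}"

    - name: "Nginx: report if config test is NOT successful"
      debug:
        msg:
          - "=== !!!FAILURE!!! nginx config test did not pass on {{ inventory_hostname }}; nginx was NOT reloaded."
          - "=== These files were modified (and backed up) and must be checked manually:"
          - '=== "{{ fullchain_root_bundle_path }}"'
          - '=== "{{ private_key }}"'
      when: config_test_outcome is undefined

    ################# apply section ##############
    - name: "Nginx: reload nginx service if config test is successful"
      command: "{{ nginx_apply_command }}"
      ignore_errors: true
      when: config_test_outcome | default('') == "pass"

########## others group ###################################################
- name: "others group"
  hosts: others
  vars:
    new_cert: "include/current/_domain.cert"
    new_bundle: "include/current/root-chain_domain.pem"
    new_fullchain_root_bundle: "include/current/fullchain_bundle_domain.pem"
    new_private_key: "include/current/_domain.key"
  tasks:
    - name: "others: dump debugging messages"
      debug:
        msg:
          - "host is: {{ ansible_host }}"
          - "Group from inventory file is: {{ group_names }} "
          - "This host's post_test_command is: {{ post_test_command }}"
          - "This host's apply_command is: {{ apply_command }}"
          - "------------------------------------------------------------------"
          - "fullchain_root_bundle_path: {{ fullchain_root_bundle_path }}"
          - "private_key_path: {{ private_key_path }}"

    - name: "other hosts: Copy the new_fullchain_root_bundle"
      copy:
        backup: true
        # follow: true
        src: "{{ new_fullchain_root_bundle }}"
        dest: "{{ fullchain_root_bundle_path }}"

    # TODO(review): the dump above prints `private_key_path` but the key is
    # written to `private_key`; confirm against the inventory which of the two
    # this group actually defines and make the two agree.
    - name: "other: Copy the private key"
      copy:
        backup: true
        src: "{{ new_private_key }}"
        dest: "{{ private_key }}"

    ################# other section ##############
    - name: "other: run other host-specific config check command and register output"
      command: "{{ post_test_command }}"
      register: other_hosts_config_test_command_result
      ignore_errors: true

    - name: "Dump other_hosts_config_test_command_result"
      debug:
        msg: "other_hosts_config_test_command_result is {{ other_hosts_config_test_command_result }}"

    - name: "dump other_hosts_config_test_command_result.stderr"
      debug:
        msg: "{{ other_hosts_config_test_command_result.stderr | default('') }}"

    # `when` is already a Jinja expression; the original wrapped the variable
    # in {{ }}, which pasted its raw value into the expression instead of
    # comparing it as a string.
    - name: "Set test_outcome to pass if criteria are met"
      set_fact:
        config_test_outcome: "pass"
      when: 'post_test_command_success_output in (other_hosts_config_test_command_result.stderr | default(""))'
      ignore_errors: true

    - name: "others: dump config_test_outcome"
      debug:
        msg: "{{ config_test_outcome | default('(undefined)') }}"

    - name: "others: report if config test is NOT successful"
      debug:
        msg:
          - "=== !!!FAILURE!!! post_test_command did not report success on {{ inventory_hostname }}; apply_command was NOT run."
          - "=== These files were modified (and backed up) and must be checked manually:"
          - '=== "{{ fullchain_root_bundle_path }}"'
          - '=== "{{ private_key }}"'
      when: config_test_outcome is undefined

    ################# other apply section ##############
    - name: "others: host-specific command"
      command: "{{ apply_command }}"
      ignore_errors: true
      when: config_test_outcome | default('') == "pass"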