obynio / certbot-plugin-gandi

Certbot plugin for authentication using Gandi LiveDNS
https://pypi.org/project/certbot-plugin-gandi/
MIT License

How to use this plugin from pip and ansible #32

Open Synchro opened 2 years ago

Synchro commented 2 years ago

This is just to help others that try to do this and have run into issues with certbot snap installation. I was trying to come up with a clean install method to use with ansible, and I've got it working successfully with this config (on Ubuntu):

```yaml
# System packages needed to create the virtualenv and run certbot
- name: Install certbot system dependencies
  ansible.builtin.apt:
    package:
      - python3
      - python3-virtualenv
      - libaugeas0
    state: present
    update_cache: yes
  tags: certbot

# certbot goes into its own virtualenv at /opt/certbot
- name: Install certbot from pip
  ansible.builtin.pip:
    name: certbot
    virtualenv: /opt/certbot
  tags: certbot

- name: Link certbot into path
  ansible.builtin.file:
    src: /opt/certbot/bin/certbot
    dest: /usr/bin/certbot
    state: link
  tags: certbot

# Same virtualenv as certbot, otherwise certbot will not see the plugin
- name: Install certbot gandi DNS plugin
  ansible.builtin.pip:
    name: certbot-plugin-gandi
    virtualenv: /opt/certbot
  tags: gandi
```

This installs using virtualenv, as the EFF recommends, but this means that the gandi plugin needs to be installed in the same virtualenv, or certbot won't see it. HTH.

drzraf commented 2 years ago

```yaml
# Credentials file passed to --dns-gandi-credentials, readable by root only
- copy:
    dest: "/etc/letsencrypt/gandi.ini"
    owner: root
    group: root
    mode: "0400"
    content: "dns_gandi_api_key={{ api_key }}"

# One-shot container: pip installs the plugin inside the certbot/certbot
# image on every run, then requests the certificate
- docker_container:
    image: certbot/certbot
    name: certbot_gandi
    state: started
    auto_remove: no
    cleanup: yes
    detach: no
    debug: yes
    volumes:
      - "/etc/letsencrypt:/etc/letsencrypt"
      - "/var/log/letsencrypt:/var/log/letsencrypt"
    entrypoint: /bin/sh
    command: "-c 'pip install certbot-plugin-gandi && certbot certonly --noninteractive --agree-tos --email {{ email }} --authenticator dns-gandi --dns-gandi-credentials /etc/letsencrypt/gandi.ini -d {{ domains | join(',') }}'"

# Daily renewal at 15:22 using the same image and credentials file
- cron:
    name: Certbot automatic renewal.
    cron_file: "certbot"
    job: "docker run -v /etc/letsencrypt:/etc/letsencrypt -v /var/log/letsencrypt:/var/log/letsencrypt --entrypoint /bin/sh  certbot/certbot -c 'pip install certbot-plugin-gandi && certbot renew --quiet --no-self-upgrade  --authenticator dns-gandi --dns-gandi-credentials /etc/letsencrypt/gandi.ini'"
    minute: '22'
    hour: '15'
    user: foo
```

(Note: It'd be so much better if certbot-plugin-gandi were either bundled in certbot/certbot or if an official standalone Docker image existed.)
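
As an added example that is not part of either comment or of the plugin's own code, the shell functions below check the two preconditions the comments above rely on: the plugin sits in the same virtualenv as certbot, and the credentials file is restricted to its owner and sets `dns_gandi_api_key`. It assumes GNU `stat` (as on Ubuntu) and that pip records the plugin under a `certbot_plugin_gandi-*` metadata directory in the virtualenv's `site-packages`; the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Assumes GNU stat and pip metadata named certbot_plugin_gandi-* (assumption).

# Return 0 only if the plugin is installed in the same virtualenv as certbot.
plugin_in_venv() {
    venv=$1
    if [ ! -x "$venv/bin/certbot" ]; then
        echo "no certbot executable in $venv" >&2
        return 2
    fi
    for d in "$venv"/lib/python*/site-packages/certbot_plugin_gandi-*; do
        if [ -d "$d" ]; then return 0; fi
    done
    echo "certbot-plugin-gandi is not installed in $venv" >&2
    return 1
}

# Return 0 only if the credentials file belongs to the expected uid
# (default 0, root), grants nothing to group/other, and sets dns_gandi_api_key.
check_gandi_credentials() {
    file=$1
    want_uid=${2:-0}
    if [ ! -f "$file" ]; then
        echo "missing credentials file: $file" >&2
        return 2
    fi
    uid=$(stat -c '%u' "$file") || return 2
    mode=$(stat -c '%a' "$file") || return 2
    if [ "$uid" != "$want_uid" ]; then
        echo "$file is owned by uid $uid, expected $want_uid" >&2
        return 1
    fi
    # %a prints octal permissions; the last two digits are group and other.
    case $mode in
        *00) ;;
        *) echo "$file has mode $mode; only the owner may have access" >&2
           return 1 ;;
    esac
    if ! grep -Eq '^dns_gandi_api_key[[:space:]]*=[[:space:]]*[^[:space:]]' "$file"; then
        echo "$file does not set dns_gandi_api_key" >&2
        return 3
    fi
}

# Run both checks only when called as: script VENV CREDENTIALS_FILE
if [ "$#" -eq 2 ]; then
    plugin_in_venv "$1" && check_gandi_credentials "$2"
fi
```

For the virtualenv install this would be run as `sh check.sh /opt/certbot /etc/letsencrypt/gandi.ini`, where `check.sh` is whatever name the script is saved under.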