Merge pull request #769 from IPvSean/certbot_fix

Certbot fix for RHEL8, fix provisoiner windows was failing, but @cloin tested the fix in parallel
ansible · Apr 7, 2020 · 8d36e88 · 8d36e88
2 parents 24a3e79 + 41893d0
commit 8d36e88
Show file tree

Hide file tree

Showing 6 changed files with 75 additions and 78 deletions.
diff --git a/provisioner/roles/aws_dns/tasks/create.yml b/provisioner/roles/aws_dns/tasks/create.yml
@@ -1,32 +1,11 @@
 ---
-- name: perform DNS and SSL certs for ansible control node
-  block:
-    - name: dns for student webpage
-      become: false
-      route53:
-        state: "{{ s3_state }}"
-        zone: "{{workshop_dns_zone}}"
-        record: "{{username}}.{{ec2_name_prefix|lower}}.{{workshop_dns_zone}}"
-        type: A
-        overwrite: true
-        value: "{{ansible_host}}"
-      delegate_to: localhost
-      register: route53_status
-
-  rescue:
-    - debug:
-        msg: 'DNS entries for control nodes have hit an issue in the aws_dns role, we will fail gracefully'
-
-    - name: appends
-      set_fact:
-        dns_information: |
-          - route53 module hit an error, DNS is not working, please use IP addresses
-      run_once: true
-      delegate_to: localhost
-      delegate_facts: true
-
-- name: CERTBOT FOR TOWER
-  include_tasks: "tower.yml"
-  when:
-    - towerinstall|bool
-    - route53_status is not failed
+- name: dns for student webpage
+  become: false
+  route53:
+    state: "{{ s3_state }}"
+    zone: "{{workshop_dns_zone}}"
+    record: "{{username}}.{{ec2_name_prefix|lower}}.{{workshop_dns_zone}}"
+    type: A
+    overwrite: true
+    value: "{{ansible_host}}"
+  delegate_to: localhost
diff --git a/provisioner/roles/aws_dns/tasks/main.yml b/provisioner/roles/aws_dns/tasks/main.yml
@@ -17,8 +17,19 @@
   when:
     - not teardown
 
-- name: CREATE DNS ENTRIES FOR EACH TOWER NODE AND SSL CERT
-  include_tasks: create.yml
+- name: create DNS entries for Ansible Tower and SSL cert
+  block:
+    - name: create DNS entries for each Ansible Tower node
+      include_tasks: create.yml
+
+    - name: certbot for Ansible Tower
+      include_tasks: tower.yml
+
+    - name: turn on tower
+      shell: ansible-tower-service start
+      register: install_tower
+      until: install_tower is not failed
+      retries: 5
   when:
     - not teardown
     - check_cert.status != 200
diff --git a/provisioner/roles/aws_dns/tasks/tower.yml b/provisioner/roles/aws_dns/tasks/tower.yml
@@ -8,33 +8,27 @@
     tower_username: admin
     tower_password: "{{admin_password}}"
 
-- name: INSTALL CERTBOT
-  yum:
-    name: certbot
+# directions found here https://certbot.eff.org/lets-encrypt/centosrhel8-other
+- name: Download and install certbot
+  get_url:
+    url: https://dl.eff.org/certbot-auto
+    dest: /usr/local/bin/certbot-auto
+    mode: '0755'
+    owner: "root"
 
 # https://docs.ansible.com/ansible-tower/latest/html/administration/init_script.html
-- name: TURN OFF TOWER
+- name: turn off Ansible Tower
   shell: ansible-tower-service stop
 
-# If this fails check out status of certbot: https://letsencrypt.status.io/
-- name: ISSUE CERT
-  shell: certbot certonly --standalone -d {{username}}.{{ec2_name_prefix|lower}}.{{workshop_dns_zone}} --email ansible-network@redhat.com --noninteractive --agree-tos
-  register: issue_cert
-  until: issue_cert is not failed
-  retries: 5
-  ignore_errors: true
-
-- name: APPEND LETS ENCRYPT FAILED
-  set_fact:
-    dns_information: |
-      - The Lets Encrypt certbot failed, please check https://letsencrypt.status.io/ to make sure the service is running
-  run_once: true
-  delegate_to: localhost
-  delegate_facts: true
-  when: issue_cert is failed
-
-- name: If issue cert works install it on tower
+- name: SSL cert block
   block:
+    # If this fails check out status of certbot: https://letsencrypt.status.io/
+    - name: ISSUE CERT
+      shell: /usr/local/bin/certbot-auto certonly --no-bootstrap --standalone -d {{username}}.{{ec2_name_prefix|lower}}.{{workshop_dns_zone}} --email ansible-network@redhat.com --noninteractive --agree-tos
+      register: issue_cert
+      until: issue_cert is not failed
+      retries: 5
+
     - name: MOVE SSL KEY
       copy:
         remote_src: true
@@ -50,10 +44,14 @@
       template:
         src: combined_cert.j2
         dest: /etc/tower/tower.cert
-  when: issue_cert is not failed
-
-- name: TURN ON TOWER
-  shell: ansible-tower-service start
-  register: install_tower
-  until: install_tower is not failed
-  retries: 5
+  rescue:
+    - name: turn on tower
+      shell: ansible-tower-service start
+      register: install_tower
+      until: install_tower is not failed
+      retries: 5
+
+    - name: fail on purpose
+      debug:
+        msg: "failing on purpose - SSL cert problem"
+      failed_when: true
diff --git a/provisioner/roles/code_server/tasks/codeserver.yml b/provisioner/roles/code_server/tasks/codeserver.yml
@@ -1,7 +1,11 @@
 ---
-- name: install cerbot
-  dnf:
-    name: certbot
+# directions found here https://certbot.eff.org/lets-encrypt/centosrhel8-other
+- name: Download and install certbot
+  get_url:
+    url: https://dl.eff.org/certbot-auto
+    dest: /usr/local/bin/certbot-auto
+    mode: '0755'
+    owner: "root"
 
 - name: turn off tower
   shell: ansible-tower-service stop
@@ -91,7 +95,7 @@
     enabled: true
 
 - name: issue cert
-  shell: certbot certonly --standalone -d {{username}}-code.{{ec2_name_prefix|lower}}.{{workshop_dns_zone}} --email ansible-network@redhat.com --noninteractive --agree-tos
+  shell: /usr/local/bin/certbot-auto certonly --no-bootstrap --standalone -d {{username}}-code.{{ec2_name_prefix|lower}}.{{workshop_dns_zone}} --email ansible-network@redhat.com --noninteractive --agree-tos
   register: issue_cert
   until: issue_cert is not failed
   retries: 5

diff --git a/provisioner/roles/code_server/tasks/main.yml b/provisioner/roles/code_server/tasks/main.yml
@@ -37,14 +37,10 @@
       until: install_tower is not failed
       retries: 5
 
-    - name: appends
-      set_fact:
-        coder_information: |
-          - VS code integration has failed, please use direct SSH addresses
-        code_server: false
-      run_once: true
-      delegate_to: localhost
-      delegate_facts: true
+    - name: fail on purpose now to let user know code server failed
+      debug:
+        msg: "VS code integration has failed in provisioner/roles/code_server/tasks/main.yml"
+      failed_when: true
   when:
     - not teardown|bool
     - check_cert.cert is not defined
diff --git a/provisioner/roles/gitlab-server/tasks/certbot.yml b/provisioner/roles/gitlab-server/tasks/certbot.yml
@@ -19,13 +19,22 @@
         name: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm"
         state: present
 
-    - name: GitLab post | install cerbot
+    - name: GitLab post | IInstall base packages
       dnf:
-        name: certbot
-        state: present
+        name:
+          - python3-pip
+          - python3-devel
+
+    # directions found here https://certbot.eff.org/lets-encrypt/centosrhel8-other
+    - name: Download and install certbot
+      get_url:
+        url: https://dl.eff.org/certbot-auto
+        dest: /usr/local/bin/certbot-auto
+        mode: '0755'
+        owner: "root"
 
     - name: GitLab post | issue cert
-      shell: certbot certonly --standalone -d gitlab.{{ec2_name_prefix|lower}}.{{workshop_dns_zone}} --email ansible-network@redhat.com --noninteractive --agree-tos
+      shell: /usr/local/bin/certbot-auto certonly --no-bootstrap --standalone -d gitlab.{{ec2_name_prefix|lower}}.{{workshop_dns_zone}} --email ansible-network@redhat.com --noninteractive --agree-tos
       register: issue_cert
       until: issue_cert is not failed
       retries: 5