From cd4135f3c47a318db17732fa4775faf7c72d9b0a Mon Sep 17 00:00:00 2001 From: ipvsean Date: Mon, 6 Apr 2020 19:11:06 -0400 Subject: [PATCH 1/4] fixing certbot this will solve issues-> - fixing bug with certbot not working on RHEL8 - https://github.com/ansible/workshops/issues/768 - failing on purpose is certbot fails - https://github.com/ansible/workshops/issues/718 --- provisioner/roles/aws_dns/tasks/create.yml | 41 ++++---------- provisioner/roles/aws_dns/tasks/main.yml | 9 ++- provisioner/roles/aws_dns/tasks/tower.yml | 55 ++++++++----------- .../roles/code_server/tasks/codeserver.yml | 12 ++-- provisioner/roles/code_server/tasks/main.yml | 12 ++-- 5 files changed, 52 insertions(+), 77 deletions(-) diff --git a/provisioner/roles/aws_dns/tasks/create.yml b/provisioner/roles/aws_dns/tasks/create.yml index ffd6ce346..fda4c8b6c 100644 --- a/provisioner/roles/aws_dns/tasks/create.yml +++ b/provisioner/roles/aws_dns/tasks/create.yml 
@@ -1,32 +1,11 @@ --- -- name: perform DNS and SSL certs for ansible control node - block: - - name: dns for student webpage - become: false - route53: - state: "{{ s3_state }}" - zone: "{{workshop_dns_zone}}" - record: "{{username}}.{{ec2_name_prefix|lower}}.{{workshop_dns_zone}}" - type: A - overwrite: true - value: "{{ansible_host}}" - delegate_to: localhost - register: route53_status - - rescue: - - debug: - msg: 'DNS entries for control nodes have hit an issue in the aws_dns role, we will fail gracefully' - - - name: appends - set_fact: - dns_information: | - - route53 module hit an error, DNS is not working, please use IP addresses - run_once: true - delegate_to: localhost - delegate_facts: true - -- name: CERTBOT FOR TOWER - include_tasks: "tower.yml" - when: - - towerinstall|bool - - route53_status is not failed +- name: dns for student webpage + become: false + route53: + state: "{{ s3_state }}" + zone: "{{workshop_dns_zone}}" + record: "{{username}}.{{ec2_name_prefix|lower}}.{{workshop_dns_zone}}" + type: A + overwrite: true + value: "{{ansible_host}}" + delegate_to: localhost diff --git a/provisioner/roles/aws_dns/tasks/main.yml b/provisioner/roles/aws_dns/tasks/main.yml index 88cca315b..a1091af80 100644 --- a/provisioner/roles/aws_dns/tasks/main.yml +++ b/provisioner/roles/aws_dns/tasks/main.yml @@ -17,8 +17,13 @@ when: - not teardown -- name: CREATE DNS ENTRIES FOR EACH TOWER NODE AND SSL CERT - include_tasks: create.yml +- name: create DNS entries for Ansible Tower and SSL cert + block: + - name: create DNS entries for each Ansible Tower node + include_tasks: create.yml + + - name: certbot for Ansible Tower + include_tasks: "tower.yml" when: - not teardown - check_cert.status != 200 diff --git a/provisioner/roles/aws_dns/tasks/tower.yml b/provisioner/roles/aws_dns/tasks/tower.yml index 338af58d2..35b698fba 100644 --- a/provisioner/roles/aws_dns/tasks/tower.yml +++ b/provisioner/roles/aws_dns/tasks/tower.yml 
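Review bot: The surviving route53 task in create.yml does not wait for the record change to propagate, and the new block in main.yml (second hunk on this line) now runs tower.yml immediately after it, so certbot's standalone validation can race a record that Route 53 has not yet served. Adding `wait: true` to the route53 task makes the task block until the change is in sync and removes one reason for the `retries: 5` loop in tower.yml to spin. The removed rescue also dropped `register: route53_status`; with the block structure a failed DNS task now aborts before certbot runs, which appears to be the intent, but it is worth a one-line comment above the task saying that a DNS failure is deliberately fatal. The route53 task with `overwrite: true` is pre-existing behaviour and is not changed here.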
@@ -8,9 +8,13 @@ tower_username: admin tower_password: "{{admin_password}}" -- name: INSTALL CERTBOT - yum: - name: certbot +# directions found here https://certbot.eff.org/lets-encrypt/centosrhel8-other +- name: Download and install certbot + get_url: + url: https://dl.eff.org/certbot-auto + dest: /usr/local/bin/certbot-auto + mode: '0755' + owner: "root" # https://docs.ansible.com/ansible-tower/latest/html/administration/init_script.html - name: TURN OFF TOWER 
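Review bot: The new get_url task fetches `https://dl.eff.org/certbot-auto` into `/usr/local/bin` with mode 0755 and no integrity check, so a script that is later executed as root is trusted on the strength of the TLS connection alone (get_url validates the certificate by default, but nothing pins the content). Add a `checksum: "sha256:<expected-digest>"` line (fill in the digest of the vetted release) so a changed or truncated download fails the task instead of running. Note that certbot-auto also self-upgrades at run time unless invoked with `--no-self-upgrade`, so the checksum only covers the bootstrap script, not what it later pulls; if that matters for this workshop image, document it in the comment above the task. The identical task is added in codeserver.yml (next line) and in gitlab-server certbot.yml (patch 3), and the same remark applies to both.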
@@ -18,39 +22,26 @@ # If this fails check out status of certbot: https://letsencrypt.status.io/ - name: ISSUE CERT - shell: certbot certonly --standalone -d {{username}}.{{ec2_name_prefix|lower}}.{{workshop_dns_zone}} --email ansible-network@redhat.com --noninteractive --agree-tos + shell: /usr/local/bin/certbot-auto certonly --standalone -d {{username}}.{{ec2_name_prefix|lower}}.{{workshop_dns_zone}} --email ansible-network@redhat.com --noninteractive --agree-tos register: issue_cert until: issue_cert is not failed retries: 5 - ignore_errors: true -- name: APPEND LETS ENCRYPT FAILED - set_fact: - dns_information: | - - The Lets Encrypt certbot failed, please check https://letsencrypt.status.io/ to make sure the service is running - run_once: true - delegate_to: localhost - delegate_facts: true - when: issue_cert is failed - -- name: If issue cert works install it on tower - block: - - name: MOVE SSL KEY - copy: - remote_src: true - src: "/etc/letsencrypt/live/{{username}}.{{ec2_name_prefix|lower}}.{{workshop_dns_zone}}/privkey.pem" - dest: /etc/tower/tower.key - - - name: GRAB SPECIFIC SSL CERT - slurp: - src: "/etc/letsencrypt/live/{{username}}.{{ec2_name_prefix|lower}}.{{workshop_dns_zone}}/cert.pem" - register: intermediate_cert - - - name: COMBINE SPECIFIC AND INTERMEDIATE CERT - template: - src: combined_cert.j2 - dest: /etc/tower/tower.cert - when: issue_cert is not failed +- name: MOVE SSL KEY + copy: + remote_src: true + src: "/etc/letsencrypt/live/{{username}}.{{ec2_name_prefix|lower}}.{{workshop_dns_zone}}/privkey.pem" + dest: /etc/tower/tower.key + +- name: GRAB SPECIFIC SSL CERT + slurp: + src: "/etc/letsencrypt/live/{{username}}.{{ec2_name_prefix|lower}}.{{workshop_dns_zone}}/cert.pem" + register: intermediate_cert + +- name: COMBINE SPECIFIC AND INTERMEDIATE CERT + template: + src: combined_cert.j2 + dest: /etc/tower/tower.cert - name: TURN ON TOWER shell: ansible-tower-service start 
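Review bot: The MOVE SSL KEY task copies `privkey.pem` to `/etc/tower/tower.key` with `remote_src: true` and no `mode` or `owner`, so when the destination does not yet exist the copy module creates it under the system umask, which on most hosts leaves the private key world-readable. Add `mode: "0600"` and an `owner`/`group` matching the account the Tower service runs as (confirm against the Tower installer's ownership of `/etc/tower`). The same task is re-indented into the block in patch 2's tower.yml hunk, so the fix belongs there as well. Separately, the ISSUE CERT shell line interpolates `{{username}}` into a command unquoted; `{{ username | quote }}` costs nothing and keeps a hostname with shell metacharacters from altering the command.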
diff --git a/provisioner/roles/code_server/tasks/codeserver.yml b/provisioner/roles/code_server/tasks/codeserver.yml index 221619e19..3f0b5421f 100644 --- a/provisioner/roles/code_server/tasks/codeserver.yml +++ b/provisioner/roles/code_server/tasks/codeserver.yml @@ -1,7 +1,11 @@ --- -- name: install cerbot - dnf: - name: certbot +# directions found here https://certbot.eff.org/lets-encrypt/centosrhel8-other +- name: Download and install certbot + get_url: + url: https://dl.eff.org/certbot-auto + dest: /usr/local/bin/certbot-auto + mode: '0755' + owner: "root" - name: turn off tower shell: ansible-tower-service stop @@ -91,7 +95,7 @@ enabled: true - name: issue cert - shell: certbot certonly --standalone -d {{username}}-code.{{ec2_name_prefix|lower}}.{{workshop_dns_zone}} --email ansible-network@redhat.com --noninteractive --agree-tos + shell: /usr/local/bin/certbot-auto certonly --standalone -d {{username}}-code.{{ec2_name_prefix|lower}}.{{workshop_dns_zone}} --email ansible-network@redhat.com --noninteractive --agree-tos register: issue_cert until: issue_cert is not failed retries: 5 diff --git a/provisioner/roles/code_server/tasks/main.yml b/provisioner/roles/code_server/tasks/main.yml index ef5502d9e..0da1fea18 100644 --- a/provisioner/roles/code_server/tasks/main.yml +++ b/provisioner/roles/code_server/tasks/main.yml @@ -37,14 +37,10 @@ until: install_tower is not failed retries: 5 - - name: appends - set_fact: - coder_information: | - - VS code integration has failed, please use direct SSH addresses - code_server: false - run_once: true - delegate_to: localhost - delegate_facts: true + - name: fail on purpose now to let user know code server failed + debug: + msg: "VS code integration has failed in provisioner/roles/code_server/tasks/main.yml" + failed_when: true when: - not teardown|bool - check_cert.cert is not defined From 3638d58f50b7ad368657015e34bf4d475a8ae2f1 Mon Sep 17 00:00:00 2001 
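Review bot: The code_server main.yml hunk signals the failure with a `debug` task plus `failed_when: true`, which is the idiomatic job of the `fail` module and reads as a debug line in the play recap; replace the two lines with `fail:` / `msg: "VS code integration has failed in provisioner/roles/code_server/tasks/main.yml"`. The removed `set_fact` also cleared `code_server: false`; if any later role still reads that fact, it will now see whatever value it had before, which is worth a comment confirming nothing downstream depends on it. The same `debug` + `failed_when: true` pattern appears in patch 2's tower.yml rescue section. The enclosing block and its `when:` start outside this hunk.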
From: ipvsean Date: Mon, 6 Apr 2020 19:36:20 -0400 Subject: [PATCH 2/4] certbox fix @cloin sucks --- provisioner/roles/aws_dns/tasks/main.yml | 8 ++- provisioner/roles/aws_dns/tasks/tower.yml | 57 +++++++++++-------- .../roles/code_server/tasks/codeserver.yml | 2 +- 3 files changed, 40 insertions(+), 27 deletions(-) diff --git a/provisioner/roles/aws_dns/tasks/main.yml b/provisioner/roles/aws_dns/tasks/main.yml index a1091af80..6af2f3443 100644 --- a/provisioner/roles/aws_dns/tasks/main.yml +++ b/provisioner/roles/aws_dns/tasks/main.yml @@ -23,7 +23,13 @@ include_tasks: create.yml - name: certbot for Ansible Tower - include_tasks: "tower.yml" + include_tasks: tower.yml + + - name: turn on tower + shell: ansible-tower-service start + register: install_tower + until: install_tower is not failed + retries: 5 when: - not teardown - check_cert.status != 200 diff --git a/provisioner/roles/aws_dns/tasks/tower.yml b/provisioner/roles/aws_dns/tasks/tower.yml index 35b698fba..d2c1e1a69 100644 --- a/provisioner/roles/aws_dns/tasks/tower.yml +++ b/provisioner/roles/aws_dns/tasks/tower.yml 
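Review bot: The added `turn on tower` task uses `shell:` for `ansible-tower-service start`, a command with no shell features, so `command:` is the better fit (ansible-lint flags this pattern as command-instead-of-shell) and it also reports no changed status, so `changed_when: false` or a real condition keeps the recap honest. `register: install_tower` is a carry-over name for what is now a service start; `register: start_tower` would read correctly. Because this block has no rescue, a failure inside tower.yml stops the play before this task runs, which matches the rescue added in the tower.yml hunk below that starts the service on its own.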
@@ -17,34 +17,41 @@ owner: "root" # https://docs.ansible.com/ansible-tower/latest/html/administration/init_script.html -- name: TURN OFF TOWER +- name: turn off Ansible Tower shell: ansible-tower-service stop -# If this fails check out status of certbot: https://letsencrypt.status.io/ -- name: ISSUE CERT - shell: /usr/local/bin/certbot-auto certonly --standalone -d {{username}}.{{ec2_name_prefix|lower}}.{{workshop_dns_zone}} --email ansible-network@redhat.com --noninteractive --agree-tos - register: issue_cert - until: issue_cert is not failed - retries: 5 +- name: SSL cert block + block: + # If this fails check out status of certbot: https://letsencrypt.status.io/ + - name: ISSUE CERT + shell: /usr/local/bin/certbot-auto certonly --no-bootstrap --standalone -d {{username}}.{{ec2_name_prefix|lower}}.{{workshop_dns_zone}} --email ansible-network@redhat.com --noninteractive --agree-tos + register: issue_cert + until: issue_cert is not failed + retries: 5 -- name: MOVE SSL KEY - copy: - remote_src: true - src: "/etc/letsencrypt/live/{{username}}.{{ec2_name_prefix|lower}}.{{workshop_dns_zone}}/privkey.pem" - dest: /etc/tower/tower.key + - name: MOVE SSL KEY + copy: + remote_src: true + src: "/etc/letsencrypt/live/{{username}}.{{ec2_name_prefix|lower}}.{{workshop_dns_zone}}/privkey.pem" + dest: /etc/tower/tower.key -- name: GRAB SPECIFIC SSL CERT - slurp: - src: "/etc/letsencrypt/live/{{username}}.{{ec2_name_prefix|lower}}.{{workshop_dns_zone}}/cert.pem" - register: intermediate_cert + - name: GRAB SPECIFIC SSL CERT + slurp: + src: "/etc/letsencrypt/live/{{username}}.{{ec2_name_prefix|lower}}.{{workshop_dns_zone}}/cert.pem" + register: intermediate_cert -- name: COMBINE SPECIFIC AND INTERMEDIATE CERT - template: - src: combined_cert.j2 - dest: /etc/tower/tower.cert + - name: COMBINE SPECIFIC AND INTERMEDIATE CERT + template: + src: combined_cert.j2 + dest: /etc/tower/tower.cert + rescue: + - name: turn on tower + shell: ansible-tower-service start + register: 
install_tower + until: install_tower is not failed + retries: 5 -- name: TURN ON TOWER - shell: ansible-tower-service start - register: install_tower - until: install_tower is not failed - retries: 5 + - name: fail on purpose + debug: + msg: "failing on purpose - SSL cert problem" + failed_when: true diff --git a/provisioner/roles/code_server/tasks/codeserver.yml b/provisioner/roles/code_server/tasks/codeserver.yml index 3f0b5421f..8477e1877 100644 --- a/provisioner/roles/code_server/tasks/codeserver.yml +++ b/provisioner/roles/code_server/tasks/codeserver.yml @@ -95,7 +95,7 @@ enabled: true - name: issue cert - shell: /usr/local/bin/certbot-auto certonly --standalone -d {{username}}-code.{{ec2_name_prefix|lower}}.{{workshop_dns_zone}} --email ansible-network@redhat.com --noninteractive --agree-tos + shell: /usr/local/bin/certbot-auto certonly --no-bootstrap --standalone -d {{username}}-code.{{ec2_name_prefix|lower}}.{{workshop_dns_zone}} --email ansible-network@redhat.com --noninteractive --agree-tos register: issue_cert until: issue_cert is not failed retries: 5 From 1fbc96f4d80d1052fde44ab5b54a53bd25d6ba3c Mon Sep 17 00:00:00 2001 From: ipvsean Date: Mon, 6 Apr 2020 22:27:19 -0400 Subject: [PATCH 3/4] Update certbot.yml fixing certbot for windows workshop, this should be all on @cloin --- provisioner/roles/gitlab-server/tasks/certbot.yml | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/provisioner/roles/gitlab-server/tasks/certbot.yml b/provisioner/roles/gitlab-server/tasks/certbot.yml index 5d8986798..95176dd85 100644 --- a/provisioner/roles/gitlab-server/tasks/certbot.yml +++ b/provisioner/roles/gitlab-server/tasks/certbot.yml 
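Review bot: The ISSUE CERT line now passes `--no-bootstrap`, which tells certbot-auto not to install its own OS dependencies, yet only the gitlab-server certbot.yml (patch 4 on the next line) gains a preceding dnf task for `python3-pip` and `python3-devel`; tower.yml here and codeserver.yml (second hunk on this line) get no equivalent, so the block will fail on a fresh RHEL8 host unless those packages arrive from elsewhere, which the diff does not show. Add the same dnf task before the certbot run in both files, or a comment stating where the prerequisites are installed. In the rescue, the `fail on purpose` message hides which step failed; `msg: "SSL cert problem in {{ ansible_failed_task.name }}"` surfaces it without extra logic. The `retries: 5` loop re-runs certonly on every attempt, so a persistent validation error burns Let's Encrypt's failed-validation allowance quickly; a short `delay:` and a comment pointing at the rate limit would help whoever debugs it.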
@@ -19,13 +19,16 @@ name: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm" state: present - - name: GitLab post | install cerbot - dnf: - name: certbot - state: present + # directions found here https://certbot.eff.org/lets-encrypt/centosrhel8-other + - name: Download and install certbot + get_url: + url: https://dl.eff.org/certbot-auto + dest: /usr/local/bin/certbot-auto + mode: '0755' + owner: "root" - name: GitLab post | issue cert - shell: certbot certonly --standalone -d gitlab.{{ec2_name_prefix|lower}}.{{workshop_dns_zone}} --email ansible-network@redhat.com --noninteractive --agree-tos + shell: /usr/local/bin/certbot-auto certonly --no-bootstrap --standalone -d gitlab.{{ec2_name_prefix|lower}}.{{workshop_dns_zone}} --email ansible-network@redhat.com --noninteractive --agree-tos register: issue_cert until: issue_cert is not failed retries: 5 From 41893d0adfb52a84bc7100adbb235a4d88678c6b Mon Sep 17 00:00:00 2001 From: ipvsean Date: Mon, 6 Apr 2020 23:16:19 -0400 Subject: [PATCH 4/4] Update certbot.yml for @cloin --- provisioner/roles/gitlab-server/tasks/certbot.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/provisioner/roles/gitlab-server/tasks/certbot.yml b/provisioner/roles/gitlab-server/tasks/certbot.yml index 95176dd85..b1fecef3b 100644 --- a/provisioner/roles/gitlab-server/tasks/certbot.yml +++ b/provisioner/roles/gitlab-server/tasks/certbot.yml @@ -19,6 +19,12 @@ name: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm" state: present + - name: GitLab post | IInstall base packages + dnf: + name: + - python3-pip + - python3-devel + # directions found here https://certbot.eff.org/lets-encrypt/centosrhel8-other - name: Download and install certbot get_url: