Allow updating existing certs

[Matt-Yorkley]

Hey guys, I just had to update an existing certificate on one of our servers to fix a bug, and realised it wasn't possible with the certbot role. We've had to do this a couple of times, and manually recreate the certificates on servers via the commandline.

I've added a new option here to allow recreating existing certificates when they need to be updated, for example when a new subdomain is added. I also noticed nginx had to be reloaded when changing an existing certificate, so I've added a handler for that.

The new optional task can be run using --extra-vars "certbot_force_update=true".

What do you think?

Relevant docs here: https://certbot.eff.org/docs/using.html#re-creating-and-updating-existing-certificates

[raneq]

Hi @Matt-Yorkley , thanks for this! We will take it next week. Personally I haven't hacked on this repo yet, so another mate will come.

cheers!

[delphaber]

@Matt-Yorkley is there a typo here? ngninx instead of nginx. Right?

[raneq]

Suggested change

	notify: reload ngninx
	notify: reload nginx

by @delphaber

[raneq]

@Matt-Yorkley , when you fix the nginx typo I'll test this and merge it if everything ok. It's been too long for this feature, sorry I was out.

[Matt-Yorkley]

Fixed. It's not really urgent, but we do have some certificates on a couple of servers that need to be updated.

[raneq]

The test is failing due to certbot deprecating Ubuntu Trusty (14.04). Are you using this role in any machines running this distro?? We could try to get the .deb if necessary, but I think we should simply state that we don't support trusty anymore.
certbot/certbot#7183

[Matt-Yorkley]

No, we're on 16 and upgrading to 18 later in the year. Deprecating 14 sounds like a good idea 👍

[raneq]

I'm gonna test this tomorrow (Tue 10) for some multi-domain odoo instance we are setting up, and if it works as expected, I'm gonna merge it too! Saying in advance just in case you had some changes stashed without publishing, @Matt-Yorkley

[raneq]

Hi @Matt-Yorkley , I tried your branch in a situation where it fitted perfectly, and it didn't work at the first run. I'm gonna investigate this and see if I can fix it. It says: ... --cert-name 'odoo.example.org' : not found

I think that the certificate changed the name, I'm gonna check it.

TASK [coopdevs.certbot_nginx : Add certbot repository] **************************************
ok: [odoo.example.org]

TASK [coopdevs.certbot_nginx : Install certbot] *********************************************
ok: [odoo.example.org]

TASK [coopdevs.certbot_nginx : Install certbot-nginx plugin] ********************************
ok: [odoo.example.org]

TASK [coopdevs.certbot_nginx : Check if certificate already exists] *************************
ok: [odoo.example.org]

TASK [coopdevs.certbot_nginx : Generate new certificate if one doesn't exist] ***************
skipping: [odoo.example.org]

TASK [coopdevs.certbot_nginx : Force generation of a new certificate] ***********************
fatal: [odoo.example.org]: FAILED! => {
  "changed": true,
  "cmd": "\"certbot certonly --force-renewal --nginx --email 'info@coopdevs.org' --agree-tos
          -d 'group1.example.org,group2.example.org,odoo.example.org'  --cert-name 'odoo.example.org'  \"\n",
  "delta": "0:00:00.007316",
  "end": "2019-09-11 13:59:22.716142",
  "msg": "non-zero return code",
  "rc": 127,
  "start": "2019-09-11 13:59:22.708826",
  "stderr": "/bin/sh: 1: certbot certonly --force-renewal --nginx --email 'info@coopdevs.org'
              --agree-tos -d 'group1.example.org,group2.example.org,odoo.example.org'
              --cert-name 'odoo.example.org'  : not found",
  "stderr_lines": ["/bin/sh: 1: certbot certonly --force-renewal --nginx --email 'info@coopdevs.org'
                    --agree-tos -d 'group1.example.org,group2.example.org,odoo.example.org'
                    --cert-name 'odoo.example.org'  : not found"],
  "stdout": "",
  "stdout_lines": []
}

[raneq]

Ok, so it's not a problem with the certbot logic, it looks like a problem with sh not finding the binary to certbot. This not found message I can reproduce it like this:

# sdfsadfa
sh: 3: sdfsadfa: not found
# echo $?
127

It returns the same error code as the one with certbot.

EDIT: I launched the exact same command manually from a bash and then sh shell, and it works well.

[raneq]

I got it: unnecessary quotes. See:

# "ls -l"
sh: 11: ls -l: not found
# echo $?
127

At [https://yaml-multiline.info/] I found all cases I needed to cover about quoting in yaml.

[raneq]

Suggested change

	- name: Generate new certificate if one doesn't exist
	- name: "Generate new certificate if one doesn't exist"

Quote the name so that vim and possibly other syntax highlighters don't mess with unpaired single quote.

[raneq]

How do you see it @Matt-Yorkley ?

[Matt-Yorkley]

Se ve bien 👍

[Matt-Yorkley]

Ah, I just ran this today, and I got the not found error you mentioned. I didn't see that when I was testing it initially... :/

[raneq]

Ah, I just ran this today, and I got the not found error you mentioned. I didn't see that when I was testing it initially... :/

@Matt-Yorkley, did you use an old version? Or the merged one still has this issue?

[Matt-Yorkley]

I'm pretty sure it was the merged version...

[raneq]

hmmm can you debug it a bit further, then? For me the fixed worked :S I can test it again too if needed

[Matt-Yorkley]

I just used this to update a certificate on a production server with -e "certbot_force_update=true" and it worked like a charm.

Thanks! ❤️ ❤️