[FEATURE] #38: Use dehydrated instead of acme-tiny

Author: andreaswolf

README.md

@@ -1,24 +1,24 @@
 # Let’s encrypt/acme-tiny role for Ansible
 
-Installs and configures [acme-tiny](https://github.com/diafygi/acme-tiny), a small Python-based client for
+Installs and configures [dehydrated](https://github.com/lukas2511/dehydrated), a small Shell-based client for
 [Let’s encrypt](https://letsencrypt.org).
 
-It automates the following tasks:
-
-  * creating an account key for Let’s encrypt
-  * creating private keys and Certificate Signature Requests (CSR) for hosts
-  * configuring a cron job that automatically renews the certificates after 60 days
+This role historically used acme-tiny, a Python-based implementation of the ACME protocol. As this client was too 
+limited in functionality, we switched over to dehydrated in april 2017.
 
 During each role run, the certificate renewal script is also executed (as with the cron job), to ensure you get new
 certificates as soon as you have configured them.
 
+**IMPORTANT:** This package is currently in the transition from acme-tiny to dehydrated. Use with caution and always 
+manually verify if everything worked ok!
+
 
 ## Requirements
 
 For every hostname you want to support, you need to have a webserver configured and add an alias that points to the 
-directory configured with `acme_tiny_challenges_directory`. For Apache, such an alias should look like this:
+directory configured with `dehydrated_challenges_directory`. For Apache, such an alias should look like this:
 
-    Alias "/.well-known/acme-challenge" "{{ acme_tiny_challenges_directory }}"
+    Alias "/.well-known/acme-challenge" "{{ dehydrated_challenges_directory }}"
 
 Hint: You can also put this into a global variable and then use this variable in the definition of every vHost.
 
@@ -42,9 +42,9 @@ When you use Letencrypt on multiple servers, it may be simpler to have only one
 
 You might want to adjust these variables that control where the software and data are located:
 
-  * `acme_tiny_software_directory`: The location to which acme-tiny is cloned
-  * `acme_tiny_data_directory`: The location where the account key and certificate signature requests (CSR) are placed
-  * `acme_tiny_challenges_directory`: The (web-reachable) directory that contains the temporary challenges used for 
+  * `dehydrated_software_directory`: The location to which dehydrated is cloned
+  * `dehydrated_base_directory`: The location where the configuration, account key(s) and the certificate list (domains.txt) are placed
+  * `dehydrated_challenges_directory`: The (web-reachable) directory that contains the temporary challenges used for 
     verifying your domain ownership
   * `letsencrypt_intermediate_cert_path`: the path to which the intermediate certificate of Let’s encrypt will be
     downloaded.

defaults/main.yml

@@ -1,11 +1,21 @@
 ---
 
-acme_tiny_repo: 'https://github.com/diafygi/acme-tiny.git'
-acme_tiny_commit: '7a5a2558c8d6e5ab2a59b9fec9633d9e63127971'
-
+# leaving these variables in to enable removal of the software
 acme_tiny_software_directory: '/usr/local/letsencrypt'
 acme_tiny_data_directory: '/var/lib/letsencrypt'
-acme_tiny_challenges_directory: '/var/www/letsencrypt'
+
+dehydrated_repo: 'https://github.com/lukas2511/dehydrated.git'
+dehydrated_commit: 'v0.4.0'
+
+dehydrated_base_directory: '/etc/dehydrated'
+dehydrated_certs_directory: '/etc/ssl/letsencrypt/certs'
+dehydrated_accounts_directory: '{{ dehydrated_base_directory }}/accounts'
+dehydrated_config_file: '/etc/dehydrated/config'
+dehydrated_domains_file: '{{ dehydrated_base_directory }}/domains.txt'
+dehydrated_software_directory: '/usr/local/dehydrated'
+dehydrated_challenges_directory: '/var/www/letsencrypt'
+
+dehydrated_ca: 'https://acme-v01.api.letsencrypt.org/directory'
 
 # Path to the local file containing the account key to copy to the server.
 # Secure this file using Git-crypt for example.
@@ -21,11 +31,7 @@ acme_tiny_challenges_directory: '/var/www/letsencrypt'
 #  KWXliiWjUORxDxI1c56Rw2VCIExnFjWJAdSLv6/XaQWo2T7U28bkKbAlCF9=
 #  -----END RSA PRIVATE KEY-----
 
-letsencrypt_account_key: '{{ acme_tiny_data_directory }}/account.key'
-
-letsencrypt_intermediate_cert_path: '/etc/ssl/certs/lets-encrypt-x3-cross-signed.pem'
-letsencrypt_intermediate_cert_url: 'https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem'
-letsencrypt_intermediate_cert_sha256sum: 'e446c5e9dbef9d09ac9f7027c034602492437a05ff6c40011d7235fca639c79a'
+letsencrypt_account_key: '{{ dehydrated_base_directory }}/private_key.pem'
 
 letsencrypt_key_dir: '/etc/ssl/letsencrypt/keys'
 letsencrypt_certs_dir: '/etc/ssl/letsencrypt/certs'
@@ -53,6 +59,6 @@ letsencrypt_min_renewal_age: 60
 # the days of a month the cronjob should be run. Make sure to run it rather often, three times per month is a pretty
 # good value. It does not harm to run it often, as it will only regenerate certificates that have passed a certain age
 # (60 days by default).
-letsencrypt_cronjob_daysofmonth: 1,11,21
+letsencrypt_cronjob_daysofmonth: "*"
 
 ...