Merge pull request #8 from michaelamattes/master

Add Azure dns provider challenge

Author: avalor1

examples/SAN_example.com.yml

@@ -27,3 +27,30 @@
     letsencrypt_s3_config_secret_key: !vault |
               $ANSIBLE_VAULT;1.1;AES256
               ...
+
+# Azure DNS
+- name: create the certificate for example.com
+  hosts: localhost
+  roles:
+    - letsencrypt
+  vars:
+    letsencrypt_create_private_keys: true
+    letsencrypt_do_http_challenge: false
+    letsencrypt_do_dns_challenge: true
+    letsencrypt_dns_provider: azure
+    letsencrypt_use_acme_live_directory: true
+    account_email: "ssl-admin@example.com"
+    azure_resource_group: "azure_resource_group"
+    convert_cert_to: pfx
+    domain:
+      certificate_name: "example.com"
+      common_name: "www.example.com"
+      zone: "example.com"
+      email_address: "ssl-admin@example.com"
+      subject_alt_name:
+        top_level:
+          - example.com
+          - domain1.example.com
+          - domain2.example.com
+        second_level:
+          - domain1.example.co.uk"

examples/wildcard.example.com.yml

@@ -1,3 +1,4 @@
+# AutoDNS
 - name: create the certificate for *.example.com
   hosts: localhost
   roles:
@@ -13,6 +14,7 @@
     letsencrypt_create_private_keys: true
     letsencrypt_do_http_challenge: false
     letsencrypt_do_dns_challenge: true
+    letsencrypt_dns_provider: autodns
     letsencrypt_use_acme_live_directory: false
     account_email: "ssl-admin@example.com"
     private_key_content: !vault |
@@ -22,3 +24,26 @@
     dns_password: !vault |
               $ANSIBLE_VAULT;1.1;AES256
               ...
+
+# Azure DNS
+- name: create the certificate for *.example.com
+  hosts: localhost
+  roles:
+    - letsencrypt
+  vars:
+    letsencrypt_create_private_keys: true
+    letsencrypt_do_http_challenge: false
+    letsencrypt_do_dns_challenge: true
+    letsencrypt_dns_provider: azure
+    letsencrypt_use_acme_live_directory: true
+    account_email: "ssl-admin@example.com"
+    azure_resource_group: "azure_resource_group"
+    convert_cert_to: pfx
+    domain:
+      email_address: "ssl-admin@example.com"
+      certificate_name: "wildcard.example.com"
+      common_name: "*.example.com"
+      zone: "example.com"
+      subject_alt_name:
+        top_level:
+          - "example.com"

roles/letsencrypt/README.md

@@ -47,7 +47,7 @@ rewrite (\.well-known/acme-challenge.*) https://letsencrypt-challenge-bucket.s3.
 ```
 
 ## dns-challenge
-Currently the role only supports the InternetX autodns API. Feel free to contribute with other DNS APIs.
+Currently the role supports the InternetX autodns API and the Azure DNS API. Feel free to contribute with other DNS APIs.
 
 ## Variables for DNS & HTTP challenge
 
@@ -57,13 +57,17 @@ Currently the role only supports the InternetX autodns API. Feel free to contrib
 | certificate_name                    | yes      |         | name of the resulting certificate. Most useful for wildcard certificates to not have files named '*.example.com' on the filesystem
 | common_name                         | yes      |         | domain for which the certificate will be created, non wildcards are also possible
 | zone                                | yes      |         | zone in which the dns records should be created
-| subject_alt_name                    | yes      |         | if you want to use wildcard-certificates use base name again as otherwise DNS txt record creation could fail
+| subject_alt_name                    | yes      |         | if you want to use
+wildcard-certificates use base name again as otherwise DNS txt record creation could fail
+| subject_alt_name: top_level:        | no       |         | list of top-level domains
+| subject_alt_name: second_level:     | no       |         | list of second_level domains
 | email_address                       | yes      |         | mail address which is used for the certificate (reminder mails are sent here)
 | **configuration options**           |          |         |
 | private_key_content                 | no       |         | content of the created private key for the certificate (allows reuse of keys)
 | letsencrypt_do_http_challenge       | yes      | false   | use http challenge
 | letsencrypt_do_dns_challenge        | yes      | false   | use dns challenge
 | letsencrypt_use_acme_live_directory | no       | false   | choose if production certificates should be created, the staging directory of LE will be used by default
+| azure_resource_group                | no       |         | Azure Resource Group for zone_name
 
 ## Variables for HTTP challenge
 
@@ -76,10 +80,11 @@ Currently the role only supports the InternetX autodns API. Feel free to contrib
 
 ## Variables for dns-challenge
 
-| Variable     | Required | Default   | Description
-|--------------|----------|-----------|------------
-| dns_user     | yes      |           | username to access the DNS api
-| dns_password | yes      |           | password to access the DNS api
+| Variable                 | Required | Default   | Description
+|--------------------------|----------|-----------|------------
+| dns_user                 | yes      |           | username to access the DNS api
+| dns_password             | yes      |           | password to access the DNS api
+| letsencrypt_dns_provider | no       |         | which DNS provider should be used: autodns, azure
 
 ## global role variables
 
@@ -89,14 +94,16 @@ Currently the role only supports the InternetX autodns API. Feel free to contrib
 | letsencrypt_conf_dir_user                | yes      | $USER                                | you can overwrite letsencrypt_conf_dir_user with a user who should be used when a group readable directory is used
 | letsencrypt_conf_dir_group               | yes      | $GROUP                               | you can overwrite letsencrypt_conf_dir_group with a group which consists of multiple users if ansible role is used in subteams
 | letsencrypt_prerequisites_packagemanager | yes      | yum                                  | set the packagemanager which is used of the ansible_host. Possible values are all supported package managers from ansible package module
-| acme_directory                           | yes      | acme-staging-v02.api.letsencrypt.org | acme directory which will be used for certificate challenge
+| acme_staging_directory                   | no       | acme-staging-v02.api.letsencrypt.org | acme directory which will be used for certificate challenge
+| acme_live_directory                      | no       | acme-v02.api.letsencrypt.org         | acme directory which will be used for certificate challenge
 | account_key_path                         | yes      | $letsencrypt_conf_dir                | path for account key of letsencrypt
 | csr_path                                 | yes      | $letsencrypt_conf_dir/certs          | path for csr which is created for challenge
 | cert_path                                | yes      | $letsencrypt_conf_dir/certs          | path for issued certificate
 | intermediate_path                        | yes      | $letsencrypt_conf_dir/certs          | path for intermediate chain
 | fullchain_path                           | yes      | $letsencrypt_conf_dir/certs          | path for full chain file (certificate + intermediate)
 | private_key_path                         | yes      | $letsencrypt_conf_dir/certs          | path for private key
 | remaining_days                           | yes      | 30                                   | min days remaining before certificate will be renewed
+| convert_cert_to                          | no       |                                      | format to convert the certificate to: `pfx`
 
 ### Usage
 

roles/letsencrypt/defaults/main.yml

@@ -18,10 +18,12 @@ letsencrypt_prerequisites_packagemanager: "yum"
 letsencrypt_s3_config_region: "eu-west-1"
 
 ### http challenge / dns challenge
-acme_directory: "https://acme-staging-v02.api.letsencrypt.org/directory"
+acme_staging_directory: "https://acme-staging-v02.api.letsencrypt.org/directory"
+acme_live_directory: "https://acme-v02.api.letsencrypt.org/directory"
 account_key_path: "{{ letsencrypt_conf_dir }}/letsencrypt_account.pem"
 csr_path: "{{ letsencrypt_cert_dir }}/{{ domain.certificate_name }}.csr"
 cert_path: "{{ letsencrypt_cert_dir }}/{{ domain.certificate_name }}.pem"
+pfx_cert_path: "{{ letsencrypt_cert_dir }}/{{ domain.certificate_name }}.pfx"
 intermediate_path: "{{ letsencrypt_cert_dir }}/{{ domain.certificate_name }}_intermediate.pem"
 fullchain_path: "{{ letsencrypt_cert_dir }}/{{ domain.certificate_name }}_fullchain.pem"
 private_key_path: "{{ letsencrypt_cert_dir }}/{{ domain.certificate_name }}.key"

roles/letsencrypt/tasks/convert_certificate.yml

@@ -0,0 +1,9 @@
+---
+- name: convert certificate to pfx format
+  openssl_pkcs12:
+    action: export
+    path: "{{ pfx_cert_path }}"
+    name: "{{ domain.certificate_name }}"
+    privatekey_path: "{{ private_key_path }}"
+    certificate_path: "{{ fullchain_path }}"
+  when: convert_cert_to == "pfx"

roles/letsencrypt/tasks/dns-challenge-autodns.yml

@@ -0,0 +1,128 @@
+---
+### include/role 3 - validate challenge
+- name: validate challenge only if it is created or changed
+  when: challenge is changed
+  block:
+    - name: Login to autodns
+      uri:
+        url: "https://api.autodns.com/v1/login"
+        method: POST
+        body_format: json
+        body:
+          { "context": "4",
+            "user": "{{ dns_user }}",
+            "password": "{{ dns_password }}"
+          }
+      register: login
+
+    - name: add a new TXT record to the common domain
+      uri:
+        url: "https://api.autodns.com/v1/zone/{{ domain.zone }}/a.ns14.net"
+        method: PATCH
+        body_format: json
+        body:
+          {
+            "origin": "{{ domain.zone }}",
+            "resourceRecordsAdd": [
+              {
+                "name": "_acme-challenge",
+                "ttl": 60,
+                "type": "TXT",
+                "value": "{{ challenge['challenge_data'][domain.common_name]['dns-01']['resource_value'] }}"
+              }
+            ]
+          }
+        headers:
+          Cookie: "{{ login.set_cookie }}"
+      when:
+        # only runs if the challenge is run the first time, because then there is challenge_data
+        - challenge['challenge_data'][domain.common_name] is defined
+
+    - name: add a new TXT record to the SAN domains
+      uri:
+        url: "https://api.autodns.com/v1/zone/{{ domain.zone }}/a.ns14.net"
+        method: PATCH
+        body_format: json
+        body:
+          {
+            "origin": "{{ item }}",
+            "resourceRecordsAdd": [
+              {
+                "name": "_acme-challenge.{{ item }}",
+                "ttl": 60,
+                "type": "TXT",
+                "value": "{{ challenge['challenge_data'][item]['dns-01']['resource_value'] }}"
+              }
+            ]
+          }
+        headers:
+          Cookie: "{{ login.set_cookie }}"
+      loop: "{{ domain.subject_alt_name }}"
+      when:
+        - domain.subject_alt_name is defined
+        # only runs if the challenge is run the first time, because then there is challenge_data
+        - challenge['challenge_data'][item] is defined
+
+    - name: Let the challenge be validated and retrieve the cert and intermediate certificate
+      acme_certificate:
+        account_key_src: "{{ account_key_path }}"
+        account_email: "{{ account_email }}"
+        csr: "{{ csr_path }}"
+        cert: "{{ cert_path }}"
+        fullchain: "{{ fullchain_path }}"
+        chain: "{{ intermediate_path }}"
+        challenge: dns-01
+        force: "{{ force_renewal | default(false) }}"
+        acme_directory: "{{ acme_directory }}"
+        acme_version: 2
+        terms_agreed: true
+        remaining_days: "{{ remaining_days }}"
+        data: "{{ challenge }}"
+
+    - name: remove created TXT record to keep DNS zone clean
+      uri:
+        url: "https://api.autodns.com/v1/zone/{{ domain.zone }}/a.ns14.net"
+        method: PATCH
+        body_format: json
+        body:
+          {
+            "origin": "{{ domain.zone }}",
+            "resourceRecordsRem": [
+              {
+                "name": "_acme-challenge",
+                "ttl": 60,
+                "type": "TXT",
+                "value": "{{ challenge['challenge_data'][domain.common_name]['dns-01']['resource_value'] }}"
+              }
+            ]
+          }
+        headers:
+          Cookie: "{{ login.set_cookie }}"
+      when:
+        # only runs if the challenge is run the first time, because then there is challenge_data
+        - challenge['challenge_data'][domain.common_name] is defined
+
+    - name: remove created SAN TXT records to keep DNS zone clean
+      uri:
+        url: "https://api.autodns.com/v1/zone/{{ domain.zone }}/a.ns14.net"
+        method: PATCH
+        body_format: json
+        body:
+          {
+            "origin": "{{ item }}",
+            "resourceRecordsRem": [
+              {
+                "name": "_acme-challenge.{{ item }}",
+                "ttl": 60,
+                "type": "TXT",
+                "value": "{{ challenge['challenge_data'][item]['dns-01']['resource_value'] }}"
+              }
+            ]
+          }
+        headers:
+          Cookie: "{{ login.set_cookie }}"
+      loop: "{{ domain.subject_alt_name }}"
+      when:
+        - domain.subject_alt_name is defined
+        # only runs if the challenge is run the first time, because then there is challenge_data
+        - challenge['challenge_data'][item] is defined

roles/letsencrypt/tasks/dns-challenge-azure.yml

@@ -0,0 +1,89 @@
+---
+- name: create TXT record in a new record set
+  azure_rm_dnsrecordset:
+    resource_group: "{{ azure_resource_group }}"
+    relative_name: "_acme-challenge"
+    zone_name: "{{ domain.zone }}"
+    record_mode: append
+    state: present
+    record_type: TXT
+    records:
+      - entry: "{{ challenge['challenge_data'][domain.common_name]['dns-01']['resource_value'] }}"
+
+# split top_level for zone_name and if subdomain is defined add subdomain to relative_name
+- name: add a new TXT record to the SAN top-level domains
+  azure_rm_dnsrecordset:
+    resource_group: "{{ azure_resource_group }}"
+    relative_name: "{{ '_acme-challenge' if item == item.split('.')[-2:] | join('.') else '_acme-challenge.' + item.split('.')[:-2] | join('.') }}"
+    zone_name: "{{ item.split('.')[-2:] | join('.') }}"
+    record_mode: append
+    state: present
+    record_type: TXT
+    records:
+    - entry: "{{ challenge['challenge_data'][item]['dns-01']['resource_value'] }}"
+  loop: "{{ domain.subject_alt_name.top_level }}"
+  when: domain.subject_alt_name.top_level is defined
+
+# split second_level for zone_name and if subdomain is defined add subdomain to relative_name
+- name: add a new TXT record to the SAN second-level domains
+  azure_rm_dnsrecordset:
+    resource_group: "{{ azure_resource_group }}"
+    relative_name: "{{ '_acme-challenge' if item == item.split('.')[-3:] | join('.') else '_acme-challenge.' + item.split('.')[:-3] | join('.') }}"
+    zone_name: "{{ item.split('.')[-3:] | join('.') }}"
+    record_mode: append
+    state: present
+    record_type: TXT
+    records:
+    - entry: "{{ challenge['challenge_data'][item]['dns-01']['resource_value'] }}"
+  loop: "{{ domain.subject_alt_name.second_level }}"
+  when: domain.subject_alt_name.second_level is defined
+
+- name: Let the challenge be validated and retrieve the cert and intermediate certificate
+  acme_certificate:
+    account_key_src: "{{ account_key_path }}"
+    account_email: "{{ account_email }}"
+    csr: "{{ csr_path }}"
+    cert: "{{ cert_path }}"
+    fullchain: "{{ fullchain_path }}"
+    chain: "{{ intermediate_path }}"
+    challenge: dns-01
+    force: "{{ force_renewal | default(false) }}"
+    acme_directory: "{{ acme_directory }}"
+    acme_version: 2
+    terms_agreed: true
+    remaining_days: "{{ remaining_days }}"
+    data: "{{ challenge }}"
+
+- name: remove created TXT record to keep DNS zone clean
+  azure_rm_dnsrecordset:
+    resource_group: "{{ azure_resource_group }}"
+    relative_name: "_acme-challenge"
+    zone_name: "{{ domain.zone }}"
+    state: absent
+    record_type: TXT
+    records:
+      - entry: "{{ challenge['challenge_data'][domain.common_name]['dns-01']['resource_value'] }}"
+
+- name: remove created SAN top-level TXT records to keep DNS zone clean
+  azure_rm_dnsrecordset:
+    resource_group: "{{ azure_resource_group }}"
+    relative_name: "{{ '_acme-challenge' if item == item.split('.')[-2:] | join('.') else '_acme-challenge.' + item.split('.')[:-2] | join('.') }}"
+    zone_name: "{{ item.split('.')[-2:] | join('.') }}"
+    state: absent
+    record_type: TXT
+    records:
+      - entry: "{{ challenge['challenge_data'][item]['dns-01']['resource_value'] }}"
+  loop: "{{ domain.subject_alt_name.top_level }}"
+  when: domain.subject_alt_name.top_level is defined
+
+- name: remove created SAN second-level TXT records to keep DNS zone clean
+  azure_rm_dnsrecordset:
+    resource_group: "{{ azure_resource_group }}"
+    relative_name: "{{ '_acme-challenge' if item == item.split('.')[-3:] | join('.') else '_acme-challenge.' + item.split('.')[:-3] | join('.') }}"
+    zone_name: "{{ item.split('.')[-3:] | join('.') }}"
+    state: absent
+    record_type: TXT
+    records:
+      - entry: "{{ challenge['challenge_data'][item]['dns-01']['resource_value'] }}"
+  loop: "{{ domain.subject_alt_name.second_level }}"
+  when: domain.subject_alt_name.second_level is defined