LetsEncrypt certificate issuance via podman/certbot container

roles/control_node/tasks/15_package_dependencies.yml

@@ -1,10 +1,4 @@
 ---
-- name: Install EPEL
-  dnf:
-    name: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm"
-    state: present
-    disable_gpg_check: true
-
 - name: Install base packages
   dnf:
     name:
@@ -27,23 +21,3 @@
   until: dnf_check is not failed
   retries: 4
   delay: 5
-
-# Certbot dependancy / acme, needs later version of requests library than task above^^
-- name: install awxkit and requests >2.14
-  become: true
-  ansible.builtin.pip:
-    name:
-      - awxkit
-      - yamllint
-      - "requests==2.14.2"
-      - ansible-navigator
-      - ansible-lint
-    state: latest
-
-- name: install community collection
-  shell: "ansible-galaxy collection install {{ item }} --force-with-deps "
-  register: controlnode
-  loop:
-    - community.general
-  until: controlnode is not failed
-  retries: 5

roles/issue_cert/tasks/main.yml

@@ -4,22 +4,6 @@
     - name: controller start
       include_tasks: "service/controller_start.yml"
 
-    # directions found here https://certbot.eff.org/lets-encrypt/centosrhel8-other
-    - name: install certbot if not already installed
-      dnf:
-        name: certbot
-        state: present
-        disable_gpg_check: true
-    # solves error
-    # pkg_resources.DistributionNotFound: The 'requests>=2.14.2' distribution was not found and is required by acme
-    - name: Install requests python package
-      pip:
-        name: requests>=2.14.2
-
-    - name: Install requests python package
-      pip:
-        name: requests>=2.14.2
-
     - &tower-pinger-block
       block:
         - name: check Tower status
@@ -59,13 +43,38 @@
     - name: controller stop
       include_tasks: "service/controller_stop.yml"
 
+    - name: create letsencrypt subdirectories
+      file:
+        path: "{{ item }}"
+        state: directory
+        owner: root
+        group: root
+        mode: 0750
+      with_items:
+        - /etc/letsencrypt
+        - /var/lib/letsencrypt
+
     # If this fails check out status of certbot: https://letsencrypt.status.io/
     - name: try to issue SSL certificate
       block:
         - name: Issue SSL cert
-          shell: certbot certonly --no-bootstrap --standalone -d {{ dns_name }} --email [email protected] --noninteractive --agree-tos
-          register: issue_cert
-          until: issue_cert is not failed
+          shell: >
+            podman run -it --rm --name certbot \
+                -v "/etc/letsencrypt:/etc/letsencrypt:z" \
+                -v "/var/lib/letsencrypt:/var/lib/letsencrypt:z" \
+                -p 80:80 \
+                -p 443:443 \
+                docker.io/certbot/certbot:latest certonly \
+                --key-type rsa \
+                --rsa-key-size 4096 \
+                --no-bootstrap \
+                --standalone \
+                -d {{ dns_name }} \
+                --email [email protected] \
+                --noninteractive \
+                --agree-tos
+          register: issue_controller_cert
+          until: issue_controller_cert is not failed
           retries: 5
       rescue:
         - name: error with SSL cert
@@ -77,22 +86,50 @@
             dns_information:
               - "{{ dns_information }}"
               - "The Lets Encrypt certbot failed for the controller node, please check https://letsencrypt.status.io/ to make sure the service is running"
-
-    - name: Move SSL Key
-      copy:
-        remote_src: true
-        src: "/etc/letsencrypt/live/{{ dns_name }}/privkey.pem"
-        dest: /etc/tower/tower.key
-
-    - name: Retrieve Specific SSL Cert
+    - name: download LetsEncrypt R3 cert
+      get_url:
+        url: https://letsencrypt.org/certs/lets-encrypt-r3.pem
+        dest: "/etc/letsencrypt/live/{{ dns_name }}"
+        mode: 0644
+        checksum: sha256:177e1b8fc43b722b393f4200ff4d92e32deeffbb76fef5ee68d8f49c88cf9d32
+        group: root
+        owner: root
+    - name: download LetsEncrypt root X1 cert
+      get_url:
+        url: https://letsencrypt.org/certs/isrgrootx1.pem
+        dest: "/etc/letsencrypt/live/{{ dns_name }}"
+        mode: 0644
+        checksum: sha256:22b557a27055b33606b6559f37703928d3e4ad79f110b407d04986e1843543d1
+        group: root
+        owner: root
+    - name: retrieve LetsEncrypt R3 cert
       slurp:
-        src: "/etc/letsencrypt/live/{{ dns_name }}/cert.pem"
+        src: "/etc/letsencrypt/live/{{ dns_name }}/lets-encrypt-r3.pem"
       register: intermediate_cert
-
-    - name: Combine Specific and intermediate Cert
+    - name: retrieve LetsEncrypt root X1 cert
+      slurp:
+        src: "/etc/letsencrypt/live/{{ dns_name }}/isrgrootx1.pem"
+      register: root_cert
+    - name: combine R3 and root X1 certs to create LetsEncrypt CA bundle
       template:
-        src: combined_cert.j2
+        src: cert_bundle.j2
+        dest: "/etc/letsencrypt/live/{{ dns_name }}/letsencrypt-ca-bundle.pem"
+        group: root
+        owner: root
+    - name: Symlink LetsEncrypt CA bundle to /etc/tower/tower.cert
+      ansible.builtin.copy:
+        src: "/etc/letsencrypt/live/{{ dns_name }}/fullchain.pem"
         dest: /etc/tower/tower.cert
+        owner: root
+        group: awx
+        remote_src: true
+    - name: Symlink LetsEncrypt generated private key to /etc/tower/tower.key
+      ansible.builtin.copy:
+        src: "/etc/letsencrypt/live/{{ dns_name }}/privkey.pem"
+        dest: /etc/tower/tower.key
+        owner: root
+        group: awx
+        remote_src: true
   rescue:
     - name: no SSL cert for Automation Controller
       debug:
@@ -101,3 +138,4 @@
     # Turn on Ansible Controller if successful
     - name: controller restart
       include_tasks: "service/controller_start.yml"
+...

roles/issue_cert/templates/cert_bundle.j2

@@ -0,0 +1,2 @@
+{{root_cert.content|b64decode}}
+{{intermediate_cert.content|b64decode}}