SSL certificates refactor

Author: swalkinshaw

.github/actions/setup-step-ca/action.yml

@@ -1,4 +1,4 @@
-letsencrypt_contact_emails:
+acme_ca_contact_emails:
   - [email protected]
 
 wordpress_sites:
@@ -14,7 +14,6 @@ wordpress_sites:
       enabled: false
     ssl:
       enabled: false
-      provider: letsencrypt
     cache:
       enabled: true
   example-https.com:
@@ -29,6 +28,5 @@ wordpress_sites:
       enabled: false
     ssl:
       enabled: true
-      provider: letsencrypt
     cache:
       enabled: false

.github/files/wordpress_sites.yml

@@ -31,7 +31,6 @@ jobs:
       - uses: actions/setup-python@v2
         with:
           python-version: '3.9'
-      - uses: ./.github/actions/setup-step-ca
       - uses: roots/setup-trellis-cli@v1
         with:
           ansible-vault-password: 'fake'
@@ -50,7 +49,7 @@ jobs:
       - run: trellis exec ansible-playbook --version
         working-directory: example.com/trellis
       - name: Provision
-        run: trellis provision --extra-vars "web_user=runner letsencrypt_ca=https://127.0.0.1:8443/acme/acme" production
+        run: trellis provision --extra-vars "web_user=runner acme_ca_force_local_server=true" production
         working-directory: example.com
       - name: Deploy non-https site
         run: trellis deploy --extra-vars "web_user=runner project_git_repo=https://github.com/roots/bedrock.git" production example.com

.github/workflows/integration.yml

@@ -16,6 +16,7 @@
     - { role: xdebug, tags: [php, xdebug] }
     - { role: memcached, tags: [memcached] }
     - { role: nginx, tags: [nginx] }
+    - { role: ssl_certificates, tags: [ssl_certificates, ssl], when: sites_using_ssl | count }
     - { role: logrotate, tags: [logrotate] }
     - { role: composer, tags: [composer] }
     - { role: wp-cli, tags: [wp-cli] }

dev.yml

@@ -10,7 +10,13 @@ wordpress_env_defaults:
   domain_current_site: "{{ site_hosts_canonical | first }}"
   wp_debug_log: "{{ www_root }}/{{ item.key }}/logs/debug.log"
 
+ssl_defaults:
+  acme:
+    challenge:
+      type: http-01
+
 site_env: "{{ wordpress_env_defaults | combine(vault_wordpress_env_defaults | default({}), item.value.env | default({}), vault_wordpress_sites[item.key].env) }}"
+site_ssl: "{{ ssl_defaults | combine(item.value.ssl | default({}) ) }}"
 site_hosts_canonical: "{{ item.value.site_hosts | map(attribute='canonical') | list }}"
 site_hosts_redirects: "{{ item.value.site_hosts | selectattr('redirects', 'defined') | sum(attribute='redirects', start=[]) | list }}"
 site_hosts: "{{ site_hosts_canonical | union(site_hosts_redirects) }}"

group_vars/all/helpers.yml

@@ -1,4 +1,4 @@
-acme_tiny_challenges_directory: "{{ www_root }}/letsencrypt"
 env: development
+acme_ca_server: 'https://127.0.0.1:8443/acme/acme/directory'
 mysql_root_password: "{{ vault_mysql_root_password }}" # Define this variable in group_vars/development/vault.yml
 web_user: vagrant

group_vars/development/main.yml

@@ -14,6 +14,5 @@ wordpress_sites:
       enabled: false
     ssl:
       enabled: false
-      provider: self-signed
     cache:
       enabled: false

group_vars/development/wordpress_sites.yml

@@ -16,6 +16,5 @@ wordpress_sites:
       enabled: false
     ssl:
       enabled: false
-      provider: letsencrypt
     cache:
       enabled: false

group_vars/production/wordpress_sites.yml

@@ -16,6 +16,5 @@ wordpress_sites:
       enabled: false
     ssl:
       enabled: false
-      provider: letsencrypt
     cache:
       enabled: false