add dns acme challenge

defaults/main.yml

@@ -29,6 +29,21 @@ certbot_certs: []
 #     - example2.com
 # - domains:
 #     - example3.com
+# - name: example4.com
+#   dns_rfc2136_credentials: "local-keyname"
+#   domains:
+#     - "example4.com"
+#     - "example5.com"
+
+# certbot_dns_rfc2136_credentials:
+#   - name: "local-keyname"
+#     server: "192.0.2.1" # ip address only
+#     port: 53
+#     key_name: "keyname-in-dns-config"
+#     secret: "example_rfc2136_secret"
+#     algorithm: "HMAC-SHA256"
+
+certbot_dns_rfc2136_propagation_seconds: 60
 
 certbot_create_command: >-
   {{ certbot_script }} certonly --{{ certbot_create_method  }}
@@ -39,6 +54,10 @@ certbot_create_command: >-
   {{ '--expand' if certbot_expand else '' }}
   {{ '--webroot-path ' if certbot_create_method == 'webroot'  else '' }}
   {{ cert_item.webroot | default(certbot_webroot) if certbot_create_method == 'webroot' else '' }}
+  {{ '--dns-rfc2136-propagation-seconds ' if certbot_create_method == 'dns-rfc2136'  else '' }}
+  {{ certbot_dns_rfc2136_propagation_seconds if certbot_create_method == 'dns-rfc2136'  else '' }}
+  {{ '--dns-rfc2136-credentials ' if certbot_create_method == 'dns-rfc2136'  else '' }}
+  {{ '/etc/letsencrypt/' + cert_item.dns_rfc2136_credentials + '.ini' if certbot_create_method == 'dns-rfc2136'  else '' }}
   {{ certbot_create_extra_args }}
   --cert-name {{ cert_item_name }}
   -d {{ cert_item.domains | join(',') }}

tasks/create-cert-dns-rfc2136.yml

@@ -0,0 +1,37 @@
+---
+- name: Determine certificate name
+  set_fact:
+    cert_item_name: "{{ cert_item.name | default(cert_item.domains | first | replace('*.', '')) }}"
+
+- name: Check if certificate already exists.
+  stat:
+    path: /etc/letsencrypt/live/{{ cert_item_name }}/cert.pem
+  register: letsencrypt_cert
+
+- name: Create dns_rfc2136_credentials files
+  template:
+    src: rfc2136_credentials.j2
+    dest: "/etc/letsencrypt/{{ item.name }}.ini"
+    mode: 0600
+  with_items: "{{ certbot_dns_rfc2136_credentials }}"
+
+- name: Check if domains have changed
+  block:
+    - name: Register certificate domains
+      shell: "{{ certbot_script }} certificates --cert-name {{ cert_item_name }} | grep Domains | cut -d':' -f2"
+      changed_when: false
+      register: letsencrypt_cert_domains_dirty
+
+    - name: Cleanup domain list
+      set_fact:
+        letsencrypt_cert_domains: "{{ letsencrypt_cert_domains_dirty.stdout | trim | split(' ') | map('trim') | select('!=', '') | list | sort }}"
+
+    - name: Determine if domains have changed
+      set_fact:
+        letsencrypt_cert_domains_changed: "{{ letsencrypt_cert_domains != (cert_item.domains | map('trim') | select('!=', '') | list | sort) }}"
+
+  when: letsencrypt_cert.stat.exists
+
+- name: Generate new certificate if one doesn't exist.
+  command: "{{ certbot_create_command }}"
+  when: not letsencrypt_cert.stat.exists

tasks/install-with-package.yml

@@ -1,9 +1,10 @@
 ---
 - name: Install Certbot.
   package:
-    name: "{{ certbot_package }}"
+    name: "{{ item }}"
     state: present
+  with_items: "{{ certbot_package }}"
 
 - name: Set Certbot script variable.
   set_fact:
-    certbot_script: "{{ certbot_package }}"
+    certbot_script: "{{ certbot_package[0] }}"

tasks/main.yml

@@ -29,5 +29,13 @@
   loop_control:
     loop_var: cert_item
 
+- include_tasks: create-cert-dns-rfc2136.yml
+  with_items: "{{ certbot_certs }}"
+  when:
+    - certbot_create_if_missing
+    - certbot_create_method == 'dns-rfc2136'
+  loop_control:
+    loop_var: cert_item
+
 - import_tasks: renew-cron.yml
   when: certbot_auto_renew

templates/rfc2136_credentials.j2

@@ -0,0 +1,5 @@
+dns_rfc2136_server = "{{ item.server }}"
+dns_rfc2136_port = "{{ item.port }}"
+dns_rfc2136_name = "{{ item.key_name }}"
+dns_rfc2136_secret = "{{ item.secret }}"
+dns_rfc2136_algorithm = "{{ item.algorithm }}"

vars/default.yml

@@ -1,2 +1,4 @@
 ---
-certbot_package: certbot
+certbot_package:
+  - certbot
+  - python3-certbot-dns-rfc2136