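---
# Renews the wildcard certificates with acme.sh on the controller, installs
# them into the local nginx tree, ships the files to the web hosts and then
# restarts nginx (bare-metal and Docker variants).
- name: SSL证书更新
  hosts: localhost
  # become: true
  gather_facts: false
  vars:
    # Cloudflare credentials consumed by acme.sh's dns_cf hook. Keep the real
    # values out of this file (ansible-vault / --extra-vars); an account-wide
    # API key grants far more than DNS edits, so prefer a scoped token where
    # the acme.sh version in use supports it.
    CF_Email: ""
    CF_Key: ""
    # One backup directory per run, keyed by hour (pipe lookup runs on the
    # controller, which is also the target of this play).
    cert_backup_dir: "/usr/local/nginx/conf/ssl/cert/backup/{{ lookup('pipe', 'date +%Y%m%d%H') }}"
    acme_sh_path: "/root/.acme.sh/acme.sh"
    nginx_ssl_dir: "/usr/local/nginx/conf/ssl"
  tasks:
    - name: 备份旧证书
      # On the very first run there is nothing to copy yet; ignore_errors keeps
      # the play going in that case.
      shell: |
        mkdir -p {{ cert_backup_dir }}
        cp -f {{ nginx_ssl_dir }}/cert/*.pem {{ cert_backup_dir }}/
      ignore_errors: true

    - name: 更新证书
      # Every shell task is a separate process, so `export`ing the
      # credentials in an earlier task never reaches acme.sh; they have to be
      # passed through `environment:` on the task that actually calls it.
      environment:
        CF_Email: "{{ CF_Email }}"
        CF_Key: "{{ CF_Key }}"
      shell: |
        {{ acme_sh_path }} --renew --dns dns_cf --server google \
          -d {{ item.domain }} -d '*.{{ item.domain }}' -d '*.internal.{{ item.domain }}' \
          {% if item.ecc %} --ecc --keylength ec-256 {% endif %} \
          --force
      loop:
        - { domain: "qwerto.cc", ecc: true }
        - { domain: "qwerto.cc", ecc: false }

    - name: 安装证书
      shell: |
        {{ acme_sh_path }} --install-cert -d {{ item.domain }} \
          {% if item.ecc %} --ecc {% endif %} \
          --key-file {{ nginx_ssl_dir }}/{{ item.cert_dir }}/key.{{ key_type }}.pem \
          --fullchain-file {{ nginx_ssl_dir }}/{{ item.cert_dir }}/cert.{{ key_type }}.pem
      loop:
        - { domain: "qwerto.cc", cert_dir: "cert", ecc: true }
        - { domain: "qwerto.cc", cert_dir: "cert", ecc: false }
      vars:
        # Task vars are templated per loop item, so `item` is available here.
        key_type: "{{ 'ecc' if item.ecc else 'rsa' }}"

    - name: 重启 Nginx 服务
      service:
        name: nginx
        state: restarted

- name: SSL证书分发
  hosts: web
  become: true
  gather_facts: false
  tasks:
    - name: 分发证书
      # The glob is evaluated on the controller (where acme.sh wrote the
      # files). Private keys must not be world-readable on the web hosts;
      # nginx opens them as root when it (re)starts, so 0600 is enough.
      copy:
        src: "{{ item }}"
        dest: /usr/local/nginx/conf/ssl/cert/
        owner: root
        group: root
        mode: "{{ '0600' if (item | basename).startswith('key.') else '0644' }}"
      with_fileglob:
        - "/usr/local/nginx/conf/ssl/cert/*.pem"

- name: Nginx 证书重载
  hosts: nginx
  become: true
  gather_facts: false
  tasks:
    - name: 重启 Nginx 服务
      service:
        name: nginx
        state: restarted

- name: Nginx (Docker) 证书重载
  hosts: nginx-docker
  become: true
  gather_facts: false
  tasks:
    - name: 重启 Nginx 容器
      # No shell features are needed, so `command` avoids an unnecessary
      # shell invocation.
      command: docker-compose restart
      args:
        chdir: /home/docker/nginx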