Deprecate certbot-auto

Certbot-auto is deprecated since 2020[1] and it is no longer available
under https://dl.eff.org/certbot-auto.
This change removes certbot-auto from haproxy_server role leaving
distro method as the only available option.

[1] https://community.letsencrypt.org/t/certbot-auto-deprecated-explanation-and-solutions/139821

Change-Id: Ibe0f13fc7308359d337fb382cb72998befb90d84

defaults/main.yml

@@ -199,23 +199,14 @@ haproxy_pki_install_certificates: "{{ _haproxy_pki_install_certificates }}"
 
 # activate letsencrypt option
 haproxy_ssl_letsencrypt_enable: false
-# choose the certbot install method, 'distro' for a package manager repo, or downloaded with the certbot-auto script 'certbot-auto'
-haproxy_ssl_letsencrypt_install_method: "certbot-auto"
-haproxy_ssl_letsencrypt_certbot_auto_binary: "{{ haproxy_ssl_letsencrypt_install_path }}/{{ haproxy_ssl_letsencrypt_download_url | basename }}"
-haproxy_ssl_letsencrypt_certbot_binary: "{{ (haproxy_ssl_letsencrypt_install_method == 'certbot-auto') | ternary(haproxy_ssl_letsencrypt_certbot_auto_binary, 'certbot') }}"
+haproxy_ssl_letsencrypt_certbot_binary: 'certbot'
 haproxy_ssl_letsencrypt_certbot_backend_port: 8888
 haproxy_ssl_letsencrypt_pre_hook_timeout: 5
 haproxy_ssl_letsencrypt_certbot_bind_address: "{{ ansible_host }}"
 haproxy_ssl_letsencrypt_certbot_challenge: "http-01"
 haproxy_ssl_letsencrypt_email: "example@example.com"
-haproxy_ssl_letsencrypt_download_url: "https://dl.eff.org/certbot-auto"
-haproxy_ssl_letsencrypt_venv: "/opt/eff.org/certbot/venv"
 haproxy_ssl_letsencrypt_config_path: "/etc/letsencrypt/live"
-haproxy_ssl_letsencrypt_install_path: "/opt/letsencrypt"
 haproxy_ssl_letsencrypt_setup_extra_params: ""
-haproxy_ssl_letsencrypt_cron_minute: "0"
-haproxy_ssl_letsencrypt_cron_hour: "0"
-haproxy_ssl_letsencrypt_cron_weekday: "0"
 haproxy_ssl_letsencrypt_acl:
   letsencrypt-acl:
     rule: "path_beg /.well-known/acme-challenge/"

doc/source/configure-haproxy.rst

@@ -172,7 +172,6 @@ The following variables must be set for the haproxy hosts.
 .. code-block:: yaml
 
    haproxy_ssl_letsencrypt_enable: True
-   haproxy_ssl_letsencrypt_install_method: "distro"
    haproxy_ssl_letsencrypt_email: example@example.com
    haproxy_interval: 2000
 

releasenotes/notes/certbot-auto-5ccf2184fb554c90.yaml

@@ -0,0 +1,5 @@
+---
+deprecations:
+  - |
+    Certbot-auto is deprecated since 2020.
+    It was removed from haproxy_server role.

tasks/haproxy_ssl_letsencrypt.yml

@@ -11,55 +11,10 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-- name: Install certbot with certbot-auto
-  when: haproxy_ssl_letsencrypt_install_method == 'certbot-auto'
-  block:
-
-    - name: Ensure haproxy_ssl_letsencrypt_install_path exists
-      file:
-        path: "{{ haproxy_ssl_letsencrypt_install_path }}"
-        state: directory
-
-    - name: Download certbot-auto
-      get_url:
-        url: "{{ haproxy_ssl_letsencrypt_download_url }}"
-        dest: "{{ haproxy_ssl_letsencrypt_install_path }}"
-        mode: 0755
-      register: fetch_url
-      until: fetch_url is success
-      retries: 3
-      delay: 10
-
-    - name: Install certbot with certbot-auto script
-      shell: >
-        PIP_INDEX_URL="https://pypi.org/simple/"
-        {{ haproxy_ssl_letsencrypt_install_path }}/{{ haproxy_ssl_letsencrypt_download_url | basename }}
-        --install-only
-      args:
-        creates: "{{ haproxy_ssl_letsencrypt_venv }}"
-
-    - name: Create letsencrypt_renew file
-      template:
-        src: letsencrypt_renew_certbot_auto.j2
-        dest: /usr/local/bin/letsencrypt_renew
-        mode: 0755
-        force: yes
-
-    - name: Renew Letsencrypt Cert Cron
-      cron:
-        name: "Renew Letsencrypt Cert"
-        minute: "{{ haproxy_ssl_letsencrypt_cron_minute }}"
-        hour: "{{ haproxy_ssl_letsencrypt_cron_hour }}"
-        weekday: "{{ haproxy_ssl_letsencrypt_cron_weekday }}"
-        job: "/usr/local/bin/letsencrypt_renew"
-        user: "root"
-        state: present
-
 - name: Install certbot from distro package
   package:
     name: "{{ haproxy_distro_certbot_packages }}"
     state: present
-  when: haproxy_ssl_letsencrypt_install_method == 'distro'
 
 - name: Create first time ssl cert with certbot
   throttle: 1
@@ -88,13 +43,13 @@
   args:
     creates: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ haproxy_ssl_letsencrypt_domains | first }}/fullchain.pem"
 
+# Certbot automatically installs its systemd timer responsible for renewals
 - name: Create certbot pre hook
   template:
     src: letsencrypt_pre_hook_certbot_distro.j2
     dest: /etc/letsencrypt/renewal-hooks/pre/haproxy-pre
     mode: 0755
   when:
-    - haproxy_ssl_letsencrypt_install_method == 'distro'
     - haproxy_ssl_letsencrypt_certbot_challenge == 'http-01'
 
 - name: Create certbot post renewal hook
@@ -102,7 +57,6 @@
     src: letsencrypt_renew_certbot_distro.j2
     dest: /etc/letsencrypt/renewal-hooks/post/haproxy-renew
     mode: 0755
-  when: haproxy_ssl_letsencrypt_install_method == 'distro'
 
 - name: Create new pem file for haproxy
   assemble:

templates/letsencrypt_renew_certbot_auto.j2

@@ -1,13 +0,0 @@
-#!/bin/bash
-# renew cert if required and copy to haproxy destination
-
-{{ haproxy_ssl_letsencrypt_venv }}/bin/certbot renew \
-    --standalone \
-    --pre-hook "systemctl stop haproxy" \
-
-{% for vip in [ haproxy_bind_external_lb_vip_address ] + extra_lb_tls_vip_addresses %}
-cat /etc/letsencrypt/live/{{ haproxy_ssl_letsencrypt_domains | first }}/{fullchain,privkey}.pem \
-    > {{ haproxy_ssl_cert_path ~ '/haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ vip  ~ '.pem' }}
-{% endfor %}
-
-systemctl reload haproxy