Normalize SSL providers

[tangrufus]

Normalize SSL providers manual and self-signed

• Putting Nginx SSL configs in {{ nginx_path }}/includes.d/{{ item.key }}/ssl

• Putting certificates in {{ nginx_ssl_path }}/manual-certificates or {{ nginx_ssl_path }}/self-signed-certificates

Add Certbot

This is actually a failed attempt to replace letsencrypt with Certbot. I can't get multiple-servers implemented using Certbot. Help wanted!

See: #893

[tangrufus]

Besides, Certbot doesn't:

• detect new hostnames like Enable Let's Encrypt to detect updated site_hosts #630
• support --staging yet

[swalkinshaw]

There's also two built-in Ansible modules which we could look into:

• http://docs.ansible.com/ansible/latest/openssl_certificate_module.html
• http://docs.ansible.com/ansible/latest/letsencrypt_module.html

[tangrufus]

The openssl_certificate_module requires ansiable 2.4. Is #895 going to be merged soon?

The letsencrypt_module requires us to change Nginx back and forth for acme challenge. Certbot handles it for us. I think Certbot simplifies everything.

[swalkinshaw]

If openssl_certificate actually helps/is simpler then we have no problem requiring 2.4 asap.

Our current LE implementation is a little convoluted so I'm open to any solution which simplifies it. Although I do think we have some more unique requirements with it.

[tangrufus]

openssl_certificate looks nice. Updated self-signed-certificate to use it.

Removed Certbot because:

• it doesn't play well with pyOpenSSL which required foropenssl_certificate , see: AttibuteError: 'module' object has no attribute 'rand' has occured at acme/acme/crypto_util.py with >=pyOpenSSL-17.2.0 certbot/certbot#5111
• it can't be used with letsencrypt role on the same server

Rebased upon d96a58f. Actual changes here: ansible-2.4...TangRufus:ssl-providers

[swalkinshaw]

@tangrufus can this get a rebase?

[tangrufus]

Rebased. Note that I modified server.yml and dev.yml because ssl providers need to be tagged. Otherwise, wordpress-setup deletes their nginx config files.

[swalkinshaw]

Tested and working great 👍

Only thing I ran into due to our current tags is if you want to enable SSL after, and only use a wordpress or wordpress-setup tag, Nginx will fail because dhparams weren't initially generated.

So if we want a common tag which would run all Nginx related tasks/roles, we might want to introduce a new one, or just apply wordpress-setup to nginx as well?

[tangrufus]

I vote for applying wordpress-setup to nginx because this also helps when adding or removing sites, i.e.: Create Nginx available sites & Enable or disable Nginx sites tasks