felixfontein.acme.account_key_rollover role – Do account key rollover
Note

This role is part of the felixfontein.acme collection (version 0.9.0). It is not included in ansible-core.

To check whether it is installed, run: ansible-galaxy collection list

To install it, use: ansible-galaxy collection install felixfontein.acme

To use it in a playbook, specify: felixfontein.acme.account_key_rollover
Entry point main – Do account key rollover

New in felixfontein.acme 0.1.0
Synopsis
This is a role which can use any CA supporting the ACME protocol, such as Let’s Encrypt, Buypass or ZeroSSL, to rekey ACME account keys.
This role will create a backup copy of the existing account key if requested to do so, re-create the account key, and then roll over the ACME account to the new key.
Parameters
Parameter | Comments
---|---
| The algorithm used for creating the account key. The default is Other choices are Choices:
| Whether to create a backup of the old account key before rolling over. Choices:
| The bit-size to use for RSA private keys. Should not be less than 2048. Also, values above 4096 might not be supported by every ACME CA. Default:
acme_certificate_account_key_sops_encrypted | Use Mozilla sops to encrypt the private key. Needs Choices:
acme_certificate_acme_account | Path to the private ACME account key.
| Instead of determining the account URI from the account key, assume the given account URI.
acme_certificate_acme_directory | The ACME directory to use. Default is Default:
acme_certificate_acme_version | The ACME directory’s version. Default:
Attributes
Attribute | Support | Description
---|---|---
check_mode | Support: full | Can run in
idempotent | Support: none | When run twice in a row outside check mode, with the same arguments, the second invocation indicates no change. This assumes that the system controlled/queried by the module has not changed in a relevant way.
Examples
```yaml
---
- name: Account key rollover
  hosts: webservers
  vars:
    acme_certificate_acme_directory: https://acme-v02.api.letsencrypt.org/directory
    acme_certificate_acme_version: 2
    # While 4096 is on the paranoid side, note that for something as important
    # as the account key a bit of paranoia does not hurt. (After all, the account
    # key's size does not impact the speed of regular TLS handshakes.)
    key_length: 4096
  roles:
    - role: felixfontein.acme.account_key_rollover
      # We store the key encrypted with SOPS
      acme_certificate_acme_account: 'keys/letsencrypt-account.key.sops'
      acme_certificate_account_key_sops_encrypted: true
```