felixfontein.acme.acme_certificate role – Issue TLS/SSL certificates from an ACME CA
Note
This role is part of the felixfontein.acme collection (version 0.9.0). It is not included in ansible-core.
To check whether it is installed, run: ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install felixfontein.acme.
To use it in a playbook, specify: felixfontein.acme.acme_certificate.
Entry point main – Issue TLS/SSL certificates from an ACME CA
New in felixfontein.acme 0.1.0
Synopsis
This role can use any CA supporting the ACME protocol, such as Let’s Encrypt, Buypass or ZeroSSL, to issue TLS/SSL certificates for your server.
The main advantage of this approach over others is that almost no code is executed on your webserver: only when you use HTTP challenges do files need to be copied onto your webserver, and they are deleted from it afterwards. Everything else is executed on your local machine (the Ansible controller). In particular, the ACME account key is never sent to another machine.
This role does not cover installing the certificates; you have to do that yourself in another role.
Parameters
- Path to the private ACME account key. Either this or
- Content of the private ACME account key. Either this or
- Instead of determining the account URI from the account key, assumes the given account URI.
- The ACME directory to use. Default is Default:
- Your email address, to be associated with the ACME account.
- The ACME directory’s version. Default:
- The algorithm used for creating private keys. The default is Other choices are Choices:
- When using When
- When using When
- The challenge type to use. Should be Choices:
- When using
- Whether Set to Choices:
- Default timeout when waiting for DNS entries to propagate for This is passed to the The default depends on
- Determines which DNS provider is used for DNS challenges. Every DNS provider requires further configuration. The value Choices:
- DNS servers to use to look up the name servers of the domains. These are queried to ensure that the If not provided, the system’s standard resolver is used. This is passed to the
- Allows to substitute parts of the DNS entry domain names. This can be very useful if certificates are obtained for domain names that are CNAMEs, and the DNS provider for where the CNAME points needs to be modified. The entries in this dictionary should be the names that are to be replaced, and the values the replacements. A single leading wildcard can be used to replace suffixes instead of the complete string, assuming the prefix has no further period ( For example, if the key is Note that if you want to obtain certificates with ACME with Default:
- The domain names you want to get a certificate for. Wildcards are only allowed as the first component, i.e. Also, when wildcards are used, not every challenge type is allowed. Let’s Encrypt only allows wildcard domains with the
- When using We recommend to use When
- When using When
- When using We recommend to use When
- Argument for Choices:
- The mode to use for the challenge files. Default:
- The mode to use for the challenge folder. Default:
- The group the challenge files are owned by. Default:
- The user the challenge files are owned by. Default:
- When using Please note that INWX support depends on the collection Please note that the collection When
- When using Please note that INWX support depends on the collection When
- The IP addresses you want to get a certificate for. Note that this is not supported by every CA! At least one of
- The bit-size to use for RSA private keys. Should not be less than 2048. Also, values above 4096 might not be supported by all TLS/SSL clients. Default:
- The basename for storing the keys and certificates. The default is the first domain specified, with
- Where old keys and certificates should be copied to. Used in case Default:
- Whether copies of old keys and certificates should be prefixed with the current date and time. Choices:
- If set to The copies will be stored in the directory specified by Choices:
- Where the keys and certificates are stored. Default:
- Whether the ACME account should be created (if it doesn’t exist) and the contact data (email address) should be updated. Set to Choices:
- When using Please note that NS1 support depends on the external module When
- Whether a certificate with the OCSP Must Staple extension is requested. Choices:
- Which file mode to use for the private key file. Default value is Default:
- Whether to regenerate private keys. It is recommended to regularly create new private keys instead of re-using the existing ones forever. The easiest way to ensure this is to simply regenerate them when the certificates are regenerated. If you use public key pinning, make sure to set this to Choices:
- Only obtain a new certificate if the certificate does not yet exist, or if the certificate’s expiry date is less than
- The root certificate for the ACME directory. Default value is Default:
- The root certificate to use for validating the certificate chain if If By default uses the same value as
- Must be in the format described for the Allows to select the certificate chain to be used; this can be used for example with Let’s Encrypt to select which root certificate to use. See the documentation for concrete examples of how to choose between the Let’s Encrypt roots.
- Checks for the AuthorityKeyIdentifier extension. This is an identifier based on the private key of the issuer of the intermediate certificate. The identifier must be of the form
- Allows to specify parts of the issuer that a certificate in the chain must have to be selected. If An example value would be
- Allows to specify parts of the subject that a certificate in the chain must have to be selected. If An example value would be
- Checks for the SubjectKeyIdentifier extension. This is an identifier based on the private key of the intermediate certificate. The identifier must be of the form
- Determines which certificates in the chain will be tested. Choices:
- Location where Default:
- Whether the terms of service are accepted or not. Usually needs to be set explicitly to This is only used for ACME v2. Choices:
- Use Mozilla sops to encrypt the private key. Needs Choices:
- Whether to check that authentication credentials are provided as role arguments for the DNS modules. When disabled, you can also use module default groups or environment variables to provide these credentials. Choices:
- Whether to try to validate the generated certificate chain or not. Will use Choices:
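The domain-list rules and the DNS entry substitution described above (wildcards only as the first component and only with the dns-01 challenge; a substitution table whose keys may carry a single leading wildcard, matching only when the remaining prefix has no further period) are worth seeing as a concrete mapping from requested names to the DNS names where the validation TXT records have to go. The following is an added Python illustration, not code from the felixfontein.acme collection; the function names, the exact substitution semantics (exact keys win, and the wildcard label is carried into a `*` in the replacement) and the sample inputs are my assumptions. The `_acme-challenge.` prefix itself is the standard dns-01 record name from RFC 8555.

```python
"""Plan DNS-01 validation record names for a list of requested domains.

Added illustration for the role documentation above; it is NOT the
role's own implementation. Substitution semantics are an assumption
based on the parameter description: exact keys win, "*.suffix" keys
match "label.suffix" only when `label` contains no further period, and
the matched label replaces a "*" in the value.
"""

from __future__ import annotations

# Standard record name prefix for the dns-01 challenge (RFC 8555, section 8.4).
ACME_PREFIX = "_acme-challenge"


def validate_domains(domains: list[str], challenge: str) -> list[str]:
    """Return normalised domain names, or raise ValueError on an invalid entry."""
    if not domains:
        raise ValueError("at least one domain name is required")
    cleaned: list[str] = []
    for raw in domains:
        name = raw.strip().rstrip(".").lower()
        if not name:
            raise ValueError("empty domain name")
        labels = name.split(".")
        # A wildcard is only permitted as the complete leftmost label, "*.example.com".
        leftmost_is_wildcard = labels[0] == "*"
        if any("*" in label for label in labels[1:]) or ("*" in labels[0] and not leftmost_is_wildcard):
            raise ValueError(f"wildcard only allowed as the first component: {name}")
        if leftmost_is_wildcard and len(labels) < 2:
            raise ValueError(f"wildcard needs a parent domain: {name}")
        if leftmost_is_wildcard and challenge != "dns-01":
            # Let's Encrypt only issues wildcard names via the dns-01 challenge.
            raise ValueError(f"wildcard name {name} requires the dns-01 challenge, not {challenge}")
        cleaned.append(name)
    return cleaned


def substitute(entry: str, substitutions: dict[str, str]) -> str:
    """Rewrite one DNS entry name through the substitution table (assumed semantics)."""
    if entry in substitutions:  # an exact key always wins
        return substitutions[entry]
    for pattern, replacement in substitutions.items():
        if not pattern.startswith("*."):
            continue
        suffix = pattern[1:]  # "*.example.com" -> ".example.com"
        if not entry.endswith(suffix):
            continue
        prefix = entry[: -len(suffix)]
        # Only a single label may stand in for the wildcard.
        if not prefix or "." in prefix:
            continue
        return replacement.replace("*", prefix, 1)
    return entry


def dns_challenge_records(
    domains: list[str],
    challenge: str = "dns-01",
    substitutions: dict[str, str] | None = None,
) -> dict[str, str]:
    """Map each requested name to the DNS name that must hold its TXT record."""
    table = substitutions or {}
    plan: dict[str, str] = {}
    for name in validate_domains(domains, challenge):
        # "*.example.com" and "example.com" share the same challenge record name.
        base = name[2:] if name.startswith("*.") else name
        plan[name] = substitute(f"{ACME_PREFIX}.{base}", table)
    return plan


if __name__ == "__main__":
    # Constructed sample: validation for example.com is delegated by CNAME
    # to a zone under example.org, so only that zone needs API credentials.
    sample = dns_challenge_records(
        ["example.com", "*.example.com", "www.example.com"],
        substitutions={
            "*.example.com": "*.acme-validation.example.org",
            "_acme-challenge.www.example.com": "www-validation.example.org",
        },
    )
    for requested, record in sample.items():
        print(f"{requested:20} -> TXT at {record}")
```

The point of the substitution table is least privilege: with `_acme-challenge.example.com` CNAMEd into a dedicated validation zone, the credentials handed to the role only need write access to that zone, never to the zone serving the real records.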
Attributes
- Support: none. Can run in
- Support: none. When run twice in a row outside check mode, with the same arguments, the second invocation indicates no change. This assumes that the system controlled/queried by the module has not changed in a relevant way.
See Also
- community.crypto.openssl_privatekey: you can create ACME account keys with this module.
- community.crypto.acme_account: you can manage ACME accounts with this module.