felixfontein.acme.revoke_old_certificates role – Revoke old certificates

Note

This role is part of the felixfontein.acme collection (version 0.9.0).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it use: ansible-galaxy collection install felixfontein.acme.

To use it in a playbook, specify: felixfontein.acme.revoke_old_certificates.

Entry point main – Revoke old certificates

New in felixfontein.acme 0.1.0

Synopsis

Parameters

Parameter

Comments

acme_certificate_acme_account

string

Path to the private ACME account key. Either this or acme_certificate_acme_account_content must always be specified.

acme_certificate_acme_account_content

string

Content of the private ACME account key. Either this or acme_certificate_acme_account must always be specified.

acme_certificate_acme_account_uri

string

If set, the role uses this account URI as-is instead of looking it up from the account key.

acme_certificate_acme_directory

string

The ACME directory to use.

Default is https://acme-v02.api.letsencrypt.org/directory, which is the current production ACME v2 endpoint of Let’s Encrypt.

Default: "https://acme-v02.api.letsencrypt.org/directory"

acme_certificate_acme_version

integer

The ACME directory’s version.

Default: 2

acme_certificate_keys_old_path

string

The directory where old keys and certificates were copied to by the felixfontein.acme.acme_certificate role.

Default: "keys/old/"

acme_certificate_revoke_reason

integer

Which reason to use for revocation.

The default value is 4 (superseded, i.e. you issued a new certificate for the same set of domains and this is the old one).

Another sensible value is 5 (cessation of operation, i.e. you don’t want to use this set of domain names in a certificate anymore).

See the revoke_reason parameter of the community.crypto.acme_certificate_revoke module for a full list of reasons.

Default: 4

acme_certificate_revoke_with_acme_account

boolean

If set to true, the revocation request is signed with the ACME account key instead of the private key of the certificate being revoked.

This is needed for ACME providers which do not support revocation signed with the certificate's private key, like BuyPass.

Choices:

  • false ← (default)

  • true

Attributes

Attribute

Support

Description

check_mode

Support: full

Can run in check_mode and return changed status prediction without modifying target.

idempotent

Support: full

When run twice in a row outside check mode, with the same arguments, the second invocation indicates no change.

This assumes that the system controlled/queried by the module has not changed in a relevant way.

Examples

---
- name: Revoking old certificates
  hosts: webservers
  vars:
    acme_certificate_acme_directory: https://acme-v02.api.letsencrypt.org/directory
    acme_certificate_acme_version: 2
    acme_certificate_keys_old_path: "keys/old/letsencrypt/"
  roles:
    - role: felixfontein.acme.revoke_old_certificates
      acme_certificate_revoke_reason: 4  # superseded
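The following playbook is an added example, not one from the role's own documentation, showing the other common scenario: a set of names is being decommissioned (reason 5) and the provider requires revocation signed with the account key. It assumes the account key is held in an Ansible Vault variable named vault_acme_account_key, that the old material was copied to keys/old/decommissioned/, and (as the relative path in the example above suggests) that this directory lives on the controller, so the pre-flight check is delegated to localhost.

```yaml
---
# Added example (not part of the role's documentation).
# Assumptions: vault_acme_account_key holds the PEM account key (Vault-encrypted),
# keys/old/decommissioned/ is where the old keys/certificates were moved, and
# that directory is on the controller.
- name: Revoke certificates for decommissioned names
  hosts: webservers
  vars:
    acme_certificate_acme_directory: https://acme-v02.api.letsencrypt.org/directory
    acme_certificate_acme_version: 2
    # Pass the key material directly so no unencrypted key file is needed on disk.
    acme_certificate_acme_account_content: "{{ vault_acme_account_key }}"
    acme_certificate_keys_old_path: "keys/old/decommissioned/"
  pre_tasks:
    - name: Check that the old-keys directory exists before revoking anything
      ansible.builtin.stat:
        path: "{{ acme_certificate_keys_old_path }}"
      register: old_keys_dir
      delegate_to: localhost
      run_once: true

    - name: Abort early if there is nothing to revoke
      ansible.builtin.assert:
        that:
          - old_keys_dir.stat.exists
          - old_keys_dir.stat.isdir | default(false)
        fail_msg: "{{ acme_certificate_keys_old_path }} is missing or not a directory"
      run_once: true

  roles:
    - role: felixfontein.acme.revoke_old_certificates
      acme_certificate_revoke_reason: 5  # cessation of operation
      # Sign revocations with the account key; required by providers such as BuyPass.
      acme_certificate_revoke_with_acme_account: true
```

Because the role supports check mode, running this playbook with ansible-playbook --check first shows which certificates would be revoked without sending any revocation requests; revocation is irreversible, so that dry run is worth the extra minute.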

Authors

  • Felix Fontein (@felixfontein)