This is an Ansible role for obtaining TLS certificates from "Let's Encrypt". It is heavily influenced by the role ganto.acme_tiny. Many thanks, ganto!
The role is meant to be run on a system reachable from the Internet. It submits an existing CSR (see acme-tiny-setup) to "Let's Encrypt", answers the HTTP challenge by writing the token into the server's .well-known web directory, and then places the resulting certificates in the OpenSSL configuration directory.
The two other roles zwischenloesung.acme-tiny-install and zwischenloesung.acme-tiny-setup are required. The latter can be run on a different host, so that the private key and the certificate request are generated there.
Why not use one of the existing roles?
- For the first reason, read the section "Promise" below. We need something reliable.
- This role will be used by maestro and must follow the logic used there. (The role can of course be used without maestro.)
- The role does not talk to the ACME server as root, but as an unprivileged user.
- The role does not expose the private key file to the unprivileged acme user.
- The certificate request can be generated on another machine via zwischenloesung.acme-tiny-setup, so that the private key never has to be present on the host requesting the certificate.
Development has moved to inofix.acme-*
This role may change in the future, but we will only add features and will not break backwards compatibility.
If radical changes become necessary, a new role will be created, probably with an 'ng' or version suffix.
- Ansible > 2.0
- On the target host:
  - Generic UNIX with FHS
  - Python 2/3
  - OpenSSL
  - sudo
- A running web server that serves the path /.well-known/acme-challenge/ (the path is hard-coded in the acme-tiny script)
- The web server must serve plain HTTP, also for renewals, not only HTTPS (a requirement of acme-tiny / the Let's Encrypt HTTP challenge)
- All names in the certificate must resolve to this host (localhost or the host's own IP address)
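The web server, DNS and key-exposure requirements above can be checked before the role is run. The script below is an added example, not part of this role or of acme-tiny: it reads the names out of the CSR, checks that each one resolves only to addresses of this host, writes a throw-away token into the challenge directory and fetches it back over plain HTTP the way Let's Encrypt will, and checks that the private key's owner and mode bits keep it away from the acme user. Defaults follow the role's variables (/var/www/acme-challenge, user acme); the CSR and key paths in the usage line are hypothetical, and address discovery assumes iproute2 or a compatible ifconfig.

```shell
#!/bin/sh
# acme-preflight.sh: check the requirements of the zwischenloesung.acme-tiny role.
# Added example, not part of the role or of acme-tiny. Defaults match the role's
# documented variables; CSR and key paths given on the command line are hypothetical.
set -u

CHALLENGE_DIR="${CHALLENGE_DIR:-/var/www/acme-challenge}"   # app__acme__tiny__challenge_dir
ACME_USER="${ACME_USER:-acme}"                               # app__acme__tiny__user

# names_from_req_text: read the output of `openssl req -noout -text` on stdin and
# print the CN plus every DNS subject alternative name, one per line, de-duplicated.
names_from_req_text() {
    awk '
        /^ *Subject:/ && match($0, /CN *= *[^,]+/) {
            s = substr($0, RSTART, RLENGTH); sub(/CN *= */, "", s); print s
        }
        /DNS:/ {
            n = split($0, a, ",")
            for (i = 1; i <= n; i++) if (sub(/^ *DNS:/, "", a[i])) print a[i]
        }' | sort -u
}

# csr_names CSR: the names a certificate issued for this CSR would carry.
csr_names() {
    openssl req -in "$1" -noout -text | names_from_req_text
}

# local_addrs: every IPv4/IPv6 address configured on this host, loopback included
# (assumes iproute2; the ifconfig fallback handles the common output formats only).
local_addrs() {
    if command -v ip >/dev/null 2>&1; then
        ip -o addr show | awk '{ sub(/\/.*/, "", $4); print $4 }'
    else
        ifconfig -a | awk '/inet6? / { sub(/^addr:/, "", $2); sub(/%.*/, "", $2); print $2 }'
    fi
}

# name_is_local NAME: true when NAME resolves and every address it resolves to is ours.
name_is_local() {
    addrs=" $(local_addrs | tr '\n' ' ') "
    found=0
    for a in $(getent ahosts "$1" 2>/dev/null | awk '{ print $1 }' | sort -u); do
        found=1
        case "$addrs" in *" $a "*) ;; *) return 1 ;; esac
    done
    [ "$found" -eq 1 ]
}

# challenge_reachable NAME: drop a random token into CHALLENGE_DIR and fetch it back over
# plain HTTP. Redirects are deliberately not followed: the role's documented requirement
# is that the path is served over HTTP itself, not only via a redirect to HTTPS.
challenge_reachable() {
    token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    printf '%s' "$token" > "$CHALLENGE_DIR/preflight-$token" || return 1
    got=$(curl -fsS --max-time 10 "http://$1/.well-known/acme-challenge/preflight-$token" 2>/dev/null || true)
    rm -f "$CHALLENGE_DIR/preflight-$token"
    [ "$got" = "$token" ]
}

# key_hidden_from USER FILE: true when FILE exists, is not owned by USER and is readable
# neither by its group nor by others. Mode bits only; POSIX ACLs are not inspected.
key_hidden_from() {
    [ -f "$2" ] || return 1
    perms=$(ls -ld "$2" | awk '{ print $1 }')
    owner=$(ls -ld "$2" | awk '{ print $3 }')
    [ "$owner" != "$1" ] || return 1                 # owned by the acme user itself
    case "$perms" in ????r*|???????r*) return 1 ;; esac   # group- or world-readable
    return 0
}

# main CSR [KEYFILE]: run every check for every name in the CSR; non-zero on any failure.
main() {
    rc=0
    for name in $(csr_names "$1"); do
        if name_is_local "$name"; then echo "ok    $name resolves to this host"
        else echo "FAIL  $name does not resolve (only) to this host"; rc=1; fi
        if challenge_reachable "$name"; then echo "ok    http://$name/.well-known/acme-challenge/ is served from $CHALLENGE_DIR"
        else echo "FAIL  http://$name/.well-known/acme-challenge/ is not served from $CHALLENGE_DIR over plain HTTP"; rc=1; fi
    done
    if [ -n "${2-}" ]; then
        if key_hidden_from "$ACME_USER" "$2"; then echo "ok    $2 is not readable by $ACME_USER"
        else echo "FAIL  $2 is owned by or readable by $ACME_USER"; rc=1; fi
    fi
    return $rc
}

# Without arguments only the functions are defined (useful when sourcing). Usage, with
# hypothetical paths: sh acme-preflight.sh /etc/ssl/acme-tiny/example.com.csr /etc/ssl/acme-tiny/example.com.key
[ $# -eq 0 ] || main "$@"
```

Run it as a user that may write to the challenge directory and read the key file's directory listing (root or the web server's owner); a FAIL on the HTTP line usually means a firewall, a vhost that only listens on 443, or a catch-all redirect to HTTPS.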
- app__acme__tiny__user - optional, default='acme'
- app__acme__tiny__group - optional, default='acme'
- app__acme__tiny__config_dir - optional, default='/etc/ssl/acme-tiny'
- app__acme__tiny__account_key - optional, auto
- app__acme__tiny__challenge_dir - optional, default='/var/www/acme-challenge'
- app__acme__tiny__domain - optional, default='example.com'
- app__acme__tiny__cert_name - optional, auto
- app__acme__tiny__cert_dir - optional, auto
- app__acme__tiny__key - optional, auto
- app__acme__tiny__request - optional, auto
- zwischenloesung.acme-tiny-install
- zwischenloesung.acme-tiny-setup
```yaml
- hosts: servers
  roles:
    - zwischenloesung.acme-tiny
```
GPLv3
- Michael Lustenberger at inofix.ch