An opinionated role that uses the Ansible letsencrypt module and crypto modules to allow easy account registration, certificate generation and certificate signing against a server implementing ACME.
This implementation also provides automation for DNS challenges against cloud provider hosted DNS zones. This support currently extends to the following providers (more to be added).
- Azure
This role has been tested to work against the Let's Encrypt v2 server.
Note that this role has been developed for convenience in the majority of simple use cases, and is not intended to be a catch-all role for certificate automation.
The letsencrypt module provided by Ansible does not support certificate revocation. Once this is implemented, or an alternative module is used for ACME support, revocation will be made available in this role.
No additional requirements are enforced other than an Ansible version of 2.5 or later. Development was done on Ansible 2.5+.
If the private key, signing request or account key is not provided, the role will attempt to generate it with the Ansible crypto modules. This expects the execution environment to provide OpenSSL and to meet any requirements related to it.
A list of available configuration variables can be found in the defaults/main.yml file. Only a limited subset of the variables needs to be specified, unless further control is required.
When generating keys for either account registration or certificates, the following optional configuration variable is available for use.
- acme_private_key_cipher
In order to allow increased flexibility when generating signing requests, the following optional variables are available for use.
- acme_csr_subject_alt_name
- acme_csr_organization_name
- acme_csr_organization_unit_name
No dependencies are required other than Ansible itself. However, depending on the cloud provider you are using, you will have to ensure that all the dependencies it requires have been met and any configuration requirements completed.
For provider specific dependencies, refer to the Ansible provided guides.
```yaml
---
- name: prepare certificate for foo.bar.example.com
  hosts: 127.0.0.1
  connection: local
  tasks:
    - include_role:
        name: devnullcake.acme-certificate
      vars:
        acme_directory: https://acme-staging-v02.api.letsencrypt.org/directory
        acme_output_path: /tmp
        acme_csr_common_name: "foo.bar.example.com"
        acme_csr_subject_alt_name: "DNS:*.baz.example.com"
        dns_zone: example.com
        dns_cloud_provider: azure
        dns_cloud_provider_config:
          azure:
            resource_group: organisation
        acme_account_email: [email protected]
```
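The play below is an added example, not part of the role or its documentation. It drives the role with the same inputs as above, but also sets the optional organisation fields and the private key cipher, validates the inputs before the ACME server is contacted, and checks the issued certificate for the requested names. The cipher value and the certificate file name under acme_output_path are assumptions; look up the real ones in defaults/main.yml.

```yaml
---
# Added example (not the role's own code). Assumed: the cipher value accepted
# by acme_private_key_cipher and the name of the issued certificate file.
- name: prepare and verify certificate for foo.bar.example.com
  hosts: 127.0.0.1
  connection: local
  vars:
    acme_directory: https://acme-staging-v02.api.letsencrypt.org/directory
    acme_output_path: /tmp
    acme_csr_common_name: foo.bar.example.com
    acme_csr_subject_alt_name: "DNS:*.baz.example.com"   # wildcard: needs the DNS challenge
    acme_csr_organization_name: Example Org
    acme_csr_organization_unit_name: Platform
    acme_private_key_cipher: aes256          # ASSUMED value; keeps the key encrypted at rest
    dns_zone: example.com
    dns_cloud_provider: azure
    dns_cloud_provider_config:
      azure:
        resource_group: organisation
    acme_account_email: [email protected]
    issued_cert: "{{ acme_output_path }}/{{ acme_csr_common_name }}.crt"   # ASSUMED file name
  tasks:
    - name: sanity-check inputs before anything is sent to the ACME server
      assert:
        that:
          - acme_csr_subject_alt_name is match('^(DNS|IP|email|URI):')
          - acme_account_email is search('@')
          - acme_directory is search('acme-staging-v02')
        fail_msg: "SAN needs a type prefix, the e-mail must be valid, and stay on staging until proven"

    - include_role:
        name: devnullcake.acme-certificate

    - name: dump the issued certificate (subject, SANs, validity) for inspection
      command: openssl x509 -in {{ issued_cert }} -noout -text
      changed_when: false
      register: cert_info

    - name: fail if the certificate does not carry the names we asked for
      assert:
        that:
          - acme_csr_common_name in cert_info.stdout
          - "'DNS:*.baz.example.com' in cert_info.stdout"
        fail_msg: "Issued certificate does not match the request:\n{{ cert_info.stdout }}"
```

Drop the staging assertion only once the play has been proven end to end, since the production directory enforces rate limits that a misconfigured play can exhaust.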
There are no automated tests defined for this role at the moment. Molecule tests will be added at a later date. The current tox execution validates the source using ansible-lint.
This project has tox configured to run against a clean environment. It can be run with a single command:
```
tox
```
Apache License 2.0