mprahl.lets-encrypt-route-53

lets-encrypt-route-53

This is an Ansible role that helps you automatically create Let's Encrypt SSL certificates using DNS challenges on Amazon Route 53 (AWS).

Important: This role will install openssl, boto, and pyOpenSSL. If you're on CentOS, RHEL, or Mac OS, it will first install pip, then use it to create a Python virtual environment for boto and pyOpenSSL because the standard versions aren't available. Note that you need to have EPEL installed on CentOS and RHEL.

If you're using a different system (not Debian/Ubuntu, CentOS/Red Hat, Mac OS, or FreeBSD), you must install openssl, boto, and pyOpenSSL manually before using this role.

Requirements

You need Ansible version 2.7 or higher. If you're using an older version, you should use version 4.2.1 of this role. This role must be run as root or using sudo.

Role Tags

  • install - for tasks that install necessary dependencies.
  • openssl - for tasks that create private keys and Certificate Signing Requests (CSR).

Role Variables

Facts Set By The Role

  • ler53_cert_changed - set to True when a certificate is created or renewed.

Required Variables

  • ler53_route_53_domain - the AWS Route 53 domain for which you want to generate the SSL certificate. Required if ler53_route_53_zone_id is not provided.
  • ler53_route_53_zone_id - the Route 53 zone ID for the SSL certificate. Required if ler53_route_53_domain is not provided. Use this if you don’t have permission for route53:ListHostedZones.

Optional Variables

  • ler53_cert_common_name - the common name for the SSL certificate, defaults to ansible_fqdn.
  • ler53_cert_sans - a list of additional DNS names to include in the CSR. An entry for the common name is automatically added, so don’t add it here. This is not defined by default.
  • ler53_cert_key_usages - key usages to include in the CSR (some may be restricted by Let's Encrypt). Default is digitalSignature and keyEncipherment.
  • ler53_key_size - size of the private key for the certificate, defaults to 2048.
  • ler53_cert_dir - directory path to store the private key, CSR, and certificate. Defaults to /etc/ssl/{{ ler53_cert_common_name }}.
  • ler53_key_file_name - the private key file name, defaults to {{ ler53_cert_common_name }}.key.
  • ler53_cert_file_name - the certificate file name, defaults to {{ ler53_cert_common_name }}.crt.
  • ler53_csr_file_name - CSR file name, defaults to {{ ler53_cert_common_name }}.csr.
  • ler53_intermediate_file_name - intermediate CA file name downloaded from Let's Encrypt. Defaults to {{ ler53_cert_common_name }}.intermediate.pem.
  • ler53_cert_and_intermediate_file_name - filename for the certificate and intermediate CA combined, defaults to {{ ler53_cert_common_name }}.pem.
  • ler53_cert_files_mode - file permissions for the private key, CSR, and certificate, defaulting to 0600.
  • ler53_cert_files_owner - owner for the private key, CSR, and certificate, defaults to root.
  • ler53_cert_files_group - group for the private key, CSR, and certificate, defaults to root.
  • ler53_account_email - email linked to your Let's Encrypt account. See the Let's Encrypt Module for more details.
  • ler53_account_key_size - size of the Let's Encrypt account key, defaulting to 2048.
  • ler53_account_key_dir - directory for the Let's Encrypt account key, defaults to /etc/ssl/lets_encrypt.
  • ler53_account_key_file_name - the file name for the Let's Encrypt account key, defaulting to lets_encrypt_account.key.
  • ler53_cert_remaining_days_before_renewal - minimum days left for the current certificate before it's renewed, defaulting to 10.
  • ler53_new_cert_when_csr_changes - whether to delete the existing certificate when the CSR changes. This helps to generate a new certificate immediately if the common name or SANs change. Defaults to false.
  • ler53_cert_extended_key_usages - extended key usages (extendedKeyUsage values) to include in the CSR, further restricting what the certificate's public key may be used for.
  • ler53_service_handlers - a list of actions to take when a certificate is updated, like {'name': 'httpd', 'state': 'restarted'}.
  • ler53_acme_directory - the ACME directory to use, default is https://acme-v02.api.letsencrypt.org/directory. Change this for testing against Let's Encrypt staging.
  • ler53_aws_access_key - AWS access key for a user who can add records to the domain. AWS SDK will auto-detect if not provided.
  • ler53_aws_secret_key - AWS secret key for a user who can add records to the domain. AWS SDK will auto-detect if not provided.
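The two AWS variables above describe "a user who can add records to the domain". An IAM user with full Route 53 access can also rewrite every other record in every zone, so the key deserves a tightly scoped policy. The policy below is an added example, not part of this role or its README: it lists the Route 53 actions a DNS-01 flow (create the TXT challenge record, wait for the change to reach INSYNC, remove the record) is generally known to need, scoped to a single hosted zone. The zone ID Z0123456789EXAMPLE is a placeholder, and the exact action set depends on the Ansible route53 module version, so confirm it against CloudTrail after a test run. It is written in YAML (as CloudFormation does for policy documents); convert it to JSON for the IAM console or CLI.

```yaml
# Least-privilege policy for the IAM user whose keys go in
# ler53_aws_access_key / ler53_aws_secret_key (added example, not the role's own).
# Z0123456789EXAMPLE is a placeholder for your hosted zone ID.
Version: "2012-10-17"
Statement:
  # Create and delete the _acme-challenge TXT records in the one zone used
  # for validation. The condition key is optional; it limits the key to TXT
  # records so it cannot be used to rewrite A/AAAA/MX records in the zone.
  - Sid: AcmeChallengeTxtRecords
    Effect: Allow
    Action: route53:ChangeResourceRecordSets
    Resource: arn:aws:route53:::hostedzone/Z0123456789EXAMPLE
    Condition:
      ForAllValues:StringEquals:
        route53:ChangeResourceRecordSetsRecordTypes:
          - TXT
  # Read existing records in that zone (the module checks for an existing
  # record before creating or deleting one).
  - Sid: ReadZoneRecords
    Effect: Allow
    Action: route53:ListResourceRecordSets
    Resource: arn:aws:route53:::hostedzone/Z0123456789EXAMPLE
  # Poll the change until it is INSYNC before the ACME server is asked to validate.
  - Sid: WaitForPropagation
    Effect: Allow
    Action: route53:GetChange
    Resource: arn:aws:route53:::change/*
  # Only needed when the zone is given by name (ler53_route_53_domain) rather
  # than by ID; drop this statement when you set ler53_route_53_zone_id.
  - Sid: ResolveZoneByName
    Effect: Allow
    Action: route53:ListHostedZones
    Resource: "*"
```

Pairing this policy with ler53_route_53_zone_id (so the last statement can be dropped) is the smallest footprint: a leaked key can then only create, read and delete TXT records in that one zone.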

Example Playbook

- name: Generate an SSL certificate for host.example.com
  hosts: host
  become: yes

  vars:
    ler53_cert_common_name: host.example.com
    ler53_route_53_domain: example.com

  roles:
    - mprahl.lets-encrypt-route-53
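The playbook above uses only the two required settings. The following is an added, fuller example (written for this page, not taken from the role's README) that exercises the optional variables: SANs, the zone ID instead of the domain name, the Let's Encrypt staging directory while testing, a longer renewal window, a service handler, and AWS keys pulled from Ansible Vault variables rather than written into the playbook. The post-task then uses the ler53_cert_changed fact the role sets to verify, with openssl, that the new certificate carries every expected name and is not within 30 days of expiry. Assumed and not part of the role: the vault_* variable names, the hosts group web, the nginx service, and that the target has OpenSSL 1.1.1 or later (the -ext flag).

```yaml
- name: Issue a SAN certificate for web.example.com via a Route 53 DNS-01 challenge
  hosts: web
  become: yes

  vars:
    ler53_cert_common_name: web.example.com
    ler53_cert_sans:            # common name is added by the role; list only the extra names
      - www.example.com
      - api.example.com
    # Zone ID rather than domain name, so the IAM user needs no route53:ListHostedZones
    ler53_route_53_zone_id: "{{ vault_route53_zone_id }}"   # assumed vault variable
    ler53_account_email: ops@example.com
    # Staging while testing avoids production rate limits; remove this line
    # (falling back to the production directory) once the play works end to end
    ler53_acme_directory: https://acme-staging-v02.api.letsencrypt.org/directory
    ler53_key_size: 4096
    ler53_cert_remaining_days_before_renewal: 30
    ler53_new_cert_when_csr_changes: true    # reissue right away if SANs change
    ler53_cert_dir: "/etc/ssl/{{ ler53_cert_common_name }}"   # same as the role default
    # Credentials live in a vault-encrypted vars file, never in the playbook itself
    ler53_aws_access_key: "{{ vault_aws_access_key }}"   # assumed vault variable
    ler53_aws_secret_key: "{{ vault_aws_secret_key }}"   # assumed vault variable
    ler53_service_handlers:
      - name: nginx             # assumed service name
        state: reloaded

  roles:
    - mprahl.lets-encrypt-route-53

  post_tasks:
    # Only runs when the role reports a new or renewed certificate.
    # -checkend exits non-zero if the certificate expires within the given seconds,
    # which fails the play; -ext prints the subjectAltName extension for the assert.
    - name: Inspect the issued certificate (SANs and remaining validity)
      ansible.builtin.command: >
        openssl x509 -in {{ ler53_cert_dir }}/{{ ler53_cert_common_name }}.crt
        -noout -ext subjectAltName -checkend {{ 30 * 86400 }}
      register: cert_check
      changed_when: false
      when: ler53_cert_changed | default(false)

    - name: Fail if any expected name is missing from subjectAltName
      ansible.builtin.assert:
        that: "'DNS:' ~ item in cert_check.stdout"
        fail_msg: "{{ item }} is not present in the certificate's subjectAltName"
      loop: "{{ [ler53_cert_common_name] + ler53_cert_sans }}"
      when: ler53_cert_changed | default(false)
```

Run it with a vault password (for example ansible-playbook site.yml --ask-vault-pass) so the vault_* variables resolve. Keeping ler53_cert_remaining_days_before_renewal at 30 rather than the default 10 leaves room for several scheduled runs to fail (DNS propagation, API outages) before the certificate actually lapses.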

License

MIT

About the project

automates the generation of Let's Encrypt signed certificates with DNS challenges on Amazon's Route 53 (AWS)

Install
ansible-galaxy install mprahl.lets-encrypt-route-53
License
Unknown
Downloads
38.1k