thermistor.acme_sh

Use acme.sh with a DNS API to create LetsEncrypt certificates using Ansible.

Requirements

The default settings assume you are using nginx: the certificate directories and the reload command below all point at nginx.

Variables

Here are some default settings you can change:

  • acme_sh_autoupgrade: True

  • acme_sh_server: letsencrypt

  • acme_sh_notify: False

  • acme_sh_logging: False

  • acme_sh_keylength: 4096

  • acme_sh_dns_sleep: 120

  • acme_sh_certs_public_dir: /etc/nginx/certs

  • acme_sh_certs_private_dir: /etc/nginx/private

  • acme_sh_reload_cmd: /bin/systemctl reload nginx

Example Playbook

Here's an example that uses the AWS Route53 API. You can adjust it for any DNS API provider.

Basic Usage:

- hosts: servers
  roles:
    - role: thermistor.acme_sh
      acme_sh_subject_names:
        - example.com
        - www.example.com
      acme_sh_dns_provider: dns_aws
      acme_sh_env:
        AWS_ACCESS_KEY_ID: "{{ your_vault_aws_access_key_id }}"
        AWS_SECRET_ACCESS_KEY: "{{ your_vault_aws_secret_access_key }}"

With Logging Enabled:

- hosts: servers
  roles:
    - role: thermistor.acme_sh
      acme_sh_logging: True
      acme_sh_subject_names:
        - example.com
        - www.example.com
      acme_sh_dns_provider: dns_aws
      acme_sh_env:
        AWS_ACCESS_KEY_ID: "{{ your_vault_aws_access_key_id }}"
        AWS_SECRET_ACCESS_KEY: "{{ your_vault_aws_secret_access_key }}"

With Mailgun Notifications:

- hosts: servers
  roles:
    - role: thermistor.acme_sh
      acme_sh_notify: True
      acme_sh_notify_hooks:
        - mailgun
      acme_sh_subject_names:
        - example.com
        - www.example.com
      acme_sh_dns_provider: dns_aws
      acme_sh_env:
        AWS_ACCESS_KEY_ID: "{{ your_vault_aws_access_key_id }}"
        AWS_SECRET_ACCESS_KEY: "{{ your_vault_aws_secret_access_key }}"
        MAILGUN_API_KEY: "{{ your_vault_mailgun_api_key }}"
        MAILGUN_API_DOMAIN: "{{ your_vault_mailgun_domain }}"
        MAILGUN_FROM: "{{ your_vault_mailgun_from }}"
        MAILGUN_TO: "{{ your_vault_mailgun_to }}"

What Happens in the Background

When you create a certificate for example.com, this role copies the full-chain certificate from /var/lib/acme/.acme.sh/example.com/fullchain.cer to /etc/nginx/certs/example.com.cer (the default acme_sh_certs_public_dir). Because each installed certificate is named after its domain, you can install certificates for several different domains side by side.
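As an added illustration of that copy step (example code, not the role's own), here is a small Python version of it: it builds the source and destination paths the role uses, refuses subject names that are not plain hostnames (a subject name becomes a path component), copies only when the chain actually changed, and reports whether acme_sh_reload_cmd needs to run. The acme.sh home directory is the one named in the paragraph above; the demo function and its constructed fake chain file are assumptions so the example runs offline.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Role defaults from the variable list above; acme.sh's home dir is as the README states.
ACME_HOME = Path("/var/lib/acme/.acme.sh")
CERTS_PUBLIC_DIR = Path("/etc/nginx/certs")
# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def is_valid_hostname(name):
    """A subject name becomes a path component, so accept only plain hostnames."""
    name = name.lower().rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))

def cert_paths(primary_name, acme_home=ACME_HOME, public_dir=CERTS_PUBLIC_DIR):
    """<acme_home>/<name>/fullchain.cer -> <public_dir>/<name>.cer, as the role copies it."""
    if not is_valid_hostname(primary_name):
        raise ValueError(f"refusing unsafe subject name: {primary_name!r}")
    return acme_home / primary_name / "fullchain.cer", public_dir / f"{primary_name}.cer"

def install_cert(subject_names, acme_home=ACME_HOME, public_dir=CERTS_PUBLIC_DIR, force=False):
    """Copy the chain for the first subject name (acme.sh names its directory after it).
    Returns True when the file was (re)written, i.e. when acme_sh_reload_cmd should run."""
    src, dst = cert_paths(subject_names[0], acme_home, public_dir)
    if not src.is_file():
        raise FileNotFoundError(f"acme.sh has not issued a certificate at {src}")
    if not force and dst.is_file() and src.read_bytes() == dst.read_bytes():
        return False  # idempotent: identical chain already installed
    public_dir.mkdir(parents=True, exist_ok=True)
    shutil.copyfile(src, dst)
    dst.chmod(0o644)  # public chain only; private keys stay in acme_sh_certs_private_dir
    return True

def demo():
    """Run against a constructed acme.sh tree in a temp dir (no real certificate involved)."""
    with tempfile.TemporaryDirectory() as tmp:
        home, pub = Path(tmp) / "acme", Path(tmp) / "certs"
        (home / "example.com").mkdir(parents=True)
        (home / "example.com" / "fullchain.cer").write_text("-----BEGIN CERTIFICATE-----\nconstructed\n")
        names = ["example.com", "www.example.com"]
        return (install_cert(names, home, pub),              # first run: copied, reload needed
                install_cert(names, home, pub),              # unchanged: no reload
                install_cert(names, home, pub, force=True))  # acme_sh_force_install=True
```

Calling demo() returns (True, False, True): the first run installs the chain, the second is a no-op, and the forced run mirrors acme_sh_force_install.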

Troubleshooting

If certificates are not being reinstalled, you can force a reinstall with the following command:

ansible-playbook -i inventory playbook.yml -e "acme_sh_force_install=True" --tags acme_sh_cert_install

License

MIT

Alternatives

We learned a lot from these similar projects:

Project information

Configure acme.sh

Install
ansible-galaxy install thermistor.acme_sh
License
Unknown
Downloads
177
Owner
Product guy