acme-request
Acme Request
This is an ansible role for creating a certificate request, and just the request. For signing certificates, take a look at inofix.acme-tiny-sign.
This role is meant to be run on any host that needs certificates for itself or signs any for some other host.
If the host uses certificates, a private key and a CSR are created. For hosts that only do the signing for other hosts, the CSRs are deployed. (See inofix.acme-setup for an overview.)
The development of this role was started within zwischenloesung.acme-tiny-setup which was later split.
Why we do not use one of the existing roles?
- For the first reason read the section "Promise" below. We need something reliable.
- This role will be used by maestro and must follow the logic used there. (Of course, the role can be used without maestro..)
State
preSTABLE (Feature-Freeze/RC)
Promise
Sure, this role may change in the future, but we will only expand features to not break backwards compatibility.
If radical changes should become necessary, a new role will be created, probably with a version suffix...
Installation
ansible-galaxy install inofix.acme-request
Requirements
- Ansible >2.0
- Python2/3 on target host
- Generic UNIX with FHS
- Sudo
- Systemd (per default)
Role Variables
- app__acme__os__cert_group - optional, default='{{ default__acme__group }}'
- app__acme__user - optional, default='acme'
- app__acme__group - optional, default='acme'
- app__acme__home - optional, default='/var/lib/acme'
- app__acme__config_dir - optional, default='/etc/ssl/acme'
- app__acme__openssl_config - optional, default='/etc/ssl/openssl.cnf'
- app__acme__domain - optional, default=[ {domain='example.com'} ]
- app__acme__key_length - optional, default=4096
- fqdn - optional, default={{ ansible_fqdn | d(inventory_hostname ) }}
- workdir - optional, default='/tmp', used to store requests for remote signing
Dependencies
- inofix.acme-setup
Example Playbook
- hosts: servers
roles:
- inofix.acme-request
(See inofix.acme-setup)
License
GPLv3
Author Information
- Michael Lustenberger at inofix.ch
Prepare a csr for Let's Encrypt
ansible-galaxy install inofix/ansible-acme-request