ansible.builtin.acme_challenge_cert_helper module (ansible 2.9.0)
Prepare certificates required for ACME challenges such as C(tls-alpn-01)
Added in version 2.7 of ansible.builtin
Authors: Felix Fontein (@felixfontein)
Status: preview | supported by community
Install with: pip install ansible==2.9.0
Prepares certificates for ACME challenges such as C(tls-alpn-01).
The raw data is provided by the M(acme_certificate) module, and needs to be converted to a certificate to be used for challenge validation. This module provides a simple way to generate the required certificates.
The C(tls-alpn-01) implementation is based on L(the draft-05 version of the specification,https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-05).
Examples

- name: Create challenges for a given CSR for sample.com
  acme_certificate:
    account_key_src: /etc/pki/cert/private/account.key
    challenge: tls-alpn-01
    csr: /etc/pki/cert/csr/sample.com.csr
    dest: /etc/httpd/ssl/sample.com.crt
  register: sample_com_challenge

- name: Create certificates for challenges
  acme_challenge_cert_helper:
    challenge: tls-alpn-01
    challenge_data: "{{ item.value['tls-alpn-01'] }}"
    private_key_src: /etc/pki/cert/key/sample.com.key
  loop: "{{ sample_com_challenge.challenge_data | dictsort }}"
  register: sample_com_challenge_certs

- name: Install challenge certificates
  # We need to set up HTTPS such that for the domain,
  # regular_certificate is delivered for regular connections,
  # except if ALPN selects the "acme-tls/1"; then, the
  # challenge_certificate must be delivered.
  # This can for example be achieved with very new versions
  # of NGINX; search for ssl_preread and
  # ssl_preread_alpn_protocols for information on how to
  # route by ALPN protocol.
  ...:
    domain: "{{ item.domain }}"
    challenge_certificate: "{{ item.challenge_certificate }}"
    regular_certificate: "{{ item.regular_certificate }}"
    private_key: /etc/pki/cert/key/sample.com.key
  loop: "{{ sample_com_challenge_certs.results }}"

- name: Create certificate for a given CSR for sample.com
  acme_certificate:
    account_key_src: /etc/pki/cert/private/account.key
    challenge: tls-alpn-01
    csr: /etc/pki/cert/csr/sample.com.csr
    dest: /etc/httpd/ssl/sample.com.crt
    data: "{{ sample_com_challenge }}"
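What distinguishes the certificate this module produces from any other self-signed certificate is the critical id-pe-acmeIdentifier extension (OID 1.3.6.1.5.5.7.1.31) holding SHA-256 of the key authorization, as specified in draft-05. The following is an added example, not the module's own code: using only the Python standard library it builds that extension from a constructed key authorization and checks it the way a validator would (right OID, marked critical, digest matches). It assumes that C(resource_value) in C(challenge_data) is the padded base64 of SHA-256(key authorization); assembling and signing the whole certificate needs a crypto library and is left to the module.

```python
import base64
import hashlib
ACME_IDENTIFIER_OID = bytes.fromhex("2b0601050507011f")  # 1.3.6.1.5.5.7.1.31, id-pe-acmeIdentifier, DER body

def der_tlv(tag, body):
    """Encode one DER element; short-form length only, which covers every structure built here."""
    assert len(body) < 0x80, "short-form DER length only"
    return bytes([tag, len(body)]) + body

def acme_resource_value(key_authorization):
    """resource_value as acme_certificate hands it over for tls-alpn-01 (assumed: padded base64 of SHA-256)."""
    return base64.b64encode(hashlib.sha256(key_authorization.encode()).digest()).decode()

def acme_identifier_extension(resource_value):
    """Extension { id-pe-acmeIdentifier, critical TRUE, extnValue OCTET STRING { Authorization OCTET STRING (SIZE 32) } }."""
    digest = base64.b64decode(resource_value)
    if len(digest) != 32:
        raise ValueError("resource_value must decode to a 32-byte SHA-256 digest")
    extn_value = der_tlv(0x04, der_tlv(0x04, digest))  # draft-05 section 3 wraps the digest twice
    return der_tlv(0x30, der_tlv(0x06, ACME_IDENTIFIER_OID) + b"\x01\x01\xff" + extn_value)

def parse_der(data, offset=0):
    """Read one TLV (short- or long-form length) at offset; return (tag, body, next_offset)."""
    tag, length, offset = data[offset], data[offset + 1], offset + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        count = length & 0x7f
        length, offset = int.from_bytes(data[offset:offset + count], "big"), offset + count
    return tag, data[offset:offset + length], offset + length

def iter_sequence(body):
    """Yield (tag, body) for every element inside a SEQUENCE body."""
    offset = 0
    while offset < len(body):
        tag, inner, offset = parse_der(body, offset)
        yield tag, inner

def verify_acme_identifier(extensions_der, key_authorization):
    """Validator side: accept only a *critical* acmeIdentifier extension carrying SHA-256(key authorization)."""
    expected = hashlib.sha256(key_authorization.encode()).digest()
    _, extensions, _ = parse_der(extensions_der)
    for _, extension in iter_sequence(extensions):
        fields = list(iter_sequence(extension))
        if fields[0] != (0x06, ACME_IDENTIFIER_OID):
            continue  # some other extension (e.g. subjectAltName); keep looking
        critical = len(fields) == 3 and fields[1] == (0x01, b"\xff")
        _, digest, _ = parse_der(fields[-1][1])
        return critical and digest == expected
    return False  # no acmeIdentifier extension at all
# Constructed sample input; a real key authorization is "<challenge token>.<account key thumbprint>".
SAMPLE_KEY_AUTHORIZATION = "constructed-token.constructed-thumbprint"
SAMPLE_EXTENSIONS = der_tlv(0x30, acme_identifier_extension(acme_resource_value(SAMPLE_KEY_AUTHORIZATION)))
```

A certificate that carries the right digest but leaves the extension non-critical fails the check, which matches the specification's requirement that validators reject such certificates.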
Parameters

challenge (str, required)
  The challenge type.
  Choices: tls-alpn-01

challenge_data (dict, required)
  The C(challenge_data) entry provided by M(acme_certificate) for the challenge.

private_key_src (path)
  Path to a file containing the private key to use for this challenge certificate.
  Mutually exclusive with C(private_key_content).

private_key_content (str)
  Content of the private key to use for this challenge certificate.
  Mutually exclusive with C(private_key_src).
Return Values

challenge_certificate (str, returned: always)
  The challenge certificate in PEM format.

domain (str, returned: always)
  The domain the challenge is for. The certificate should be provided if this domain is specified in the request's C(Host) header.

identifier (str, returned: always, added in version 2.8 of ansible.builtin)
  The identifier for the actual resource. Will be a domain name if the type is C(dns), or an IP address if the type is C(ip).

identifier_type (str, returned: always, added in version 2.8 of ansible.builtin)
  The identifier type for the actual resource identifier. Will be C(dns) or C(ip).

regular_certificate (str, returned: always)
  A self-signed certificate for the challenge domain.
  If no certificate exists yet, it can be used to set up HTTPS in the first place, if that is needed for providing the challenge.