community.crypto.acme_challenge_cert_helper (2.18.0) — module

Prepare certificates required for ACME challenges such as C(tls-alpn-01)

Authors: Felix Fontein (@felixfontein)

Install collection

Install with ansible-galaxy collection install community.crypto:==2.18.0


Add to requirements.yml

  collections:
    - name: community.crypto
      version: 2.18.0

Description

Prepares certificates for ACME challenges such as C(tls-alpn-01).

The raw data is provided by the M(community.crypto.acme_certificate) module, and needs to be converted to a certificate to be used for challenge validation. This module provides a simple way to generate the required certificates.


Requirements

Usage examples

- name: Create challenges for a given CRT for sample.com
  community.crypto.acme_certificate:
    account_key_src: /etc/pki/cert/private/account.key
    challenge: tls-alpn-01
    csr: /etc/pki/cert/csr/sample.com.csr
    dest: /etc/httpd/ssl/sample.com.crt
  register: sample_com_challenge
- name: Create certificates for challenges
  community.crypto.acme_challenge_cert_helper:
    challenge: tls-alpn-01
    challenge_data: "{{ item.value['tls-alpn-01'] }}"
    private_key_src: /etc/pki/cert/key/sample.com.key
  loop: "{{ sample_com_challenge.challenge_data | dictsort }}"
  register: sample_com_challenge_certs
- name: Install challenge certificates
  # We need to set up HTTPS such that for the domain,
  # regular_certificate is delivered for regular connections,
  # except if ALPN selects the "acme-tls/1"; then, the
  # challenge_certificate must be delivered.
  # This can for example be achieved with very new versions
  # of NGINX; search for ssl_preread and
  # ssl_preread_alpn_protocols for information on how to
  # route by ALPN protocol.
  ...:
    domain: "{{ item.domain }}"
    challenge_certificate: "{{ item.challenge_certificate }}"
    regular_certificate: "{{ item.regular_certificate }}"
    private_key: /etc/pki/cert/key/sample.com.key
  loop: "{{ sample_com_challenge_certs.results }}"
- name: Create certificate for a given CSR for sample.com
  community.crypto.acme_certificate:
    account_key_src: /etc/pki/cert/private/account.key
    challenge: tls-alpn-01
    csr: /etc/pki/cert/csr/sample.com.csr
    dest: /etc/httpd/ssl/sample.com.crt
    data: "{{ sample_com_challenge }}"
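A deploy-time sanity check for the C(challenge_certificate) produced in the steps above, added here as an example that is not part of the collection's own code: it confirms that the PEM carries the critical acmeIdentifier extension (RFC 8737) and that its value matches the C(tls-alpn-01) C(resource_value) from C(challenge_data). It assumes C(resource_value) is the Base64-encoded SHA-256 of the key authorization, as M(community.crypto.acme_certificate) documents for this challenge type, and all function names are hypothetical; it uses only the standard library with a minimal DER scan, not a full X.509 parser.

```python
import base64
import hashlib
import re

# DER TLV of OID 1.3.6.1.5.5.7.1.31 (id-pe-acmeIdentifier, RFC 8737).
ACME_IDENTIFIER_OID_DER = bytes.fromhex("06082b0601050507011f")

def pem_to_der(pem: str) -> bytes:
    """Decode the first CERTIFICATE block of a PEM string to DER bytes."""
    match = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if match is None:
        raise ValueError("no CERTIFICATE block in input")
    return base64.b64decode("".join(match.group(1).split()))

def find_acme_identifier(der: bytes):
    """Return (critical, 32-byte digest) for the acmeIdentifier extension, or None if absent."""
    # Minimal byte scan, not a full ASN.1 parser: OID, optional critical BOOLEAN,
    # then OCTET STRING(34) wrapping the OCTET STRING(32) Authorization value.
    idx = der.find(ACME_IDENTIFIER_OID_DER)
    if idx < 0:
        return None
    pos = idx + len(ACME_IDENTIFIER_OID_DER)
    critical = der[pos:pos + 3] == b"\x01\x01\xff"  # BOOLEAN TRUE; RFC 8737 requires critical
    if critical:
        pos += 3
    if der[pos:pos + 4] != b"\x04\x22\x04\x20":
        raise ValueError("acmeIdentifier extension has an unexpected encoding")
    digest = der[pos + 4:pos + 36]
    return critical, digest

def check_challenge_cert(pem: str, resource_value: str) -> bool:
    """True if the cert has a critical acmeIdentifier equal to resource_value (Base64 SHA-256)."""
    expected = base64.b64decode(resource_value)  # assumed: Base64 SHA-256 of the key authorization
    found = find_acme_identifier(pem_to_der(pem))
    if found is None or len(expected) != 32:
        return False
    critical, digest = found
    return critical and digest == expected

def expected_resource_value(key_authorization: bytes) -> str:
    """Base64 SHA-256 of a key authorization, the value placed in the extension (RFC 8737 section 3)."""
    return base64.b64encode(hashlib.sha256(key_authorization).digest()).decode()

def build_sample_extension_pem(key_authorization: bytes) -> str:
    """Constructed fixture: a PEM block wrapping only a DER acmeIdentifier extension, not a real cert."""
    digest = hashlib.sha256(key_authorization).digest()
    ext = b"\x30\x31" + ACME_IDENTIFIER_OID_DER + b"\x01\x01\xff" + b"\x04\x22\x04\x20" + digest
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(ext).decode()
```

Run C(check_challenge_cert) on each C(item.challenge_certificate) from C(sample_com_challenge_certs.results) together with the matching C(resource_value) before the certificates are installed; a mismatch means the ACME server will reject the validation.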

Inputs

challenge:
    choices:
    - tls-alpn-01
    description:
    - The challenge type.
    required: true
    type: str

challenge_data:
    description:
    - The RV(community.crypto.acme_certificate#module:challenge_data) entry provided by
      M(community.crypto.acme_certificate) for the challenge.
    required: true
    type: dict

private_key_src:
    description:
    - Path to a file containing the private key file to use for this challenge certificate.
    - Mutually exclusive with O(private_key_content).
    type: path

private_key_content:
    description:
    - Content of the private key to use for this challenge certificate.
    - Mutually exclusive with O(private_key_src).
    type: str

private_key_passphrase:
    description:
    - Passphrase to use to decode the private key.
    type: str
    version_added: 1.6.0
    version_added_collection: community.crypto

Outputs

challenge_certificate:
  description:
  - The challenge certificate in PEM format.
  returned: always
  type: str
domain:
  description:
  - The domain the challenge is for. The certificate should be provided if this is
    specified in the request's C(Host) header.
  returned: always
  type: str
identifier:
  description:
  - The identifier for the actual resource. Will be a domain name if RV(identifier_type=dns),
    or an IP address if RV(identifier_type=ip).
  returned: always
  type: str
identifier_type:
  choices:
  - dns
  - ip
  description:
  - The identifier type for the actual resource identifier.
  returned: always
  type: str
regular_certificate:
  description:
  - A self-signed certificate for the challenge domain.
  - If no certificate exists yet, this can be used to set up HTTPS in the first place
    if that is needed for providing the challenge.
  returned: always
  type: str

See also