community.crypto.acme_inspect module (community.crypto 2.18.0): Send direct requests to an ACME server

Authors: Felix Fontein (@felixfontein)

Install with:

ansible-galaxy collection install community.crypto:==2.18.0

Or pin it in a requirements.yml:

collections:
  - name: community.crypto
    version: 2.18.0
Synopsis

Allows sending direct requests to an ACME server using the L(ACME protocol,https://tools.ietf.org/html/rfc8555), which is supported by CAs such as L(Let's Encrypt,https://letsencrypt.org/).

This module can be used to debug failed certificate request attempts, for example when M(community.crypto.acme_certificate) fails or encounters a problem you wish to investigate: every request is signed with the account key, and the raw response (headers and body) is returned for inspection.

The module can also be used to directly access features of ACME servers which are not yet supported by the Ansible ACME modules.
Examples

```yaml
- name: Get directory
  community.crypto.acme_inspect:
    acme_directory: https://acme-staging-v02.api.letsencrypt.org/directory
    acme_version: 2
    method: directory-only
  register: directory

- name: Create an account
  community.crypto.acme_inspect:
    acme_directory: https://acme-staging-v02.api.letsencrypt.org/directory
    acme_version: 2
    account_key_src: /etc/pki/cert/private/account.key
    # The registered result holds the parsed directory under its "directory" key,
    # so the newAccount URL is directory.directory.newAccount
    url: "{{ directory.directory.newAccount }}"
    method: post
    content: '{"termsOfServiceAgreed":true}'
  register: account_creation

# account_creation.headers.location contains the account URI
# if creation was successful
- name: Get account information
  community.crypto.acme_inspect:
    acme_directory: https://acme-staging-v02.api.letsencrypt.org/directory
    acme_version: 2
    account_key_src: /etc/pki/cert/private/account.key
    account_uri: "{{ account_creation.headers.location }}"
    url: "{{ account_creation.headers.location }}"
    method: get

- name: Update account contacts
  community.crypto.acme_inspect:
    acme_directory: https://acme-staging-v02.api.letsencrypt.org/directory
    acme_version: 2
    account_key_src: /etc/pki/cert/private/account.key
    account_uri: "{{ account_creation.headers.location }}"
    url: "{{ account_creation.headers.location }}"
    method: post
    content: '{{ account_info | to_json }}'
  vars:
    account_info:
      # For valid values, see
      # https://tools.ietf.org/html/rfc8555#section-7.3
      contact:
        - mailto:me@example.com

- name: Create certificate order
  community.crypto.acme_certificate:
    acme_directory: https://acme-staging-v02.api.letsencrypt.org/directory
    acme_version: 2
    account_key_src: /etc/pki/cert/private/account.key
    account_uri: "{{ account_creation.headers.location }}"
    csr: /etc/pki/cert/csr/sample.com.csr
    fullchain_dest: /etc/httpd/ssl/sample.com-fullchain.crt
    challenge: http-01
  register: certificate_request

# Assume something went wrong. certificate_request.order_uri contains
# the order URI.
- name: Get order information
  community.crypto.acme_inspect:
    acme_directory: https://acme-staging-v02.api.letsencrypt.org/directory
    acme_version: 2
    account_key_src: /etc/pki/cert/private/account.key
    account_uri: "{{ account_creation.headers.location }}"
    url: "{{ certificate_request.order_uri }}"
    method: get
  register: order

- name: Get first authz for order
  community.crypto.acme_inspect:
    acme_directory: https://acme-staging-v02.api.letsencrypt.org/directory
    acme_version: 2
    account_key_src: /etc/pki/cert/private/account.key
    account_uri: "{{ account_creation.headers.location }}"
    url: "{{ order.output_json.authorizations[0] }}"
    method: get
  register: authz

- name: Get HTTP-01 challenge for authz
  community.crypto.acme_inspect:
    acme_directory: https://acme-staging-v02.api.letsencrypt.org/directory
    acme_version: 2
    account_key_src: /etc/pki/cert/private/account.key
    account_uri: "{{ account_creation.headers.location }}"
    # selectattr yields the matching challenge objects, not a URL: take the
    # first one and use its "url" member (the challenge resource URL)
    url: "{{ (authz.output_json.challenges | selectattr('type', 'equalto', 'http-01') | first).url }}"
    method: get
  register: http01challenge

# Only trigger validation once the key authorization is actually being served:
# a failed validation moves the challenge and its authorization to "invalid".
- name: Activate HTTP-01 challenge manually
  community.crypto.acme_inspect:
    acme_directory: https://acme-staging-v02.api.letsencrypt.org/directory
    acme_version: 2
    account_key_src: /etc/pki/cert/private/account.key
    account_uri: "{{ account_creation.headers.location }}"
    # The challenge URL is in the parsed response body (output_json), not at
    # the top level of the registered result
    url: "{{ http01challenge.output_json.url }}"
    method: post
    content: '{}'
```
Parameters

```yaml
options:
  acme_directory:
    description:
      - The ACME directory to use. This is the entry point URL to access the ACME CA server API.
      - This option is required and has no default. While testing, point it at the Let's Encrypt staging server, which issues technically correct but untrusted certificates, so mistakes there cost neither production rate-limit budget nor a trusted certificate.
      - 'For Let''s Encrypt, all staging endpoints can be found here: U(https://letsencrypt.org/docs/staging-environment/). For Buypass, all endpoints can be found here: U(https://community.buypass.com/t/63d4ay/buypass-go-ssl-endpoints)'
      - For B(Let's Encrypt), the production directory URL for ACME v2 is U(https://acme-v02.api.letsencrypt.org/directory).
      - For B(Buypass), the production directory URL for ACME v2 and v1 is U(https://api.buypass.com/acme/directory).
      - For B(ZeroSSL), the production directory URL for ACME v2 is U(https://acme.zerossl.com/v2/DV90).
      - For B(Sectigo), the production directory URL for ACME v2 is U(https://acme-qa.secure.trust-provider.com/v2/DV).
      - The notes for this module contain a list of ACME services this module has been tested against.
    required: true
    type: str

  acme_version:
    description:
      - The ACME version of the endpoint.
      - Must be V(1) for the classic Let's Encrypt and Buypass ACME endpoints, or V(2) for standardized ACME v2 endpoints.
      - The value V(1) is deprecated since community.crypto 2.0.0 and will be removed from community.crypto 3.0.0.
    choices:
      - 1
      - 2
    required: true
    type: int

  account_key_src:
    aliases:
      - account_key
    description:
      - Path to a file containing the ACME account RSA or Elliptic Curve key.
      - 'Private keys can be created with the M(community.crypto.openssl_privatekey) or M(community.crypto.openssl_privatekey_pipe) modules. If the requisite (cryptography) is not available, keys can also be created directly with the C(openssl) command line tool: RSA keys can be created with C(openssl genrsa ...). Elliptic curve keys can be created with C(openssl ecparam -genkey ...). Any other tool creating private keys in PEM format can be used as well.'
      - Mutually exclusive with O(account_key_content).
      - Required if O(account_key_content) is not used.
    type: path

  account_key_content:
    description:
      - Content of the ACME account RSA or Elliptic Curve key.
      - Mutually exclusive with O(account_key_src).
      - Required if O(account_key_src) is not used.
      - B(Warning:) the content will be written into a temporary file, which will be deleted by Ansible when the module completes. Since this is an important private key (it can be used to change the account key, or to revoke your certificates without knowing their private keys), this might not be acceptable.
      - In case C(cryptography) is used, the content is not written into a temporary file. It can still happen that it is written to disk by Ansible in the process of moving the module with its arguments to the node where it is executed.
    type: str

  account_key_passphrase:
    description:
      - Passphrase to use to decode the account key.
      - B(Note:) this is not supported by the C(openssl) backend, only by the C(cryptography) backend.
    type: str
    version_added: 1.6.0
    version_added_collection: community.crypto

  account_uri:
    description:
      - If specified, assumes that the account URI is as given. If the account key does not match this account, or an account with this URI does not exist, the module fails.
    type: str

  url:
    description:
      - The URL to send the request to.
      - Must be specified if O(method) is not V(directory-only).
    type: str

  method:
    description:
      - The method to use to access the given URL on the ACME server.
      - The value V(post) executes an authenticated POST request. The content must be specified in the O(content) option.
      - The value V(get) executes an authenticated POST-as-GET request for ACME v2, and a regular GET request for ACME v1.
      - The value V(directory-only) only retrieves the directory, without doing a request to O(url).
    choices:
      - get
      - post
      - directory-only
    default: get
    type: str

  content:
    description:
      - An encoded JSON object which will be sent as the content if O(method) is V(post).
      - Required when O(method) is V(post), and not allowed otherwise.
    type: str

  fail_on_acme_error:
    description:
      - If O(method) is V(post) or V(get), make the module fail in case an ACME error is returned.
    default: true
    type: bool

  request_timeout:
    description:
      - The time Ansible should wait for a response from the ACME API.
      - This timeout is applied to all HTTP(S) requests (HEAD, GET, POST).
    default: 10
    type: int
    version_added: 2.3.0
    version_added_collection: community.crypto

  select_crypto_backend:
    description:
      - Determines which crypto backend to use.
      - The default choice is V(auto), which tries to use C(cryptography) if available, and falls back to C(openssl).
      - If set to V(openssl), will try to use the C(openssl) binary.
      - If set to V(cryptography), will try to use the L(cryptography,https://cryptography.io/) library.
    choices:
      - auto
      - cryptography
      - openssl
    default: auto
    type: str

  validate_certs:
    description:
      - Whether calls to the ACME directory will validate TLS certificates.
      - B(Warning:) Should B(only ever) be set to V(false) for testing purposes, for example when testing against a local Pebble server.
    default: true
    type: bool
```
Return Values

```yaml
directory:
  description: The ACME directory's content
  returned: always
  type: dict
  sample:
    a85k3x9f91A4: https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417
    keyChange: https://acme-v02.api.letsencrypt.org/acme/key-change
    meta:
      caaIdentities:
        - letsencrypt.org
      termsOfService: https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
      website: https://letsencrypt.org
    newAccount: https://acme-v02.api.letsencrypt.org/acme/new-acct
    newNonce: https://acme-v02.api.letsencrypt.org/acme/new-nonce
    newOrder: https://acme-v02.api.letsencrypt.org/acme/new-order
    revokeCert: https://acme-v02.api.letsencrypt.org/acme/revoke-cert

headers:
  description: The request's HTTP headers (with lowercase keys)
  returned: always
  type: dict
  sample:
    boulder-requester: '12345'
    cache-control: max-age=0, no-cache, no-store
    connection: close
    content-length: '904'
    content-type: application/json
    cookies: {}
    cookies_string: ''
    date: Wed, 07 Nov 2018 12:34:56 GMT
    expires: Wed, 07 Nov 2018 12:44:56 GMT
    link: <https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf>;rel="terms-of-service"
    msg: OK (904 bytes)
    pragma: no-cache
    replay-nonce: 1234567890abcdefghijklmnopqrstuvwxyzABCDEFGH
    server: nginx
    status: 200
    strict-transport-security: max-age=604800
    url: https://acme-v02.api.letsencrypt.org/acme/acct/46161
    x-frame-options: DENY

output_json:
  description: The output parsed as JSON
  returned: if output can be parsed as JSON
  type: dict
  sample:
    id: 12345
    key:
      kty: RSA
      "...": "..."

output_text:
  description: The raw text output
  returned: always
  type: str
  sample: "{\n \"id\": 12345,\n \"key\": {\n \"kty\": \"RSA\",\n ..."
```
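Worked example of reading what the tasks above return while chasing a failed http-01 validation. This is an added example, not code from the community.crypto collection: a stdlib-only script that takes the authorization object from output_json of the "Get first authz for order" task and the account key as a JWK (the key member of output_json from "Get account information"), picks the http-01 challenge the way the selectattr step does, computes the key authorization the CA expects at /.well-known/acme-challenge/<token> (RFC 8555 section 8.1, built on the RFC 7638 JWK thumbprint), and flattens the ACME problem document that fail_on_acme_error reacts to. The sample authorization, token and JWK coordinates are constructed and are not real key material.

```python
"""Helpers for debugging an http-01 order from acme_inspect output (stdlib only)."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding used throughout ACME and JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# RFC 7638 section 3.2: the thumbprint covers only the required public members,
# serialized with keys in lexicographic order and without whitespace.
_THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def canonical_jwk(jwk: dict) -> str:
    """Return the exact JSON string RFC 7638 hashes; extra members (kid, alg) are dropped."""
    members = _THUMBPRINT_MEMBERS.get(jwk.get("kty"))
    if members is None:
        raise ValueError(f"unsupported key type {jwk.get('kty')!r}")
    subset = {m: jwk[m] for m in members}  # KeyError here means a malformed JWK
    return json.dumps(subset, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 JWK thumbprint (RFC 7638), base64url encoded (43 characters)."""
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: the body the CA expects to fetch for an http-01 challenge."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def find_challenge(authz: dict, ctype: str = "http-01") -> dict:
    """Pick the challenge of the given type out of an authorization object."""
    matches = [c for c in authz.get("challenges", []) if c.get("type") == ctype]
    if not matches:
        raise LookupError(f"no {ctype} challenge in authorization")
    return matches[0]


def describe_problem(problem: dict) -> str:
    """Flatten an ACME problem document (RFC 8555 section 6.7) into one line."""
    ptype = problem.get("type", "")
    prefix = "urn:ietf:params:acme:error:"
    short = ptype[len(prefix):] if ptype.startswith(prefix) else ptype
    line = f"{short}: {problem.get('detail', '')}"
    for sub in problem.get("subproblems", []):
        ident = sub.get("identifier", {}).get("value", "?")
        line += f"; [{ident}] {describe_problem(sub)}"
    return line


def diagnose_http01(authz: dict, account_jwk: dict) -> dict:
    """Everything needed to check an http-01 validation failure by hand."""
    ch = find_challenge(authz, "http-01")
    host = authz["identifier"]["value"]
    result = {
        "identifier": host,
        "challenge_url": ch["url"],
        "status": ch.get("status", "unknown"),
        # The CA fetches this over plain HTTP on port 80 (redirects are followed)
        "check_url": f"http://{host}/.well-known/acme-challenge/{ch['token']}",
        "expected_body": key_authorization(ch["token"], account_jwk),
    }
    if "error" in ch:
        result["error"] = describe_problem(ch["error"])
    return result


# Constructed sample data shaped like output_json of the "Get account information"
# and "Get first authz for order" tasks. The EC coordinates are not a real key.
SAMPLE_ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
                      "x": "constructed-x-not-a-real-key", "y": "constructed-y-not-a-real-key"}

SAMPLE_AUTHZ = {
    "identifier": {"type": "dns", "value": "sample.com"},
    "status": "invalid",
    "challenges": [
        {"type": "dns-01", "status": "pending", "token": "tok-constructed-0001",
         "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/1/dns"},
        {"type": "http-01", "status": "invalid", "token": "tok-constructed-0001",
         "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/1/http",
         "error": {"type": "urn:ietf:params:acme:error:unauthorized", "status": 403,
                   "detail": "Invalid response from http://sample.com/.well-known/"
                             "acme-challenge/tok-constructed-0001: 404"}},
    ],
}

if __name__ == "__main__":
    print(json.dumps(diagnose_http01(SAMPLE_AUTHZ, SAMPLE_ACCOUNT_JWK), indent=2))
```

Run diagnose_http01 over the real output_json of the authz task and fetch check_url from outside your own network; the body must equal expected_body byte for byte before you POST '{}' to the challenge URL, because a failed validation moves the challenge and its authorization to "invalid" and you then need a new order. The thumbprint deliberately ignores kid and alg, so the JWK returned by the account resource and the one derived from the key file on disk yield the same value; if they differ, the playbook is signing with a different account key than the one that created the order.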