New in version 2.2.
http-01 and dns-01 challenges.data.http-01 that means creating the necessary challenge file on the destination webserver. For dns-01 the necessary dns record has to be created. It is not the responsibility of this module to perform these steps.dest and fullchain_dest must be specified.letsencrypt before Ansible 2.6. The usage did not change.Aliases: letsencrypt
The below requirements are needed on the host that executes this module.
| Parameter | Choices/Defaults | Comments |
|---|---|---|
| account_email |
The email address associated with this account.
It will be used for certificate expiration warnings.
|
|
|
account_key_content
(added in 2.5) |
Content of the ACME account RSA or Elliptic Curve key.
Mutually exclusive with
account_key_src.Required if
account_key_src is not used.Warning: the content will be written into a temporary file, which will be deleted by Ansible when the module completes. Since this is an important private key — it can be used to change the account key, or to revoke your certificates without knowing their private keys —, this might not be acceptable.
|
|
| account_key_src |
Path to a file containing the ACME account RSA or Elliptic Curve key.
RSA keys can be created with
openssl rsa .... Elliptic curve keys can be created with openssl ecparam -genkey ....Mutually exclusive with
account_key_content.Required if
account_key_content is not used.aliases: account_key |
|
| acme_directory |
Default: "https://acme-staging.api.letsencrypt.org/directory"
|
The ACME directory to use. This is the entry point URL to access CA server API.
For safety reasons the default is set to the Let's Encrypt staging server (for the ACME v1 protocol). This will create technically correct, but untrusted certificates.
For Let's Encrypt, all staging endpoints can be found here: https://letsencrypt.org/docs/staging-environment/
For Let's Encrypt, the production directory URL for ACME v1 is https://acme-v01.api.letsencrypt.org/directory, and the production directory URL for ACME v2 is https://acme-v02.api.letsencrypt.org/directory.
Warning: So far, the module has only been tested against Let's Encrypt (staging and production) and against the Pebble testing server (https://github.com/letsencrypt/Pebble).
|
|
acme_version
(added in 2.5) |
|
The ACME version of the endpoint.
Must be 1 for the classic Let's Encrypt ACME endpoint, or 2 for the new standardized ACME v2 endpoint.
|
| agreement |
URI to a terms of service document you agree to when using the ACME v1 service at
acme_directory.Default is latest gathered from
acme_directory URL.This option will only be used when
acme_version is 1. |
|
|
chain_dest
(added in 2.5) |
If specified, the intermediate certificate will be written to this file.
aliases: chain |
|
| challenge |
|
The challenge to be performed.
|
|
csr
required |
File containing the CSR for the new certificate.
Can be created with
openssl req ....The CSR may contain multiple Subject Alternate Names, but each one will lead to an individual challenge that must be fulfilled for the CSR to be signed.
Note: the private key used to create the CSR must not be the the account key. This is a bad idea from a security point of view, and the CA should not accept the CSR. Let's Encrypt will return an error in this case.
aliases: src |
|
| data |
The data to validate ongoing challenges. This must be specified for the second run of the module only.
The value that must be used here will be provided by a previous use of this module. See the examples for more details.
Note: the
data option was marked as no_log up to Ansible 2.5. From Ansible 2.6 on, it is no longer marked this way as it causes error messages to be come unusable, and data does not contain any information which can be used without having access to the account key or which are not public anyway. |
|
|
deactivate_authzs
bool (added in 2.6) |
|
Deactivate authentication objects (authz) after issuing a certificate, or when issuing the certificate failed.
Authentication objects are bound to an account key and remain valid for a certain amount of time, and can be used to issue certificates without having to re-authenticate the domain. This can be a security concern.
|
| dest |
The destination file for the certificate.
Required if
fullchain_dest is not specified.aliases: cert |
|
|
force
bool (added in 2.6) |
|
Enforces the execution of the challenge and validation, even if an existing certificate is still valid.
This is especially helpful when having an updated CSR e.g. with additional domains for which a new certificate is desired.
|
|
fullchain_dest
(added in 2.5) |
The destination file for the full chain (i.e. certificate followed by chain of intermediate certificates).
Required if
dest is not specified.aliases: fullchain |
|
|
modify_account
bool (added in 2.6) |
|
Boolean indicating whether the module should create the account if necessary, and update its contact data.
Set to
no if you want to use acme_account to manage your account instead, and to avoid accidental creation of a new account using an old key if you changed the account key with acme_account.If set to
no, terms_agreed and account_email are ignored. |
| remaining_days |
Default: 10
|
The number of days the certificate must have left being valid. If
cert_days < remaining_days, then it will be renewed. If the certificate is not renewed, module return values will not include challenge_data. |
|
terms_agreed
bool (added in 2.5) |
|
Boolean indicating whether you agree to the terms of service document.
ACME servers can require this to be true.
This option will only be used when
acme_version is not 1. |
|
validate_certs
bool (added in 2.5) |
|
Whether calls to the ACME directory will validate TLS certificates.
Warning: Should only ever be set to
no for testing purposes, for example when testing against a local Pebble server. |
### Example with HTTP challenge ###
- name: Create a challenge for sample.com using a account key from a variable.
acme_certificate:
account_key_content: "{{ account_private_key }}"
csr: /etc/pki/cert/csr/sample.com.csr
dest: /etc/httpd/ssl/sample.com.crt
register: sample_com_challenge
# Alternative first step:
- name: Create a challenge for sample.com using a account key from hashi vault.
acme_certificate:
account_key_content: "{{ lookup('hashi_vault', 'secret=secret/account_private_key:value') }}"
csr: /etc/pki/cert/csr/sample.com.csr
fullchain_dest: /etc/httpd/ssl/sample.com-fullchain.crt
register: sample_com_challenge
# Alternative first step:
- name: Create a challenge for sample.com using a account key file.
acme_certificate:
account_key_src: /etc/pki/cert/private/account.key
csr: /etc/pki/cert/csr/sample.com.csr
dest: /etc/httpd/ssl/sample.com.crt
fullchain_dest: /etc/httpd/ssl/sample.com-fullchain.crt
register: sample_com_challenge
# perform the necessary steps to fulfill the challenge
# for example:
#
# - copy:
# dest: /var/www/html/{{ sample_com_challenge['challenge_data']['sample.com']['http-01']['resource'] }}
# content: "{{ sample_com_challenge['challenge_data']['sample.com']['http-01']['resource_value'] }}"
# when: sample_com_challenge is changed
- name: Let the challenge be validated and retrieve the cert and intermediate certificate
acme_certificate:
account_key_src: /etc/pki/cert/private/account.key
csr: /etc/pki/cert/csr/sample.com.csr
dest: /etc/httpd/ssl/sample.com.crt
fullchain_dest: /etc/httpd/ssl/sample.com-fullchain.crt
chain_dest: /etc/httpd/ssl/sample.com-intermediate.crt
data: "{{ sample_com_challenge }}"
### Example with DNS challenge against production ACME server ###
- name: Create a challenge for sample.com using a account key file.
acme_certificate:
account_key_src: /etc/pki/cert/private/account.key
account_email: [email protected]
src: /etc/pki/cert/csr/sample.com.csr
cert: /etc/httpd/ssl/sample.com.crt
challenge: dns-01
acme_directory: https://acme-v01.api.letsencrypt.org/directory
# Renew if the certificate is at least 30 days old
remaining_days: 60
register: sample_com_challenge
# perform the necessary steps to fulfill the challenge
# for example:
#
# - route53:
# zone: sample.com
# record: "{{ sample_com_challenge.challenge_data['sample.com']['dns-01'].record }}"
# type: TXT
# ttl: 60
# # Note: route53 requires TXT entries to be enclosed in quotes
# value: "{{ sample_com_challenge.challenge_data['sample.com']['dns-01'].resource_value }}"
# when: sample_com_challenge is changed
#
# Alternative way:
#
# - route53:
# zone: sample.com
# record: "{{ item.key }}"
# type: TXT
# ttl: 60
# # Note: item.value is a list of TXT entries, and route53
# # requires every entry to be enclosed in quotes
# value: "{{ item.value | map('regex_replace', '^(.*)$', '\'\\1\'' ) | list }}"
# with_dict: sample_com_challenge.challenge_data_dns
# when: sample_com_challenge is changed
- name: Let the challenge be validated and retrieve the cert and intermediate certificate
acme_certificate:
account_key_src: /etc/pki/cert/private/account.key
account_email: [email protected]
src: /etc/pki/cert/csr/sample.com.csr
cert: /etc/httpd/ssl/sample.com.crt
fullchain: /etc/httpd/ssl/sample.com-fullchain.crt
chain: /etc/httpd/ssl/sample.com-intermediate.crt
challenge: dns-01
acme_directory: https://acme-v01.api.letsencrypt.org/directory
remaining_days: 60
data: "{{ sample_com_challenge }}"
Common return values are documented here, the following are the fields unique to this module:
| Key | Returned | Description | |
|---|---|---|---|
|
account_uri
string
(added in 2.5) |
changed |
ACME account URI.
|
|
|
authorizations
complex
|
changed |
ACME authorization data.
|
|
|
authorization
dict
|
success |
ACME authorization object. See https://tools.ietf.org/html/draft-ietf-acme-acme-12#section-7.1.4
|
|
|
cert_days
int
|
success |
the number of days the certificate remains valid.
|
|
|
challenge_data
complex
|
changed |
per domain / challenge type challenge data
|
|
|
resource
string
|
changed |
the challenge resource that must be created for validation
Sample:
.well-known/acme-challenge/evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA
|
|
|
resource_value
string
|
changed |
the value the resource has to produce for the validation
Sample:
IlirfxKKXA...17Dt3juxGJ-PCt92wr-oA
|
|
|
record
string
(added in 2.5) |
changed and challenge is dns-01 |
the full DNS record's name for the challenge
Sample:
_acme-challenge.example.com
|
|
|
challenge_data_dns
dict
(added in 2.5) |
changed |
list of TXT values per DNS record, in case challenge is
dns-01 |
|
|
finalization_uri
string
(added in 2.5) |
changed |
ACME finalization URI.
|
|
|
order_uri
string
(added in 2.5) |
changed |
ACME order URI.
|
|
This module is flagged as preview which means that it is not guaranteed to have a backwards compatible interface.
This module is flagged as community which means that it is maintained by the Ansible Community. See Module Maintenance & Support for more info.
For a list of other modules that are also maintained by the Ansible Community, see here.
Hint
If you notice any issues in this documentation you can edit this document to improve it.