community.crypto.acme_challenge_cert_helper module – Prepare certificates required for ACME challenges such as tls-alpn-01
Note
This module is part of the community.crypto collection (version 2.18.0).
You might already have this collection installed if you are using the ansible package.
It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.crypto.
You need further requirements to be able to use this module,
see Requirements for details.
To use it in a playbook, specify: community.crypto.acme_challenge_cert_helper.
Synopsis
Prepares certificates for ACME challenges such as
tls-alpn-01.The raw data is provided by the community.crypto.acme_certificate module, and needs to be converted to a certificate to be used for challenge validation. This module provides a simple way to generate the required certificates.
Requirements
The below requirements are needed on the host that executes this module.
cryptography >= 1.3
Parameters
Parameter |
Comments |
|---|---|
The challenge type. Choices:
|
|
The |
|
Content of the private key to use for this challenge certificate. Mutually exclusive with |
|
Phassphrase to use to decode the private key. |
|
Path to a file containing the private key file to use for this challenge certificate. Mutually exclusive with |
Attributes
Attribute |
Support |
Description |
|---|---|---|
Support: none This action does not modify state. |
Can run in |
|
Support: N/A This action does not modify state. |
Will return details on what has changed (or possibly needs changing in |
See Also
See also
- Automatic Certificate Management Environment (ACME)
The specification of the ACME protocol (RFC 8555).
- ACME TLS ALPN Challenge Extension
The specification of the
tls-alpn-01challenge (RFC 8737).
Examples
- name: Create challenges for a given CRT for sample.com
community.crypto.acme_certificate:
account_key_src: /etc/pki/cert/private/account.key
challenge: tls-alpn-01
csr: /etc/pki/cert/csr/sample.com.csr
dest: /etc/httpd/ssl/sample.com.crt
register: sample_com_challenge
- name: Create certificates for challenges
community.crypto.acme_challenge_cert_helper:
challenge: tls-alpn-01
challenge_data: "{{ item.value['tls-alpn-01'] }}"
private_key_src: /etc/pki/cert/key/sample.com.key
loop: "{{ sample_com_challenge.challenge_data | dictsort }}"
register: sample_com_challenge_certs
- name: Install challenge certificates
# We need to set up HTTPS such that for the domain,
# regular_certificate is delivered for regular connections,
# except if ALPN selects the "acme-tls/1"; then, the
# challenge_certificate must be delivered.
# This can for example be achieved with very new versions
# of NGINX; search for ssl_preread and
# ssl_preread_alpn_protocols for information on how to
# route by ALPN protocol.
...:
domain: "{{ item.domain }}"
challenge_certificate: "{{ item.challenge_certificate }}"
regular_certificate: "{{ item.regular_certificate }}"
private_key: /etc/pki/cert/key/sample.com.key
loop: "{{ sample_com_challenge_certs.results }}"
- name: Create certificate for a given CSR for sample.com
community.crypto.acme_certificate:
account_key_src: /etc/pki/cert/private/account.key
challenge: tls-alpn-01
csr: /etc/pki/cert/csr/sample.com.csr
dest: /etc/httpd/ssl/sample.com.crt
data: "{{ sample_com_challenge }}"
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
|---|---|
The challenge certificate in PEM format. Returned: always |
|
The domain the challenge is for. The certificate should be provided if this is specified in the request’s the Returned: always |
|
The identifier for the actual resource. Will be a domain name if Returned: always |
|
The identifier type for the actual resource identifier. Returned: always Can only return:
|
|
A self-signed certificate for the challenge domain. If no existing certificate exists, can be used to set-up https in the first place if that is needed for providing the challenge. Returned: always |