2019-02-14 08:10:51 +11:00
|
|
|
Request certificates from letsencrypt
|
|
|
|
|
|
|
|
The role requests certificates (or renews expiring certificates, which
|
|
|
|
is fundamentally the same thing) from letsencrypt for a host. This
|
|
|
|
requires the ``acme.sh`` tool and driver which should have been
|
|
|
|
installed by the ``letsencrypt-acme-sh-install`` role.
|
|
|
|
|
|
|
|
This role does not create the certificates. It will request the
|
|
|
|
certificates from letsencrypt and populate the authentication data
|
|
|
|
into the ``acme_txt_required`` variable. These values need to be
|
|
|
|
installed and activated on the DNS server by the
|
|
|
|
``letsencrypt-install-txt-record`` role; the
|
|
|
|
``letsencrypt-create-certs`` will then finish the certificate
|
|
|
|
provision process.
|
|
|
|
|
|
|
|
**Role Variables**
|
|
|
|
|
2019-04-10 07:31:26 +10:00
|
|
|
.. zuul:rolevar:: letsencrypt_use_staging
|
2019-02-14 08:10:51 +11:00
|
|
|
|
2019-04-10 07:31:26 +10:00
|
|
|
If set to True will use the letsencrypt staging environment, rather
|
|
|
|
than make production requests. Useful during initial provisioning
|
|
|
|
of hosts to avoid affecting production quotas.
|
2019-02-14 08:10:51 +11:00
|
|
|
|
|
|
|
.. zuul:rolevar:: letsencrypt_certs
|
|
|
|
|
|
|
|
A host wanting a certificate should define a dictionary variable
|
|
|
|
``letsencyrpt_certs``. Each key in this dictionary is a separate
|
|
|
|
certificate to create (i.e. a host can create multiple separate
|
|
|
|
certificates). Each key should have a list of hostnames valid for
|
|
|
|
that certificate. The certificate will be named for the *first*
|
|
|
|
entry.
|
|
|
|
|
|
|
|
For example:
|
|
|
|
|
|
|
|
.. code-block:: yaml
|
|
|
|
|
|
|
|
letsencrypt_certs:
|
|
|
|
main:
|
|
|
|
- hostname01.opendev.org
|
|
|
|
- hostname.opendev.org
|
|
|
|
secondary:
|
|
|
|
- foo.opendev.org
|
|
|
|
|
|
|
|
will ultimately result in two certificates being provisioned on the
|
|
|
|
host in ``/etc/letsencrypt-certs/hostname01.opendev.org`` and
|
|
|
|
``/etc/letsencrypt-certs/foo.opendev.org``.
|
|
|
|
|
|
|
|
Note that each entry will require a ``CNAME`` pointing the ACME
|
|
|
|
challenge domain to the TXT record that will be created in the
|
|
|
|
signing domain. For example above, the following records would need
|
|
|
|
to be pre-created::
|
|
|
|
|
|
|
|
_acme-challenge.hostname01.opendev.org. IN CNAME acme.opendev.org.
|
|
|
|
_acme-challenge.hostname.opendev.org. IN CNAME acme.opendev.org.
|
|
|
|
_acme-challenge.foo.opendev.org. IN CNAME acme.opendev.org.
|