Request certificates from letsencrypt
The role requests certificates (or renews expiring certificates, which
is fundamentally the same thing) from letsencrypt for a host. This
requires the ``acme.sh`` tool and driver which should have been
installed by the ``letsencrypt-acme-sh-install`` role.
This role does not create the certificates. It will request the
certificates from letsencrypt and populate the authentication data
into the ``acme_txt_required`` variable. These values need to be
installed and activated on the DNS server by the
``letsencrypt-install-txt-record`` role; the
``letsencrypt-create-certs`` will then finish the certificate
provision process.
**Role Variables**
.. zuul:rolevar:: letsencrypt_self_generate_tokens
:default: False
When set to ``True``, self-generate fake DNS-01 TXT tokens rather
than acquiring them through the ACME process with letsencrypt.
This avoids leaving "half-open" challenges during gate testing,
where we have no way to publish the DNS TXT records letsencrypt
gives us to complete the certificate issue. This should be
``True`` if ``letsencrypt_self_sign_only`` is ``True`` (unless you
wish to specifically test the ``acme.sh`` operation).
.. zuul:rolevar:: letsencrypt_use_staging
If set to True will use the letsencrypt staging environment, rather
than make production requests. Useful during initial provisioning
of hosts to avoid affecting production quotas.
.. zuul:rolevar:: letsencrypt_certs
A host wanting a certificate should define a dictionary variable
``letsencyrpt_certs``. Each key in this dictionary is a separate
certificate to create (i.e. a host can create multiple separate
certificates). Each key should have a list of hostnames valid for
that certificate. The certificate will be named for the *first*
entry. Naming the cert for the service (rather than the hostname)
will simplify references to the file (for example in Apache
VirtualHost configs), so listing it first is preferred.
For example:
.. code-block:: yaml
letsencrypt_certs:
hostname-main-cert:
- hostname.opendev.org
- hostname01.opendev.org
hostname-secondary-cert:
- foo.opendev.org
will ultimately result in two certificates being provisioned on the
host in ``/etc/letsencrypt-certs/hostname.opendev.org`` and
``/etc/letsencrypt-certs/foo.opendev.org``.
Note the creation role ``letsencrypt-create-certs`` will call a
handler ``letsencrypt updated {{ key }}`` (for example,
``letsencrypt updated hostname-main-cert``) when that certificate
is created or updated. Because Ansible errors if a handler is
called with no listeners, you *must* define a listener for event.
``letsencrypt-create-certs`` has ``handlers/main.yaml`` where
handlers can be defined. Since handlers reside in a global
namespace, you should choose an appropriately unique name.
Note that each entry will require a ``CNAME`` pointing the ACME
challenge domain to the TXT record that will be created in the
signing domain. For example above, the following records would need
to be pre-created::
_acme-challenge.hostname01.opendev.org. IN CNAME acme.opendev.org.
_acme-challenge.hostname.opendev.org. IN CNAME acme.opendev.org.
_acme-challenge.foo.opendev.org. IN CNAME acme.opendev.org.
The hostname in the first entry for each certificate will be
registered with the ``letsencrypt-config-certcheck`` for periodic
freshness tests; from the example above, ``hostname01.opendev.org``
and ``foo.opendev.org`` would be checked. By default this will
check on port 443; if the certificate is actually active on another
port you can specify it after a colon;
e.g. ``foo.opendev.org:5000`` would indicate this host listens with
this certificate on port 5000.