6088c788f1
Minor updates from review comments for I1f66da614751a29cc565b37cdc9ff34d70fdfd3f Change-Id: Ie011f768345ca3d8fdcc0b833f5645a635983d64
Request certificates from letsencrypt
The role requests certificates (or renews expiring certificates,
which is fundamentally the same thing) from letsencrypt for a host. This
requires the acme.sh tool and driver which should have been
installed by the letsencrypt-acme-sh-install role.
This role does not create the certificates. It will request the
certificates from letsencrypt and populate the authentication data into
the acme_txt_required variable. These values need to be
installed and activated on the DNS server by the
letsencrypt-install-txt-record role; the
letsencrypt-create-certs will then finish the certificate
provision process.
Role Variables
Uses staging, rather than prodcution requests to letsencrypt
A host wanting a certificate should define a dictionary variable
letsencyrpt_certs. Each key in this dictionary is a separate certificate to create (i.e. a host can create multiple separate certificates). Each key should have a list of hostnames valid for that certificate. The certificate will be named for the first entry.For example:
letsencrypt_certs: main: - hostname01.opendev.org - hostname.opendev.org secondary: - foo.opendev.orgwill ultimately result in two certificates being provisioned on the host in
/etc/letsencrypt-certs/hostname01.opendev.organd/etc/letsencrypt-certs/foo.opendev.org.Note that each entry will require a
CNAMEpointing the ACME challenge domain to the TXT record that will be created in the signing domain. For example above, the following records would need to be pre-created:_acme-challenge.hostname01.opendev.org. IN CNAME acme.opendev.org. _acme-challenge.hostname.opendev.org. IN CNAME acme.opendev.org. _acme-challenge.foo.opendev.org. IN CNAME acme.opendev.org.