---
# Private directory for the ACME account key. Mode 0700 with root:root
# ownership keeps other local users from listing or entering it.
- name: Create ACME account directory
  ansible.builtin.file:
    path: /etc/ssl/private/ACME
    state: directory
    owner: root
    group: root
    mode: '0700'
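# Generates the passphrase-protected key that identifies the ACME account;
# the acme_certificate tasks in this file read it through account_key_src.
- name: Create ACME account key
  community.crypto.openssl_privatekey:
    path: /etc/ssl/private/ACME/account.key
    state: present
    # ECC is the key type that `curve` applies to. Ed25519 would ignore
    # `curve`, cannot be serialised in the pkcs1 (traditional OpenSSL)
    # format requested here, and is not among the account key types the
    # ACME modules document (RSA or elliptic curve). `size` is not listed
    # because it only applies to RSA/DSA keys.
    # NOTE(review): if a key of another type already exists at this path,
    # the module's regenerate policy decides whether it is replaced, and a
    # replaced key means a new ACME account - confirm before rollout.
    type: ECC
    curve: secp384r1
    format: pkcs1
    # Encrypt the key at rest; keep the passphrase variable in a vault or
    # secret store rather than in plain inventory.
    cipher: auto
    passphrase: "{{ acme_certificate_account_key_passphrase }}"
    owner: root
    group: root
    mode: '0600'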
# Server key for the certificate subject: 4096-bit RSA, encrypted with
# ssl_passphrase and readable by root only. Anything that later loads this
# key needs the same passphrase.
- name: Generate RSA private key
  community.crypto.openssl_privatekey:
    path: "/etc/ssl/private/{{ acme_certificate_subject }}.key"
    state: present
    type: RSA
    size: 4096
    # `curve` is only consulted for ECC keys; it has no effect on this RSA key.
    curve: secp384r1
    format: pkcs1
    cipher: auto
    passphrase: "{{ ssl_passphrase }}"
    owner: root
    group: root
    mode: '0600'
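# Builds the certificate signing request for the subject, signed with the
# subject's private key and a SHA-256 digest. The common name is also used
# as the subjectAltName entry.
- name: Generate CSR
  community.crypto.openssl_csr:
    path: "/etc/ssl/private/{{ acme_certificate_subject }}.csr"
    state: present
    privatekey_path: "/etc/ssl/private/{{ acme_certificate_subject }}.key"
    # The key at privatekey_path is generated encrypted with ssl_passphrase,
    # so the module needs the same passphrase to load it for signing.
    privatekey_passphrase: "{{ ssl_passphrase }}"
    digest: sha256
    common_name: "{{ acme_certificate_subject }}"
    use_common_name_for_san: true
    country_name: "{{ acme_certificate_csr_country }}"
    state_or_province_name: "{{ acme_certificate_csr_state }}"
    locality_name: "{{ acme_certificate_csr_locality }}"
    organization_name: "{{ acme_certificate_csr_organization }}"
    email_address: "{{ acme_certificate_csr_email }}"
    owner: root
    group: root
    mode: '0600'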
# First acme_certificate pass: authenticates with the account key, submits
# the CSR and registers the result as `challenge`. Later tasks read the
# dns-01 data from challenge.challenge_data.
- name: Submit ACME certificate request
  community.crypto.acme_certificate:
    acme_directory: "{{ acme_certificate_directory }}"
    acme_version: 2
    # Keep TLS verification of the ACME endpoint enabled.
    validate_certs: true
    select_crypto_backend: cryptography
    account_key_src: /etc/ssl/private/ACME/account.key
    account_key_passphrase: "{{ acme_certificate_account_key_passphrase }}"
    account_email: "{{ acme_certificate_account_email }}"
    modify_account: true
    terms_agreed: true
    challenge: dns-01
    csr: "/etc/ssl/private/{{ acme_certificate_subject }}.csr"
    dest: "/etc/ssl/private/{{ acme_certificate_subject }}.crt"
    chain_dest: "/etc/ssl/private/{{ acme_certificate_subject }}.chain"
  register: challenge
# Prints the registered result of the request step. The dump includes the
# dns-01 record names and token values, so they end up in play output and
# in any log that captures it.
- name: Debug ACME certificate challenge
  ansible.builtin.debug:
    var: challenge
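# Runs only when the request step reported a change and returned challenge
# data for the subject: publish the dns-01 TXT record through a dynamic DNS
# update, let the CA validate and issue, then remove the record again.
- name: Proceed if challenge is changed
  when:
    - challenge is changed
    - acme_certificate_subject in challenge.challenge_data
  block:

    - name: Answer ACME certificate challenge
      community.general.nsupdate:
        server: "{{ rfc2136_server_address }}"
        port: 53
        protocol: tcp
        # TSIG credentials authorise the update; whoever holds key_secret
        # can change records in the zone, so keep it in a vault.
        key_algorithm: "{{ rfc2136_key_algorithm }}"
        key_name: "{{ rfc2136_key_name }}"
        key_secret: "{{ rfc2136_key_secret }}"
        zone: "{{ acme_certificate_zone }}"
        # NOTE(review): confirm how nsupdate resolves this name when `zone`
        # is set - a record without a trailing dot may be taken as relative
        # to the zone.
        record: "{{ challenge.challenge_data[acme_certificate_subject]['dns-01'].record }}"
        type: TXT
        ttl: 3600
        value: "{{ challenge.challenge_data[acme_certificate_subject]['dns-01'].resource_value }}"
        state: present

    # Second acme_certificate pass: `data` hands back the registered result
    # of the request step so the CA can validate and the files are written.
    # NOTE(review): there is no wait between publishing the TXT record and
    # validation - confirm the authoritative servers serve it immediately.
    - name: Retrieve ACME certificate
      community.crypto.acme_certificate:
        acme_directory: "{{ acme_certificate_directory }}"
        acme_version: 2
        validate_certs: true
        select_crypto_backend: cryptography
        account_key_src: /etc/ssl/private/ACME/account.key
        account_key_passphrase: "{{ acme_certificate_account_key_passphrase }}"
        account_email: "{{ acme_certificate_account_email }}"
        modify_account: true
        terms_agreed: true
        challenge: dns-01
        csr: "/etc/ssl/private/{{ acme_certificate_subject }}.csr"
        data: "{{ challenge }}"
        dest: "/etc/ssl/private/{{ acme_certificate_subject }}.crt"
        chain_dest: "/etc/ssl/private/{{ acme_certificate_subject }}.chain"

  always:

    # Runs whether or not the tasks in `block` succeeded, so a failed
    # validation or issuance does not leave the challenge record in the zone.
    - name: Cleanup ACME challenge
      community.general.nsupdate:
        server: "{{ rfc2136_server_address }}"
        port: 53
        protocol: tcp
        key_algorithm: "{{ rfc2136_key_algorithm }}"
        key_name: "{{ rfc2136_key_name }}"
        key_secret: "{{ rfc2136_key_secret }}"
        zone: "{{ acme_certificate_zone }}"
        record: "{{ challenge.challenge_data[acme_certificate_subject]['dns-01'].record }}"
        type: TXT
        ttl: 3600
        value: "{{ challenge.challenge_data[acme_certificate_subject]['dns-01'].resource_value }}"
        state: absent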