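---
# Issue an ACME certificate for {{ acme_certificate_subject }} using the dns-01
# challenge, answering the challenge with RFC 2136 dynamic DNS updates
# (community.general.nsupdate) against the authoritative server.
#
# Variables expected from the caller (referenced below, not defined here):
#   acme_certificate_account_key_passphrase, acme_certificate_account_email,
#   acme_certificate_directory, acme_certificate_subject, acme_certificate_zone,
#   acme_certificate_csr_country / _email / _locality / _organization / _state,
#   ssl_passphrase,
#   rfc2136_key_algorithm, rfc2136_key_name, rfc2136_key_secret,
#   rfc2136_server_address
# Optional:
#   acme_certificate_challenge_ttl - TTL of the challenge TXT record; defaults
#   to 3600 so existing callers keep the previous behaviour.

- name: Create ACME account directory
  ansible.builtin.file:
    path: /etc/ssl/private/ACME
    state: directory
    owner: root
    group: root
    mode: '0700'

- name: Create ACME account key
  # The ACME modules document the account key as an RSA or EC key. The original
  # task combined type Ed25519 with curve secp384r1 and size 384; curve is only
  # honoured for ECC and size only for RSA, so the declared curve is kept and
  # the key type made consistent with it (P-384).
  community.crypto.openssl_privatekey:
    path: /etc/ssl/private/ACME/account.key
    type: ECC
    curve: secp384r1
    format: auto
    cipher: auto
    passphrase: "{{ acme_certificate_account_key_passphrase }}"
    state: present
    owner: root
    group: root
    mode: '0600'

- name: Generate RSA private key
  # curve is not meaningful for RSA keys and has been dropped.
  community.crypto.openssl_privatekey:
    path: "/etc/ssl/private/{{ acme_certificate_subject }}.key"
    type: RSA
    size: 4096
    format: pkcs1
    cipher: auto
    passphrase: "{{ ssl_passphrase }}"
    state: present
    owner: root
    group: root
    mode: '0600'

- name: Generate CSR
  community.crypto.openssl_csr:
    path: "/etc/ssl/private/{{ acme_certificate_subject }}.csr"
    privatekey_path: "/etc/ssl/private/{{ acme_certificate_subject }}.key"
    digest: sha256
    common_name: "{{ acme_certificate_subject }}"
    use_common_name_for_san: true
    country_name: "{{ acme_certificate_csr_country }}"
    state_or_province_name: "{{ acme_certificate_csr_state }}"
    locality_name: "{{ acme_certificate_csr_locality }}"
    organization_name: "{{ acme_certificate_csr_organization }}"
    email_address: "{{ acme_certificate_csr_email }}"
    state: present
    owner: root
    group: root
    mode: '0600'

- name: Submit ACME certificate request
  # First pass: registers/updates the account and obtains the challenge data.
  # The task only reports "changed" when a new certificate is actually needed.
  community.crypto.acme_certificate:
    acme_directory: "{{ acme_certificate_directory }}"
    acme_version: 2
    account_key_src: /etc/ssl/private/ACME/account.key
    account_key_passphrase: "{{ acme_certificate_account_key_passphrase }}"
    account_email: "{{ acme_certificate_account_email }}"
    modify_account: true
    terms_agreed: true
    validate_certs: true
    select_crypto_backend: cryptography
    challenge: dns-01
    csr: "/etc/ssl/private/{{ acme_certificate_subject }}.csr"
    dest: "/etc/ssl/private/{{ acme_certificate_subject }}.crt"
    chain_dest: "/etc/ssl/private/{{ acme_certificate_subject }}.chain"
  register: challenge

- name: Debug ACME certificate challenge
  ansible.builtin.debug:
    var: challenge

- name: Answer challenge and retrieve certificate
  # The block-level condition also gates the always section, so cleanup only
  # runs when a challenge record was (or may have been) published.
  when:
    - challenge is changed
    - acme_certificate_subject in challenge.challenge_data
  block:
    - name: Answer ACME certificate challenge
      # NOTE(review): the update goes to the authoritative server; if the CA
      # resolves through secondaries, a propagation wait may be needed here.
      community.general.nsupdate:
        server: "{{ rfc2136_server_address }}"
        port: 53
        protocol: tcp
        key_name: "{{ rfc2136_key_name }}"
        key_algorithm: "{{ rfc2136_key_algorithm }}"
        key_secret: "{{ rfc2136_key_secret }}"
        zone: "{{ acme_certificate_zone }}"
        record: "{{ challenge.challenge_data[acme_certificate_subject]['dns-01'].record }}"
        type: TXT
        ttl: "{{ acme_certificate_challenge_ttl | default(3600) }}"
        value: "{{ challenge.challenge_data[acme_certificate_subject]['dns-01'].resource_value }}"
        state: present

    - name: Retrieve ACME certificate
      # Second pass: hands the registered challenge data back so the module can
      # ask the CA to validate and then downloads the certificate and chain.
      community.crypto.acme_certificate:
        acme_directory: "{{ acme_certificate_directory }}"
        acme_version: 2
        account_key_src: /etc/ssl/private/ACME/account.key
        account_key_passphrase: "{{ acme_certificate_account_key_passphrase }}"
        account_email: "{{ acme_certificate_account_email }}"
        modify_account: true
        terms_agreed: true
        validate_certs: true
        select_crypto_backend: cryptography
        challenge: dns-01
        csr: "/etc/ssl/private/{{ acme_certificate_subject }}.csr"
        data: "{{ challenge }}"
        dest: "/etc/ssl/private/{{ acme_certificate_subject }}.crt"
        chain_dest: "/etc/ssl/private/{{ acme_certificate_subject }}.chain"

  always:
    # Previously the cleanup was an ordinary task after retrieval, so a failed
    # validation left the challenge TXT record in the zone. Removing an absent
    # record is harmless, so it is safe to run unconditionally here.
    - name: Cleanup ACME challenge
      community.general.nsupdate:
        server: "{{ rfc2136_server_address }}"
        port: 53
        protocol: tcp
        key_name: "{{ rfc2136_key_name }}"
        key_algorithm: "{{ rfc2136_key_algorithm }}"
        key_secret: "{{ rfc2136_key_secret }}"
        zone: "{{ acme_certificate_zone }}"
        record: "{{ challenge.challenge_data[acme_certificate_subject]['dns-01'].record }}"
        type: TXT
        ttl: "{{ acme_certificate_challenge_ttl | default(3600) }}"
        value: "{{ challenge.challenge_data[acme_certificate_subject]['dns-01'].resource_value }}"
        state: absent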