| commit | author | age | ||
| caefa6 | 1 | Role Name |
| WK | 2 | ========= |
| 3 | ||
| 4 | host-lets-encrypt-certs-certs | |
| 5 | ||
| 6 | Requirements | |
| 7 | ------------ | |
| 8 | ||
| 9 | EPEL needs to be installed on the target host that this role is run on. | |
| 10 | ||
| 11 | Request Let's Encrypt Certificates for a host. Supports wildcard certificates if Cloud DNS credentials are provided. | |
| 12 | ||
| 13 | Currently only AWS is supported for wildcard certificates. AWS credentials have to be in $HOME/.aws/credentials on the host that this role is run on. | |
| 14 | ||
| 15 | If static certificates are requested this role needs to run on the host for which certificates are being requested. If wildcard certificates are not involved then the role *must* be run on the host that is requesting the certificates. And that host *must* respond to the DNS address the certificates are requested for. There can not be a web server running on the host that will serve the domain. Otherwise the request will fail. | |
| 16 | ||
| 17 | If Wildcard certificates are involved the role can run on any host because validation of the domain will happen via Cloud Credentials to the Cloud Provider's DNS entry for which wildcard certificates are being requested. | |
| 18 | ||
| 19 | ||
| 20 | Role Variables | |
| 21 | -------------- | |
| 22 | ||
| 23 | |Variable Name|Required|Default Value|Description | |
| 24 | |------------ |----------- |-----------|----------- | |
| 25 | |*_certbot_domain*|Yes|"" |Domain name for which to request a certificate. _Limitation_: Curently only *one* domain name can be requested. | |
| 26 | |*_certbot_wildcard_domain*|No|""|Wildcard domain name for which to request a certificate | |
| 27 | |*_certbot_dns_provider*|No|route53|DNS Provider for use with wildcard certificates. | |
| 28 | |*_certbot_le_email*|Yes|rhpds-admins@redhat.com|E-mail address to register with Let's Encrypt | |
| 29 | |*_certbot_additional_args*|No |"" |Additional arguments for Certbot | |
| 30 | |*_certbot_remote_dir*|Yes| "/root"| The directory on the remote host in which to store Certbot files | |
| 31 | |*_certbot_install_dir*|Yes| "/root/certificates"| The directory on the remote host in which to install the requested certificates into | |
| 32 | |*_certbot_cache_archive_file*|Yes| "/tmp/certbot.tar.gz"| Local (to the host ansible is running on) cache of certificates. Prevents re-requesting certificates for later runs of the playbook when the domains haven't changed. certbot.tar.gz will contain the entire `{{_cerbot_remote_dir}}/certbot` directory so that it can be restored for future runs on new machines with the same domain names. | |
| 33 | |*_certbot_production*|Yes|False|Use the Production Let's Encrypt Server. Leave to False for testing runs to prevent issues with the Let's Encrypt rate limits | |
| 34 | |*_certbot_renew_automatically*|Yes|False|Install a cron job to automatically renew Certificates. Checks once a day. | |
| 35 | |*_certbot_force_issue*|Yes|False|Force the creation of new certificates even if there are certificates already on the host or certificates in the local cache | |
| 36 | ||
| 37 | ||
| 38 | Dependencies | |
| 39 | ------------ | |
| 40 | ||
| 41 | None | |
| 42 | ||
| 43 | Example Playbook | |
| 44 | ---------------- | |
| 45 | ||
| 46 | Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: | |
| 47 | ||
| 48 | ``` | |
| 49 | - name: Request Let's Encrypt Static Certificates | |
| 50 | hosts: server | |
| 51 | gather_facts: False | |
| 52 | tasks: | |
| 53 | - name: Call Role | |
| 54 | include_role: | |
| 55 | name: ../../roles/host-lets-encrypt-certs | |
| 56 | vars: | |
| 57 | - _certbot_domain: "master.example.opentlc.com" | |
| 58 | - _certbot_production: False | |
| 59 | - _certbot_remote_dir: "/root" | |
| 60 | - _certbot_cache_cert_file: "/tmp/server.cert" | |
| 61 | - _certbot_cache_key_file: "/tmp/server.key" | |
| 62 | - _certbot_cache_ca_file: "/tmp/server_ca.cer" | |
| 63 | - _certbot_cache_fullchain_file: "/tmp/fullchain.cer" | |
| 64 | - _certbot_cache_archive_file: "/tmp/acme.tar.gz" | |
| 65 | - _certbot_renew_automatically: False | |
| 66 | - _certbot_force_issue: False | |
| 67 | ||
| 68 | - name: Request Let's Encrypt Wildcard Certificates | |
| 69 | hosts: quay | |
| 70 | gather_facts: False | |
| 71 | tasks: | |
| 72 | - name: Call Role | |
| 73 | include_role: | |
| 74 | name: ../ansible/roles/host-lets-encrypt-certs | |
| 75 | vars: | |
| 76 | - _certbot_wildcard_domain: "*.apps.example.opentlc.com" | |
| 77 | - _certbot_production: False | |
| 78 | - _certbot_remote_dir: "/root" | |
| 79 | - _certbot_cache_cert_file: "/tmp/server.cert" | |
| 80 | - _certbot_cache_key_file: "/tmp/server.key" | |
| 81 | - _certbot_cache_ca_file: "/tmp/server_ca.cer" | |
| 82 | - _certbot_cache_fullchain_file: "/tmp/fullchain.cer" | |
| 83 | - _certbot_cache_archive_file: "/tmp/certbot.tar.gz" | |
| 84 | - _certbot_renew_automatically: False | |
| 85 | - _certbot_force_issue: False | |
| 86 | ||
| 87 | - name: Request Both Let's Encrypt Static and Wildcard Certificates | |
| 88 | hosts: quay | |
| 89 | gather_facts: False | |
| 90 | tasks: | |
| 91 | - name: Call Role | |
| 92 | include_role: | |
| 93 | name: ../ansible/roles/host-lets-encrypt-certs | |
| 94 | vars: | |
| 95 | - _certbot_domain: "master.example.opentlc.com" | |
| 96 | - _certbot_wildcard_domain: "*.apps.example.opentlc.com" | |
| 97 | - _certbot_production: False | |
| 98 | - _certbot_remote_dir: "/root" | |
| 99 | - _certbot_cache_cert_file: "/tmp/server.cert" | |
| 100 | - _certbot_cache_key_file: "/tmp/server.key" | |
| 101 | - _certbot_cache_ca_file: "/tmp/server_ca.cer" | |
| 102 | - _certbot_cache_fullchain_file: "/tmp/fullchain.cer" | |
| 103 | - _certbot_cache_archive_file: "/tmp/certbot.tar.gz" | |
| 104 | - _certbot_renew_automatically: False | |
| 105 | - _certbot_force_issue: False | |
| 106 | ``` | |
