Ansible Role acme_sh
This role installs acme.sh and enables issuing certificates with Let's Encrypt. Issued certificates are copied from /etc/acme.sh to the appropriate subfolders of /etc/pki/.
After running this role, configure Apache HTTPd as follows:
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/www.example.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key
SSLCertificateChainFile /etc/pki/tls/certs/www.example.com-chain.crt
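Before pointing httpd at these three files it is worth checking that they actually belong together. The script below is an added example and is not part of the linuxfabrik.lfops.acme_sh role or of acme.sh; the function names check_tls_files, make_test_pki and demo are my own, and the throw-away CA and leaf certificate it generates are a constructed fixture so that the check can be exercised offline. It verifies that the certificate matches the private key, that the chain file signs the certificate and that the name matches the vhost, that the certificate is not about to expire, and that the key is not group- or world-readable.

```shell
#!/bin/sh
# Added example, not part of the linuxfabrik.lfops.acme_sh role: sanity-check the
# certificate, key and chain file referenced by the Apache snippet before reloading httpd.
# The /etc/pki/tls/{certs,private} layout is the role's; the helper names are mine.

# check_tls_files CERT KEY CHAIN HOSTNAME
# Returns 0 when every check passes, 1 (with the reason on stderr) otherwise.
check_tls_files() {
    cert="$1" key="$2" chain="$3" host="$4"

    # 1. The certificate must belong to the private key: same SubjectPublicKeyInfo.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
        || { echo "cannot read certificate $cert" >&2; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
        || { echo "cannot read private key $key" >&2; return 1; }
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "public key in $cert does not match $key" >&2; return 1; }

    # 2. The chain file must sign the certificate and the certificate must be valid for HOSTNAME.
    #    -partial_chain lets the intermediate in the chain file act as trust anchor
    #    (Let's Encrypt chain files do not contain the root); needs OpenSSL >= 1.0.2.
    openssl verify -partial_chain -CAfile "$chain" -verify_hostname "$host" "$cert" >/dev/null 2>&1 \
        || { echo "$cert does not verify against $chain for $host" >&2; return 1; }

    # 3. A certificate that expires within 14 days (1209600 s) means renewal is not working.
    openssl x509 -in "$cert" -noout -checkend 1209600 >/dev/null \
        || { echo "$cert expires within 14 days" >&2; return 1; }

    # 4. The private key must not be readable by group or others (ls columns 5-10 are g/o bits).
    mode=$(ls -ld "$key" | cut -c5-10)
    [ "$mode" = "------" ] \
        || { echo "$key is group/world accessible ($(ls -ld "$key" | cut -c1-10))" >&2; return 1; }
    return 0
}

# Constructed fixture (not real certificates): a throw-away CA and a leaf for HOST,
# laid out like the role's /etc/pki/tls tree under DIR, so the check runs offline.
make_test_pki() {
    dir="$1" host="$2"
    mkdir -p "$dir/certs" "$dir/private"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/ca.key" 2>/dev/null
    openssl req -x509 -new -key "$dir/ca.key" -subj "/CN=Test CA" -days 30 \
        -out "$dir/certs/$host-chain.crt" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/private/$host.key" 2>/dev/null
    chmod 600 "$dir/private/$host.key"
    openssl req -new -key "$dir/private/$host.key" -subj "/CN=$host" -out "$dir/$host.csr" 2>/dev/null
    # SAN so that -verify_hostname matches without relying on the CN fallback.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.cnf"
    openssl x509 -req -in "$dir/$host.csr" -CA "$dir/certs/$host-chain.crt" -CAkey "$dir/ca.key" \
        -set_serial 1 -days 30 -extfile "$dir/san.cnf" -out "$dir/certs/$host.crt" 2>/dev/null
}

# Self-test: build the fixture in a temporary directory and run the check against it.
demo() {
    tmp=$(mktemp -d)
    make_test_pki "$tmp" www.example.com
    check_tls_files "$tmp/certs/www.example.com.crt" "$tmp/private/www.example.com.key" \
        "$tmp/certs/www.example.com-chain.crt" www.example.com
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Stand-alone use: pass the four values, e.g.
#   sh check_tls_files.sh /etc/pki/tls/certs/www.example.com.crt \
#       /etc/pki/tls/private/www.example.com.key \
#       /etc/pki/tls/certs/www.example.com-chain.crt www.example.com
# Without arguments the script exercises itself against the constructed fixture.
if [ "$#" -eq 4 ]; then
    check_tls_files "$@" && echo "OK: $1"
elif [ "$#" -eq 0 ]; then
    demo && echo "OK: self-test passed"
fi
```

Run it with the four values from the Apache snippet after each playbook run (or from the reload_cmd of a certificate) and only reload httpd when it returns 0; a mismatch between certificate and key, or a chain file that no longer signs the certificate, is exactly what httpd would otherwise fail to start on.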
Runs on
RHEL 8 (and compatible)
Mandatory Requirements
- Install openssl. This can be done using the linuxfabrik.lfops.openssl role.
- Install tar. This can be done using the linuxfabrik.lfops.tar role.
- Have a configured webserver.
If you use the acme.sh Playbook, this is automatically done for you.
Mandatory Role Variables
Variable | Description
---|---
acme_sh__account_email | Email address for the Let's Encrypt account. This address will receive expiry emails.
acme_sh__certificates | List of certificates that should be issued. Subkeys: name (the domain name to issue the certificate for; mandatory) and reload_cmd (command to execute after the certificate has been issued or renewed, for example a script that reloads the webserver; optional).
Example:
# mandatory
acme_sh__account_email: 'info@example.com'
acme_sh__certificates:
- name: 'other.example.com'
- name: 'test.example.com'
reload_cmd: '/usr/local/sbin/custom_reload_script'
Optional Role Variables
Variable | Description | Default Value
---|---|---
acme_sh__deploy_to_host | The host which the issued certificates should be deployed to. | unset
acme_sh__deploy_to_host_hook | The deployment hook which should be used to deploy the certificates to the deploy host. |
acme_sh__deploy_to_host_reload_cmd | The reload command which should be executed on the deploy host after the certificates have been deployed. |
acme_sh__deploy_to_host_user | The remote user account which should be used to deploy the certificates to the deploy host. |
acme_sh__key_length | Key length in bits of the certificates to issue. |
acme_sh__timer_enabled | Enables or disables the weekly acme.sh timer, analogous to |
Example:
# optional
acme_sh__deploy_to_host: 'proxy02.example.com'
acme_sh__deploy_to_host_hook: 'ssh'
acme_sh__deploy_to_host_reload_cmd: 'systemctl reload nginx'
acme_sh__deploy_to_host_user: 'root'
acme_sh__key_length: 4096
acme_sh__timer_enabled: true
Troubleshooting
Replace an issued certificate:
# on the remote host:
acme.sh --remove --domain www.example.com
rm -rf /etc/acme.sh/certs/www.example.com/
# on the control node:
ansible-playbook --inventory $INV linuxfabrik.lfops.acme_sh