Attempt to fix the default root CA.

Andrea Dell'Amico 2021-09-28 13:28:32 +02:00
parent cc23336ea9
commit 1d248394cc
Signed by: adellam
GPG Key ID: 147ABE6CEB9E20FF
4 changed files with 4 additions and 5 deletions


@ -56,7 +56,7 @@ letsencrypt_acme_sh_ecc_key_lenght: ec-384
letsencrypt_acme_sh_rsa_key_lenght: 4096
letsencrypt_acme_sh_ocsp_must_staple: False
# Default: ISRG Root X1
letsencrypt_acme_sh_specific_root_ca: "--preferred-chain 'isrg'"
letsencrypt_acme_sh_specific_root_ca: "--preferred-chain 'ISRG Root X1'"
letsencrypt_acme_email: sysadmin@example.com
letsencrypt_acme_sh_email: '{{ letsencrypt_acme_email }}'
letsencrypt_acme_standalone_port: 4402


@ -14,7 +14,6 @@ else
exit 1
fi
$ACME_SH_BIN --upgrade -b chain
$ACME_SH_BIN --cron --home "$ACME_SH_BINDIR" --config-home "$ACME_SH_CONFIG_HOME" > "$ACME_SH_CRON_LOG_FILE" 2>&1
exit $?


@ -42,7 +42,6 @@ if [ ! -f "$ACME_SH_CONFIG_HOME/ok_certificate_issued" ] && [ "$ACME_SH_USE_DNS_
service httpd start >/dev/null 2>&1
fi
else
$ACME_SH_BIN --upgrade -b chain
$ACME_SH_BIN $ACME_SH_ISSUE_CERT_REQUEST > "$ACME_SH_ISSUE_LOG_FILE" 2>&1
RETVAL=$?
fi


@ -14,22 +14,23 @@ ACME_SH_GIT_DIST_DIR={{ letsencrypt_acme_git_dest_dir }}
ACME_LETSENCRYPT_HOOKS_DIR={{ letsencrypt_acme_services_scripts_dir }}
ACME_SH_HTTP_BIND_PORT={{ letsencrypt_acme_standalone_port }}
ACME_SH_USE_DNS_PROVIDER="{{ letsencrypt_acme_sh_use_dns_provider }}"
ACME_SH_INSTALL_CERTS={{ letsencrypt_acme_sh_explicitly_install_certs }}
#
# Install options
#
ACME_SH_INSTALL_OPTS="{{ letsencrypt_acme_sh_install_options }}"
{% if not letsencrypt_acme_sh_install_cron %}
ACME_SH_INSTALL_OPTS="$ACME_SH_INSTALL_OPTS --nocron"
{% endif %}
ACME_SH_ROOT_CA='{{ letsencrypt_acme_sh_specific_root_ca }}'
ACME_SH_INSTALL_OPTS="$ACME_SH_INSTALL_OPTS --home {{ letsencrypt_acme_sh_user_home }}/bin --config-home {{ letsencrypt_acme_sh_base_data_dir }}/data --certhome {{ letsencrypt_acme_sh_base_data_dir }}/certs --log {{ letsencrypt_acme_sh_base_data_dir }}/logs/acme.sh.log"
#
# Certificate issue options
#
ACME_SH_ISSUE_CERT_REQUEST_OPTIONS="--issue --server {{ letsencrypt_acme_sh_default_ca }} {{ letsencrypt_acme_sh_specific_root_ca }} -k {% if letsencrypt_acme_sh_use_ecc %}{{ letsencrypt_acme_sh_ecc_key_lenght }}{% else %}{{ letsencrypt_acme_sh_rsa_key_lenght }}{% endif %} --log {{ letsencrypt_acme_sh_base_data_dir }}/logs/acme.sh.log"
ACME_SH_ISSUE_CERT_REQUEST_OPTIONS='--issue --server {{ letsencrypt_acme_sh_default_ca }} $ACME_SH_ROOT_CA -k {% if letsencrypt_acme_sh_use_ecc %}{{ letsencrypt_acme_sh_ecc_key_lenght }}{% else %}{{ letsencrypt_acme_sh_rsa_key_lenght }}{% endif %} --log {{ letsencrypt_acme_sh_base_data_dir }}/logs/acme.sh.log'
{% if letsencrypt_acme_sh_ocsp_must_staple %}
ACME_SH_ISSUE_CERT_REQUEST="$ACME_SH_ISSUE_CERT_REQUEST_OPTIONS --ocsp"
{% endif %}
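Review bot: The `ACME_SH_ROOT_CA='{{ letsencrypt_acme_sh_specific_root_ca }}'` line wraps a value that itself contains single quotes (the default on this page is `--preferred-chain 'ISRG Root X1'`), so it renders as `ACME_SH_ROOT_CA='--preferred-chain 'ISRG Root X1''`; a shell sourcing that would try to run `Root X1` as a command and would not keep the intended value. The single-quoted `ACME_SH_ISSUE_CERT_REQUEST_OPTIONS` line (the second of the two printed versions, presumably the new side) also stores `$ACME_SH_ROOT_CA` literally. The unquoted `$ACME_SH_BIN $ACME_SH_ISSUE_CERT_REQUEST` call in the issue script word-splits the string but does not expand it again, so unless something outside this page evals it, acme.sh would not receive the chain preference and the certificate would be issued with the CA's default chain. Consider keeping only the chain name in the variable, e.g. `ACME_SH_PREFERRED_CHAIN="ISRG Root X1"`, and passing `--preferred-chain "$ACME_SH_PREFERRED_CHAIN"` as two quoted arguments at the call site. Inspecting the issuer chain of a test certificate would confirm that the option takes effect.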