Prefer the ISRG Root X1 chain. Upgrade acme.sh to the `chain` branch.

This commit is contained in:
Andrea Dell'Amico 2021-09-28 12:36:31 +02:00
parent 8f19c8f944
commit 324c050814
Signed by: adellam
GPG Key ID: 147ABE6CEB9E20FF
4 changed files with 8 additions and 1 deletions


@ -55,6 +55,7 @@ letsencrypt_acme_sh_use_ecc: False
letsencrypt_acme_sh_ecc_key_lenght: ec-384 letsencrypt_acme_sh_ecc_key_lenght: ec-384
letsencrypt_acme_sh_rsa_key_lenght: 4096 letsencrypt_acme_sh_rsa_key_lenght: 4096
letsencrypt_acme_sh_ocsp_must_staple: False letsencrypt_acme_sh_ocsp_must_staple: False
letsencrypt_acme_sh_specific_root_ca: '--preferred-chain "ISRG Root X1"'
letsencrypt_acme_email: sysadmin@example.com letsencrypt_acme_email: sysadmin@example.com
letsencrypt_acme_sh_email: '{{ letsencrypt_acme_email }}' letsencrypt_acme_sh_email: '{{ letsencrypt_acme_email }}'
letsencrypt_acme_standalone_port: 4402 letsencrypt_acme_standalone_port: 4402
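Review bot: The new `letsencrypt_acme_sh_specific_root_ca` default on line 17 is a raw acme.sh option string with embedded double quotes, and nothing documents what preferring this chain implies for clients. Because the value is spliced into a double-quoted shell assignment in the env template, a variable holding only the chain name is easier to consume safely; I would change it to `letsencrypt_acme_sh_preferred_chain: 'ISRG Root X1'` and let the template add the `--preferred-chain` flag itself. Whatever the shape, put a comment above it, e.g. `# Chain requested via acme.sh --preferred-chain; empty keeps the CA default. Preferring ISRG Root X1 selects the short chain, which (as I understand the Let's Encrypt transition) drops clients that only trust the DST Root CA X3 cross-sign, such as old Android.` The flag also needs an acme.sh version that supports it, which is presumably why both scripts now run `--upgrade` first; that dependency is worth stating next to the variable.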


@ -1,17 +1,20 @@
#!/bin/bash #!/bin/bash
if [ -f "/etc/default/acme_sh_request_env" ] ; then if [ -f "/etc/default/acme_sh_request_env" ] ; then
# shellcheck disable=SC1091
. "/etc/default/acme_sh_request_env" . "/etc/default/acme_sh_request_env"
else else
exit 1 exit 1
fi fi
if [ -f "$ACME_SH_ENV_FILE" ] ; then if [ -f "$ACME_SH_ENV_FILE" ] ; then
# shellcheck source=/dev/null
. "$ACME_SH_ENV_FILE" . "$ACME_SH_ENV_FILE"
else else
exit 1 exit 1
fi fi
$ACME_SH_BIN --upgrade -b chain
$ACME_SH_BIN --cron --home "$ACME_SH_BINDIR" --config-home "$ACME_SH_CONFIG_HOME" > "$ACME_SH_CRON_LOG_FILE" 2>&1 $ACME_SH_BIN --cron --home "$ACME_SH_BINDIR" --config-home "$ACME_SH_CONFIG_HOME" > "$ACME_SH_CRON_LOG_FILE" 2>&1
exit $? exit $?
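Review bot: The `--upgrade -b chain` on line 38 fetches and installs acme.sh from the network on every cron run, from what appears to be an unpinned upstream branch, and both its exit status and its output are discarded: there is no `set -e`, and the redirect on the next line covers only the `--cron` call. A renewal cron is a poor place for an unconditional self-update of the code that manages the ACME account and private keys; pin to a release tag, or do the branch switch once from the Ansible role, rather than tracking a branch head that can change or disappear between runs. At minimum capture the upgrade in the same log and pass the same install location the `--cron` call uses: `$ACME_SH_BIN --upgrade -b chain --home "$ACME_SH_BINDIR" --config-home "$ACME_SH_CONFIG_HOME" > "$ACME_SH_CRON_LOG_FILE" 2>&1`, followed by the existing `--cron` line with `>>` in place of `>`. The script is flat, so the whole unit is visible in the hunk.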


@ -5,12 +5,14 @@ if [ $# -ne 1 ] ; then
fi fi
if [ -f "/etc/default/acme_sh_request_env" ] ; then if [ -f "/etc/default/acme_sh_request_env" ] ; then
# shellcheck disable=SC1091
. "/etc/default/acme_sh_request_env" . "/etc/default/acme_sh_request_env"
else else
exit 1 exit 1
fi fi
if [ -n "$ACME_SH_ENV_FILE" ] && [ -f "$ACME_SH_ENV_FILE" ] ; then if [ -n "$ACME_SH_ENV_FILE" ] && [ -f "$ACME_SH_ENV_FILE" ] ; then
# shellcheck source=/dev/null
. "$ACME_SH_ENV_FILE" . "$ACME_SH_ENV_FILE"
else else
exit 1 exit 1
@ -40,6 +42,7 @@ if [ ! -f "$ACME_SH_CONFIG_HOME/ok_certificate_issued" ] && [ "$ACME_SH_USE_DNS_
service httpd start >/dev/null 2>&1 service httpd start >/dev/null 2>&1
fi fi
else else
$ACME_SH_BIN --upgrade -b chain
$ACME_SH_BIN $ACME_SH_ISSUE_CERT_REQUEST > "$ACME_SH_ISSUE_LOG_FILE" 2>&1 $ACME_SH_BIN $ACME_SH_ISSUE_CERT_REQUEST > "$ACME_SH_ISSUE_LOG_FILE" 2>&1
RETVAL=$? RETVAL=$?
fi fi
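Review bot: The `--upgrade -b chain` added on line 61 sends its output to wherever the script's stdout happens to be rather than to `$ACME_SH_ISSUE_LOG_FILE`, and a failed upgrade is invisible because `RETVAL` on line 63 only reflects the issue command. I would redirect it into the issue log and let the issue call append: `$ACME_SH_BIN --upgrade -b chain > "$ACME_SH_ISSUE_LOG_FILE" 2>&1` then `$ACME_SH_BIN $ACME_SH_ISSUE_CERT_REQUEST >> "$ACME_SH_ISSUE_LOG_FILE" 2>&1`. It also duplicates the upgrade the cron script now performs, so consider moving the branch switch to a single place (an Ansible task or the install step) instead of re-fetching acme.sh on every invocation of both scripts. The `if … else` block this line sits in starts outside the hunk.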


@ -29,7 +29,7 @@ ACME_SH_INSTALL_OPTS="$ACME_SH_INSTALL_OPTS --home {{ letsencrypt_acme_sh_user_h
# #
# Certificate issue options # Certificate issue options
# #
ACME_SH_ISSUE_CERT_REQUEST_OPTIONS="--issue --server {{ letsencrypt_acme_sh_default_ca }} -k {% if letsencrypt_acme_sh_use_ecc %}{{ letsencrypt_acme_sh_ecc_key_lenght }}{% else %}{{ letsencrypt_acme_sh_rsa_key_lenght }}{% endif %} --log {{ letsencrypt_acme_sh_base_data_dir }}/logs/acme.sh.log" ACME_SH_ISSUE_CERT_REQUEST_OPTIONS="--issue --server {{ letsencrypt_acme_sh_default_ca }} {{ letsencrypt_acme_sh_specific_root_ca }} -k {% if letsencrypt_acme_sh_use_ecc %}{{ letsencrypt_acme_sh_ecc_key_lenght }}{% else %}{{ letsencrypt_acme_sh_rsa_key_lenght }}{% endif %} --log {{ letsencrypt_acme_sh_base_data_dir }}/logs/acme.sh.log"
{% if letsencrypt_acme_sh_ocsp_must_staple %} {% if letsencrypt_acme_sh_ocsp_must_staple %}
ACME_SH_ISSUE_CERT_REQUEST="$ACME_SH_ISSUE_CERT_REQUEST_OPTIONS --ocsp" ACME_SH_ISSUE_CERT_REQUEST="$ACME_SH_ISSUE_CERT_REQUEST_OPTIONS --ocsp"
{% endif %} {% endif %}
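Review bot: The rendered line 72 breaks the env file as shell: with the role default `--preferred-chain "ISRG Root X1"`, the inner double quotes terminate the outer string, so when the file is sourced the assignment value ends at `ISRG` and the rest of the line (`Root X1" -k …"`) is parsed as a command named `Root` with the assignment as a temporary prefix, leaving `ACME_SH_ISSUE_CERT_REQUEST_OPTIONS` unset in the sourcing shell. Even with the quotes escaped, `$ACME_SH_ISSUE_CERT_REQUEST` is expanded unquoted in the request script, so a chain name containing spaces would still be split into three separate arguments. One way out is to emit the chain on its own line, `ACME_SH_PREFERRED_CHAIN='{{ letsencrypt_acme_sh_preferred_chain }}'`, keep this options string free of it, and have the request script append `--preferred-chain "$ACME_SH_PREFERRED_CHAIN"` as a separately quoted argument when the variable is non-empty. The assignment itself is complete on line 72; nothing in this hunk is cut at the edge.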