Set the root CA option in the main script.
This commit is contained in:
parent
27eaaa0e6d
commit
ae14f50a4f
@ -56,7 +56,7 @@ letsencrypt_acme_sh_ecc_key_lenght: ec-384
letsencrypt_acme_sh_rsa_key_lenght: 4096
letsencrypt_acme_sh_rsa_key_lenght: 4096
letsencrypt_acme_sh_ocsp_must_staple: False
letsencrypt_acme_sh_ocsp_must_staple: False
# Default: ISRG Root X1
# Default: ISRG Root X1
letsencrypt_acme_sh_specific_root_ca: "--preferred-chain 'ISRG Root X1'"
letsencrypt_acme_sh_specific_root_ca: '--preferred-chain "ISRG Root X1"'
letsencrypt_acme_email: sysadmin@example.com
letsencrypt_acme_email: sysadmin@example.com
letsencrypt_acme_sh_email: '{{ letsencrypt_acme_email }}'
letsencrypt_acme_sh_email: '{{ letsencrypt_acme_email }}'
letsencrypt_acme_standalone_port: 4402
letsencrypt_acme_standalone_port: 4402
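Review bot: The new `letsencrypt_acme_sh_specific_root_ca` value carries the whole `--preferred-chain "ISRG Root X1"` flag and, per the request-script hunk in this commit, is pasted verbatim into a root-owned shell script, so an unbalanced quote or a stray `;` in an override becomes part of the rendered command rather than a safely quoted argument. A comment above the line would make that contract explicit: `# Rendered verbatim into the acme.sh command line (no quoting or escaping is applied); set to '' to let the CA choose the chain`. The chain name is only meaningful when `letsencrypt_acme_sh_default_ca` points at Let's Encrypt, and if I recall correctly older acme.sh releases do not know `--preferred-chain` at all, both of which are worth stating next to the default. The surrounding `False` literals are context, but `false` is the portable spelling if this file is touched again.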
@ -38,7 +38,12 @@
tags: [ 'letsencrypt', 'letsencrypt_cron', 'letsencrypt_acme_sh', 'letsencrypt_acme_sh_scripts' ]
tags: [ 'letsencrypt', 'letsencrypt_cron', 'letsencrypt_acme_sh', 'letsencrypt_acme_sh_scripts' ]
- name: Install a script that issues the certificates
- name: Install a script that issues the certificates
copy: src=acme-sh-request-cert dest=/usr/local/bin/acme-sh-request-cert owner=root group=acme mode=0750
template:
src: acme-sh-request-cert.sh.j2
dest: /usr/local/bin/acme-sh-request-cert
owner: root
group: acme
mode: 0750
tags: [ 'letsencrypt', 'letsencrypt_cron', 'letsencrypt_acme_sh', 'letsencrypt_acme_sh_scripts' ]
tags: [ 'letsencrypt', 'letsencrypt_cron', 'letsencrypt_acme_sh', 'letsencrypt_acme_sh_scripts' ]
- name: Install a script that installs the issued certificates
- name: Install a script that installs the issued certificates
@ -49,8 +54,13 @@
template: src=acme-services-hook.j2 dest=/usr/local/bin/acme-services-hook owner=root group=acme mode=0750
template: src=acme-services-hook.j2 dest=/usr/local/bin/acme-services-hook owner=root group=acme mode=0750
- name: Install the scripts that will be run as a cron job
- name: Install the scripts that will be run as a cron job
copy: src={{ item }} dest=/usr/local/bin/{{ item }} owner=root group=acme mode=0750
template:
with_items:
src: '{{ item }}.sh.j2'
dest: '/usr/local/bin/{{ item }}'
owner: root
group: acme
mode: 0750
loop:
- acme-sh-cron-script
- acme-sh-cron-script
- acme-sh-cron-command
- acme-sh-cron-command
tags: [ 'letsencrypt', 'letsencrypt_cron', 'letsencrypt_acme_sh', 'letsencrypt_acme_sh_scripts' ]
tags: [ 'letsencrypt', 'letsencrypt_cron', 'letsencrypt_acme_sh', 'letsencrypt_acme_sh_scripts' ]
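Review bot: The new `template:` tasks render operator-supplied Jinja values straight into executables under `/usr/local/bin` with no check that the result is still valid shell, so a malformed `letsencrypt_acme_sh_specific_root_ca` yields a broken root-owned script that only fails later, silently, from cron. Adding `validate: 'bash -n %s'` to each `template:` task (the request-cert task and the looped cron-script task) makes the deploy fail at syntax-check time and leaves the previously installed script in place. `mode: 0750` is also safer written as the string `'0750'`, since an unquoted leading-zero integer relies on the YAML loader reading it as octal. Both tasks assume the renamed `*.sh.j2` sources exist under `templates/`; that rename is not visible in this commit, so it is worth confirming it landed alongside.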
@ -1,12 +1,14 @@
#!/bin/bash
#!/bin/bash
if [ -f "/etc/default/acme_sh_request_env" ] ; then
if [ -f "/etc/default/acme_sh_request_env" ] ; then
# shellcheck disable=SC1091
. "/etc/default/acme_sh_request_env"
. "/etc/default/acme_sh_request_env"
else
else
exit 1
exit 1
fi
fi
if [ -f "$ACME_SH_ENV_FILE" ] ; then
if [ -f "$ACME_SH_ENV_FILE" ] ; then
# shellcheck source=/dev/null
. "$ACME_SH_ENV_FILE"
. "$ACME_SH_ENV_FILE"
else
else
exit 1
exit 1
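Review bot: Both `else` branches `exit 1` without writing anything to stderr, so when this runs unattended a missing `/etc/default/acme_sh_request_env` or `$ACME_SH_ENV_FILE` is indistinguishable from any other failure; `echo "acme: $ACME_SH_ENV_FILE not found" >&2` (and the equivalent for the fixed path) before each exit costs one line each. The second `.` executes whatever `$ACME_SH_ENV_FILE` contains at whatever privilege this script runs with, and the path itself comes from the first sourced file, so both files are trusted unconditionally; a comment above the first `if`, e.g. `# Both env files are sourced as code: they must be root-owned and not group/world-writable`, records the assumption the new shellcheck directives otherwise paper over. The second `if` block continues past the end of the hunk.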
@ -30,7 +30,7 @@ if [ ! -f "$ACME_SH_CONFIG_HOME/ok_certificate_issued" ] && [ "$ACME_SH_USE_DNS_
service apache2 stop >/dev/null 2>&1
service apache2 stop >/dev/null 2>&1
service httpd stop >/dev/null 2>&1
service httpd stop >/dev/null 2>&1
fi
fi
$ACME_SH_BIN $ACME_SH_FIRST_CERT_REQUEST > "$ACME_SH_ISSUE_LOG_FILE" 2>&1
$ACME_SH_BIN {{ letsencrypt_acme_sh_specific_root_ca }} $ACME_SH_FIRST_CERT_REQUEST > "$ACME_SH_ISSUE_LOG_FILE" 2>&1
RETVAL=$?
RETVAL=$?
if [ -x /bin/systemctl ] ; then
if [ -x /bin/systemctl ] ; then
/bin/systemctl restart nginx >/dev/null 2>&1
/bin/systemctl restart nginx >/dev/null 2>&1
@ -42,7 +42,7 @@ if [ ! -f "$ACME_SH_CONFIG_HOME/ok_certificate_issued" ] && [ "$ACME_SH_USE_DNS_
service httpd start >/dev/null 2>&1
service httpd start >/dev/null 2>&1
fi
fi
else
else
$ACME_SH_BIN $ACME_SH_ISSUE_CERT_REQUEST > "$ACME_SH_ISSUE_LOG_FILE" 2>&1
$ACME_SH_BIN {{ letsencrypt_acme_sh_specific_root_ca }} $ACME_SH_ISSUE_CERT_REQUEST > "$ACME_SH_ISSUE_LOG_FILE" 2>&1
RETVAL=$?
RETVAL=$?
fi
fi
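Review bot: On both changed command lines the `{{ letsencrypt_acme_sh_specific_root_ca }}` expression is substituted into the script text with no escaping, and `$ACME_SH_BIN` next to it is expanded unquoted, so the rendered command is only as well-formed as the operator's variable; quoting the binary as `"$ACME_SH_BIN"` at least keeps the path intact, and a comment such as `# {{ ... }} expands at template time to the --preferred-chain flag from the role defaults` tells the next reader why a Jinja expression sits in a shell command. The preferred chain is matched against the chains offered by the `--server` CA configured in `ACME_SH_ISSUE_CERT_REQUEST_OPTIONS`, so with a non-Let's-Encrypt `letsencrypt_acme_sh_default_ca` the `ISRG Root X1` preference cannot match and acme.sh's fallback (presumably the CA's default chain, with a warning in `$ACME_SH_ISSUE_LOG_FILE`) should be confirmed rather than assumed. The enclosing `if … else … fi` starts before the first hunk of this file.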
@ -30,7 +30,7 @@ ACME_SH_INSTALL_OPTS="$ACME_SH_INSTALL_OPTS --home {{ letsencrypt_acme_sh_user_h
#
#
# Certificate issue options
# Certificate issue options
#
#
ACME_SH_ISSUE_CERT_REQUEST_OPTIONS="--issue --server {{ letsencrypt_acme_sh_default_ca }} $ACME_SH_ROOT_CA -k {% if letsencrypt_acme_sh_use_ecc %}{{ letsencrypt_acme_sh_ecc_key_lenght }}{% else %}{{ letsencrypt_acme_sh_rsa_key_lenght }}{% endif %} --log {{ letsencrypt_acme_sh_base_data_dir }}/logs/acme.sh.log"
ACME_SH_ISSUE_CERT_REQUEST_OPTIONS="--issue --server {{ letsencrypt_acme_sh_default_ca }} -k {% if letsencrypt_acme_sh_use_ecc %}{{ letsencrypt_acme_sh_ecc_key_lenght }}{% else %}{{ letsencrypt_acme_sh_rsa_key_lenght }}{% endif %} --log {{ letsencrypt_acme_sh_base_data_dir }}/logs/acme.sh.log"
{% if letsencrypt_acme_sh_ocsp_must_staple %}
{% if letsencrypt_acme_sh_ocsp_must_staple %}
ACME_SH_ISSUE_CERT_REQUEST="$ACME_SH_ISSUE_CERT_REQUEST_OPTIONS --ocsp"
ACME_SH_ISSUE_CERT_REQUEST="$ACME_SH_ISSUE_CERT_REQUEST_OPTIONS --ocsp"
{% endif %}
{% endif %}