letsencrypt-acme-tool: ocsp must staple option True by default.
parent
71b54c7e05
commit
220af7bf9d
|
@ -25,10 +25,13 @@ letsencrypt_acme_services_scripts_dir: /usr/lib/acme/hooks
|
||||||
letsencrypt_tos_url: 'https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf'
|
letsencrypt_tos_url: 'https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf'
|
||||||
letsencrypt_acme_agree_tos: true
|
letsencrypt_acme_agree_tos: true
|
||||||
letsencrypt_acme_rsa_key_size: 4096
|
letsencrypt_acme_rsa_key_size: 4096
|
||||||
|
letsencrypt_ocsp_must_staple: True
|
||||||
# rsa|ecdsa
|
# rsa|ecdsa
|
||||||
letsencrypt_acme_key_type: ecdsa
|
letsencrypt_acme_key_type: ecdsa
|
||||||
letsencrypt_acme_ecdsa_curve: nistp256
|
letsencrypt_acme_ecdsa_curve: nistp256
|
||||||
letsencrypt_acme_email: sysadmin@example.com
|
letsencrypt_acme_email: sysadmin@example.com
|
||||||
|
letsencrypt_specify_key_id: False
|
||||||
|
letsencrypt_key_id: 'some random string'
|
||||||
# We 'listener' or 'proxy'. Use 'listener' if we need a certificate for a non web service or before the web service has been configured.
|
# We 'listener' or 'proxy'. Use 'listener' if we need a certificate for a non web service or before the web service has been configured.
|
||||||
# Need to set cap_net_bind_service=+ep for the acmetool binary so that it is able to bind port 80 in that case.
|
# Need to set cap_net_bind_service=+ep for the acmetool binary so that it is able to bind port 80 in that case.
|
||||||
letsencrypt_acme_authenticator: listener
|
letsencrypt_acme_authenticator: listener
|
||||||
|
|
|
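Review bot: The two new defaults are written as `True` and `False` while the same file already uses lowercase `true` for letsencrypt_acme_agree_tos; capitalised forms are YAML 1.1-only booleans that yamllint's truthy rule rejects, so write `letsencrypt_ocsp_must_staple: true` and `letsencrypt_specify_key_id: false`. Because must-staple is now on by default, a comment above the first line would save operators a failed rollout, for example `# The web server serving these certificates must have OCSP stapling enabled, otherwise clients that enforce the must-staple extension refuse the handshake.` The placeholder `letsencrypt_key_id: 'some random string'` is inert while letsencrypt_specify_key_id is false, but a comment saying it has to be overridden when that flag is enabled would avoid every rendered target sharing the same id.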
@ -26,7 +26,7 @@
|
||||||
tags: letsencrypt
|
tags: letsencrypt
|
||||||
|
|
||||||
- name: Create the letsencrypt acme user
|
- name: Create the letsencrypt acme user
|
||||||
user: name={{ letsencrypt_acme_user }} home={{ letsencrypt_acme_user_home }} createhome=no shell=/bin/bash
|
user: name={{ letsencrypt_acme_user }} home={{ letsencrypt_acme_user_home }} createhome=no shell=/usr/sbin/nologin system=yes
|
||||||
when: letsencrypt_acme_install
|
when: letsencrypt_acme_install
|
||||||
tags: letsencrypt
|
tags: letsencrypt
|
||||||
|
|
||||||
|
@ -85,7 +85,7 @@
|
||||||
capabilities: path=/usr/bin/acmetool capability=cap_net_bind_service+ep state=present
|
capabilities: path=/usr/bin/acmetool capability=cap_net_bind_service+ep state=present
|
||||||
when:
|
when:
|
||||||
- letsencrypt_acme_install
|
- letsencrypt_acme_install
|
||||||
- "'{{ letsencrypt_acme_authenticator }}' == 'listener'"
|
- letsencrypt_acme_authenticator == 'listener'
|
||||||
tags: letsencrypt
|
tags: letsencrypt
|
||||||
|
|
||||||
- name: Remove the cap_net_bind_service capability to the acmetool binary if not needed
|
- name: Remove the cap_net_bind_service capability to the acmetool binary if not needed
|
||||||
|
@ -110,6 +110,16 @@
|
||||||
template: src=acme-cert-request.sh.j2 dest=/usr/local/bin/acme-cert-request owner=root group=root mode=0755
|
template: src=acme-cert-request.sh.j2 dest=/usr/local/bin/acme-cert-request owner=root group=root mode=0755
|
||||||
when: letsencrypt_acme_install
|
when: letsencrypt_acme_install
|
||||||
tags: letsencrypt
|
tags: letsencrypt
|
||||||
|
|
||||||
|
- name: Set certificates as to be revoked
|
||||||
|
become: True
|
||||||
|
become_user: '{{ letsencrypt_acme_user }}'
|
||||||
|
file: dest={{ letsencrypt_acme_user_home }}certs/{{ item.cert_name }}/revoke
|
||||||
|
with_items: '{{ letsencrypt_certs_revoke_list }}'
|
||||||
|
when:
|
||||||
|
- letsencrypt_acme_install
|
||||||
|
- letsencrypt_certs_revoke_list is defined
|
||||||
|
tags: letsencrypt
|
||||||
|
|
||||||
- name: Install a daily cron job to renew the certificates when needed
|
- name: Install a daily cron job to renew the certificates when needed
|
||||||
become: True
|
become: True
|
||||||
|
|
|
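Review bot: The new "Set certificates as to be revoked" task uses the `file` module without a `state`, and the module's default state does not create a missing path, so the revoke marker is never created and the task fails on the first run; it needs `file: dest={{ letsencrypt_acme_user_home }}certs/{{ item.cert_name }}/revoke state=touch`. The `when: letsencrypt_certs_revoke_list is defined` guard is probably not enough on its own, since Ansible expands `with_items` before evaluating the condition and an undefined list raises an error there; `with_items: '{{ letsencrypt_certs_revoke_list | default([]) }}'` avoids that. The path also relies on letsencrypt_acme_user_home ending in a slash, which is worth a comment or an explicit `/` in the template. The hunks at lines 26 and 85 look correct as changed.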
@ -5,6 +5,9 @@ satisfy:
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
|
||||||
request:
|
request:
|
||||||
|
{% if letsencrypt_ocsp_must_staple %}
|
||||||
|
ocsp-must-staple: true
|
||||||
|
{% endif %}
|
||||||
challenge:
|
challenge:
|
||||||
http-ports:
|
http-ports:
|
||||||
- {{ letsencrypt_acme_standalone_port }}
|
- {{ letsencrypt_acme_standalone_port }}
|
||||||
|
@ -16,5 +19,7 @@ key:
|
||||||
{% else %}
|
{% else %}
|
||||||
ecdsa-curve: {{ letsencrypt_acme_ecdsa_curve }}
|
ecdsa-curve: {{ letsencrypt_acme_ecdsa_curve }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
{% if letsencrypt_specify_key_id %}
|
||||||
|
id: {{ letsencrypt_key_id }}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
|
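Review bot: The new `id: {{ letsencrypt_key_id }}` line renders the operator-supplied value unquoted into the acmetool target file, so a value that is all digits, boolean-looking or starts with a YAML indicator is retyped or breaks the parse; render it as `id: "{{ letsencrypt_key_id }}"`. The enclosing `key:` mapping starts before this hunk, so the indentation of the added lines relative to the other keys cannot be checked from here and should be confirmed on the rendered file. The `ocsp-must-staple: true` block in the earlier hunk of this template is fine as a literal boolean.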