letsencrypt-acme-tool: ocsp must staple option True by default.

Andrea Dell'Amico 2017-10-20 15:55:17 +02:00
parent 71b54c7e05
commit 220af7bf9d
3 changed files with 21 additions and 3 deletions


@ -25,10 +25,13 @@ letsencrypt_acme_services_scripts_dir: /usr/lib/acme/hooks
letsencrypt_tos_url: 'https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf' letsencrypt_tos_url: 'https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf'
letsencrypt_acme_agree_tos: true letsencrypt_acme_agree_tos: true
letsencrypt_acme_rsa_key_size: 4096 letsencrypt_acme_rsa_key_size: 4096
letsencrypt_ocsp_must_staple: True
# rsa|ecdsa # rsa|ecdsa
letsencrypt_acme_key_type: ecdsa letsencrypt_acme_key_type: ecdsa
letsencrypt_acme_ecdsa_curve: nistp256 letsencrypt_acme_ecdsa_curve: nistp256
letsencrypt_acme_email: sysadmin@example.com letsencrypt_acme_email: sysadmin@example.com
letsencrypt_specify_key_id: False
letsencrypt_key_id: 'some random string'
# We 'listener' or 'proxy'. Use 'listener' if we need a certificate for a non web service or before the web service has been configured. # We 'listener' or 'proxy'. Use 'listener' if we need a certificate for a non web service or before the web service has been configured.
# Need to set cap_net_bind_service=+ep for the acmetool binary so that it is able to bind port 80 in that case. # Need to set cap_net_bind_service=+ep for the acmetool binary so that it is able to bind port 80 in that case.
letsencrypt_acme_authenticator: listener letsencrypt_acme_authenticator: listener
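Review bot: `letsencrypt_ocsp_must_staple: True` and `letsencrypt_specify_key_id: False` use capitalised booleans while the rest of this defaults file writes lowercase (`letsencrypt_acme_agree_tos: true`); write them as `letsencrypt_ocsp_must_staple: true` and `letsencrypt_specify_key_id: false` so the file stays consistent and passes yamllint's truthy rule. Since the new default switches Must-Staple on for every certificate the role requests, a comment above it would save an operator from a hard-to-diagnose outage, e.g. `# Requests the OCSP Must-Staple extension; the web server serving the certificate must have OCSP stapling enabled, or clients that enforce the extension will reject it.` The placeholder `letsencrypt_key_id: 'some random string'` is rendered verbatim into the acmetool target file whenever `letsencrypt_specify_key_id` is set without overriding it; consider defaulting it to `''` and documenting that it must be set together with the flag.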


@ -26,7 +26,7 @@
tags: letsencrypt tags: letsencrypt
- name: Create the letsencrypt acme user - name: Create the letsencrypt acme user
user: name={{ letsencrypt_acme_user }} home={{ letsencrypt_acme_user_home }} createhome=no shell=/bin/bash user: name={{ letsencrypt_acme_user }} home={{ letsencrypt_acme_user_home }} createhome=no shell=/usr/sbin/nologin system=yes
when: letsencrypt_acme_install when: letsencrypt_acme_install
tags: letsencrypt tags: letsencrypt
@ -85,7 +85,7 @@
capabilities: path=/usr/bin/acmetool capability=cap_net_bind_service+ep state=present capabilities: path=/usr/bin/acmetool capability=cap_net_bind_service+ep state=present
when: when:
- letsencrypt_acme_install - letsencrypt_acme_install
- "'{{ letsencrypt_acme_authenticator }}' == 'listener'" - letsencrypt_acme_authenticator == 'listener'
tags: letsencrypt tags: letsencrypt
- name: Remove the cap_net_bind_service capability to the acmetool binary if not needed - name: Remove the cap_net_bind_service capability to the acmetool binary if not needed
@ -110,6 +110,16 @@
template: src=acme-cert-request.sh.j2 dest=/usr/local/bin/acme-cert-request owner=root group=root mode=0755 template: src=acme-cert-request.sh.j2 dest=/usr/local/bin/acme-cert-request owner=root group=root mode=0755
when: letsencrypt_acme_install when: letsencrypt_acme_install
tags: letsencrypt tags: letsencrypt
- name: Set certificates as to be revoked
become: True
become_user: '{{ letsencrypt_acme_user }}'
file: dest={{ letsencrypt_acme_user_home }}certs/{{ item.cert_name }}/revoke
with_items: '{{ letsencrypt_certs_revoke_list }}'
when:
- letsencrypt_acme_install
- letsencrypt_certs_revoke_list is defined
tags: letsencrypt
- name: Install a daily cron job to renew the certificates when needed - name: Install a daily cron job to renew the certificates when needed
become: True become: True
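Review bot: The new `Set certificates as to be revoked` task passes only `dest=` to `file:`, so the module's default `state=file` applies, which never creates the marker and fails when `…/revoke` does not exist yet; it should read `file: dest={{ letsencrypt_acme_user_home }}certs/{{ item.cert_name }}/revoke state=touch`. The `letsencrypt_certs_revoke_list is defined` condition does not guard the loop, because `with_items` is expanded before `when` is evaluated, so an undefined list aborts the play instead of skipping the task; use `with_items: '{{ letsencrypt_certs_revoke_list | default([]) }}'`. The path concatenates `letsencrypt_acme_user_home` and `certs/` with no separator, which presumably relies on the home variable ending in `/`; confirm that against its default. The third hunk starts at the task before this one and ends on the `become: True` of the cron task, so the surrounding tasks are outside the view.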


@ -5,6 +5,9 @@ satisfy:
{% endfor %} {% endfor %}
request: request:
{% if letsencrypt_ocsp_must_staple %}
ocsp-must-staple: true
{% endif %}
challenge: challenge:
http-ports: http-ports:
- {{ letsencrypt_acme_standalone_port }} - {{ letsencrypt_acme_standalone_port }}
@ -16,5 +19,7 @@ key:
{% else %} {% else %}
ecdsa-curve: {{ letsencrypt_acme_ecdsa_curve }} ecdsa-curve: {{ letsencrypt_acme_ecdsa_curve }}
{% endif %} {% endif %}
{% if letsencrypt_specify_key_id %}
id: {{ letsencrypt_key_id }}
{% endif %}
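Review bot: `id: {{ letsencrypt_key_id }}` in the second hunk renders the key id as a plain scalar, so any value containing `: `, ` #` or a leading YAML indicator silently changes the structure of the generated target file; render it as `id: '{{ letsencrypt_key_id }}'`, which also keeps the default placeholder from being parsed as anything but a string. The rendered page drops indentation, so confirm the three inserted lines sit at the same depth as `ecdsa-curve:` under `key:`; a misplaced `id:` would be ignored or rejected by acmetool rather than reported by the template step. The `ocsp-must-staple: true` emitted by the first hunk is correctly gated on the new variable; the guard around `id:` should additionally require `letsencrypt_key_id` to be non-empty, e.g. `{% if letsencrypt_specify_key_id and letsencrypt_key_id %}`, so an unset id never reaches the target file.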