letsencrypt-acme-tool: ocsp must staple option True by default.
parent
71b54c7e05
commit
220af7bf9d
|
@ -25,10 +25,13 @@ letsencrypt_acme_services_scripts_dir: /usr/lib/acme/hooks
|
|||
letsencrypt_tos_url: 'https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf'
|
||||
letsencrypt_acme_agree_tos: true
|
||||
letsencrypt_acme_rsa_key_size: 4096
|
||||
letsencrypt_ocsp_must_staple: True
|
||||
# rsa|ecdsa
|
||||
letsencrypt_acme_key_type: ecdsa
|
||||
letsencrypt_acme_ecdsa_curve: nistp256
|
||||
letsencrypt_acme_email: sysadmin@example.com
|
||||
letsencrypt_specify_key_id: False
|
||||
letsencrypt_key_id: 'some random string'
|
||||
# We 'listener' or 'proxy'. Use 'listener' if we need a certificate for a non web service or before the web service has been configured.
|
||||
# Need to set cap_net_bind_service=+ep for the acmetool binary so that it is able to bind port 80 in that case.
|
||||
letsencrypt_acme_authenticator: listener
|
||||
|
|
|
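Review bot: `letsencrypt_ocsp_must_staple: True` and `letsencrypt_specify_key_id: False` use capitalised booleans while the same hunk writes `letsencrypt_acme_agree_tos: true`; prefer lowercase `true`/`false` throughout (yamllint `truthy`, Ansible convention). Turning must-staple on by default is a hard commitment: a certificate carrying that extension is refused by clients that enforce it whenever the TLS endpoint does not actually staple an OCSP response, so a comment above the default should say so, e.g. `# Requires OCSP stapling on every service that serves the certificate; enforcing clients reject a must-staple cert without a stapled response.` The placeholder `letsencrypt_key_id: 'some random string'` is rendered verbatim into the request config once `letsencrypt_specify_key_id` is enabled, so a line such as `# Override when letsencrypt_specify_key_id is true; this placeholder is not a valid key id.` would help. Which of these lines are new cannot be told from the page, though the commit title points at the must-staple default.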
@ -26,7 +26,7 @@
|
|||
tags: letsencrypt
|
||||
|
||||
- name: Create the letsencrypt acme user
|
||||
user: name={{ letsencrypt_acme_user }} home={{ letsencrypt_acme_user_home }} createhome=no shell=/bin/bash
|
||||
user: name={{ letsencrypt_acme_user }} home={{ letsencrypt_acme_user_home }} createhome=no shell=/usr/sbin/nologin system=yes
|
||||
when: letsencrypt_acme_install
|
||||
tags: letsencrypt
|
||||
|
||||
|
@ -85,7 +85,7 @@
|
|||
capabilities: path=/usr/bin/acmetool capability=cap_net_bind_service+ep state=present
|
||||
when:
|
||||
- letsencrypt_acme_install
|
||||
- "'{{ letsencrypt_acme_authenticator }}' == 'listener'"
|
||||
- letsencrypt_acme_authenticator == 'listener'
|
||||
tags: letsencrypt
|
||||
|
||||
- name: Remove the cap_net_bind_service capability to the acmetool binary if not needed
|
||||
|
@ -110,6 +110,16 @@
|
|||
template: src=acme-cert-request.sh.j2 dest=/usr/local/bin/acme-cert-request owner=root group=root mode=0755
|
||||
when: letsencrypt_acme_install
|
||||
tags: letsencrypt
|
||||
|
||||
- name: Set certificates as to be revoked
|
||||
become: True
|
||||
become_user: '{{ letsencrypt_acme_user }}'
|
||||
file: dest={{ letsencrypt_acme_user_home }}certs/{{ item.cert_name }}/revoke
|
||||
with_items: '{{ letsencrypt_certs_revoke_list }}'
|
||||
when:
|
||||
- letsencrypt_acme_install
|
||||
- letsencrypt_certs_revoke_list is defined
|
||||
tags: letsencrypt
|
||||
|
||||
- name: Install a daily cron job to renew the certificates when needed
|
||||
become: True
|
||||
|
|
|
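Review bot: The new `Set certificates as to be revoked` task calls `file:` with only `dest=` and no `state=`; the module's default state does not create a missing path, so the `revoke` marker is never created and the task fails on a host where it does not already exist. Use `file: dest=... state=touch` (or the native-YAML form) so the marker is created, keeping in mind that `touch` reports changed on every run unless the timestamps are pinned. The path also concatenates `{{ letsencrypt_acme_user_home }}certs/...` without a separator, so it silently depends on the variable ending in `/`; `{{ letsencrypt_acme_user_home }}/certs/` is safer if the variable is defined without a trailing slash. `with_items: '{{ letsencrypt_certs_revoke_list }}'` appears to be expanded before the per-item `when` is evaluated, so an undefined list errors instead of being skipped; `with_items: '{{ letsencrypt_certs_revoke_list | default([]) }}'` keeps the `is defined` guard effective. The user hunk at `@ -26,7` and the capability hunk at `@ -85,7` are not affected by this.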
@ -5,6 +5,9 @@ satisfy:
|
|||
{% endfor %}
|
||||
|
||||
request:
|
||||
{% if letsencrypt_ocsp_must_staple %}
|
||||
ocsp-must-staple: true
|
||||
{% endif %}
|
||||
challenge:
|
||||
http-ports:
|
||||
- {{ letsencrypt_acme_standalone_port }}
|
||||
|
@ -16,5 +19,7 @@ key:
|
|||
{% else %}
|
||||
ecdsa-curve: {{ letsencrypt_acme_ecdsa_curve }}
|
||||
{% endif %}
|
||||
|
||||
{% if letsencrypt_specify_key_id %}
|
||||
id: {{ letsencrypt_key_id }}
|
||||
{% endif %}
|
||||
|
||||
|
|
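Review bot: `ocsp-must-staple: true` is emitted under `request:` whenever `letsencrypt_ocsp_must_staple` is truthy, and since the role now defaults it on, every certificate issued through this template carries the must-staple extension; a client that enforces it refuses the connection when the serving endpoint does not staple a fresh OCSP response, and nothing in this change configures stapling on the serving side. A comment above the block, e.g. `{# must-staple makes the cert unusable on any endpoint that does not staple OCSP responses; set letsencrypt_ocsp_must_staple to false for such services #}`, documents that operational coupling without reaching the rendered output. In the `@ -16,5 +19,7` hunk, `id: {{ letsencrypt_key_id }}` is rendered unquoted, so a key id that looks numeric or contains YAML specials would be retyped or break the parse; `id: "{{ letsencrypt_key_id }}"` keeps it a string. The enclosing `request:` and `key:` mappings both start outside their hunks.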