From 220af7bf9d30272508f43bd32938b80fb94beaa3 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Fri, 20 Oct 2017 15:55:17 +0200
Subject: [PATCH] letsencrypt-acme-tool: ocsp must staple option True by default.
---
 letsencrypt-acmetool-client/defaults/main.yml | 3 +++
 letsencrypt-acmetool-client/tasks/main.yml | 14 ++++++++++++--
 .../templates/cert-requirements.j2 | 7 ++++++-
 3 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/letsencrypt-acmetool-client/defaults/main.yml b/letsencrypt-acmetool-client/defaults/main.yml
index 1ddbc325..14951eb8 100644
--- a/letsencrypt-acmetool-client/defaults/main.yml
+++ b/letsencrypt-acmetool-client/defaults/main.yml
@@ -25,10 +25,13 @@ letsencrypt_acme_services_scripts_dir: /usr/lib/acme/hooks
 letsencrypt_tos_url: 'https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf'
 letsencrypt_acme_agree_tos: true
 letsencrypt_acme_rsa_key_size: 4096
+letsencrypt_ocsp_must_staple: True
 # rsa|ecdsa
 letsencrypt_acme_key_type: ecdsa
 letsencrypt_acme_ecdsa_curve: nistp256
 letsencrypt_acme_email: sysadmin@example.com
+letsencrypt_specify_key_id: False
+letsencrypt_key_id: 'some random string'
 # We 'listener' or 'proxy'. Use 'listener' if we need a certificate for a non web service or before the web service has been configured.
 # Need to set cap_net_bind_service=+ep for the acmetool binary so that it is able to bind port 80 in that case.
 letsencrypt_acme_authenticator: listener
diff --git a/letsencrypt-acmetool-client/tasks/main.yml b/letsencrypt-acmetool-client/tasks/main.yml
index f629569b..ec55cf99 100644
--- a/letsencrypt-acmetool-client/tasks/main.yml
+++ b/letsencrypt-acmetool-client/tasks/main.yml
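Review bot: `letsencrypt_ocsp_must_staple: True` switches every consumer of this role to must-staple certificates without recording the operational precondition: a certificate carrying that extension is rejected by clients that enforce it unless the serving daemon actually staples OCSP responses, so the variable deserves a comment such as `# Only keep enabled when the web server staples OCSP responses; enforcing clients reject the certificate otherwise`. The two new booleans are written `True`/`False` while the neighbouring `letsencrypt_acme_agree_tos: true` is lowercase; `true`/`false` keeps the file consistent and sidesteps the YAML 1.1/1.2 truthy ambiguity. `letsencrypt_key_id: 'some random string'` is a placeholder that the template in this patch renders verbatim whenever `letsencrypt_specify_key_id` is true, so a comment stating that it must be overridden with a real acmetool key id would avoid a deploy that ships the dummy value.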
@@ -26,7 +26,7 @@
   tags: letsencrypt
 
 - name: Create the letsencrypt acme user
-  user: name={{ letsencrypt_acme_user }} home={{ letsencrypt_acme_user_home }} createhome=no shell=/bin/bash
+  user: name={{ letsencrypt_acme_user }} home={{ letsencrypt_acme_user_home }} createhome=no shell=/usr/sbin/nologin system=yes
   when: letsencrypt_acme_install
   tags: letsencrypt
 
@@ -85,7 +85,7 @@
   capabilities: path=/usr/bin/acmetool capability=cap_net_bind_service+ep state=present
   when:
     - letsencrypt_acme_install
-    - "'{{ letsencrypt_acme_authenticator }}' == 'listener'"
+    - letsencrypt_acme_authenticator == 'listener'
   tags: letsencrypt
 
 - name: Remove the cap_net_bind_service capability to the acmetool binary if not needed
@@ -110,6 +110,16 @@
   template: src=acme-cert-request.sh.j2 dest=/usr/local/bin/acme-cert-request owner=root group=root mode=0755
   when: letsencrypt_acme_install
   tags: letsencrypt
+
+- name: Set certificates as to be revoked
+  become: True
+  become_user: '{{ letsencrypt_acme_user }}'
+  file: dest={{ letsencrypt_acme_user_home }}certs/{{ item.cert_name }}/revoke
+  with_items: '{{ letsencrypt_certs_revoke_list }}'
+  when:
+    - letsencrypt_acme_install
+    - letsencrypt_certs_revoke_list is defined
+  tags: letsencrypt
 
 - name: Install a daily cron job to renew the certificates when needed
   become: True
diff --git a/letsencrypt-acmetool-client/templates/cert-requirements.j2 b/letsencrypt-acmetool-client/templates/cert-requirements.j2
index 61a88528..7c01b058 100644
--- a/letsencrypt-acmetool-client/templates/cert-requirements.j2
+++ b/letsencrypt-acmetool-client/templates/cert-requirements.j2
@@ -5,6 +5,9 @@ satisfy:
 {% endfor %}
 
 request:
+{% if letsencrypt_ocsp_must_staple %}
+  ocsp-must-staple: true
+{% endif %}
 challenge:
   http-ports:
     - {{ letsencrypt_acme_standalone_port }}
@@ -16,5 +19,7 @@ key:
 {% else %}
   ecdsa-curve: {{ letsencrypt_acme_ecdsa_curve }}
 {% endif %}
-
+{% if letsencrypt_specify_key_id %}
+  id: {{ letsencrypt_key_id }}
+{% endif %}
 
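Review bot: `system=yes` on the changed `user:` line takes effect only when the account is created; Ansible's user module documents that `system` cannot be changed on an existing user, so hosts that already ran this role keep their regular-UID account and pick up only the new `shell`. If that is acceptable, a comment on the task records it, e.g. `# system=yes is honoured only on first creation; pre-existing accounts keep their UID`; otherwise the account has to be removed and recreated. `shell=/usr/sbin/nologin` is a fixed path that suits Debian-family targets; if the role is also applied to hosts where nologin lives in `/sbin`, a variable or fact-based path would be safer.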
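Review bot: The new `file:` task in the third hunk of tasks/main.yml gives no `state=`, so the module runs with its default `state=file`, which never creates a missing path: the task fails rather than creating the `revoke` marker on hosts where it does not already exist, and `state=touch` is needed — `file: dest={{ letsencrypt_acme_user_home }}certs/{{ item.cert_name }}/revoke state=touch` (touch reports changed on every run, which is acceptable for a marker). The loop is also rendered before `when` is evaluated, so where `letsencrypt_certs_revoke_list` is undefined the task fails on the undefined variable despite the `is defined` guard, and the patch adds no default for it in defaults/main.yml; `with_items: '{{ letsencrypt_certs_revoke_list | default([]) }}'` closes that. The path concatenates `{{ letsencrypt_acme_user_home }}certs/` without a separator, which only works if the home variable carries a trailing slash — worth confirming against its default. Nothing in the hunk runs a reconcile after the marker is written, so presumably the revocation happens at the next cron-driven run set up by the task just below; a one-line comment on the task saying so would help the next reader.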
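Review bot: `id: {{ letsencrypt_key_id }}` in the last hunk renders the id as a plain YAML scalar, so a value made only of digits, or one containing `: ` or ` #`, would be retyped or mis-parsed when acmetool loads the file; quoting it, `  id: "{{ letsencrypt_key_id }}"`, keeps it a string whatever the operator supplies. The hunk header shows `key:` as a column-0 line; if acmetool's target format nests `key:` (and the `challenge:` block of the previous hunk) under `request:`, as its documentation describes, a top-level `key:` would be silently ignored together with the new `id:` and the existing type/curve settings, so the rendered file is worth checking once against a known-good target file. The enclosing `key:` block starts outside the hunk.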