This role does the following:
- Ensure you have a private key for your acme account.
- Ensure you have a private key for your certificate.
- Ensure you have a certificate signing request.
- Then a challenge is requested from letsencrypt.
- http-01 challenge is implemented.
- The certficate from letsencrypt is requested.
- The challenge implementation is removed.
- The server configuration is updated with the ssl certificates.
Variables in vars/main.yml
name | default | description |
---|---|---|
domain_name | my.example.com | Your domain |
acme_baseurl | acme-staging-v02.api.letsencrypt.org | Production: acme-v02.api.letsencrypt.org Staging: acme-staging-v02.api.letsencrypt.org |
acme_directory | https://{{ acme_baseurl }}/directory | |
acme_email | [email protected] | Your acme account mail |
letsencrypt_dir | /etc/letsencrypt | Certificate and key root directory |
letsencrypt_account_key | "{{ letsencrypt_dir }}/accounts/{{ acme_baseurl }}.pem" | ACME account key |
letsencrypt_privkey | "{{ letsencrypt_dir }}/{{ domain_name }}/privkey.pem" | |
letsencrypt_chain | "{{ letsencrypt_dir }}/{{ domain_name }}/chain.pem" | |
letsencrypt_fullchain | "{{ letsencrypt_dir }}/{{ domain_name }}/fullchain.pem" | |
letsencrypt_cert | "{{ letsencrypt_dir }}/{{ domain_name }}/cert.pem" | |
letsencrypt_csr | "{{ letsencrypt_dir }}/csr/{{ domain_name }}.pem" | |
cert.common_name | "{{ domain_name }}" | |
cert.country | "CH" | Your country |
cert.email_address | "{{ acme_email }}" | |
cert.subject_alt_name | ['DNS:{{ domain_name }}'] | |
nginx_options_ssl | "{{ letsencrypt_dir }}/options-ssl-nginx.conf" | |
nginx_dhparams | "{{ letsencrypt_dir }}/ssl-dhparams.pem" |
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
- hosts: api
gather_facts: no
become: true
roles:
- letsencrypt