aef16ee195
* Collecting PEM -> DER conversions. * Using cryptography instead of OpenSSL binary in some situations. * Moving key-to-disk writing for key content to parse_account_key. * Rename parse_account_key -> parse_key. * Move OpenSSL specific code for key parsing and request signing into global functions. * Also using cryptography for key parsing and request signing. * Remove assert statements. * Fixing handling of key contents for cryptography code path. * Allow to disable the use of cryptography. * Updating documentation. * 1.5 seems to work as well (earlier versions don't have EC sign function). Making Python 2.x adjustments. * Changing option to select_crypto_backend. * Python 2.6 compatibility. * Trying to test both backends separately for acme_account. * Also testing both backends separately for acme_certificate and acme_certificate_revoke. * Adding changelog entry which informs about select_crypto_backend option in case autodetect fails. * Fixing YAML.
157 lines
7.4 KiB
YAML
157 lines
7.4 KiB
YAML
---
|
|
## PRIVATE KEY ################################################################################
|
|
- name: ({{ certgen_title }}) Create cert private key (RSA)
|
|
command: "openssl genrsa -out {{ output_dir }}/{{ certificate_name }}.key {{ rsa_bits if key_type == 'rsa' else 2048 }}"
|
|
when: "key_type == 'rsa'"
|
|
- name: ({{ certgen_title }}) Create cert private key (ECC 256)
|
|
command: openssl ecparam -name prime256v1 -genkey -out {{ output_dir }}/{{ certificate_name }}.key
|
|
when: "key_type == 'ec256'"
|
|
- name: ({{ certgen_title }}) Create cert private key (ECC 384)
|
|
command: openssl ecparam -name secp384r1 -genkey -out {{ output_dir }}/{{ certificate_name }}.key
|
|
when: "key_type == 'ec384'"
|
|
- name: ({{ certgen_title }}) Create cert private key (ECC 512)
|
|
command: openssl ecparam -name secp521r1 -genkey -out {{ output_dir }}/{{ certificate_name }}.key
|
|
when: "key_type == 'ec521'"
|
|
## CSR ########################################################################################
|
|
- name: ({{ certgen_title }}) Create cert CSR
|
|
openssl_csr:
|
|
path: "{{ output_dir }}/{{ certificate_name }}.csr"
|
|
privatekey_path: "{{ output_dir }}/{{ certificate_name }}.key"
|
|
subject_alt_name: "{{ subject_alt_name }}"
|
|
subject_alt_name_critical: "{{ subject_alt_name_critical }}"
|
|
## ACME STEP 1 ################################################################################
|
|
- name: ({{ certgen_title }}) Obtain cert, step 1
|
|
acme_certificate:
|
|
select_crypto_backend: "{{ select_crypto_backend }}"
|
|
acme_version: 2
|
|
acme_directory: https://{{ acme_host }}:14000/dir
|
|
validate_certs: no
|
|
account_key: "{{ output_dir }}/{{ account_key }}.pem"
|
|
modify_account: "{{ modify_account }}"
|
|
csr: "{{ output_dir }}/{{ certificate_name }}.csr"
|
|
dest: "{{ output_dir }}/{{ certificate_name }}.pem"
|
|
fullchain_dest: "{{ output_dir }}/{{ certificate_name }}-fullchain.pem"
|
|
chain_dest: "{{ output_dir }}/{{ certificate_name }}-chain.pem"
|
|
challenge: "{{ challenge }}"
|
|
deactivate_authzs: "{{ deactivate_authzs }}"
|
|
force: "{{ force }}"
|
|
remaining_days: "{{ remaining_days }}"
|
|
terms_agreed: "{{ terms_agreed }}"
|
|
account_email: "{{ account_email }}"
|
|
register: challenge_data
|
|
when: account_key_content is not defined
|
|
- name: ({{ certgen_title }}) Obtain cert, step 1 (using account key data)
|
|
acme_certificate:
|
|
select_crypto_backend: "{{ select_crypto_backend }}"
|
|
acme_version: 2
|
|
acme_directory: https://{{ acme_host }}:14000/dir
|
|
validate_certs: no
|
|
account_key_content: "{{ account_key_content }}"
|
|
modify_account: "{{ modify_account }}"
|
|
csr: "{{ output_dir }}/{{ certificate_name }}.csr"
|
|
dest: "{{ output_dir }}/{{ certificate_name }}.pem"
|
|
fullchain_dest: "{{ output_dir }}/{{ certificate_name }}-fullchain.pem"
|
|
chain_dest: "{{ output_dir }}/{{ certificate_name }}-chain.pem"
|
|
challenge: "{{ challenge }}"
|
|
deactivate_authzs: "{{ deactivate_authzs }}"
|
|
force: "{{ force }}"
|
|
remaining_days: "{{ remaining_days }}"
|
|
terms_agreed: "{{ terms_agreed }}"
|
|
account_email: "{{ account_email }}"
|
|
register: challenge_data_content
|
|
when: account_key_content is defined
|
|
- name: ({{ certgen_title }}) Copy challenge data (when using account key data)
|
|
set_fact:
|
|
challenge_data: "{{ challenge_data_content }}"
|
|
when: account_key_content is defined
|
|
- name: ({{ certgen_title }}) Print challenge data
|
|
debug:
|
|
var: challenge_data
|
|
- name: ({{ certgen_title }}) Create HTTP challenges
|
|
uri:
|
|
url: "http://{{ acme_host }}:5000/http/{{ item.key }}/{{ item.value['http-01'].resource[('.well-known/acme-challenge/'|length):] }}"
|
|
method: PUT
|
|
body_format: raw
|
|
body: "{{ item.value['http-01'].resource_value }}"
|
|
headers:
|
|
content-type: "application/octet-stream"
|
|
with_dict: "{{ challenge_data.challenge_data }}"
|
|
when: "challenge_data is changed and challenge == 'http-01'"
|
|
- name: ({{ certgen_title }}) Create DNS challenges
|
|
uri:
|
|
url: "http://{{ acme_host }}:5000/dns/{{ item.key }}"
|
|
method: PUT
|
|
body_format: json
|
|
body: "{{ item.value }}"
|
|
with_dict: "{{ challenge_data.challenge_data_dns }}"
|
|
when: "challenge_data is changed and challenge == 'dns-01'"
|
|
- name: ({{ certgen_title }}) Create TLS ALPN challenges
|
|
uri:
|
|
url: "http://{{ acme_host }}:5000/tls-alpn/{{ item.value['tls-alpn-01'].resource }}"
|
|
method: PUT
|
|
body_format: raw
|
|
body: "{{ item.value['tls-alpn-01'].resource_value }}"
|
|
headers:
|
|
content-type: "application/octet-stream"
|
|
with_dict: "{{ challenge_data.challenge_data }}"
|
|
when: "challenge_data is changed and challenge == 'tls-alpn-01'"
|
|
## ACME STEP 2 ################################################################################
|
|
- name: ({{ certgen_title }}) Obtain cert, step 2
|
|
acme_certificate:
|
|
select_crypto_backend: "{{ select_crypto_backend }}"
|
|
acme_version: 2
|
|
acme_directory: https://{{ acme_host }}:14000/dir
|
|
validate_certs: no
|
|
account_key: "{{ output_dir }}/{{ account_key }}.pem"
|
|
modify_account: "{{ modify_account }}"
|
|
csr: "{{ output_dir }}/{{ certificate_name }}.csr"
|
|
dest: "{{ output_dir }}/{{ certificate_name }}.pem"
|
|
fullchain_dest: "{{ output_dir }}/{{ certificate_name }}-fullchain.pem"
|
|
chain_dest: "{{ output_dir }}/{{ certificate_name }}-chain.pem"
|
|
challenge: "{{ challenge }}"
|
|
deactivate_authzs: "{{ deactivate_authzs }}"
|
|
force: "{{ force }}"
|
|
remaining_days: "{{ remaining_days }}"
|
|
terms_agreed: "{{ terms_agreed }}"
|
|
account_email: "{{ account_email }}"
|
|
data: "{{ challenge_data }}"
|
|
when: challenge_data is changed and account_key_content is not defined
|
|
- name: ({{ certgen_title }}) Obtain cert, step 2 (using account key data)
|
|
acme_certificate:
|
|
select_crypto_backend: "{{ select_crypto_backend }}"
|
|
acme_version: 2
|
|
acme_directory: https://{{ acme_host }}:14000/dir
|
|
validate_certs: no
|
|
account_key_content: "{{ account_key_content }}"
|
|
modify_account: "{{ modify_account }}"
|
|
csr: "{{ output_dir }}/{{ certificate_name }}.csr"
|
|
dest: "{{ output_dir }}/{{ certificate_name }}.pem"
|
|
fullchain_dest: "{{ output_dir }}/{{ certificate_name }}-fullchain.pem"
|
|
chain_dest: "{{ output_dir }}/{{ certificate_name }}-chain.pem"
|
|
challenge: "{{ challenge }}"
|
|
deactivate_authzs: "{{ deactivate_authzs }}"
|
|
force: "{{ force }}"
|
|
remaining_days: "{{ remaining_days }}"
|
|
terms_agreed: "{{ terms_agreed }}"
|
|
account_email: "{{ account_email }}"
|
|
data: "{{ challenge_data }}"
|
|
when: challenge_data is changed and account_key_content is defined
|
|
- name: ({{ certgen_title }}) Deleting HTTP challenges
|
|
uri:
|
|
url: "http://{{ acme_host }}:5000/http/{{ item.key }}/{{ item.value['http-01'].resource[('.well-known/acme-challenge/'|length):] }}"
|
|
method: DELETE
|
|
with_dict: "{{ challenge_data.challenge_data }}"
|
|
when: "challenge_data is changed and challenge == 'http-01'"
|
|
- name: ({{ certgen_title }}) Deleting DNS challenges
|
|
uri:
|
|
url: "http://{{ acme_host }}:5000/dns/{{ item.key }}"
|
|
method: DELETE
|
|
with_dict: "{{ challenge_data.challenge_data_dns }}"
|
|
when: "challenge_data is changed and challenge == 'dns-01'"
|
|
- name: ({{ certgen_title }}) Deleting TLS ALPN challenges
|
|
uri:
|
|
url: "http://{{ acme_host }}:5000/tls-alpn/{{ item.value['tls-alpn-01'].resource }}"
|
|
method: DELETE
|
|
with_dict: "{{ challenge_data.challenge_data }}"
|
|
when: "challenge_data is changed and challenge == 'tls-alpn-01'"
|
|
###############################################################################################
|