
Extending documentation (#35077)

- Adding Let's Encrypt production ACME directory URL
- Marking examples as one big example with several alternatives for the first step
- Adding another example which uses aliases for options, and uses DNS-01 challenges
This commit is contained in:
Felix Fontein 2018-01-19 09:42:44 +01:00 committed by ansibot
parent 1a8bbcf146
commit 39a7e0a975

@ -71,6 +71,8 @@ options:
CA server API." CA server API."
- "For safety reasons the default is set to the Let's Encrypt staging server. - "For safety reasons the default is set to the Let's Encrypt staging server.
This will create technically correct, but untrusted certificates." This will create technically correct, but untrusted certificates."
- "The production Let's Encrypt ACME directory URL, which produces properly
trusted certificates, is U(https://acme-v01.api.letsencrypt.org/directory)."
default: https://acme-staging.api.letsencrypt.org/directory default: https://acme-staging.api.letsencrypt.org/directory
agreement: agreement:
description: description:
@ -116,6 +118,8 @@ options:
''' '''
EXAMPLES = ''' EXAMPLES = '''
### Example with HTTP challenge ###
- name: Create a challenge for sample.com using a account key from a variable. - name: Create a challenge for sample.com using a account key from a variable.
letsencrypt: letsencrypt:
account_key_content: "{{ account_private_key }}" account_key_content: "{{ account_private_key }}"
@ -123,6 +127,7 @@ EXAMPLES = '''
dest: /etc/httpd/ssl/sample.com.crt dest: /etc/httpd/ssl/sample.com.crt
register: sample_com_challenge register: sample_com_challenge
# Alternative first step:
- name: Create a challenge for sample.com using a account key from hashi vault. - name: Create a challenge for sample.com using a account key from hashi vault.
letsencrypt: letsencrypt:
account_key_content: "{{ lookup('hashi_vault', 'secret=secret/account_private_key:value') }}" account_key_content: "{{ lookup('hashi_vault', 'secret=secret/account_private_key:value') }}"
@ -130,6 +135,7 @@ EXAMPLES = '''
dest: /etc/httpd/ssl/sample.com.crt dest: /etc/httpd/ssl/sample.com.crt
register: sample_com_challenge register: sample_com_challenge
# Alternative first step:
- name: Create a challenge for sample.com using a account key file. - name: Create a challenge for sample.com using a account key file.
letsencrypt: letsencrypt:
account_key_src: /etc/pki/cert/private/account.key account_key_src: /etc/pki/cert/private/account.key
@ -151,6 +157,41 @@ EXAMPLES = '''
csr: /etc/pki/cert/csr/sample.com.csr csr: /etc/pki/cert/csr/sample.com.csr
dest: /etc/httpd/ssl/sample.com.crt dest: /etc/httpd/ssl/sample.com.crt
data: "{{ sample_com_challenge }}" data: "{{ sample_com_challenge }}"
### Example with DNS challenge against production ACME server ###
- name: Create a challenge for sample.com using a account key file.
letsencrypt:
account_key_src: /etc/pki/cert/private/account.key
account_email: myself@sample.com
src: /etc/pki/cert/csr/sample.com.csr
cert: /etc/httpd/ssl/sample.com.crt
challenge: dns-01
acme_directory: https://acme-v01.api.letsencrypt.org/directory
# Renew if the certificate is at least 30 days old
remaining_days: 60
register: sample_com_challenge
# perform the necessary steps to fulfill the challenge
# for example:
#
# - route53:
# zone: sample.com
# record: "{{ item.value[challenge].resource }}.sample.com"
# type: TXT
# ttl: 60
# value: '"{{ item.value[challenge].resource_value }}"'
- name: Let the challenge be validated and retrieve the cert
letsencrypt:
account_key_src: /etc/pki/cert/private/account.key
account_email: myself@sample.com
src: /etc/pki/cert/csr/sample.com.csr
cert: /etc/httpd/ssl/sample.com.crt
challenge: dns-01
acme_directory: https://acme-v01.api.letsencrypt.org/directory
remaining_days: 60
data: "{{ sample_com_challenge }}"
''' '''
RETURN = ''' RETURN = '''
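Review bot: The commented route53 snippet in the new DNS-01 example (under `# for example:`) references `item` and `challenge`, neither of which is defined anywhere in the play, so the snippet cannot be copied as-is; presumably a `with_dict: "{{ sample_com_challenge.challenge_data }}"` loop and a `challenge: dns-01` variable are implied, and the snippet should show them together with a `when: sample_com_challenge is changed` guard so the record is only rewritten when a new challenge was actually issued. The comment on `remaining_days: 60`, `# Renew if the certificate is at least 30 days old`, only holds for a 90-day certificate; `# Renew if fewer than 60 days remain (at least 30 days old for a 90-day Let's Encrypt cert)` states what the option actually checks. Because this is the first example that targets the production directory, a one-line reminder that the `_acme-challenge` TXT record should be removed after validation and that production rate limits apply (the reason the module defaults to staging) would help readers who paste it unchanged.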