+ Select DNS provider by hand

+ A few questions answered in README when changing some data
This commit is contained in:
theadam 2024-10-29 15:34:00 +01:00
parent 220e469e0a
commit aeebe6c6e6
2 changed files with 11 additions and 4 deletions


@ -2,7 +2,7 @@
## Purpose
This role install the [acme.sh](https://acme.sh) project on a Linux server and sets up domain(s) with DNS challenge with Cloudflare.
This role install the [acme.sh](https://acme.sh) project on a Linux server and sets up domain(s) with DNS challenge. You can set DNS provider, however, DNS challenge type is the most preferred method than webserver challenges in automated environments.
## Variables
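Review bot: the rewritten Purpose sentence is ungrammatical and the old "installs" typo is carried over: "This role install ... You can set DNS provider, however, DNS challenge type is the most preferred method than webserver challenges in automated environments." Suggest: "This role installs the acme.sh project on a Linux server and sets up domain(s) with the DNS challenge. The DNS provider is configurable (see `dns_provider` below); a DNS challenge is preferred over webserver challenges in automated environments." Since the provider is now selectable, this paragraph is also the place to point at the acme.sh dnsapi wiki that the Example section links.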
@ -10,6 +10,7 @@ All variables are in the defaults folder, however the most importants are:
All domains are in the list, so the list can contains multiple domain configs. In the example we set only one cert with wildcard domain.
- Domains is a list in list format. You can set root domain and wildcard domain. However it is important that the first element used in the filenames, so avoid to use wildcard in the first position!
> Note: When you make any change in the list and rerun the role, it dinamicaly changes it. So if you have a domain and a wildcard and two more wildcards it will be expanded. And reverse, if you remove extra wildcards they will be removed.
- Hooks: Refer acme.sh help or documentation, these are runs in the different stages of issue and renew. Everytime scripts runs in the domain directory so you can use relative command to copy the cert as source.
- acme_sh_issue_env_vars: Following the acme.sh documentation you need to optain three data (two API keys and a zone ID) from Cloudflare and need to set them here.
- acme_sh_user_sudo_commands: Optional, list commands in this array that will be added to the sudoers file of user (so these commands are only allowed as root)
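Review bot: the `acme_sh_issue_env_vars` entry still describes the variable as Cloudflare-only ("you need to optain three data (two API keys and a zone ID) from Cloudflare"), but this commit makes the provider selectable, so the line now contradicts the rest of the README. Suggest: "acme_sh_issue_env_vars: the environment variables the chosen `dns_provider` expects (see the acme.sh dnsapi documentation); for Cloudflare these are the API keys and the zone ID." This list also never mentions `dns_provider` itself, which is the new per-domain key; add a bullet for it next to Domains and Hooks. Minor: "optain" should be "obtain", "dinamicaly" should be "dynamically".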
@ -24,11 +25,17 @@ Most important of global variables are
- acme_sh_email: The e-mail address at acme.sh installation
- acme_sh_user_groups: Add acme user to groups. In this example add to docker so can manage containers and certs related to them.
### Example
The example uses the Cloudflare provided DNS API to retrieve certs with DNS challenge. You can use many other providers. Refer to [documentation](https://github.com/acmesh-official/acme.sh/wiki/dnsapi).
> In this example the Cloudflare domain and account specific information are in plain text. However these are sensitive so might be a good idea to use Ansible Vault.
```
acme_sh_domains:
- domains:
- "yourdomain.com" # it is the root domain
- "*.yourdomain.com" # get wildcard
dns_provider: "dns_cf"
pre_hook:
post_hook: |
#!/bin/sh
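Review bot: the example sets `dns_provider: "dns_cf"`, but nothing in the README says what happens when the key is omitted. The task file silently falls back to `dns_cf`, so either state that default here ("dns_provider: acme.sh dnsapi name, defaults to dns_cf") or drop the default so a missing provider fails loudly rather than issuing a Cloudflare challenge by accident. The Ansible Vault note is good; it would help to name `acme_sh_issue_env_vars` explicitly as the variable that holds the secrets, since that is the one to vault.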
@ -50,9 +57,9 @@ acme_sh_email: ""
You can look for every variables in the defaults folder and can set up the user, additional groups (e.g. if you want to use this with Docker), paths. It is important that every cert got an own folder and all of files stored here.
Hooks are different shell scripts to make easier to manage or modify them later.
Hooks are different shell scripts to make easier to manage or modify them later. The acme.sh by default stores the hooks in base64 format in the config, however it is hard to determine that it is changed and this workaround makes easier to modify or debug it.
It is a good practice to create new user with the role for acme.sh. You can add it to Docker group or give limited sudo privileges (see sudoers.d) so a possible attack can make harder to impact your server negative.
It is a good practice to create new user with the role for acme.sh. You can add it to Docker group or give limited sudo privileges so a possible attack can make harder to impact your server negative.
## todo
- Avoid resetting the default CA on every run
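Review bot: the second changed line removes the "(see sudoers.d)" pointer without replacing it, so the reader no longer learns where the limited sudo privileges are configured; point to `acme_sh_user_sudo_commands` from the Variables section instead. The sentence itself needs rewording: "so a possible attack can make harder to impact your server negative" -> "so that a compromise of the acme user is harder to turn into a compromise of the whole server." Since the same sentence recommends adding the user to the Docker group, it should also say that Docker group membership grants control of the Docker socket and is effectively root on the host, which undoes the point of the limited sudo list; prefer the sudo list unless the hooks really need Docker. Minor: "make easier to manage" -> "make it easier to manage" in the hooks line.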


@ -34,7 +34,7 @@
/bin/sh acme.sh
--config-home {{ acme_sh_config_home | quote }}
--issue
--dns dns_cf
--dns {{ item['dns_provider'] | default('dns_cf') }}
-d {{ item['domains'] | join(' -d ') }}
--pre-hook {{ acme_sh_cert_home }}/{{ item['domains'][0] }}_ecc/pre_hook.sh
--post-hook {{ acme_sh_cert_home }}/{{ item['domains'][0] }}_ecc/post_hook.sh
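Review bot: `--dns {{ item['dns_provider'] | default('dns_cf') }}` interpolates a user-supplied value into the shell command line unquoted, while `--config-home` on the line above uses `| quote`; add `| quote` here for consistency (the same applies to the pre-existing `-d {{ item['domains'] | join(' -d ') }}`). Defaulting to `dns_cf` also means a misspelled key such as `dns_providers` is not an error but a silent Cloudflare run; consider `item['dns_provider'] | mandatory` and documenting the choice in the README, or keep the default and document it there. Separately, the hook paths are built from `item['domains'][0]`, and the README only warns not to put the wildcard first; an `assert` task on `item['domains'][0]` not starting with `*` would enforce that instead of relying on the note.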