certs
Mode “acme”
Deals with Let's Encrypt using the DNS challenge, operated from the controlled host, which must be authoritative for the domain being certified.
Mode “ownca”
You can supply a root CA certificate with its private key; if none is found, one will be generated.
An intermediate CA will be generated.
The intermediate CA will be added to the controlled hosts' trust store.
A leaf certificate will be generated for every host and made available for services to rely on.
Role defaults
# Enable/disable applying this role.
glxclans_certs_enable: false
# Mode of certificate management. Must be one of: [custom, acme]
glxclans_certs_mode: ~
glxclans_certs_hostname: "{{ ansible_hostname }}"
glxclans_certs_domain_name: "{{ glxclans_system_base_domain }}"
# Local path where generated secrets are written and read.
glxclans_certs_secrets_dir: >-
  {{
    glxclans_group_secrets_dir
    | default(inventory_dir + '/group_vars/glxclans/secrets')
  }}
glxclans_certs_host_altnames:
  - "DNS:*.{{ glxclans_certs_domain_name }}"
  - "DNS:{{ glxclans_certs_domain_name }}"
  - "DNS:{{ glxclans_certs_hostname }}"
  - "DNS:{{ __glxclans_certs_fqdn }}"
  - "DNS:localhost"
  - "IP:127.0.0.1"
# Local path where each node's private key is generated.
glxclans_certs_host_private_key: "{{ glxclans_certs_secrets_dir }}/{{ __glxclans_certs_fqdn }}.key"
# Local path where each node's certificate is generated.
glxclans_certs_host_cert: "{{ glxclans_certs_secrets_dir }}/{{ __glxclans_certs_fqdn }}.crt"
# Local path where each node's full-chain certificate is generated.
glxclans_certs_host_fullchain_cert: "{{ glxclans_certs_secrets_dir }}/{{ __glxclans_certs_fqdn }}.fullchain.crt"
OwnCA root information
If glxclans_certs_ownca_root_cert and glxclans_certs_ownca_root_private_key already exist as files, generation will be skipped.
glxclans_certs_ownca_root_cert: >-
  {{ glxclans_certs_secrets_dir }}/{{ __glxclans_certs_fqdn }}.ownca.root.crt
glxclans_certs_ownca_root_private_key: >-
  {{ glxclans_certs_secrets_dir }}/{{ __glxclans_certs_fqdn }}.ownca.root.key
glxclans_certs_ownca_root_private_keypass: >-
  {{ glxclans_certs_secrets_dir }}/{{ __glxclans_certs_fqdn }}.ownca.root.keypass
glxclans_certs_ownca_root_private_keypass_content: >-
  {{ lookup('password', glxclans_certs_ownca_root_private_keypass + ' length=42') }}
Intermediate CA certificate
Will be generated and signed by the root CA certificate, and added to the target hosts' trust store.
glxclans_certs_ownca_inter_cert: >-
  {{ glxclans_certs_secrets_dir }}/{{ __glxclans_certs_fqdn }}.ownca.inter.crt
glxclans_certs_ownca_inter_private_key: >-
  {{ glxclans_certs_secrets_dir }}/{{ __glxclans_certs_fqdn }}.ownca.inter.key
glxclans_certs_ownca_inter_private_keypass: >-
  {{ glxclans_certs_secrets_dir }}/{{ __glxclans_certs_fqdn }}.ownca.inter.keypass
glxclans_certs_ownca_inter_private_keypass_content: >-
  {{ lookup('password', glxclans_certs_ownca_inter_private_keypass + ' length=42') }}
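The three-tier chain that “ownca” mode describes (root, intermediate signed by it, one leaf per host carrying the default altnames), as an added example written with the `cryptography` library; it is not the role's own code, and the domain, hostname, common names and lifetimes are constructed stand-ins for the role variables. It builds the chain, checks each link the way a trust store would (issuer match, signature, CA constraints with pathlen 0 on the intermediate), assembles the leaf-plus-intermediate order the `.fullchain.crt` file uses, and flags one property of the default altnames worth knowing: a leaf carrying `DNS:*.<domain>` is valid for every single-label name under the domain, so any host's key can answer for any sibling host.

```python
"""Root -> intermediate -> leaf chain as the "ownca" mode describes, built with
the `cryptography` library. Added example, not the role's code; names, SANs and
lifetimes are constructed to mirror the role defaults."""
import datetime
import ipaddress

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# Constructed stand-ins for glxclans_certs_domain_name, glxclans_certs_hostname
# and __glxclans_certs_fqdn.
DOMAIN = "clans.example"
HOSTNAME = "node1"
FQDN = f"{HOSTNAME}.{DOMAIN}"


def _key_usage(ca):
    # keyCertSign/cRLSign for the CAs; digitalSignature/keyEncipherment for the leaf.
    return x509.KeyUsage(digital_signature=not ca, content_commitment=False,
                         key_encipherment=not ca, data_encipherment=False,
                         key_agreement=False, key_cert_sign=ca, crl_sign=ca,
                         encipher_only=False, decipher_only=False)


def _issue(cn, issuer_cert, issuer_key, key, ca, path_len=None, san=None, days=365):
    """Sign a certificate for `key` under `issuer_key`; issuer_cert=None means self-signed."""
    now = datetime.datetime.now(datetime.timezone.utc)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    issuer = issuer_cert.subject if issuer_cert is not None else subject
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now - datetime.timedelta(minutes=5))
         .not_valid_after(now + datetime.timedelta(days=days))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=path_len), critical=True)
         .add_extension(_key_usage(ca), critical=True))
    if not ca:
        b = b.add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
    if san:
        b = b.add_extension(x509.SubjectAlternativeName(san), critical=False)
    return b.sign(issuer_key, hashes.SHA256())


def make_chain(domain=DOMAIN, hostname=HOSTNAME):
    """Mirror the ownca flow: root CA, intermediate CA signed by it, one leaf per host."""
    fqdn = f"{hostname}.{domain}"
    root_key, inter_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = _issue("ownca root", None, root_key, root_key, ca=True, days=3650)
    # pathlen:0 lets the intermediate sign leaves only, never another CA.
    inter = _issue("ownca intermediate", root, root_key, inter_key, ca=True, path_len=0, days=1825)
    san = [x509.DNSName(f"*.{domain}"), x509.DNSName(domain), x509.DNSName(hostname),
           x509.DNSName(fqdn), x509.DNSName("localhost"),
           x509.IPAddress(ipaddress.IPv4Address("127.0.0.1"))]  # the default altnames list
    leaf = _issue(fqdn, inter, inter_key, leaf_key, ca=False, san=san)
    return {"root": root, "inter": inter, "leaf": leaf, "leaf_key": leaf_key}


def _signed_by(cert, issuer):
    """Issuer name must match and the ECDSA signature must verify under the issuer's key."""
    if cert.issuer != issuer.subject:
        return False
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return False
    return True


def verify_chain(leaf, inter, root):
    """True when every link verifies and the CA constraints match the tiers."""
    def bc(cert):
        return cert.extensions.get_extension_for_class(x509.BasicConstraints).value
    return (_signed_by(root, root) and _signed_by(inter, root) and _signed_by(leaf, inter)
            and bc(root).ca and bc(inter).ca and bc(inter).path_length == 0 and not bc(leaf).ca)


def san_dns_names(cert):
    ext = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    return ext.get_values_for_type(x509.DNSName)


def covers_whole_domain(cert, domain):
    """A leaf with *.domain in its SAN is accepted for any single-label name under domain."""
    return f"*.{domain}" in san_dns_names(cert)


def fullchain_pem(chain):
    """Contents of <fqdn>.fullchain.crt: the leaf first, then the intermediate."""
    return b"".join(c.public_bytes(serialization.Encoding.PEM)
                    for c in (chain["leaf"], chain["inter"]))


if __name__ == "__main__":
    chain = make_chain()
    print("chain valid:", verify_chain(chain["leaf"], chain["inter"], chain["root"]))
    print("leaf SANs:", san_dns_names(chain["leaf"]))
    print("wildcard for whole domain:", covers_whole_domain(chain["leaf"], DOMAIN))
```

If the wildcard entry is not wanted, override `glxclans_certs_host_altnames` in your inventory without the `DNS:*.` line; `verify_chain` is also a quick check to run against the files the role leaves in `glxclans_certs_secrets_dir` after loading them with `x509.load_pem_x509_certificate`.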
ACME certificate requests
Must be a list of dicts, each item having these attributes:
  - cn: "mx1.clans.galaxie.family"  # Mandatory. Main FQDN to certify.
    zone: "clans.galaxie.family"    # Mandatory. One of the host's managed zones; it will handle the DNS challenge.
    alt:                            # Optional. Set if you want your cert to be multi-FQDN.
      - "DNS:mail.clans.galaxie.family"
      - "DNS:mail.rtnp.org"
    alt_multi_domain:               # Optional. Set only if the 'alt' attribute spans multiple domains and the
                                    # challenges must be dispatched amongst the host's managed zones.
      - record: "_acme-challenge.mail.clans.galaxie.family"
        zone: "clans.galaxie.family"
      - record: "_acme-challenge.mail.rtnp.org"
        zone: "rtnp.org"
glxclans_certs_acme_requests: []
# The DNS authority server that will be updated (nsupdate) with the DNS challenge records.
glxclans_certs_acme_nsupdate_host: "127.0.0.1"
glxclans_certs_acme_nsupdate_tsig_key_name: ~
glxclans_certs_acme_nsupdate_tsig_key_secret: ~
glxclans_certs_acme_nsupdate_tsig_key_algorithm: ~
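How a request item turns into `_acme-challenge` TXT records and into the nsupdate batch the TSIG variables above feed, as an added example (standard library only); it is not the role's code. The dispatch rules follow the attribute comments (`cn` and plain `alt` names go to the item's `zone`, `alt_multi_domain` overrides the zone per record, a wildcard name is validated at its base name), the batch syntax is BIND's standard `nsupdate` stdin format, and the request, zone set, server, key and tokens are constructed placeholders. `lint_requests` is the check to run before a play: it reports an `alt` name from another domain that has no `alt_multi_domain` entry, which is the configuration the comments warn about.

```python
"""Plan DNS-01 challenge records for glxclans_certs_acme_requests items and render
the nsupdate batch. Added example (stdlib only), not the role's code; sample
request, zones, server, key and tokens are constructed."""


def _challenge_record(name):
    # A wildcard name is validated at the base name's _acme-challenge record.
    return "_acme-challenge." + (name[2:] if name.startswith("*.") else name)


def _in_zone(record, zone):
    return record == zone or record.endswith("." + zone)


def plan_challenges(request, managed_zones):
    """Return [(record, zone), ...] for the cn and every DNS alt name.
    Raises ValueError when a record cannot be served from a zone this host manages."""
    zone = request["zone"]
    if zone not in managed_zones:
        raise ValueError(f"zone {zone!r} is not managed by this host")
    # alt_multi_domain overrides the default zone per challenge record.
    dispatch = {d["record"]: d["zone"] for d in request.get("alt_multi_domain") or []}
    names = [request["cn"]] + [a[4:] for a in request.get("alt") or [] if a.startswith("DNS:")]
    plan = []
    for name in names:
        record = _challenge_record(name)
        target = dispatch.get(record, zone)
        if target not in managed_zones:
            raise ValueError(f"{record}: zone {target!r} is not managed by this host")
        if not _in_zone(record, target):
            raise ValueError(f"{record} lies outside zone {target!r}; add an alt_multi_domain entry")
        if (record, target) not in plan:
            plan.append((record, target))
    return plan


def lint_requests(requests, managed_zones):
    """One error message per request item that cannot be dispatched; empty when all are fine."""
    errors = []
    for i, req in enumerate(requests):
        try:
            plan_challenges(req, managed_zones)
        except (KeyError, ValueError) as e:
            errors.append(f"request {i} ({req.get('cn', '?')}): {e}")
    return errors


def nsupdate_batch(plan, tokens, server, key_name=None, key_secret=None,
                   key_algorithm="hmac-sha256"):
    """Render the stdin batch for nsupdate: a zone/update/send group per record,
    signed with the TSIG key when one is configured."""
    lines = [f"server {server}"]
    if key_name and key_secret:
        lines.append(f"key {key_algorithm}:{key_name} {key_secret}")
    for record, zone in plan:
        lines += [f"zone {zone}", f'update add {record}. 60 TXT "{tokens[record]}"', "send"]
    return "\n".join(lines) + "\n"


# Constructed sample mirroring the documented item shape (names are made up).
MANAGED_ZONES = {"clans.example", "rtnp.example"}
SAMPLE_REQUEST = {
    "cn": "mx1.clans.example",
    "zone": "clans.example",
    "alt": ["DNS:mail.clans.example", "DNS:mail.rtnp.example"],
    "alt_multi_domain": [
        {"record": "_acme-challenge.mail.clans.example", "zone": "clans.example"},
        {"record": "_acme-challenge.mail.rtnp.example", "zone": "rtnp.example"},
    ],
}

if __name__ == "__main__":
    print(lint_requests([SAMPLE_REQUEST], MANAGED_ZONES) or "requests OK")
    plan = plan_challenges(SAMPLE_REQUEST, MANAGED_ZONES)
    # Real tokens come from the ACME server during the order; placeholders here.
    tokens = {record: "TOKEN-PLACEHOLDER" for record, _ in plan}
    print(nsupdate_batch(plan, tokens, "127.0.0.1", "acme-key", "SECRET-PLACEHOLDER"))
```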