Documentation

letsencrypt - Create SSL certificates with Let’s Encrypt

New in version 2.2.

Synopsis

  • Create and renew SSL certificates with Let’s Encrypt. Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. For details see https://letsencrypt.org. The current implementation supports the http-01 and dns-01 challenges.
  • To use this module, it has to be executed twice. Either as two different tasks in the same run or during two runs. Note that the output of the first run needs to be recorded and passed to the second run as the module argument data.
  • Between these two tasks you have to fulfill the required steps for the chosen challenge by whatever means necessary. For http-01 that means creating the necessary challenge file on the destination webserver. For dns-01 the necessary dns record has to be created. It is not the responsibility of this module to perform these steps.
  • For details on how to fulfill these challenges, you might have to read through https://tools.ietf.org/html/draft-ietf-acme-acme-09#section-8. Also, consider the examples provided for this module.
  • Although the defaults are chosen so that the module can be used with the Let’s Encrypt CA, the module can be used with any service using the ACME v1 or v2 protocol.
  • At least one of dest and fullchain_dest must be specified.

Requirements

The below requirements are needed on the host that executes this module.

  • python >= 2.6
  • openssl

Parameters

Parameter
Choices/Defaults
Comments
account_email
The email address associated with this account.
It will be used for certificate expiration warnings.
account_key_content
(added in 2.5)
Content of the Let's Encrypt account RSA or Elliptic Curve key.
Mutually exclusive with account_key_src.
Required if account_key_src is not used.
Warning: the content will be written into a temporary file, which will be deleted by Ansible when the module completes. Since this is an important private key — it can be used to change the account key, or to revoke your certificates without knowing their private keys —, this might not be acceptable.
account_key_src
Path to a file containing the Let's Encrypt account RSA or Elliptic Curve key.
RSA keys can be created with openssl rsa .... Elliptic curve keys can be created with openssl ecparam -genkey ....
Mutually exclusive with account_key_content.
Required if account_key_content is not used.

aliases: account_key
acme_directory
Default:
https://acme-staging.api.letsencrypt.org/directory
The ACME directory to use. This is the entry point URL to access CA server API.
For safety reasons the default is set to the Let's Encrypt staging server. This will create technically correct, but untrusted certificates.
You can find URLs of staging endpoints here: https://letsencrypt.org/docs/staging-environment/
The production Let's Encrypt ACME v1 directory URL, which produces properly trusted certificates, is https://acme-v01.api.letsencrypt.org/directory.
The production Let's Encrypt ACME v2 directory URL, which produces properly trusted certificates, including wildcard certificates, is https://acme-v02.api.letsencrypt.org/directory.
acme_version
(added in 2.5)
    Choices:
  • yes ←
  • 2
Default:
yes
The ACME version of the endpoint.
Must be 1 for the classic Let's Encrypt ACME endpoint, or 2 for the new ACME v2 endpoint.
Warning: ACME v2 support is currently experimental, as the Let's Encrypt production ACME v2 endpoint is still under development. The code is tested against the latest staging endpoint as well as the Pebble testing server, but there could be bugs which will only appear with a newer version of these or with the production ACME v2 endpoint.
agreement
URI to a terms of service document you agree to when using the ACME v1 service at acme_directory.
Default is latest gathered from acme_directory URL.
This option will only be used when acme_version is 1.
chain_dest
(added in 2.5)
If specified, the intermediate certificate will be written to this file.

aliases: chain
challenge
    Choices:
  • http-01 ←
  • dns-01
The challenge to be performed.
csr
required
File containing the CSR for the new certificate.
Can be created with openssl req ....
The CSR may contain multiple Subject Alternate Names, but each one will lead to an individual challenge that must be fulfilled for the CSR to be signed.
Note: the private key used to create the CSR must not be the the account key. This is a bad idea from a security point of view, and Let's Encrypt will not accept the CSR.

aliases: src
data
The data to validate ongoing challenges. This must be specified for the second run of the module only.
The value that must be used here will be provided by a previous use of this module. See the examples for more details.
Note: the data option was marked as no_log up to Ansible 2.5. From Ansible 2.6 on, it is no longer marked this way as it causes error messages to be come unusable, and data does not contain any information which can be used without having access to the account key or which are not public anyway.
deactivate_authzs
(added in 2.6)
    Choices:
  • no ←
  • yes
Deactivate authentication objects (authz) after issuing a certificate, or when issuing the certificate failed.
Authentication objects are bound to an account key and remain valid for a certain amount of time, and can be used to issue certificates without having to re-authenticate the domain. This can be a security concern.
dest
The destination file for the certificate.
Required if fullchain_dest is not specified.

aliases: cert
force
(added in 2.6)
    Choices:
  • no ←
  • yes
Enforces the execution of the challenge and validation, even if an existing certificate is still valid.
This is especially helpful when having an updated CSR e.g. with additional domains for which a new certificate is desired.
fullchain_dest
(added in 2.5)
The destination file for the full chain (i.e. certificate followed by chain of intermediate certificates).
Required if dest is not specified.

aliases: fullchain
remaining_days
Default:
10
The number of days the certificate must have left being valid. If cert_days < remaining_days, then it will be renewed. If the certificate is not renewed, module return values will not include challenge_data.
terms_agreed
(added in 2.5)
    Choices:
  • no ←
  • yes
Boolean indicating whether you agree to the terms of service document.
ACME servers can require this to be true.
This option will only be used when acme_version is not 1.
validate_certs
(added in 2.5)
    Choices:
  • no
  • yes ←
Whether calls to the ACME directory will validate TLS certificates.
Warning: Should only ever be set to false for testing purposes, for example when testing against a local Pebble server.

Examples

### Example with HTTP challenge ###

- name: Create a challenge for sample.com using a account key from a variable.
  letsencrypt:
    account_key_content: "{{ account_private_key }}"
    csr: /etc/pki/cert/csr/sample.com.csr
    dest: /etc/httpd/ssl/sample.com.crt
  register: sample_com_challenge

# Alternative first step:
- name: Create a challenge for sample.com using a account key from hashi vault.
  letsencrypt:
    account_key_content: "{{ lookup('hashi_vault', 'secret=secret/account_private_key:value') }}"
    csr: /etc/pki/cert/csr/sample.com.csr
    fullchain_dest: /etc/httpd/ssl/sample.com-fullchain.crt
  register: sample_com_challenge

# Alternative first step:
- name: Create a challenge for sample.com using a account key file.
  letsencrypt:
    account_key_src: /etc/pki/cert/private/account.key
    csr: /etc/pki/cert/csr/sample.com.csr
    dest: /etc/httpd/ssl/sample.com.crt
    fullchain_dest: /etc/httpd/ssl/sample.com-fullchain.crt
  register: sample_com_challenge

# perform the necessary steps to fulfill the challenge
# for example:
#
# - copy:
#     dest: /var/www/html/{{ sample_com_challenge['challenge_data']['sample.com']['http-01']['resource'] }}
#     content: "{{ sample_com_challenge['challenge_data']['sample.com']['http-01']['resource_value'] }}"
#     when: sample_com_challenge is changed

- name: Let the challenge be validated and retrieve the cert and intermediate certificate
  letsencrypt:
    account_key_src: /etc/pki/cert/private/account.key
    csr: /etc/pki/cert/csr/sample.com.csr
    dest: /etc/httpd/ssl/sample.com.crt
    fullchain_dest: /etc/httpd/ssl/sample.com-fullchain.crt
    chain_dest: /etc/httpd/ssl/sample.com-intermediate.crt
    data: "{{ sample_com_challenge }}"

### Example with DNS challenge against production ACME server ###

- name: Create a challenge for sample.com using a account key file.
  letsencrypt:
    account_key_src: /etc/pki/cert/private/account.key
    account_email: myself@sample.com
    src: /etc/pki/cert/csr/sample.com.csr
    cert: /etc/httpd/ssl/sample.com.crt
    challenge: dns-01
    acme_directory: https://acme-v01.api.letsencrypt.org/directory
    # Renew if the certificate is at least 30 days old
    remaining_days: 60
  register: sample_com_challenge

# perform the necessary steps to fulfill the challenge
# for example:
#
# - route53:
#     zone: sample.com
#     record: "{{ sample_com_challenge.challenge_data['sample.com']['dns-01'].record }}"
#     type: TXT
#     ttl: 60
#     # Note: route53 requires TXT entries to be enclosed in quotes
#     value: "{{ sample_com_challenge.challenge_data['sample.com']['dns-01'].resource_value }}"
#     when: sample_com_challenge is changed
#
# Alternative way:
#
# - route53:
#     zone: sample.com
#     record: "{{ item.key }}"
#     type: TXT
#     ttl: 60
#     # Note: item.value is a list of TXT entries, and route53
#     # requires every entry to be enclosed in quotes
#     value: "{{ item.value | map('regex_replace', '^(.*)$', ''\1'' ) | list }}"
#     with_dict: sample_com_challenge.challenge_data_dns
#     when: sample_com_challenge is changed

- name: Let the challenge be validated and retrieve the cert and intermediate certificate
  letsencrypt:
    account_key_src: /etc/pki/cert/private/account.key
    account_email: myself@sample.com
    src: /etc/pki/cert/csr/sample.com.csr
    cert: /etc/httpd/ssl/sample.com.crt
    fullchain: /etc/httpd/ssl/sample.com-fullchain.crt
    chain: /etc/httpd/ssl/sample.com-intermediate.crt
    challenge: dns-01
    acme_directory: https://acme-v01.api.letsencrypt.org/directory
    remaining_days: 60
    data: "{{ sample_com_challenge }}"

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key
Returned
Description
account_uri
string
changed
ACME account URI.

authorizations
complex
changed
ACME authorization data.

 
authorization
dict
success
ACME authorization object. See https://tools.ietf.org/html/draft-ietf-acme-acme-09#section-7.1.4

cert_days
int
success
the number of days the certificate remains valid.

challenge_data
complex
changed
per domain / challenge type challenge data

 
resource
string
changed
the challenge resource that must be created for validation

Sample:
.well-known/acme-challenge/evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA
 
resource_value
string
changed
the value the resource has to produce for the validation

Sample:
IlirfxKKXA...17Dt3juxGJ-PCt92wr-oA
 
record
string
changed and challenge is dns-01
the full DNS record's name for the challenge

Sample:
_acme-challenge.example.com
challenge_data_dns
dict
changed
list of TXT values per DNS record, in case challenge is dns-01

finalization_uri
string
changed
ACME finalization URI.

order_uri
string
changed
ACME order URI.



Status

This module is flagged as preview which means that it is not guaranteed to have a backwards compatible interface.

Author

  • Michael Gruener (@mgruener)

Hint

If you notice any issues in this documentation you can edit this document to improve it.