├── tests ├── .keep └── integration │ └── targets │ └── acme_letsencrypt │ ├── runme.sh │ ├── dns-challenge-missing-acme-domain.yml │ ├── dns-challenge-hetzner.yml │ ├── dns-challenge-domain-offensive.yml │ ├── dns-challenge-pebble.yml │ ├── dns-challenge-include-role.yml │ ├── http-challenge-local.yml │ └── find-challenge-filter-plugin.yml ├── roles └── acme │ ├── README.md │ ├── tasks │ ├── challenge-unknown.yml │ ├── convert_certificate.yml │ ├── main.yml │ ├── download_cert.yml │ ├── create-challenge.yml │ ├── create-keys.yml │ ├── preconditions.yml │ ├── challenge │ │ ├── dns-01 │ │ │ ├── pebble.yml │ │ │ ├── openstack.yml │ │ │ ├── domain-offensive.yml │ │ │ ├── hetzner.yml │ │ │ ├── autodns.yml │ │ │ ├── nsupdate.yml │ │ │ └── azure.yml │ │ └── http-01 │ │ │ ├── local.yml │ │ │ ├── s3.yml │ │ │ └── azbs.yml │ └── create-csr.yml │ ├── meta │ └── main.yml │ └── defaults │ └── main.yml ├── CODEOWNERS ├── meta └── runtime.yml ├── renovate.json ├── .gitattributes ├── CODE_OF_CONDUCT.md ├── .github ├── version-drafter.yml └── workflows │ ├── codespell.yml │ ├── release.yml │ ├── galaxy.yml │ └── main.yml ├── .config └── ansible-lint.yml ├── .yamllint ├── docs ├── dns-challenge │ ├── hetzner.md │ ├── openstack.md │ ├── pebble.md │ ├── autodns.md │ ├── domain-offensive.md │ ├── azure.md │ └── nsupdate.md ├── http-challenge │ ├── local.md │ ├── s3.md │ └── azbs.md └── role-acme.md ├── CONTRIBUTING.md ├── galaxy.yml ├── README.md ├── plugins └── filter │ └── find_challenges.py ├── LICENSE └── CHANGELOG.md /tests/.keep: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /roles/acme/README.md: -------------------------------------------------------------------------------- 1 | ../../docs/role-acme.md -------------------------------------------------------------------------------- /CODEOWNERS: -------------------------------------------------------------------------------- 1 | * @telekom-mms/ansible-maintainers 2 | -------------------------------------------------------------------------------- /meta/runtime.yml: -------------------------------------------------------------------------------- 1 | --- 2 | requires_ansible: ">=2.9.10" 3 | -------------------------------------------------------------------------------- /renovate.json: -------------------------------------------------------------------------------- 1 | { 2 | "extends": [ 3 | "github>telekom-mms/.github:renovate-preset.json5" 4 | ] 5 | } 6 | -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | *.sh text eol=lf 2 | *.py text eol=lf 3 | *.md text eol=lf 4 | *.yml text eol=lf 5 | *.yaml text eol=lf 6 | *.txt text eol=lf 7 | -------------------------------------------------------------------------------- /roles/acme/tasks/challenge-unknown.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Fail because of unknown challenge provider 3 | ansible.builtin.fail: 4 | msg: unknown challenge provider 5 | -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | # Community Code of Conduct 2 | 3 | Please see the official [Ansible Community Code of Conduct](https://docs.ansible.com/ansible/latest/community/code_of_conduct.html). 4 | -------------------------------------------------------------------------------- /.github/version-drafter.yml: -------------------------------------------------------------------------------- 1 | major-labels: ['semver:major', 'major', 'breaking', 'backwards-incompatible'] 2 | minor-labels: ['semver:minor', 'minor', 'enhancement'] 3 | patch-labels: ['semver:patch', 'patch', 'bug'] 4 | -------------------------------------------------------------------------------- /.config/ansible-lint.yml: -------------------------------------------------------------------------------- 1 | --- 2 | exclude_paths: 3 | - .cache/ # implicit unless exclude_paths is defined in config 4 | - .ansible/ # somehow someone decided that the cache directory should be renamed 5 | - .github/ 6 | skip_list: 7 | - meta-runtime[unsupported-version] 8 | -------------------------------------------------------------------------------- /.github/workflows/codespell.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: Codespell - Spellcheck 3 | 4 | on: # yamllint disable-line rule:truthy 5 | push: 6 | branches: [main] 7 | pull_request: 8 | branches: [main] 9 | 10 | jobs: 11 | codespell: 12 | uses: "telekom-mms/.github/.github/workflows/codespell.yml@main" 13 | -------------------------------------------------------------------------------- /tests/integration/targets/acme_letsencrypt/runme.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -eux 4 | 5 | ansible-playbook find-challenge-filter-plugin.yml 6 | 7 | ansible-playbook http-challenge-local.yml 8 | 9 | ansible-playbook dns-challenge-pebble.yml 10 | ansible-playbook dns-challenge-include-role.yml 11 | ansible-playbook dns-challenge-missing-acme-domain.yml 12 | -------------------------------------------------------------------------------- /.yamllint: -------------------------------------------------------------------------------- 1 | --- 2 | extends: default 3 | ignore: | 4 | galaxy.yml 5 | 6 | rules: 7 | line-length: disable 8 | comments: 9 | min-spaces-from-content: 1 10 | comments-indentation: disable 11 | braces: 12 | min-spaces-inside: 0 13 | max-spaces-inside: 1 14 | brackets: 15 | min-spaces-inside: 0 16 | max-spaces-inside: 1 17 | colons: 18 | max-spaces-before: -1 19 | max-spaces-after: 1 20 | -------------------------------------------------------------------------------- /roles/acme/tasks/convert_certificate.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Convert certificate to pfx format 3 | community.crypto.openssl_pkcs12: 4 | action: export 5 | path: "{{ acme_pfx_cert_path }}" 6 | name: "{{ acme_domain.certificate_name }}" 7 | privatekey_path: "{{ acme_private_key_path }}" 8 | certificate_path: "{{ acme_fullchain_path }}" 9 | other_certificates: "{{ acme_intermediate_path }}" 10 | when: acme_convert_cert_to == "pfx" 11 | -------------------------------------------------------------------------------- /tests/integration/targets/acme_letsencrypt/dns-challenge-missing-acme-domain.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Test role if acme_domain is not set 3 | hosts: localhost 4 | roles: 5 | - telekom_mms.acme.acme 6 | vars: 7 | acme_challenge_provider: pebble 8 | acme_use_live_directory: false 9 | acme_account_email: ssl-admin@example.com 10 | acme_staging_directory: https://localhost:14000/dir 11 | acme_validate_certs: false 12 | ignore_errors: true 13 | -------------------------------------------------------------------------------- /.github/workflows/release.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: New release 3 | 4 | on: 5 | workflow_dispatch: 6 | push: 7 | branches: 8 | - main 9 | 10 | jobs: 11 | release: 12 | # docs: https://github.com/telekom-mms/.github#release 13 | if: github.repository != '$TEMPLATE_REPOSITORY' 14 | uses: telekom-mms/.github/.github/workflows/release.yml@main 15 | secrets: 16 | GH_BRANCH_PROTECTION_APP_TOKEN: ${{ secrets.GH_BRANCH_PROTECTION_APP_TOKEN }} 17 | -------------------------------------------------------------------------------- /roles/acme/meta/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | collections: 3 | - telekom_mms.acme 4 | galaxy_info: 5 | role_name: acme 6 | author: telekom_mms 7 | description: Issue certificates via the ACME protocol via dns- or http-challenge. By default the API of Let's Encrypts gets used. 8 | license: GPLv3 9 | min_ansible_version: "2.9" 10 | galaxy_tags: 11 | - acme 12 | - certificates 13 | - letsencrypt 14 | - security 15 | - ssl 16 | platforms: 17 | - name: GenericLinux 18 | versions: 19 | - all 20 | -------------------------------------------------------------------------------- /.github/workflows/galaxy.yml: -------------------------------------------------------------------------------- 1 | name: Publish collection to Ansible Galaxy 2 | 3 | on: 4 | release: 5 | types: 6 | # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#release 7 | - released 8 | 9 | jobs: 10 | deploy: 11 | # docs: https://github.com/telekom-mms/.github#publish-collection-to-ansible-galaxy 12 | uses: telekom-mms/.github/.github/workflows/ansible-galaxy-publish.yml@main 13 | secrets: 14 | GALAXY_API_KEY: ${{ secrets.GALAXY_API_KEY }} 15 | GH_BRANCH_PROTECTION_APP_TOKEN: ${{ secrets.GH_BRANCH_PROTECTION_APP_TOKEN }} 16 | -------------------------------------------------------------------------------- /roles/acme/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Preconditions 3 | ansible.builtin.include_tasks: 4 | file: preconditions.yml 5 | 6 | - name: Download Certificate from https 7 | ansible.builtin.include_tasks: 8 | file: download_cert.yml 9 | when: 10 | - acme_download_cert 11 | 12 | - name: Run key generation 13 | ansible.builtin.include_tasks: 14 | file: create-keys.yml 15 | 16 | - name: Create csr 17 | ansible.builtin.include_tasks: 18 | file: create-csr.yml 19 | 20 | - name: Create challenge 21 | ansible.builtin.include_tasks: 22 | file: create-challenge.yml 23 | 24 | - name: Do challenge with provider {{ acme_challenge_provider }} 25 | ansible.builtin.include_tasks: 26 | file: "{{ acme_provider_path }}" 27 | 28 | - name: Convert certificate 29 | ansible.builtin.include_tasks: 30 | file: convert_certificate.yml 31 | when: 32 | - acme_convert_cert_to is defined 33 | -------------------------------------------------------------------------------- /roles/acme/tasks/download_cert.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Fetch current certificate from https server 3 | community.crypto.get_certificate: 4 | host: "{{ acme_cert_download_host | default(acme_domain.subject_alt_name[0]) }}" 5 | port: "{{ acme_cert_download_port | default('443') }}" 6 | server_name: "{{ acme_cert_san_name | default(acme_domain.subject_alt_name[0]) }}" 7 | get_certificate_chain: true 8 | register: acme_certificate 9 | retries: 10 10 | delay: 30 11 | until: acme_certificate is not failed 12 | 13 | - name: Write fetched certificate to file 14 | ansible.builtin.copy: 15 | content: "{{ acme_certificate.cert }}" 16 | dest: "{{ acme_cert_path }}" 17 | mode: "0644" 18 | 19 | - name: Write fetched certificate chain to file 20 | ansible.builtin.copy: 21 | content: "{{ acme_certificate.verified_chain[:-1] | join('\n') }}" 22 | dest: "{{ acme_fullchain_path }}" 23 | mode: "0644" 24 | -------------------------------------------------------------------------------- /docs/dns-challenge/hetzner.md: -------------------------------------------------------------------------------- 1 | # Variables for hetzner dns-challenge 2 | 3 | | Variable | Required | Default | Description 4 | |-------------------------|----------|---------|------------ 5 | | acme_hetzner_auth_token | yes | | Access token for hetzner DNS API 6 | 7 | ## Usage 8 | 9 | ```yaml 10 | - name: create the certificate for *.example.com 11 | hosts: localhost 12 | collections: 13 | - telekom_mms.acme 14 | roles: 15 | - acme 16 | vars: 17 | acme_challenge_provider: hetzner 18 | acme_use_live_directory: true 19 | acme_account_email: "ssl-admin@example.com" 20 | acme_hetzner_auth_token: !vault | 21 | $ANSIBLE_VAULT;1.1;AES256 22 | ... 23 | acme_domain: 24 | email_address: "ssl-admin@example.com" 25 | certificate_name: "wildcard.example.com" 26 | zone: "example.com" 27 | subject_alt_name: 28 | - "*.example.com" 29 | ``` 30 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | We accept all kinds of contributions, whether they are bug fixes, pull requests or documentation updates! 2 | 3 | If you want to develop new content for this collection or improve what is already here, the easiest way to work on the collection is to clone it into one of the configured [`COLLECTIONS_PATH`](https://docs.ansible.com/ansible/latest/reference_appendices/config.html#collections-paths), and work on it there. 4 | 5 | For example, if you are working in the `~/dev` directory: 6 | 7 | ``` 8 | cd ~/dev 9 | git clone https://github.com/telekom-mms/ansible-collection-acme collections/ansible_collections/telekom_mms/acme 10 | export COLLECTIONS_PATH=$(pwd)/collections:$COLLECTIONS_PATH 11 | ``` 12 | 13 | You can find more information in the [developer guide for collections](https://docs.ansible.com/ansible/devel/dev_guide/developing_collections.html#contributing-to-collections), and in the [Ansible Community Guide](https://docs.ansible.com/ansible/latest/community/index.html). 14 | -------------------------------------------------------------------------------- /galaxy.yml: -------------------------------------------------------------------------------- 1 | --- 2 | namespace: telekom_mms 3 | name: acme 4 | version: 4.3.2 5 | readme: README.md 6 | authors: 7 | - Sebastian Gumprich 8 | - Andreas Hering 9 | description: >- 10 | This collection contains a role for issuing ssl certificates via the ACME protocol. By default Let's Encrypt certificates are issued but it is also possible to use other certificate authorities which implement the ACME protocol. 11 | license: 12 | - GPL-2.0-or-later 13 | license_file: "" 14 | tags: 15 | - acme 16 | - certificates 17 | - letsencrypt 18 | - security 19 | - ssl 20 | dependencies: 21 | community.crypto: ">=1.0.0" 22 | openstack.cloud: ">=1.2.1" 23 | amazon.aws: ">=5.0.0" 24 | azure.azcollection: ">=1.14.0" 25 | community.general: ">10.3.0" 26 | repository: https://github.com/telekom-mms/ansible-collection-acme 27 | documentation: https://github.com/telekom-mms/ansible-collection-acme 28 | homepage: https://github.com/telekom-mms/ansible-collection-acme 29 | issues: https://github.com/telekom-mms/ansible-collection-acme/issues 30 | build_ignore: 31 | - .ansible-lint 32 | - .gitattributes 33 | - .github 34 | - .yamllint 35 | - tests 36 | -------------------------------------------------------------------------------- /tests/integration/targets/acme_letsencrypt/dns-challenge-hetzner.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Create a test certificate for hetzner 3 | hosts: localhost 4 | roles: 5 | - telekom_mms.acme.acme 6 | vars: 7 | acme_challenge_provider: hetzner 8 | acme_use_live_directory: false 9 | acme_account_email: ssl-admin@example.de 10 | acme_force_renewal: true 11 | acme_domain: 12 | email_address: ssl-admin@example.de 13 | certificate_name: "{{ hetzner_domain_name }}.{{ hetzner_zone }}" 14 | zone: "{{ hetzner_zone }}" 15 | subject_alt_name: 16 | - "{{ hetzner_domain_name }}.{{ hetzner_zone }}" 17 | post_tasks: 18 | - name: Validate certs 19 | community.crypto.x509_certificate_info: 20 | path: "{{ acme_cert_path }}" 21 | register: result 22 | 23 | - name: Print the certificate 24 | ansible.builtin.debug: 25 | msg: "{{ result }}" 26 | 27 | - name: Check if the certificate has correct data 28 | ansible.builtin.assert: 29 | that: 30 | - result.subject.commonName == "{{ acme_domain.certificate_name }}" 31 | - "'DNS:{{ acme_domain.certificate_name }}' in result.subject_alt_name" 32 | - "'(STAGING) Artificial Apricot R3' in result.issuer.commonName" 33 | -------------------------------------------------------------------------------- /tests/integration/targets/acme_letsencrypt/dns-challenge-domain-offensive.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Create a test certificate for domain-offensive 3 | hosts: localhost 4 | roles: 5 | - telekom_mms.acme.acme 6 | vars: 7 | acme_challenge_provider: domain-offensive 8 | acme_use_live_directory: false 9 | acme_account_email: ssl-admin@example.de 10 | acme_force_renewal: true 11 | acme_domain: 12 | email_address: ssl-admin@example.de 13 | certificate_name: "{{ domain_offensive_zone }}" 14 | zone: "{{ domain_offensive_zone }}" 15 | subject_alt_name: 16 | - "{{ domain_offensive_domain_name }}" 17 | post_tasks: 18 | - name: Validate certs 19 | community.crypto.x509_certificate_info: 20 | path: "{{ acme_cert_path }}" 21 | register: result 22 | 23 | - name: Print the certificate 24 | ansible.builtin.debug: 25 | msg: "{{ result }}" 26 | 27 | - name: Check if the certificate has correct data 28 | ansible.builtin.assert: 29 | that: 30 | - result.subject.commonName == "{{ acme_domain.certificate_name }}" 31 | - "'DNS:{{ acme_domain.certificate_name }}' in result.subject_alt_name" 32 | - "'(STAGING) Artificial Apricot R3' in result.issuer.commonName" 33 | -------------------------------------------------------------------------------- /roles/acme/tasks/create-challenge.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Create-challenge block 3 | vars: 4 | # e.g. acme_provider_path is "challenge/http-01/s3.yml" > dirname is "challenge/http-01" > basename is "http-01" 5 | challenge_type: "{{ acme_provider_path | dirname | basename }}" 6 | block: 7 | - name: Create a challenge using a account key file for {{ acme_domain.certificate_name }} 8 | community.crypto.acme_certificate: 9 | account_key_src: "{{ acme_account_key_path }}" 10 | account_email: "{{ acme_account_email }}" 11 | csr: "{{ acme_csr_path }}" 12 | cert: "{{ acme_cert_path }}" 13 | challenge: "{{ challenge_type }}" 14 | force: "{{ acme_force_renewal | default(false) }}" 15 | acme_directory: "{{ acme_directory }}" 16 | acme_version: 2 17 | terms_agreed: true 18 | remaining_days: "{{ acme_remaining_days }}" 19 | validate_certs: "{{ acme_validate_certs | default(true) }}" 20 | register: acme_challenge 21 | 22 | - name: Handle challenge data # noqa no-handler 23 | ansible.builtin.set_fact: 24 | acme_challenge_data: "{{ acme_challenge | telekom_mms.acme.find_challenges(challenge_type, acme_domain.subject_alt_name) }}" 25 | when: 'acme_challenge is changed' 26 | -------------------------------------------------------------------------------- /docs/http-challenge/local.md: -------------------------------------------------------------------------------- 1 | # Variables for local http-challenge 2 | 3 | | Variable | Required | Default | Description 4 | |---------------------------------------|----------|---------------|------------ 5 | | acme_local_validation_path | no | /var/www/html | Path where the validation-/ hashfiles get created 6 | | acme_local_validation_path_file_owner | no | | User who owns the validation-/ hash- files and path 7 | | acme_local_validation_path_file_group | no | | Group who owns the validation-/ hash- files and path 8 | 9 | ## Validation 10 | 11 | Make sure that the validation-/ hashfile(s) is/are reachable by your configured vhost(s). 12 | 13 | ## Usage 14 | 15 | ```yaml 16 | - name: create the certificate for example.com 17 | hosts: localhost 18 | collections: 19 | - telekom_mms.acme 20 | roles: 21 | - acme 22 | vars: 23 | acme_domain: 24 | certificate_name: "example.com" 25 | zone: "example.com" 26 | email_address: "ssl-admin@example.com" 27 | subject_alt_name: 28 | - example.com 29 | - domain1.example.com 30 | - domain2.example.com 31 | acme_challenge_provider: "local" 32 | acme_use_live_directory: false 33 | acme_account_email: "ssl-admin@example.com" 34 | ``` 35 | -------------------------------------------------------------------------------- /tests/integration/targets/acme_letsencrypt/dns-challenge-pebble.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Create the certificate for example.de with dns-challenge provider "pebble" 3 | hosts: localhost 4 | roles: 5 | - telekom_mms.acme.acme 6 | vars: 7 | acme_domain: 8 | certificate_name: dns-pebble.example.de 9 | zone: example.de 10 | email_address: ssl-admin@example.de 11 | subject_alt_name: 12 | - example.de 13 | acme_challenge_provider: pebble 14 | acme_use_live_directory: false 15 | acme_account_email: ssl-admin@example.de 16 | acme_staging_directory: https://localhost:14000/dir 17 | acme_validate_certs: false 18 | post_tasks: 19 | - name: Validate certs 20 | community.crypto.x509_certificate_info: 21 | path: "{{ acme_cert_path }}" 22 | register: result 23 | 24 | - name: Print the certificate 25 | ansible.builtin.debug: 26 | msg: "{{ result }}" 27 | 28 | - name: Check if the certificate is correct 29 | ansible.builtin.assert: 30 | that: 31 | - "'DNS:example.de' in result.subject_alt_name" 32 | - "'Pebble Intermediate CA' in result.issuer.commonName" 33 | 34 | - name: Remove account identifier, to avoid cache problems in CI 35 | ansible.builtin.file: 36 | path: "{{ acme_account_key_path }}" 37 | state: absent 38 | -------------------------------------------------------------------------------- /docs/dns-challenge/openstack.md: -------------------------------------------------------------------------------- 1 | # Variables for openstack dns-challenge 2 | 3 | | Variable | Required | Default | Description 4 | |-----------------------------|----------|---------|------------ 5 | | acme_openstack_user_domain | yes | | user domain name like OTC-EU-DE-00000000001000000000 6 | | acme_openstack_auth_url | yes | | authentication api-url 7 | | acme_openstack_project_name | yes | | project name 8 | 9 | ## Usage 10 | 11 | ### wildcard certificate 12 | 13 | ```yaml 14 | - name: create the certificate for *.example.com 15 | hosts: localhost 16 | collections: 17 | - telekom_mms.acme 18 | roles: 19 | - acme 20 | vars: 21 | acme_challenge_provider: openstack 22 | acme_use_live_directory: false 23 | acme_openstack_user_domain: "OTC-EU-DE-00000000001000000000" 24 | acme_openstack_auth_url: "https://iam.eu-de.otc.t-systems.com:443/v3" 25 | acme_openstack_project_name: "eu-de" 26 | acme_domain: 27 | certificate_name: "wildcard.example.com" 28 | zone: "example.com" 29 | email_address: "ssl-admin@example.com" 30 | subject_alt_name: 31 | - "*.example.com" 32 | acme_account_email: "ssl-admin@example.com" 33 | acme_dns_user: "example_dns" 34 | acme_dns_password: !vault | 35 | $ANSIBLE_VAULT;1.1;AES256 36 | ... 37 | ``` 38 | -------------------------------------------------------------------------------- /roles/acme/tasks/create-keys.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Create key to be used for acme account 3 | community.crypto.openssl_privatekey: 4 | path: "{{ acme_account_key_path }}" 5 | size: "{{ acme_account_key_size }}" 6 | type: "{{ acme_account_key_type }}" 7 | curve: "{{ acme_account_key_curve }}" 8 | when: 9 | - acme_account_key_content is not defined 10 | no_log: true 11 | 12 | - name: Create account key file from acme_account_key_content-variable # noqa template-instead-of-copy 13 | ansible.builtin.copy: 14 | dest: "{{ acme_account_key_path }}" 15 | content: "{{ acme_account_key_content }}" 16 | mode: "0400" 17 | when: 18 | - acme_account_key_content is defined 19 | no_log: true 20 | 21 | - name: Create key to be used for certificate 22 | community.crypto.openssl_privatekey: 23 | path: "{{ acme_private_key_path }}" 24 | size: "{{ acme_private_key_size }}" 25 | type: "{{ acme_private_key_type }}" 26 | curve: "{{ acme_private_key_curve }}" 27 | when: 28 | - acme_private_key_content is not defined 29 | no_log: true 30 | 31 | - name: Create private key file from acme_private_key_content-variable # noqa template-instead-of-copy 32 | ansible.builtin.copy: 33 | dest: "{{ acme_private_key_path }}" 34 | content: "{{ acme_private_key_content }}" 35 | mode: "0400" 36 | when: 37 | - acme_private_key_content is defined 38 | no_log: true 39 | -------------------------------------------------------------------------------- /roles/acme/tasks/preconditions.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Check if a challenge provider is set 3 | ansible.builtin.assert: 4 | that: 5 | - acme_challenge_provider is defined 6 | - acme_challenge_provider != "" 7 | fail_msg: You need to set acme_challenge_provider with a provider. See documentation for a list of possible providers. 8 | 9 | - name: Check if a acme_domain is set 10 | ansible.builtin.assert: 11 | that: 12 | - acme_domain is defined 13 | - acme_domain != {} 14 | fail_msg: You need to set acme_domain. See documentation for a list of possibilities. 15 | 16 | - name: Set fact for acme_directory depending on what is set in acme_use_live_directory 17 | ansible.builtin.set_fact: 18 | acme_directory: "{{ acme_use_live_directory | ternary(acme_live_directory, acme_staging_directory) }}" 19 | 20 | - name: Create directories for acme certificates 21 | delegate_to: "{{ inventory_hostname }}" 22 | ansible.builtin.file: 23 | path: "{{ item }}" 24 | state: directory 25 | mode: "0750" 26 | loop: 27 | - "{{ acme_conf_dir }}" 28 | - "{{ acme_cert_dir }}" 29 | 30 | - name: Select provider {{ acme_challenge_provider }} 31 | ansible.builtin.set_fact: 32 | acme_provider_path: "{{ item }}" 33 | with_first_found: 34 | - challenge/dns-01/{{ acme_challenge_provider }}.yml 35 | - challenge/http-01/{{ acme_challenge_provider }}.yml 36 | - challenge-unknown.yml 37 | -------------------------------------------------------------------------------- /docs/dns-challenge/pebble.md: -------------------------------------------------------------------------------- 1 | # Variables for pebble dns-challenge 2 | 3 | This provider gets used in our integration tests for the DNS challenge. 4 | **This provider should not be used in other environments than for testing! 5 | The certificates are not trusted**. 6 | 7 | We start a Pebble and challtestsrv to validate a certificate for testing the role. 8 | This is also done for the provider of the local http-challenge. 9 | 10 | ## Usage 11 | 12 | ```yaml 13 | - name: create the certificate for example.com with dns-challenge provider "pebble" 14 | hosts: localhost 15 | collections: 16 | - telekom_mms.acme 17 | roles: 18 | - acme 19 | vars: 20 | acme_domain: 21 | certificate_name: "dns-pebble.example.com" 22 | zone: "example.com" 23 | email_address: "ssl-admin@example.com" 24 | subject_alt_name: 25 | - "example.com" 26 | acme_challenge_provider: "pebble" 27 | acme_use_live_directory: false 28 | acme_account_email: "ssl-admin@example.com" 29 | acme_staging_directory: "https://localhost:14000/dir" 30 | acme_validate_certs: false 31 | post_tasks: 32 | - name: validate certs 33 | community.crypto.x509_certificate_info: 34 | path: "{{ acme_cert_path }}" 35 | register: result 36 | 37 | - debug: 38 | msg: "{{ result }}" 39 | 40 | - assert: 41 | that: 42 | - result.subject.commonName == "example.com" 43 | - "'DNS:example.com' in result.subject_alt_name" 44 | - "'Pebble Intermediate CA' in result.issuer.commonName" 45 | ``` 46 | -------------------------------------------------------------------------------- /docs/dns-challenge/autodns.md: -------------------------------------------------------------------------------- 1 | # Variables for AutoDNS dns-challenge 2 | 3 | None 4 | 5 | ## Usage 6 | 7 | ### wildcard certificate 8 | 9 | ```yaml 10 | - name: create the certificate for *.example.com 11 | hosts: localhost 12 | collections: 13 | - telekom_mms.acme 14 | roles: 15 | - acme 16 | vars: 17 | acme_domain: 18 | certificate_name: "wildcard.example.com" 19 | zone: "example.com" 20 | email_address: "ssl-admin@example.com" 21 | subject_alt_name: 22 | - "*.example.com" 23 | acme_challenge_provider: autodns 24 | acme_use_live_directory: false 25 | acme_account_email: "ssl-admin@example.com" 26 | acme_dns_user: "example_dns" 27 | acme_dns_password: !vault | 28 | $ANSIBLE_VAULT;1.1;AES256 29 | ... 30 | ``` 31 | 32 | ### SAN certificate 33 | 34 | ```yaml 35 | - name: create the certificate for example.com 36 | hosts: localhost 37 | collections: 38 | - telekom_mms.acme 39 | roles: 40 | - acme 41 | vars: 42 | acme_domain: 43 | certificate_name: "wildcard.example.com" 44 | zone: "example.com" 45 | email_address: "ssl-admin@example.com" 46 | subject_alt_name: 47 | - "example.com" 48 | - "domain1.example.com" 49 | - "domain2.example.com" 50 | acme_challenge_provider: autodns 51 | acme_use_live_directory: false 52 | acme_account_email: "ssl-admin@example.com" 53 | acme_dns_user: "example_dns" 54 | acme_dns_password: !vault | 55 | $ANSIBLE_VAULT;1.1;AES256 56 | ... 57 | ``` 58 | -------------------------------------------------------------------------------- /tests/integration/targets/acme_letsencrypt/dns-challenge-include-role.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Test if include_role is working 3 | hosts: localhost 4 | tasks: 5 | - name: Create and upload Lets Encrypt certificates 6 | ansible.builtin.include_role: 7 | name: telekom_mms.acme.acme 8 | public: true 9 | vars: 10 | acme_domain: 11 | certificate_name: dns-pebble.example.com 12 | zone: example.com 13 | email_address: ssl-admin@example.com 14 | subject_alt_name: 15 | - example.com 16 | acme_challenge_provider: pebble 17 | acme_use_live_directory: false 18 | acme_account_email: ssl-admin@example.com 19 | acme_staging_directory: https://localhost:14000/dir 20 | acme_validate_certs: false 21 | post_tasks: 22 | - name: Validate certs 23 | vars: 24 | acme_domain: 25 | certificate_name: dns-pebble.example.com 26 | community.crypto.x509_certificate_info: 27 | path: "{{ acme_cert_path }}" 28 | register: result 29 | 30 | - name: Print the certificate 31 | ansible.builtin.debug: 32 | msg: "{{ result }}" 33 | 34 | - name: Check if the certificate is correct 35 | ansible.builtin.assert: 36 | that: 37 | - "'DNS:example.com' in result.subject_alt_name" 38 | - "'Pebble Intermediate CA' in result.issuer.commonName" 39 | 40 | - name: Remove account identifier, to avoid cache problems in CI 41 | ansible.builtin.file: 42 | path: "{{ acme_account_key_path }}" 43 | state: absent 44 | -------------------------------------------------------------------------------- /docs/dns-challenge/domain-offensive.md: -------------------------------------------------------------------------------- 1 | # Variables for Domain Offensive dns-challenge 2 | 3 | | Variable | Required | Default | Description 4 | |-------------------------|----------|---------|------------ 5 | | acme_dns_password | yes | | Let's Encrypt API-Token, you can get here: [do.de](https://my.do.de/settings/domains/general) 6 | 7 | ## Usage 8 | 9 | ### wildcard certificate 10 | 11 | ```yaml 12 | - name: create the certificate for *.example.com 13 | hosts: localhost 14 | collections: 15 | - telekom_mms.acme 16 | roles: 17 | - acme 18 | vars: 19 | acme_domain: 20 | certificate_name: "wildcard.example.com" 21 | zone: "example.com" 22 | email_address: "ssl-admin@example.com" 23 | subject_alt_name: 24 | - "*.example.com" 25 | acme_challenge_provider: domain-offensive 26 | acme_use_live_directory: false 27 | acme_account_email: "ssl-admin@example.com" 28 | acme_dns_password: !vault | 29 | $ANSIBLE_VAULT;1.1;AES256 30 | ... 31 | ``` 32 | 33 | ### SAN certificate 34 | 35 | ```yaml 36 | - name: create the certificate for example.com 37 | hosts: localhost 38 | collections: 39 | - telekom_mms.acme 40 | roles: 41 | - acme 42 | vars: 43 | acme_domain: 44 | certificate_name: "wildcard.example.com" 45 | zone: "example.com" 46 | email_address: "ssl-admin@example.com" 47 | subject_alt_name: 48 | - "example.com" 49 | - "domain1.example.com" 50 | - "domain2.example.com" 51 | acme_challenge_provider: domain-offensive 52 | acme_use_live_directory: false 53 | acme_account_email: "ssl-admin@example.com" 54 | acme_dns_password: !vault | 55 | $ANSIBLE_VAULT;1.1;AES256 56 | ... 57 | ``` 58 | -------------------------------------------------------------------------------- /roles/acme/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | ### global 3 | acme_domain: { } 4 | acme_conf_dir: "{{ lookup('env', 'HOME') }}/letsencrypt" 5 | acme_cert_dir: "{{ acme_conf_dir }}/certs" 6 | acme_prerequisites_packagemanager: yum 7 | 8 | ### http challenge / dns challenge 9 | acme_staging_directory: https://acme-staging-v02.api.letsencrypt.org/directory 10 | acme_live_directory: https://acme-v02.api.letsencrypt.org/directory 11 | acme_use_live_directory: false 12 | acme_account_key_path: "{{ acme_conf_dir }}/letsencrypt_account.pem" 13 | acme_account_key_size: "4096" 14 | acme_account_key_type: "ECC" 15 | acme_account_key_curve: "secp384r1" 16 | acme_csr_path: "{{ acme_cert_dir }}/{{ acme_domain.certificate_name }}.csr" 17 | acme_cert_path: "{{ acme_cert_dir }}/{{ acme_domain.certificate_name }}.pem" 18 | acme_pfx_cert_path: "{{ acme_cert_dir }}/{{ acme_domain.certificate_name }}.pfx" 19 | acme_intermediate_path: "{{ acme_cert_dir }}/{{ acme_domain.certificate_name }}_intermediate.pem" 20 | acme_fullchain_path: "{{ acme_cert_dir }}/{{ acme_domain.certificate_name }}_fullchain.pem" 21 | acme_private_key_path: "{{ acme_cert_dir }}/{{ acme_domain.certificate_name }}.key" 22 | acme_private_key_size: "4096" 23 | acme_private_key_type: "ECC" 24 | acme_private_key_curve: "secp384r1" 25 | acme_remaining_days: "30" 26 | acme_challenge_timeout: 3600 27 | 28 | ### provider specific config 29 | acme_s3_config_region: eu-west-1 30 | acme_s3_install_prerequisites: true 31 | acme_local_validation_path: /var/www/html 32 | acme_azure_purge_state: absent 33 | 34 | ### DNS nsupdate challenge parameters 35 | acme_nsupdate_replication_delay: 2 36 | acme_nsupdate_server: 192.168.1.1 37 | acme_nsupdate_ttl: 60 38 | acme_nsupdate_dns_key: 39 | name: 'nsupdate_key' 40 | algorithm: hmac-sha512 41 | secret: "" 42 | 43 | ### certificate download for non-persistent environments 44 | acme_download_cert: false 45 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # ACME Collection for Ansible 2 | 3 | This collection manages ACME certificates. 4 | 5 | ## Requirements 6 | * Ansible >= 2.9 7 | * Python >= 3 (if you want to use http-challenge via S3) 8 | 9 | ## Installation 10 | 11 | These modules are distributed as [collections](https://docs.ansible.com/ansible/latest/user_guide/collections_using.html). 12 | To install them, run: 13 | 14 | ```bash 15 | ansible-galaxy collection install telekom_mms.acme 16 | ``` 17 | 18 | Alternatively put the collection into a `requirements.yml`-file: 19 | 20 | ```yaml 21 | --- 22 | collections: 23 | - telekom_mms.acme 24 | ``` 25 | 26 | 27 | ## Usage 28 | 29 | Role `acme` for issuing certificates from a certificate authority which implements the ACME protocol. 30 | Please see [documentation](docs/role-acme.md) for variables, usage and further information for all the different providers. 31 | 32 | ## Testing 33 | 34 | We automatically test key-creation and csr-creation, the `local` http-provider and test the challenge with the local pebble provider. 35 | 36 | Automatically testing the various dns-challenge providers is hard, because we'd need to maintain accounts and zones on them (and pay for them). We'd also need to store credentials in CI which is a security risk. 37 | 38 | Here we list ways to manually test the dns-providers if you have access: 39 | 40 | * Hetzner 41 | 42 | ``` 43 | ansible-playbook tests/integration/targets/acme_letsencrypt/dns-challenge-hetzner.yml -e acme_hetzner_auth_token=YOUR_AUTH_TOKEN -e hetzner_domain_name="example.com" -e hetzner_zone="example.com" 44 | ``` 45 | 46 | * Domain-Offensive 47 | 48 | ``` 49 | ansible-playbook tests/integration/targets/acme_letsencrypt/dns-challenge-domain-offensive.yml -e acme_dns_password=YOUR_DO_AUTH_TOKEN -e domain_offensive_zone="example.com" -e domain_offensive_domain_name="example.com" 50 | ``` 51 | 52 | ## License 53 | 54 | GPLv3 55 | 56 | ## Author Information 57 | 58 | * Sebastian Gumprich 59 | * Andreas Hering 60 | -------------------------------------------------------------------------------- /roles/acme/tasks/challenge/dns-01/pebble.yml: -------------------------------------------------------------------------------- 1 | --- 2 | ### include/role 3 - validate challenge 3 | - name: Validate challenge only if it is created or changed # noqa no-handler 4 | when: acme_challenge is changed 5 | block: 6 | - name: Add a new TXT record to the SAN domains 7 | ansible.builtin.uri: 8 | url: http://localhost:8055/set-txt 9 | method: POST 10 | body_format: json 11 | # the dot after the hostname is required 12 | # crtl-f "Note that a period character is required at the end of the host name here." here: 13 | # https://github.com/letsencrypt/pebble/blob/master/cmd/pebble-challtestsrv/README.md 14 | body: 15 | { 16 | "host": "_acme-challenge.{{ item }}.", 17 | "value": "{{ acme_challenge_data[item]['dns-01']['resource_value'] }}" 18 | } 19 | loop: "{{ acme_domain.subject_alt_name }}" 20 | when: 21 | - acme_domain.subject_alt_name is defined 22 | # only runs if the challenge is run the first time, because then there is challenge_data 23 | - acme_challenge_data[item] is defined 24 | 25 | - name: Let the challenge be validated and retrieve the cert and intermediate certificate 26 | timeout: "{{ acme_challenge_timeout }}" 27 | community.crypto.acme_certificate: 28 | account_key_src: "{{ acme_account_key_path }}" 29 | account_email: "{{ acme_account_email }}" 30 | csr: "{{ acme_csr_path }}" 31 | cert: "{{ acme_cert_path }}" 32 | fullchain: "{{ acme_fullchain_path }}" 33 | chain: "{{ acme_intermediate_path }}" 34 | challenge: dns-01 35 | force: "{{ acme_force_renewal | default(false) }}" 36 | acme_directory: "{{ acme_directory }}" 37 | acme_version: 2 38 | terms_agreed: true 39 | remaining_days: "{{ acme_remaining_days }}" 40 | data: "{{ acme_challenge }}" 41 | validate_certs: "{{ acme_validate_certs | default(true) }}" 42 | -------------------------------------------------------------------------------- /roles/acme/tasks/challenge/dns-01/openstack.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Add new TXT record to DNS zone 3 | openstack.cloud.recordset: 4 | auth: 5 | auth_url: "{{ acme_openstack_auth_url }}" 6 | username: "{{ acme_dns_user }}" 7 | password: "{{ acme_dns_password }}" 8 | project_name: "{{ acme_openstack_project_name }}" 9 | user_domain_name: "{{ acme_openstack_user_domain }}" 10 | state: present 11 | recordset_type: txt 12 | records: 13 | - "\"{{ acme_challenge_data[item]['dns-01']['resource_value'] }}\"" 14 | name: _acme-challenge.{{ item | replace('*.', '') }}. 15 | zone: "{{ acme_domain.zone }}." 16 | loop: "{{ acme_domain.subject_alt_name }}" 17 | when: 18 | - acme_domain.subject_alt_name is defined 19 | - acme_challenge_data[item] is defined 20 | 21 | - name: Let the challenge be validated and retrieve the cert and intermediate certificate 22 | timeout: "{{ acme_challenge_timeout }}" 23 | community.crypto.acme_certificate: 24 | account_key_src: "{{ acme_account_key_path }}" 25 | account_email: "{{ acme_account_email }}" 26 | csr: "{{ acme_csr_path }}" 27 | cert: "{{ acme_cert_path }}" 28 | fullchain: "{{ acme_fullchain_path }}" 29 | chain: "{{ acme_intermediate_path }}" 30 | challenge: dns-01 31 | force: "{{ acme_force_renewal | default(false) }}" 32 | acme_directory: "{{ acme_directory }}" 33 | acme_version: 2 34 | terms_agreed: true 35 | remaining_days: "{{ acme_remaining_days }}" 36 | data: "{{ acme_challenge }}" 37 | 38 | - name: Remove TXT records from DNS zone 39 | openstack.cloud.recordset: 40 | auth: 41 | auth_url: "{{ acme_openstack_auth_url }}" 42 | username: "{{ acme_dns_user }}" 43 | password: "{{ acme_dns_password }}" 44 | project_name: "{{ acme_openstack_project_name }}" 45 | user_domain_name: "{{ acme_openstack_user_domain }}" 46 | state: absent 47 | name: _acme-challenge.{{ item | replace('*.', '') }}. 48 | zone: "{{ acme_domain.zone }}." 49 | loop: "{{ acme_domain.subject_alt_name }}" 50 | when: 51 | - acme_domain.subject_alt_name is defined 52 | - acme_challenge_data[item] is defined 53 | -------------------------------------------------------------------------------- /docs/dns-challenge/azure.md: -------------------------------------------------------------------------------- 1 | # Variables for azure dns-challenge 2 | 3 | | Variable | Required | Default | Description 4 | |---------------------------------|----------|---------|------------ 5 | | acme_azure_resource_group | yes | | Azure Resource Group for zone_name 6 | | subject_alt_name: top_level: | no | | List of top-level domains 7 | | subject_alt_name: second_level: | no | | List of second_level domains 8 | | acme_azure_purge_state | yes | absent | Define if the acme_challenge record should be `present` or `absent`. Useful if record deletion is impossible due to azure mgmt delete locks 9 | 10 | ## Usage 11 | 12 | ### wildcard certificate 13 | 14 | ```yaml 15 | - name: create the certificate for *.example.com 16 | hosts: localhost 17 | collections: 18 | - telekom_mms.acme 19 | roles: 20 | - acme 21 | vars: 22 | acme_challenge_provider: azure 23 | acme_use_live_directory: true 24 | acme_account_email: "ssl-admin@example.com" 25 | acme_azure_resource_group: "azure_resource_group" 26 | acme_convert_cert_to: pfx 27 | acme_azure_purge_state: present 28 | acme_domain: 29 | email_address: "ssl-admin@example.com" 30 | certificate_name: "wildcard.example.com" 31 | zone: "example.com" 32 | subject_alt_name: 33 | top_level: 34 | - "*.example.com" 35 | ``` 36 | 37 | ### SAN certificate 38 | 39 | ```yaml 40 | - name: create the certificate for example.com 41 | hosts: localhost 42 | collections: 43 | - telekom_mms.acme 44 | roles: 45 | - acme 46 | vars: 47 | acme_challenge_provider: azure 48 | acme_use_live_directory: true 49 | acme_account_email: "ssl-admin@example.com" 50 | acme_azure_resource_group: "azure_resource_group" 51 | acme_convert_cert_to: pfx 52 | acme_domain: 53 | certificate_name: "example.com" 54 | zone: "example.com" 55 | email_address: "ssl-admin@example.com" 56 | subject_alt_name: 57 | top_level: 58 | - example.com 59 | - domain1.example.com 60 | - domain2.example.com 61 | second_level: 62 | - domain1.example.co.uk" 63 | ``` 64 | -------------------------------------------------------------------------------- /roles/acme/tasks/challenge/dns-01/domain-offensive.yml: -------------------------------------------------------------------------------- 1 | --- 2 | ### include/role 3 - validate challenge 3 | - name: Validate challenge only if it is created or changed # noqa no-handler 4 | when: acme_challenge is changed 5 | block: 6 | - name: Add a new TXT record to the SAN domains 7 | ansible.builtin.uri: 8 | url: "https://my.do.de/api/letsencrypt" 9 | body_format: form-multipart 10 | body: 11 | token: "{{ acme_dns_password }}" 12 | domain: "_acme-challenge.{{ item | replace('*.', '') }}" 13 | value: "{{ acme_challenge_data[item]['dns-01']['resource_value'] }}" 14 | ttl: "120" 15 | method: POST 16 | loop: "{{ acme_domain.subject_alt_name }}" 17 | when: 18 | - acme_domain.subject_alt_name is defined 19 | # only runs if the challenge is run the first time, because then there is challenge_data 20 | - acme_challenge_data[item] is defined 21 | 22 | - name: Let the challenge be validated and retrieve the cert and intermediate certificate 23 | timeout: "{{ acme_challenge_timeout }}" 24 | community.crypto.acme_certificate: 25 | account_key_src: "{{ acme_account_key_path }}" 26 | account_email: "{{ acme_account_email }}" 27 | csr: "{{ acme_csr_path }}" 28 | cert: "{{ acme_cert_path }}" 29 | fullchain: "{{ acme_fullchain_path }}" 30 | chain: "{{ acme_intermediate_path }}" 31 | challenge: dns-01 32 | force: "{{ acme_force_renewal | default(false) }}" 33 | acme_directory: "{{ acme_directory }}" 34 | acme_version: 2 35 | terms_agreed: true 36 | remaining_days: "{{ acme_remaining_days }}" 37 | data: "{{ acme_challenge }}" 38 | 39 | always: 40 | - name: Remove created SAN TXT records to keep DNS zone clean 41 | ansible.builtin.uri: 42 | url: "https://my.do.de/api/letsencrypt" 43 | body_format: form-multipart 44 | body: 45 | token: "{{ acme_dns_password }}" 46 | domain: "_acme-challenge.{{ item | replace('*.', '') }}" 47 | value: "{{ acme_challenge_data[item]['dns-01']['resource_value'] }}" 48 | action: delete 49 | method: POST 50 | loop: "{{ acme_domain.subject_alt_name }}" 51 | when: 52 | - acme_domain.subject_alt_name is defined 53 | # only runs if the challenge is run the first time, because then there is challenge_data 54 | - acme_challenge_data[item] is defined 55 | -------------------------------------------------------------------------------- /roles/acme/tasks/challenge/http-01/local.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Create directory for challenge/hash files 3 | ansible.builtin.file: 4 | path: "{{ acme_local_validation_path }}/.well-known/acme-challenge" 5 | state: directory 6 | mode: "0755" 7 | owner: "{{ acme_local_validation_path_file_owner | default(omit) }}" 8 | group: "{{ acme_local_validation_path_file_group | default(omit) }}" 9 | 10 | - name: Validate challenge only if it is created or changed # noqa no-handler 11 | when: acme_challenge is changed 12 | block: 13 | - name: Create challenge/hash files with SAN domains # noqa template-instead-of-copy 14 | ansible.builtin.copy: 15 | dest: "{{ acme_local_validation_path }}/{{ acme_challenge_data[item]['http-01']['resource'] }}" 16 | content: "{{ acme_challenge_data[item]['http-01']['resource_value'] }}" 17 | mode: "0640" 18 | owner: "{{ acme_local_validation_path_file_owner | default(omit) }}" 19 | group: "{{ acme_local_validation_path_file_group | default(omit) }}" 20 | loop: "{{ acme_domain.subject_alt_name }}" 21 | when: 22 | - acme_domain.subject_alt_name is defined 23 | # only runs if the challenge is run the first time, because then there is challenge_data 24 | - acme_challenge_data[item] is defined 25 | 26 | # validate certificate 27 | - name: Let the challenge be validated and retrieve the cert and intermediate certificate 28 | community.crypto.acme_certificate: 29 | account_key_src: "{{ acme_account_key_path }}" 30 | account_email: "{{ acme_account_email }}" 31 | csr: "{{ acme_csr_path }}" 32 | cert: "{{ acme_cert_path }}" 33 | fullchain: "{{ acme_fullchain_path }}" 34 | chain: "{{ acme_intermediate_path }}" 35 | challenge: http-01 36 | force: "{{ acme_force_renewal | default(false) }}" 37 | acme_directory: "{{ acme_directory }}" 38 | acme_version: 2 39 | terms_agreed: true 40 | remaining_days: "{{ acme_remaining_days }}" 41 | data: "{{ acme_challenge }}" 42 | validate_certs: "{{ acme_validate_certs | default(true) }}" 43 | 44 | - name: Remove challenge/hash files for SAN domains from fs 45 | ansible.builtin.file: 46 | dest: "{{ acme_local_validation_path }}/{{ acme_challenge_data[item]['http-01']['resource'] }}" 47 | state: absent 48 | loop: "{{ acme_domain.subject_alt_name }}" 49 | when: 50 | - acme_domain.subject_alt_name is defined 51 | # only runs if the challenge is run the first time, because then there is challenge_data 52 | - acme_challenge_data[item] is defined 53 | -------------------------------------------------------------------------------- /roles/acme/tasks/create-csr.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Create CSR for certificate 3 | community.crypto.openssl_csr: 4 | path: "{{ acme_csr_path }}" 5 | privatekey_path: "{{ acme_private_key_path }}" 6 | email_address: "{{ acme_domain.email_address }}" 7 | country_name: "{{ acme_domain.country | default(omit) }}" 8 | state_or_province_name: "{{ acme_domain.state_or_province | default(omit) }}" 9 | locality_name: "{{ acme_domain.locality | default(omit) }}" 10 | organization_name: "{{ acme_domain.organization | default(omit) }}" 11 | organizational_unit_name: "{{ acme_domain.organizational_unit | default(omit) }}" 12 | common_name: "{{ acme_domain.common_name | default(omit) }}" 13 | subject_alt_name: DNS:{{ acme_domain.subject_alt_name | join(',DNS:') }} 14 | when: 15 | - acme_domain.subject_alt_name.top_level is undefined and acme_domain.subject_alt_name.second_level is undefined 16 | - '"dns-01" in acme_provider_path' 17 | 18 | - name: Create CSR for certificate 19 | community.crypto.openssl_csr: 20 | path: "{{ acme_csr_path }}" 21 | privatekey_path: "{{ acme_private_key_path }}" 22 | email_address: "{{ acme_domain.email_address }}" 23 | country_name: "{{ acme_domain.country | default(omit) }}" 24 | state_or_province_name: "{{ acme_domain.state_or_province | default(omit) }}" 25 | locality_name: "{{ acme_domain.locality | default(omit) }}" 26 | organization_name: "{{ acme_domain.organization | default(omit) }}" 27 | organizational_unit_name: "{{ acme_domain.organizational_unit | default(omit) }}" 28 | common_name: "{{ acme_domain.common_name | default(omit) }}" 29 | subject_alt_name: DNS:{{ (acme_domain.subject_alt_name.top_level | default([])) | union(acme_domain.subject_alt_name.second_level | default([])) | join(',DNS:') }} # noqa yaml[line-length] 30 | when: 31 | - acme_domain.subject_alt_name.top_level is defined or acme_domain.subject_alt_name.second_level is defined 32 | - '"dns-01" in acme_provider_path' 33 | 34 | - name: Create CSR for certificate 35 | community.crypto.openssl_csr: 36 | path: "{{ acme_csr_path }}" 37 | privatekey_path: "{{ acme_private_key_path }}" 38 | email_address: "{{ acme_domain.email_address }}" 39 | country_name: "{{ acme_domain.country | default(omit) }}" 40 | state_or_province_name: "{{ acme_domain.state_or_province | default(omit) }}" 41 | locality_name: "{{ acme_domain.locality | default(omit) }}" 42 | organization_name: "{{ acme_domain.organization | default(omit) }}" 43 | organizational_unit_name: "{{ acme_domain.organizational_unit | default(omit) }}" 44 | common_name: "{{ acme_domain.common_name | default(omit) }}" 45 | subject_alt_name: DNS:{{ acme_domain.subject_alt_name | join(',DNS:') }} 46 | when: 47 | - '"http-01" in acme_provider_path' 48 | -------------------------------------------------------------------------------- /tests/integration/targets/acme_letsencrypt/http-challenge-local.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Create the certificate for example.de with http-challenge provider "local" 3 | hosts: localhost 4 | roles: 5 | - telekom_mms.acme.acme 6 | vars: 7 | acme_domain: 8 | certificate_name: http-local.example.de 9 | zone: example.de 10 | email_address: ssl-admin@example.de 11 | country: GB 12 | state_or_province: Anytown 13 | locality: Main Street 14 | organization: ACME Inc. 15 | organizational_unit: ACME Security 16 | subject_alt_name: 17 | - example.de 18 | acme_challenge_provider: local 19 | acme_local_validation_path: /tmp 20 | acme_use_live_directory: false 21 | acme_account_email: ssl-admin@example.de 22 | acme_staging_directory: https://localhost:14000/dir 23 | acme_validate_certs: false 24 | post_tasks: 25 | - name: Validate certificate signing request 26 | community.crypto.openssl_csr_info: 27 | path: "{{ acme_csr_path }}" 28 | register: result_csr 29 | 30 | - name: Print CSR 31 | ansible.builtin.debug: 32 | msg: "{{ result_csr }}" 33 | 34 | # When defining subject fields like countryName, no commonName will be in the subject field of the CSR or final cert, 35 | # so we do not need to test for a commonName. 36 | - name: Check if the CSR has correct data 37 | ansible.builtin.assert: 38 | that: 39 | - "'DNS:example.de' in result_csr.subject_alt_name" 40 | - result_csr.subject.emailAddress == "ssl-admin@example.de" 41 | - result_csr.subject.countryName == "GB" 42 | - result_csr.subject.stateOrProvinceName == "Anytown" 43 | - result_csr.subject.localityName == "Main Street" 44 | - result_csr.subject.organizationName == "ACME Inc." 45 | - result_csr.subject.organizationalUnitName == "ACME Security" 46 | 47 | - name: Validate certs 48 | community.crypto.x509_certificate_info: 49 | path: "{{ acme_cert_path }}" 50 | register: result 51 | 52 | - name: Print certificate 53 | ansible.builtin.debug: 54 | msg: "{{ result }}" 55 | 56 | # Pebble (the CA software for these tests) does throw away the subject fields, so it is not reasonable to test for them in the final cert. 57 | # Nonetheless, other CA software processes the subject fields for the final cert, which is why the CSR is tested above for these fields. 58 | - name: Check if the certificate has correct data 59 | ansible.builtin.assert: 60 | that: 61 | - "'DNS:example.de' in result.subject_alt_name" 62 | - "'Pebble Intermediate CA' in result.issuer.commonName" 63 | 64 | - name: Remove account identifier, to avoid cache problems in CI 65 | ansible.builtin.file: 66 | path: "{{ acme_account_key_path }}" 67 | state: absent 68 | -------------------------------------------------------------------------------- /roles/acme/tasks/challenge/dns-01/hetzner.yml: -------------------------------------------------------------------------------- 1 | --- 2 | ### include/role 3 - validate challenge 3 | - name: Validate challenge only if it is created or changed # noqa no-handler 4 | when: acme_challenge is changed 5 | block: 6 | - name: Lookup the zone_id using the acme_domain.zone 7 | ansible.builtin.uri: 8 | url: https://dns.hetzner.com/api/v1/zones?name={{ acme_domain.zone }} 9 | headers: 10 | Auth-API-Token: "{{ acme_hetzner_auth_token }}" 11 | register: acme_lookup_zone_id 12 | 13 | - name: Add a new TXT record to the SAN domains 14 | ansible.builtin.uri: 15 | url: https://dns.hetzner.com/api/v1/records 16 | method: POST 17 | body_format: json 18 | body: 19 | { 20 | "name": "{{ '_acme-challenge' }}{{ '' if item | replace('*.', '') == (item.split('.')[-2:] | join('.')) else '.' }}\ 21 | {{ (item | replace('*.', '')).split('.')[:-2] | join('.') }}", 22 | "ttl": 60, 23 | "type": "TXT", 24 | "value": "{{ acme_challenge_data[item]['dns-01']['resource_value'] }}", 25 | "zone_id": "{{ acme_lookup_zone_id.json.zones[0].id }}", 26 | } 27 | headers: 28 | Auth-API-Token: "{{ acme_hetzner_auth_token }}" 29 | loop: "{{ acme_domain.subject_alt_name }}" 30 | register: acme_records 31 | when: 32 | - acme_domain.subject_alt_name is defined 33 | # only runs if the challenge is run the first time, because then there is challenge_data 34 | - acme_challenge_data[item] is defined 35 | 36 | - name: Wait 20 seconds 37 | ansible.builtin.pause: 38 | seconds: 20 39 | 40 | - name: Let the challenge be validated and retrieve the cert and intermediate certificate 41 | timeout: "{{ acme_challenge_timeout }}" 42 | community.crypto.acme_certificate: 43 | account_key_src: "{{ acme_account_key_path }}" 44 | account_email: "{{ acme_account_email }}" 45 | csr: "{{ acme_csr_path }}" 46 | cert: "{{ acme_cert_path }}" 47 | fullchain: "{{ acme_fullchain_path }}" 48 | chain: "{{ acme_intermediate_path }}" 49 | challenge: dns-01 50 | force: "{{ acme_force_renewal | default(false) }}" 51 | acme_directory: "{{ acme_directory }}" 52 | acme_version: 2 53 | terms_agreed: true 54 | remaining_days: "{{ acme_remaining_days }}" 55 | data: "{{ acme_challenge }}" 56 | 57 | - name: Remove created SAN TXT records to keep DNS zone clean 58 | ansible.builtin.uri: 59 | url: https://dns.hetzner.com/api/v1/records/{{ item }} 60 | method: DELETE 61 | headers: 62 | Auth-API-Token: "{{ acme_hetzner_auth_token }}" 63 | loop: "{{ acme_records | json_query('results[*].json.record.id') }}" 64 | when: 65 | - acme_domain.subject_alt_name is defined 66 | # only runs if the challenge is run the first time, because then there is challenge_data 67 | - item is defined 68 | -------------------------------------------------------------------------------- /docs/http-challenge/s3.md: -------------------------------------------------------------------------------- 1 | # Variables for s3 http-challenge 2 | 3 | | Variable | Required | Default | Description | 4 | |-------------------------------|----------|-----------|-------------------------------------------------------------------| 5 | | acme_s3_bucket_name | yes | | name of the s3 bucket which should be used | 6 | | acme_s3_access_key | yes | | aws access key for API user of s3 bucket | 7 | | acme_s3_secret_key | yes | | aws secret key for API user of s3 bucket | 8 | | acme_s3_config_region | no | us-west-1 | aws s3 region in which bucket can be found | 9 | | acme_s3_install_prerequisites | no | true | install python-boto3 as prerequisite for s3 challenge file upload | 10 | | acme_s3_endpoint_url | no | omit | use this URL for S3 access instead of AWS | 11 | 12 | ## Validation 13 | 14 | You have to set a redirect rule in your proxy or webserver to allow the acme challenge bot to read the file, during the http-01 challenge to work. 15 | 16 | *Please note that the URL for the bucket needs to be adjusted to the name of your used bucket.* 17 | 18 | **HaProxy variant 1:** 19 | *should work with all versions* 20 | 21 | ```bash 22 | # lets encrypt redirect 23 | http-request del-header X-REWRITE 24 | http-request add-header X-REWRITE %[url] if { path_beg /.well-known/acme-challenge } 25 | http-request replace-header X-REWRITE ^(.well-known/acme-challenge/.*)?$ /\1 if { hdr_cnt(X-REWRITE) gt 0 } 26 | http-request redirect code 301 location https://your-bucket-name.s3.amazonaws.com%[hdr(X-REWRITE)] if { hdr_cnt(X-REWRITE) gt 0 } 27 | ``` 28 | 29 | **HaProxy variant 2:** 30 | *works with version >= 1.6* 31 | 32 | ```bash 33 | http-request redirect code 301 location https://your-bucket-name.s3.amazonaws.com%[url,regsub(^/.well-known/acme-challenge,/.well-known/acme-challenge,)] if { path_beg /.well-known/acme-challenge } 34 | ``` 35 | 36 | (can be set in frontend or backend definition) 37 | 38 | **Apache:** 39 | 40 | ```bash 41 | RewriteRule (\.well-known/acme-challenge.*) https://your-bucket-name.s3.amazonaws.com/$1 42 | ``` 43 | 44 | **Nginx:** 45 | 46 | ```bash 47 | rewrite (\.well-known/acme-challenge.*) https://your-bucket-name.s3.amazonaws.com/$1 48 | ``` 49 | 50 | ## Usage 51 | 52 | ```yaml 53 | - name: create the certificate for example.com 54 | hosts: localhost 55 | collections: 56 | - telekom_mms.acme 57 | roles: 58 | - acme 59 | vars: 60 | acme_domain: 61 | certificate_name: "example.com" 62 | zone: "example.com" 63 | email_address: "ssl-admin@example.com" 64 | subject_alt_name: 65 | - example.com 66 | - domain1.example.com 67 | - domain2.example.com 68 | acme_challenge_provider: "s3" 69 | acme_use_live_directory: false 70 | acme_account_email: "ssl-admin@example.com" 71 | acme_s3_bucket_name: "example-ssl-bucket" 72 | acme_s3_access_key: !vault | 73 | $ANSIBLE_VAULT;1.1;AES256 74 | ... 75 | acme_s3_secret_key: !vault | 76 | $ANSIBLE_VAULT;1.1;AES256 77 | ... 78 | ``` 79 | -------------------------------------------------------------------------------- /roles/acme/tasks/challenge/dns-01/autodns.yml: -------------------------------------------------------------------------------- 1 | --- 2 | ### include/role 3 - validate challenge 3 | - name: Validate challenge only if it is created or changed 4 | when: acme_challenge is changed 5 | block: 6 | - name: Login to autodns # noqa no-handler 7 | ansible.builtin.uri: 8 | url: https://api.autodns.com/v1/login 9 | method: POST 10 | body_format: json 11 | body: { context: "4", user: "{{ acme_dns_user }}", password: "{{ acme_dns_password }}" } 12 | register: acme_login 13 | 14 | - name: Add a new TXT record to the SAN domains 15 | ansible.builtin.uri: 16 | url: https://api.autodns.com/v1/zone/{{ acme_domain.zone }}/a.ns14.net 17 | method: PATCH 18 | body_format: json 19 | body: 20 | { 21 | "origin": "{{ item }}", 22 | "resourceRecordsAdd": [ 23 | { 24 | # "remove" '*.' from entry when it occurs. without it it would try to create a 25 | # record like _acme-challenge.*.example.com which is not allowed by AutoDNS 26 | # see: https://jinja.palletsprojects.com/en/master/templates/#replace 27 | # and: https://jbmoelker.github.io/jinja-compat-tests/filters/replace/#pattern 28 | "name": "_acme-challenge.{{ item | replace('*.', '') }}", 29 | "ttl": 60, 30 | "type": "TXT", 31 | "value": "{{ acme_challenge_data[item]['dns-01']['resource_value'] }}" 32 | } 33 | ] 34 | } 35 | headers: 36 | Cookie: "{{ acme_login.set_cookie }}" 37 | loop: "{{ acme_domain.subject_alt_name }}" 38 | when: 39 | - acme_domain.subject_alt_name is defined 40 | # only runs if the challenge is run the first time, because then there is challenge_data 41 | - acme_challenge_data[item] is defined 42 | 43 | - name: Let the challenge be validated and retrieve the cert and intermediate certificate 44 | timeout: "{{ acme_challenge_timeout }}" 45 | community.crypto.acme_certificate: 46 | account_key_src: "{{ acme_account_key_path }}" 47 | account_email: "{{ acme_account_email }}" 48 | csr: "{{ acme_csr_path }}" 49 | cert: "{{ acme_cert_path }}" 50 | fullchain: "{{ acme_fullchain_path }}" 51 | chain: "{{ acme_intermediate_path }}" 52 | challenge: dns-01 53 | force: "{{ acme_force_renewal | default(false) }}" 54 | acme_directory: "{{ acme_directory }}" 55 | acme_version: 2 56 | terms_agreed: true 57 | remaining_days: "{{ acme_remaining_days }}" 58 | data: "{{ acme_challenge }}" 59 | 60 | always: 61 | - name: Remove created SAN TXT records to keep DNS zone clean 62 | ansible.builtin.uri: 63 | url: https://api.autodns.com/v1/zone/{{ acme_domain.zone }}/a.ns14.net 64 | method: PATCH 65 | body_format: json 66 | body: 67 | { 68 | "origin": "{{ item }}", 69 | "resourceRecordsRem": [ 70 | { 71 | "name": "_acme-challenge.{{ item | replace('*.', '') }}", 72 | "ttl": 60, 73 | "type": "TXT", 74 | "value": "{{ acme_challenge_data[item]['dns-01']['resource_value'] }}" 75 | } 76 | ] 77 | } 78 | headers: 79 | Cookie: "{{ acme_login.set_cookie }}" 80 | loop: "{{ acme_domain.subject_alt_name }}" 81 | when: 82 | - acme_domain.subject_alt_name is defined 83 | # only runs if the challenge is run the first time, because then there is challenge_data 84 | - acme_challenge_data[item] is defined 85 | -------------------------------------------------------------------------------- /roles/acme/tasks/challenge/dns-01/nsupdate.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # include/role 3 - validate challenge 3 | - name: Validate challenge only if it is created or changed # noqa no-handler 4 | when: acme_challenge is changed 5 | connection: local 6 | delegate_to: localhost 7 | block: 8 | - name: Add a new TXT record to the relevant domains 9 | vars: 10 | record_name: "_acme-challenge.{{ domain | replace('*.', '') }}." # replace '*.' in the case of a wildcard 11 | record_data: "{{ acme_challenge_data[domain]['dns-01']['resource_value'] }}" 12 | community.general.nsupdate: 13 | key_name: "{{ acme_nsupdate_dns_key.name | default('nsupdate_key') }}" 14 | key_secret: "{{ acme_nsupdate_dns_key.secret }}" 15 | key_algorithm: "{{ acme_nsupdate_dns_key.algorithm | default('hmac-sha512') }}" 16 | server: "{{ acme_nsupdate_server }}" 17 | zone: "{{ acme_domain.zone | default(domain) }}" 18 | record: "{{ record_name }}" 19 | value: "{{ record_data }}" 20 | type: "TXT" 21 | ttl: "{{ acme_nsupdate_ttl }}" 22 | loop: "{{ acme_domain.subject_alt_name }}" 23 | loop_control: 24 | label: "zone={{ domain | replace('*.', '') }} rr={{ record_name }} (TXT) {{ record_data }}" 25 | loop_var: "domain" 26 | when: 27 | - acme_domain.subject_alt_name is defined 28 | # only runs if the challenge is run the first time, because then there is challenge_data 29 | - domain in acme_challenge_data 30 | 31 | - name: Wait for DNS replication to catch up 32 | ansible.builtin.pause: 33 | seconds: "{{ acme_nsupdate_replication_delay }}" 34 | 35 | - name: Let the challenge be validated and retrieve the cert and intermediate certificate 36 | timeout: "{{ acme_challenge_timeout }}" 37 | community.crypto.acme_certificate: 38 | account_key_src: "{{ acme_account_key_path }}" 39 | account_email: "{{ acme_account_email }}" 40 | csr: "{{ acme_csr_path }}" 41 | cert: "{{ acme_cert_path }}" 42 | fullchain: "{{ acme_fullchain_path }}" 43 | chain: "{{ acme_intermediate_path }}" 44 | challenge: dns-01 45 | force: "{{ acme_force_renewal | default(false) }}" 46 | acme_directory: "{{ acme_directory }}" 47 | acme_version: 2 48 | terms_agreed: true 49 | remaining_days: "{{ acme_remaining_days }}" 50 | data: "{{ acme_challenge }}" 51 | when: 52 | - acme_certificate_enabled | default(true) 53 | 54 | always: 55 | - name: Remove the TXT record from the relevant domains 56 | vars: 57 | record_name: "_acme-challenge.{{ domain | replace('*.', '') }}." # replace '*.' in the case of a wildcard 58 | record_data: "{{ acme_challenge_data[domain]['dns-01']['resource_value'] }}" 59 | community.general.nsupdate: 60 | key_name: "{{ acme_nsupdate_dns_key.name | default('nsupdate_key') }}" 61 | key_secret: "{{ acme_nsupdate_dns_key.secret }}" 62 | key_algorithm: "{{ acme_nsupdate_dns_key.algorithm | default('hmac-sha512') }}" 63 | server: "{{ acme_nsupdate_server }}" 64 | zone: "{{ acme_domain.zone | default(domain) }}" 65 | record: "{{ record_name }}" 66 | value: "{{ record_data }}" 67 | type: "TXT" 68 | ttl: "{{ acme_nsupdate_ttl }}" 69 | state: absent 70 | loop: "{{ acme_domain.subject_alt_name }}" 71 | loop_control: 72 | label: "zone={{ domain | replace('*.', '') }} rr={{ record_name }} (TXT) {{ record_data }}" 73 | loop_var: "domain" 74 | when: 75 | - acme_domain.subject_alt_name is defined 76 | # only runs if the challenge is run the first time, because then there is challenge_data 77 | - domain in acme_challenge_data 78 | -------------------------------------------------------------------------------- /roles/acme/tasks/challenge/http-01/s3.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Install prerequisites on localhost 3 | delegate_to: localhost 4 | ansible.builtin.package: 5 | name: 6 | - python-boto3 7 | state: present 8 | use: "{{ acme_prerequisites_packagemanager }}" 9 | when: 10 | - acme_s3_install_prerequisites | bool 11 | 12 | - name: Validate challenge only if it is created or changed # noqa no-handler 13 | when: acme_challenge is changed 14 | block: 15 | - name: Create challenge file with SAN domain for s3 upload # noqa template-instead-of-copy 16 | ansible.builtin.copy: 17 | dest: acme-challenge.{{ item }} 18 | content: "{{ acme_challenge_data[item]['http-01']['resource_value'] }}" 19 | mode: "0640" 20 | loop: "{{ acme_domain.subject_alt_name }}" 21 | when: 22 | - acme_domain.subject_alt_name is defined 23 | # only runs if the challenge is run the first time, because then there is challenge_data 24 | - acme_challenge_data[item] is defined 25 | 26 | - name: Upload challenge file for SAN domain to s3 bucket 27 | amazon.aws.s3_object: 28 | access_key: "{{ acme_s3_access_key }}" 29 | secret_key: "{{ acme_s3_secret_key }}" 30 | bucket: "{{ acme_s3_bucket_name }}" 31 | object: "{{ acme_challenge_data[item]['http-01']['resource'] }}" 32 | src: acme-challenge.{{ item }} 33 | mode: put 34 | region: "{{ acme_s3_config_region }}" 35 | permission: public-read 36 | endpoint_url: "{{ acme_s3_endpoint_url | default(omit) }}" 37 | loop: "{{ acme_domain.subject_alt_name }}" 38 | when: 39 | - acme_domain.subject_alt_name is defined 40 | # only runs if the challenge is run the first time, because then there is challenge_data 41 | - acme_challenge_data[item] is defined 42 | 43 | # validate certificate 44 | - name: Let the challenge be validated and retrieve the cert and intermediate certificate 45 | community.crypto.acme_certificate: 46 | account_key_src: "{{ acme_account_key_path }}" 47 | account_email: "{{ acme_account_email }}" 48 | csr: "{{ acme_csr_path }}" 49 | cert: "{{ acme_cert_path }}" 50 | fullchain: "{{ acme_fullchain_path }}" 51 | chain: "{{ acme_intermediate_path }}" 52 | challenge: http-01 53 | force: "{{ acme_force_renewal | default(false) }}" 54 | acme_directory: "{{ acme_directory }}" 55 | acme_version: 2 56 | terms_agreed: true 57 | remaining_days: "{{ acme_remaining_days }}" 58 | data: "{{ acme_challenge }}" 59 | 60 | - name: Remove challenge file for SAN domain from s3 bucket 61 | amazon.aws.s3_object: 62 | access_key: "{{ acme_s3_access_key }}" 63 | secret_key: "{{ acme_s3_secret_key }}" 64 | bucket: "{{ acme_s3_bucket_name }}" 65 | object: "{{ acme_challenge_data[item]['http-01']['resource'] }}" 66 | mode: delobj 67 | region: "{{ acme_s3_config_region }}" 68 | endpoint_url: "{{ acme_s3_endpoint_url | default(omit) }}" 69 | loop: "{{ acme_domain.subject_alt_name }}" 70 | when: 71 | - acme_domain.subject_alt_name is defined 72 | # only runs if the challenge is run the first time, because then there is challenge_data 73 | - acme_challenge_data[item] is defined 74 | 75 | - name: Remove challenge file for SAN domain from fs 76 | ansible.builtin.file: 77 | dest: acme-challenge.{{ item }} 78 | state: absent 79 | loop: "{{ acme_domain.subject_alt_name }}" 80 | when: 81 | - acme_domain.subject_alt_name is defined 82 | # only runs if the challenge is run the first time, because then there is challenge_data 83 | - acme_challenge_data[item] is defined 84 | -------------------------------------------------------------------------------- /roles/acme/tasks/challenge/http-01/azbs.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Validate challenge only if it is created or changed # noqa no-handler 3 | when: acme_challenge is changed 4 | block: 5 | - name: Create challenge file with SAN domain for azure blob storage upload # noqa template-instead-of-copy 6 | ansible.builtin.copy: 7 | dest: acme-challenge.{{ item }} 8 | content: "{{ acme_challenge_data[item]['http-01']['resource_value'] }}" 9 | mode: "0640" 10 | loop: "{{ acme_domain.subject_alt_name }}" 11 | when: 12 | - acme_domain.subject_alt_name is defined 13 | # only runs if the challenge is run the first time, because then there is challenge_data 14 | - acme_challenge_data[item] is defined 15 | 16 | - name: Create storage container and upload challenge file to it 17 | azure.azcollection.azure_rm_storageblob: 18 | resource_group: "{{ acme_azbs_resource_group }}" 19 | storage_account_name: "{{ acme_azbs_storage_account_name }}" 20 | public_access: blob 21 | container: "{{ acme_azbs_container_name }}" 22 | blob: "{{ acme_challenge_data[item]['http-01']['resource'] }}" 23 | src: acme-challenge.{{ item }} 24 | content_type: text/plain # _type or _encoding have to be set 25 | subscription_id: "{{ acme_azbs_subscription_id }}" 26 | client_id: "{{ acme_azbs_client_id }}" 27 | secret: "{{ acme_azbs_secret }}" 28 | tenant: "{{ acme_azbs_tenant_id }}" 29 | loop: "{{ acme_domain.subject_alt_name }}" 30 | when: 31 | - acme_domain.subject_alt_name is defined 32 | # only runs if the challenge is run the first time, because then there is challenge_data 33 | - acme_challenge_data[item] is defined 34 | 35 | # validate certificate 36 | - name: Let the challenge be validated and retrieve the cert and intermediate certificate 37 | community.crypto.acme_certificate: 38 | account_key_src: "{{ acme_account_key_path }}" 39 | account_email: "{{ acme_account_email }}" 40 | csr: "{{ acme_csr_path }}" 41 | cert: "{{ acme_cert_path }}" 42 | fullchain: "{{ acme_fullchain_path }}" 43 | chain: "{{ acme_intermediate_path }}" 44 | challenge: http-01 45 | force: "{{ acme_force_renewal | default(false) }}" 46 | acme_directory: "{{ acme_directory }}" 47 | acme_version: 2 48 | terms_agreed: true 49 | remaining_days: "{{ acme_remaining_days }}" 50 | data: "{{ acme_challenge }}" 51 | 52 | - name: Remove challenge file for SAN domain from azure blob storage container 53 | azure.azcollection.azure_rm_storageblob: 54 | resource_group: "{{ acme_azbs_resource_group }}" 55 | storage_account_name: "{{ acme_azbs_storage_account_name }}" 56 | container: "{{ acme_azbs_container_name }}" 57 | blob: "{{ acme_challenge_data[item]['http-01']['resource'] }}" 58 | state: absent 59 | subscription_id: "{{ acme_azbs_subscription_id }}" 60 | client_id: "{{ acme_azbs_client_id }}" 61 | secret: "{{ acme_azbs_secret }}" 62 | tenant: "{{ acme_azbs_tenant_id }}" 63 | loop: "{{ acme_domain.subject_alt_name }}" 64 | when: 65 | - acme_domain.subject_alt_name is defined 66 | # only runs if the challenge is run the first time, because then there is challenge_data 67 | - acme_challenge_data[item] is defined 68 | 69 | - name: Remove challenge file for SAN domain from fs 70 | ansible.builtin.file: 71 | dest: acme-challenge.{{ item }} 72 | state: absent 73 | loop: "{{ acme_domain.subject_alt_name }}" 74 | when: 75 | - acme_domain.subject_alt_name is defined 76 | # only runs if the challenge is run the first time, because then there is challenge_data 77 | - acme_challenge_data[item] is defined 78 | -------------------------------------------------------------------------------- /roles/acme/tasks/challenge/dns-01/azure.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # split top_level for zone_name and if subdomain is defined add subdomain to relative_name 3 | - name: Add a new TXT record to the SAN top-level domains 4 | azure.azcollection.azure_rm_dnsrecordset: 5 | resource_group: "{{ acme_azure_resource_group }}" 6 | relative_name: "{{ '_acme-challenge' }}{{ '' if item | replace('*.', '') == (item.split('.')[-2:] | join('.')) else '.' }}{{ (item | replace('*.', '')).split('.')[:-2] | join('.') }}" # noqa yaml[line-length] 7 | zone_name: "{{ item.split('.')[-2:] | join('.') }}" 8 | record_mode: append 9 | state: present 10 | record_type: TXT 11 | records: 12 | - entry: "{{ acme_challenge_data[item]['dns-01']['resource_value'] }}" 13 | loop: "{{ acme_domain.subject_alt_name.top_level }}" 14 | when: 15 | - acme_domain.subject_alt_name.top_level is defined 16 | # only runs if the challenge is run the first time, because then there is challenge_data 17 | - acme_challenge_data[item] is defined 18 | 19 | # split second_level for zone_name and if subdomain is defined add subdomain to relative_name 20 | - name: Add a new TXT record to the SAN second-level domains 21 | azure.azcollection.azure_rm_dnsrecordset: 22 | resource_group: "{{ acme_azure_resource_group }}" 23 | relative_name: "{{ '_acme-challenge' }}{{ '' if item | replace('*.', '') == (item.split('.')[-3:] | join('.')) else '.' }}{{ (item | replace('*.', '')).split('.')[:-3] | join('.') }}" # noqa yaml[line-length] 24 | zone_name: "{{ item.split('.')[-3:] | join('.') }}" 25 | record_mode: append 26 | state: present 27 | record_type: TXT 28 | records: 29 | - entry: "{{ acme_challenge_data[item]['dns-01']['resource_value'] }}" 30 | loop: "{{ acme_domain.subject_alt_name.second_level }}" 31 | when: 32 | - acme_domain.subject_alt_name.second_level is defined 33 | # only runs if the challenge is run the first time, because then there is challenge_data 34 | - acme_challenge_data[item] is defined 35 | 36 | - name: Let the challenge be validated and retrieve the cert and intermediate certificate 37 | timeout: "{{ acme_challenge_timeout }}" 38 | community.crypto.acme_certificate: 39 | account_key_src: "{{ acme_account_key_path }}" 40 | account_email: "{{ acme_account_email }}" 41 | csr: "{{ acme_csr_path }}" 42 | cert: "{{ acme_cert_path }}" 43 | fullchain: "{{ acme_fullchain_path }}" 44 | chain: "{{ acme_intermediate_path }}" 45 | challenge: dns-01 46 | force: "{{ acme_force_renewal | default(false) }}" 47 | acme_directory: "{{ acme_directory }}" 48 | acme_version: 2 49 | terms_agreed: true 50 | remaining_days: "{{ acme_remaining_days }}" 51 | data: "{{ acme_challenge }}" 52 | 53 | - name: Remove created SAN top-level TXT records to keep DNS zone clean 54 | azure.azcollection.azure_rm_dnsrecordset: 55 | resource_group: "{{ acme_azure_resource_group }}" 56 | relative_name: "{{ '_acme-challenge' }}{{ '' if item | replace('*.', '') == (item.split('.')[-2:] | join('.')) else '.' }}{{ (item | replace('*.', '')).split('.')[:-2] | join('.') }}" # noqa yaml[line-length] 57 | zone_name: "{{ item.split('.')[-2:] | join('.') }}" 58 | record_mode: purge 59 | state: "{{ acme_azure_purge_state }}" 60 | record_type: TXT 61 | records: 62 | - entry: "{{ acme_challenge_data[item]['dns-01']['resource_value'] }}" 63 | loop: "{{ acme_domain.subject_alt_name.top_level }}" 64 | when: 65 | - acme_domain.subject_alt_name.top_level is defined 66 | # only runs if the challenge is run the first time, because then there is challenge_data 67 | - acme_challenge_data[item] is defined 68 | 69 | - name: Remove created SAN second-level TXT records to keep DNS zone clean 70 | azure.azcollection.azure_rm_dnsrecordset: 71 | resource_group: "{{ acme_azure_resource_group }}" 72 | relative_name: "{{ '_acme-challenge' }}{{ '' if item | replace('*.', '') == (item.split('.')[-3:] | join('.')) else '.' }}{{ (item | replace('*.', '')).split('.')[:-3] | join('.') }}" # noqa yaml[line-length] 73 | zone_name: "{{ item.split('.')[-3:] | join('.') }}" 74 | record_mode: purge 75 | state: "{{ acme_azure_purge_state }}" 76 | record_type: TXT 77 | records: 78 | - entry: "{{ acme_challenge_data[item]['dns-01']['resource_value'] }}" 79 | loop: "{{ acme_domain.subject_alt_name.second_level }}" 80 | when: 81 | - acme_domain.subject_alt_name.second_level is defined 82 | # only runs if the challenge is run the first time, because then there is challenge_data 83 | - acme_challenge_data[item] is defined 84 | -------------------------------------------------------------------------------- /docs/http-challenge/azbs.md: -------------------------------------------------------------------------------- 1 | # Variables for Azure blob storage http-challenge 2 | 3 | | Variable | Required | Default | Description 4 | |-----------------------|----------|-----------|------------ 5 | | acme_azbs_resource_group | yes | | Name of the Azure resource group to which the storage account has been allocated 6 | | acme_azbs_storage_account_name | yes | | Azure storage account name which should be used 7 | | acme_azbs_container_name | yes | | Azure container name which will be used/created in Azure storage account 8 | | acme_azbs_subscription_id | yes | | Azure subscription id 9 | | acme_azbs_client_id | yes | | Client ID of service principal/application 10 | | acme_azbs_secret | yes | | Value of secret of service principal/application (Note: not the ID) 11 | | acme_azbs_tenant_id | yes | | Tenant ID of service principal/application 12 | 13 | ## Validation 14 | 15 | You have to create a service principal/application in the Azure Active Directory. 16 | This can be done via Frontend, Azure CLI or terraform. 17 | See https://learn.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals 18 | 19 | You also have to set a redirect rule in your proxy or webserver to allow the acme challenge bot to read the file, during the http-01 challenge to work. 20 | 21 | *Please note that the URL for the storage account and container needs to be adjusted to the name of your used account and container.* 22 | 23 | **HaProxy:** 24 | *works with version >= 1.6* 25 | 26 | ```bash 27 | http-request redirect code 301 location https://your-storage-account-name.blob.core.windows.net[url,regsub(^/.well-known/acme-challenge,/my-containername,)] if { path_beg /.well-known/acme-challenge } 28 | ``` 29 | 30 | (can be set in frontend or backend definition) 31 | 32 | **Apache:** 33 | 34 | ```bash 35 | RewriteRule \.well-known/acme-challenge/(.*) https://your-storage-account-name.blob.core.windows.net/your-container-name/$1 36 | ``` 37 | 38 | **Nginx:** 39 | 40 | ```bash 41 | rewrite \.well-known/acme-challenge/(.*) https://your-storage-account-name.blob.core.windows.net/your-container-name/$1 42 | ``` 43 | 44 | ## Usage 45 | 46 | > you should think about encrypting all azure account infos 47 | 48 | ```yaml 49 | - name: create the certificate for example.com 50 | hosts: localhost 51 | collections: 52 | - telekom_mms.acme 53 | roles: 54 | - acme 55 | vars: 56 | acme_domain: 57 | certificate_name: "example.com" 58 | zone: "example.com" 59 | email_address: "ssl-admin@example.com" 60 | subject_alt_name: 61 | - example.com 62 | - domain1.example.com 63 | - domain2.example.com 64 | acme_challenge_provider: "azbs" 65 | acme_use_live_directory: false 66 | acme_account_email: "ssl-admin@example.com" 67 | acme_azbs_resource_group: "my-resource-group" 68 | acme_azbs_storage_account_name: "my-storage-account-name" 69 | acme_azbs_container_name: "my-container" 70 | acme_azbs_subscription_id: "0000-11111-2222-3333-444444" 71 | acme_azbs_client_id: "1234-21231-14152-1231" 72 | acme_azbs_secret: !vault | 73 | $ANSIBLE_VAULT;1.1;AES256 74 | ... 75 | acme_azbs_tenant_id: "2132184-3534543-54354-3543" 76 | ``` 77 | 78 | ```yaml 79 | --- 80 | - name: Lets Encrypt certificates 81 | hosts: localhost 82 | vars: 83 | acme_account_email: "ssl-admin@example.com" 84 | acme_challenge_provider: "azbs" 85 | acme_use_live_directory: true 86 | acme_convert_cert_to: pfx 87 | acme_azbs_resource_group: "my-resource-group" 88 | acme_azbs_storage_account_name: "my-storage-account-name" 89 | acme_azbs_container_name: "my-container" 90 | acme_azbs_subscription_id: "0000-11111-2222-3333-444444" 91 | acme_azbs_tenant_id: "2132184-3534543-54354-3543" 92 | acme_azbs_client_id: "1234-21231-14152-1231" 93 | acme_azbs_secret: !vault | 94 | $ANSIBLE_VAULT;1.1;AES256 95 | ... 96 | az_acme_certificates: 97 | example-com: 98 | zone: example.com 99 | subject_alt_name: [ example.com, domain1.example.com, domain2.example.com ] 100 | example2-com: 101 | zone: example2.com 102 | subject_alt_name: [ example2.com, domain1.example2.com, domain2.example2.com ] 103 | tasks: 104 | - name: Create and upload Lets Encrypt certificates 105 | ansible.builtin.include_role: 106 | name: telekom_mms.acme.acme 107 | vars: 108 | acme_domain: 109 | email_address: "ssl-admin@example.com" 110 | certificate_name: "{{ certificate.key }}" 111 | zone: "{{ certificate.value.zone }}" 112 | subject_alt_name: "{{ certificate.value.subject_alt_name }}" 113 | loop: "{{ az_acme_certificates | dict2items }}" 114 | loop_control: 115 | loop_var: certificate 116 | ``` 117 | -------------------------------------------------------------------------------- /docs/dns-challenge/nsupdate.md: -------------------------------------------------------------------------------- 1 | # Variables for nsupdate dns-challenge 2 | 3 | | Variable | Required | Default | Description | 4 | |-----------------------------------|----------|--------------|-------------------------------------------------------------------------------------------------------------------------------------| 5 | | | | | | 6 | | acme_nsupdate_server | yes | | The IPv4/IPv6 address of the DNS server where nsupdate manages the _acme-challenge TXT records. (can also be a DNS name, see below) | 7 | | acme_nsupdate_dns_key: | yes | | The acme_nsupdate_dns_key dictionary mirrors the settings of a bind DNS keyfile. | 8 | | acme_nsupdate_dns_key: name: | no | nsupdate_key | Name of the | 9 | | acme_nsupdate_dns_key: algorithm: | no | hmac-sha512 | Hash algo of the key (i.e. hmac-sha512, hmac-sha256) | 10 | | acme_nsupdate_dns_key: secret: | yes | | The key | 11 | | acme_nsupdate_replication_delay | no | 2 | Wait time after the TXT record is issued, before the certificate is fetched via ACME | 12 | | acme_nsupdate_ttl | no | 60 | The TTL for the TXT record | 13 | 14 | ## Usage 15 | 16 | ### wildcard certificate 17 | 18 | ```yaml 19 | - name: create the certificate for *.example.org 20 | hosts: localhost 21 | collections: 22 | - telekom_mms.acme 23 | roles: 24 | - acme 25 | vars: 26 | acme_domain: 27 | certificate_name: "wildcard.example.org" 28 | zone: "example.org" 29 | email_address: "ssl-admin@example.org" 30 | subject_alt_name: 31 | - "*.example.org" 32 | acme_challenge_provider: nsupdate 33 | acme_use_live_directory: false 34 | acme_account_email: "ssl-admin@example.org" 35 | acme_nsupdate_server: "{{ lookup('community.general.dig', 'primary.nsforexample.org', qtype='A') }}" 36 | acme_nsupdate_dns_key: 37 | name: 'nsupdate_key' 38 | algorithm: hmac-sha512 39 | secret: "" 40 | ``` 41 | 42 | ### SAN certificate 43 | 44 | ```yaml 45 | - name: create the certificate for example.org 46 | hosts: localhost 47 | collections: 48 | - telekom_mms.acme 49 | roles: 50 | - acme 51 | vars: 52 | acme_domain: 53 | certificate_name: "test.example.org" 54 | zone: "example.org" 55 | email_address: "ssl-admin@example.org" 56 | subject_alt_name: 57 | - "test.example.org" 58 | - "domain1.example.org" 59 | - "domain2.example.org" 60 | acme_challenge_provider: nsupdate 61 | acme_use_live_directory: false 62 | acme_account_email: "ssl-admin@example.org" 63 | acme_nsupdate_server: "{{ lookup('community.general.dig', 'primary.nsforexample.org', qtype='A') }}" 64 | acme_nsupdate_dns_key: 65 | name: 'nsupdate_key' 66 | algorithm: hmac-sha512 67 | secret: "" 68 | ``` 69 | 70 | ### acme_nsupdate_server 71 | The acme_nsupdate_server MUST be a IPv4/IPv6 address (limitation of the nsupdate ansible module). To work with a DNS 72 | name, you can use the dig lookup: 73 | ``` 74 | acme_nsupdate_server: "{{ lookup('community.general.dig', 'primary.nsforexample.org', qtype='A') }}" 75 | ``` 76 | 77 | ### acme_domain.zone 78 | In some cases your DNS server may not be authoritative for a subdomain but the parent domain. In such cases you can 79 | override which zone is used when the nsupdate is issued. For example: 80 | 81 | * certificate zone (acme_domain.zone) = mysub.example.org 82 | * DNS is authoritative for example.org and the zonefile should contain the following entry 83 | ``` 84 | _acme-challenge.mysub.example.org. 120 IN TXT "nsupdate-test123" 85 | ``` 86 | In this scenario the following dictionary should be placed in acme_nsupdate_override_domain 87 | ``` 88 | acme_domain: 89 | certificate_name: "mysub.example.org" 90 | zone: "example.org" 91 | subject_alt_name: 92 | - "test.example.org" 93 | - "domain1.example.org" 94 | - "domain2.example.org" 95 | ``` 96 | 97 | The same is true for SAN certificates. Please note, that SAN certificates can have multiple subdomain names but 98 | are limited to one zone. 99 | ``` 100 | acme_domain: 101 | certificate_name: "mysub.example.org" 102 | zone: "example.org" 103 | ``` 104 | 105 | ### acme_nsupdate_replication_delay 106 | If you are using a primary/secondary DNS server setup it might be a good idea to wait a second or two after the 107 | nsupdate on the primary was issued. 108 | -------------------------------------------------------------------------------- /.github/workflows/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: ansible-test 3 | 4 | on: 5 | # Run CI against all pushes (direct commits, also merged PRs), Pull Requests 6 | push: 7 | branches: [main] 8 | pull_request: 9 | # The branches below must be a subset of the branches above 10 | branches: [main] 11 | # Run CI once per week (at 06:00 UTC) 12 | # This ensures that even if there haven't been commits that we are still 13 | # testing against latest version of ansible-test for each ansible-core 14 | # version 15 | schedule: 16 | - cron: '0 6 * * 1' 17 | 18 | # A workflow run is made up of one or more jobs that can run sequentially or in parallel 19 | jobs: 20 | ansible-sanity-tests: 21 | name: Sanity (Ⓐ${{ matrix.ansible }}+py${{ matrix.python }}) 22 | strategy: 23 | matrix: 24 | ansible: 25 | # It's important that Sanity is tested against all stable-X.Y branches 26 | # Testing against `devel` may fail as new tests are added. 27 | - stable-2.17 28 | - stable-2.18 29 | - stable-2.19 30 | - devel 31 | python: 32 | - "3.12" 33 | runs-on: ubuntu-latest 34 | steps: 35 | # ansible-test requires the collection to be in a directory in the form 36 | # .../ansible_collections/NAMESPACE/COLLECTION_NAME/ 37 | 38 | - name: Check out code 39 | uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 40 | with: 41 | path: ansible_collections/telekom_mms/acme 42 | 43 | - name: Set up Python ${{ matrix.ansible }} 44 | uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6 45 | with: 46 | python-version: ${{ matrix.python }} 47 | 48 | # Install the head of the given branch (devel, stable-2.10) 49 | - name: Install ansible-base (${{ matrix.ansible }}) 50 | run: python -m pip install https://github.com/ansible/ansible/archive/${{ matrix.ansible }}.tar.gz --disable-pip-version-check 51 | 52 | # run ansible-test sanity inside of Docker. 53 | # The docker container has all the pinned dependencies that are required. 54 | # Explicitly specify the version of Python we want to test 55 | - name: Run sanity tests 56 | run: ansible-test sanity --docker -v --color --python ${{ matrix.python }} 57 | working-directory: ./ansible_collections/telekom_mms/acme 58 | 59 | linting: 60 | name: Ansible Lint 61 | runs-on: ubuntu-latest 62 | steps: 63 | - name: Check out code 64 | uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 65 | 66 | - name: Run Linting 67 | uses: ansible/ansible-lint@40f24c2d511c6662ba96b53a35f386cf8b0c11ad # 25.12.1 68 | 69 | integration-tests: 70 | runs-on: ubuntu-latest 71 | defaults: 72 | run: 73 | working-directory: ansible_collections/telekom_mms/acme 74 | strategy: 75 | fail-fast: false 76 | matrix: 77 | ansible: 78 | - stable-2.18 79 | - stable-2.19 80 | - devel 81 | # - milestone 82 | python: 83 | - '3.12' 84 | - '3.13' 85 | include: 86 | # Add new versions announced in 87 | # https://github.com/ansible-collections/news-for-maintainers in a timely manner, 88 | # consider dropping testing against EOL versions and versions you don't support. 89 | # ansible-core 2.17 90 | - ansible: stable-2.17 91 | python: '3.10' 92 | - ansible: stable-2.17 93 | python: '3.11' 94 | - ansible: stable-2.17 95 | python: '3.12' 96 | # start nginx as service to test validation via http-challenge local path 97 | services: 98 | nginx: 99 | image: nginx@sha256:fb01117203ff38c2f9af91db1a7409459182a37c87cced5cb442d1d8fcc66d19 100 | volumes: 101 | - /tmp:/usr/share/nginx/html 102 | ports: 103 | - 5002:80 104 | 105 | steps: 106 | - name: Check out code to collections-folder, so ansible finds it 107 | uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 108 | with: 109 | path: ansible_collections/telekom_mms/acme 110 | 111 | - name: Run Pebble and challtestsrv 112 | run: curl https://raw.githubusercontent.com/letsencrypt/pebble/master/docker-compose.yml | docker compose -f - up -d 113 | 114 | - name: Set up Pebble 115 | run: curl --request POST --data '{"ip":"10.30.50.1"}' http://localhost:8055/set-default-ipv4 116 | 117 | # change uid of nginx user in nginx service container to uid of github runner id to allow reading of created hash file by nginx process 118 | - name: change uid of nginx user in container 119 | run: docker exec -i ${{ job.services.nginx.id }} usermod -u 1001 nginx 120 | 121 | # restart docker container to start nginx process with new uid 122 | - name: restart docker container of service 123 | run: docker restart ${{ job.services.nginx.id }} 124 | 125 | - name: Set up Python ${{ matrix.ansible }} 126 | uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6 127 | with: 128 | python-version: ${{ matrix.python }} 129 | 130 | - name: Install ansible-base (${{ matrix.ansible }}) 131 | run: python -m pip install https://github.com/ansible/ansible/archive/${{ matrix.ansible }}.tar.gz --disable-pip-version-check 132 | 133 | - name: build the collection 134 | run: ansible-galaxy collection build 135 | 136 | - name: install the collection 137 | run: ansible-galaxy collection install -p /home/runner/work/ansible-collection-acme/ansible-collection-acme *.tar.gz 138 | 139 | - name: install community.crypto collection 140 | run: ansible-galaxy collection install -p /home/runner/work/ansible-collection-acme/ansible-collection-acme community.crypto 141 | 142 | - name: Run integration tests 143 | run: ansible-test integration -v --color --retry-on-error --continue-on-error --diff --python ${{ matrix.python }} --requirements 144 | working-directory: ./ansible_collections/telekom_mms/acme 145 | -------------------------------------------------------------------------------- /plugins/filter/find_challenges.py: -------------------------------------------------------------------------------- 1 | from ansible.errors import AnsibleError 2 | 3 | 4 | def find_challenges(challenge_response: dict, challenge_type: str, expected_domains: list) -> dict: 5 | """ 6 | 1. check if all the expected domains are present in the challenge response 7 | 2. construct and return the following dictionary out of the API response 8 | challenge_data and authorizations fields 9 | {'': {[http-01/dns-01]: 'resource': resource_value': }} 10 | """ 11 | if challenge_type not in ['http-01', 'dns-01']: 12 | raise AssertionError(f"Unknown challenge_type ({challenge_type})") 13 | 14 | if 'challenge_data' not in challenge_response or 'authorizations' not in challenge_response: 15 | raise AssertionError("Bogus API response: 'challenge_data'/'authorizations' missing.") 16 | 17 | challenges = build_challenges(challenge_response, challenge_type, expected_domains) 18 | domains_in_response = find_domains_in_response(challenge_response, challenge_type) 19 | errors = [] 20 | 21 | if domains_in_response == set(expected_domains): 22 | return challenges 23 | else: 24 | expected_not_found = set(expected_domains).difference(domains_in_response) 25 | if expected_not_found: 26 | errors.append(f"Expected {challenge_type} challenges for the following domains not found: " 27 | f"{','.join(expected_not_found)}") 28 | 29 | unexpected_from_api = domains_in_response.difference(set(expected_domains)) 30 | if unexpected_from_api: 31 | errors.append(f"The API responded with {challenge_type} challenges for the following domains " 32 | f"we did not expect: {','.join(unexpected_from_api)}") 33 | if errors: 34 | raise AnsibleError(" // ".join(errors)) 35 | 36 | return dict() 37 | 38 | 39 | def find_domains_in_response(challenge_response: dict, challenge_type: str) -> set: 40 | """ 41 | find the domains in the response for which the API responded with a challenge of the specified challenge_type 42 | """ 43 | domains = set() 44 | for domain, domain_data in challenge_response['challenge_data'].items(): 45 | if challenge_type in domain_data: 46 | domains.add(domain) 47 | 48 | for domain, domain_data in challenge_response['authorizations'].items(): 49 | for challenge in domain_data['challenges']: 50 | if challenge['type'] == challenge_type: 51 | domains.add(domain) 52 | 53 | return domains 54 | 55 | 56 | def build_challenges(challenge_response: dict, challenge_type: str, expected_domains: list) -> dict: 57 | """ 58 | try to extract the challenge for all expected_domains from the challenge_data field (first)0 59 | and then from the authorization field, if not found 60 | """ 61 | extracted_challenges = {} 62 | for domain in expected_domains: 63 | extracted_challenges[domain] = {} 64 | if domain in challenge_response['challenge_data']: 65 | extracted_challenges[domain] = extract_challenge_from_challenge_data(domain, challenge_response, 66 | challenge_type) 67 | elif domain in challenge_response['authorizations']: 68 | extracted_challenges[domain] = extract_challenge_from_authorizations_data(domain, challenge_response, 69 | challenge_type) 70 | 71 | return extracted_challenges 72 | 73 | 74 | def extract_challenge_from_challenge_data(domain, challenge_response: dict, challenge_type: str) -> dict: 75 | """ 76 | return the challenge data fields (record, resource, resource_value) out of the challenge_data field for domain 77 | """ 78 | if challenge_type not in challenge_response['challenge_data'][domain]: 79 | raise AssertionError(f"challenge_type '{challenge_type}' not in 'challenge_data'") 80 | 81 | return {challenge_type: challenge_response['challenge_data'][domain][challenge_type]} 82 | 83 | 84 | def extract_challenge_from_authorizations_data(domain, challenge_response: dict, challenge_type: str) -> dict: 85 | """ 86 | return the challenge data fields from the authorizations field - note that the format is different from challange_data: 87 | the authorizations field specifies the challenges with their type in a list instead of a dict 88 | """ 89 | if 'challenges' not in challenge_response['authorizations'][domain]: 90 | raise AssertionError(f"'challenges' missing in 'authorizations' field of domain '{domain}'") 91 | 92 | for challenge in challenge_response['authorizations'][domain]['challenges']: 93 | if challenge['type'] == challenge_type: 94 | if challenge_type == 'dns-01': 95 | return {challenge_type: build_data_from_authorizations_dns01(challenge['token'], domain)} 96 | elif challenge_type == 'http-01': 97 | return {challenge_type: build_data_from_authorizations_http01(challenge['token'], domain)} 98 | 99 | raise AssertionError(f"challenge_type '{challenge_type}' not in 'authorizations' for domain '{domain}'") 100 | 101 | 102 | def build_data_from_authorizations_dns01(token: str, domain: str) -> dict: 103 | """ 104 | build the fields that one would expect out of challenge_data for data coming out of authorizations (for DNS-01) 105 | """ 106 | return { 107 | "record": f"_acme-challenge.{domain}", 108 | "resource": "_acme-challenge", 109 | "resource_value": token 110 | } 111 | 112 | 113 | def build_data_from_authorizations_http01(token: str, domain: str) -> dict: 114 | """ 115 | build the fields that one would expect out of challange_data for data coming out of authorizations (for HTTP-01) 116 | """ 117 | return { 118 | "resource": f".well-known/acme-challenge/{token}", 119 | "resource_value": token 120 | } 121 | 122 | 123 | class FilterModule(object): 124 | """ utility filters for operating on dictionary """ 125 | @staticmethod 126 | def filters(): 127 | return { 128 | 'find_challenges': find_challenges 129 | } 130 | -------------------------------------------------------------------------------- /docs/role-acme.md: -------------------------------------------------------------------------------- 1 | # Acme role 2 | 3 | This role issues certificates via the ACME protocol. By default the API of Let's Encrypt is used. 4 | 5 | This role does not distribute certificates - it only creates them. You have to implement the distribution in your own playbooks or roles. 6 | 7 | ## Providers 8 | 9 | The role supports multiple providers for http- and dns-challenges. 10 | Please see the corresponding readme files for specific variables and examples. 11 | 12 | Feel free to contribute more DNS or HTTP APIs :) 13 | 14 | * DNS-01 15 | * [AutoDNS](/docs/dns-challenge/autodns.md) 16 | * [Azure](/docs/dns-challenge/azure.md) 17 | * [Domain Offensive](/docs/dns-challenge/domain-offensive.md) 18 | * [hetzner](/docs/dns-challenge/hetzner.md) 19 | * [nsupdate](/docs/dns-challenge/nsupdate.md) 20 | * [openstack](/docs/dns-challenge/openstack.md) 21 | * [pebble](/docs/dns-challenge/pebble.md) 22 | * HTTP-01 23 | * [local](/docs/http-challenge/local.md) 24 | * [s3](/docs/http-challenge/s3.md) 25 | 26 | ## General variables 27 | 28 | | Variable | Required | Default | Description | 29 | |--------------------------------------|----------|---------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| 30 | | **domain configuration acme_domain** | | | | 31 | | certificate_name | yes | | Name of the resulting certificate. Most useful for wildcard certificates to not have files named '*.example.com' on the filesystem | 32 | | zone | yes | | zone in which the dns records should be created | 33 | | subject_alt_name | yes | | Domain(s) for which the certificate(s) should be validated. If you are issuing a wildcard certificate you should also add the main domain for which you are issuing the certificate | 34 | | email_address | yes | | Mail address which is used for the certificate (reminder mails are sent here) and the field `email_address` as specified in section [4.1.2.6. Subject](https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6 "Link to the IETF RFC 5280") of the RFC 5280 | 35 | | country | no | | containing a digraph for the country as in ISO 3166 | 36 | | state_or_province | no | | a string representing the state or province to be put into the subject field of the certificate | 37 | | locality | no | | a string representing a locality to be put into the subject field of the certificate | 38 | | organization | no | | a string representing the organization to be put into the subject field of the certificate | 39 | | organizational_unit | no | | a string representing the organizational unit to be put into the subject field of the certificate | 40 | | common_name | yes*no | | MUST be set, if any of the other fields `country`, `state_or_province`, `locality`, `organization` or `organizational_unit` does contain any value. MUST be a domain name as you would give it for a Subject Alternative Name | 41 | | **configuration options** | | | | 42 | | acme_account_key_content | no | | Content of the created account key | 43 | | acme_private_key_content | no | | Content of the created private key for the certificate (allows reuse of keys) | 44 | | acme_use_live_directory | no | false | Choose if production certificates should be created, the staging directory of LE will be used by default | 45 | | acme_force_renewal | no | | Force renewal of certificate before `remaining_days` is reached | 46 | | acme_challenge_provider | yes | | Which DNS provider should be used. See "Usage" of provider for the correct keyword | 47 | | acme_challenge_timeout | no | 3600 | How long to wait on a challenge check to succeed before a failure is thrown | 48 | 49 | ## Variables for dns-challenge 50 | 51 | | Variable | Required | Default | Description | 52 | |-------------------|----------|---------|--------------------------------| 53 | | acme_dns_user | yes | | Username to access the DNS api | 54 | | acme_dns_password | yes | | Password to access the DNS api | 55 | 56 | ## Variables for Certificate Download 57 | 58 | If you are running this role in a temporary environment such as a CI runner and you use your certificates on a https server you can enable the download of the current certificate from the web server. This prevents unnecessary renewal of certificates which aren't due for renewal yet. 59 | 60 | | Variable | Required | Default | Description | 61 | |-------------------------|----------|-----------------------------------|----------------------------------------------| 62 | | acme_download_cert | no | false | Enable Certificate Download | 63 | | acme_cert_download_host | no | uses first SAN of the Certificate | Hostname/IP to Download the Certificate from | 64 | | acme_cert_download_port | no | 443 | Port to Download the Certificate from | 65 | | acme_cert_san_name | no | uses first SAN of the Certificate | Hostname for SNI for Cert File Download | 66 | 67 | ## Global role variables 68 | 69 | | Variable | Required | Default | Description | 70 | |-----------------------------------|----------|--------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------| 71 | | acme_conf_dir | no | $HOME/letsencrypt | Overwrite acme_conf_dir if you want to use another directory which is accessible to the user which runs the playbook | 72 | | acme_prerequisites_packagemanager | no | yum | Set the packagemanager which is used of the ansible_host. Possible values are all supported package managers from ansible package module | 73 | | acme_staging_directory | no | acme-staging-v02.api.letsencrypt.org | Acme directory which will be used for certificate challenge | 74 | | acme_live_directory | no | acme-v02.api.letsencrypt.org | Acme directory which will be used for certificate challenge | 75 | | acme_account_key_path | no | $acme_conf_dir | Path for account key | 76 | | acme_account_key_size | no | 4096 | Account key size | 77 | | acme_account_key_type | no | ECC | Account key type | 78 | | acme_account_key_curve | no | secp384r1 | Account key curve used | 79 | | acme_csr_path | no | $acme_conf_dir/certs | Path for csr which is created for challenge | 80 | | acme_cert_path | no | $acme_conf_dir/certs | Path for issued certificate | 81 | | acme_intermediate_path | no | $acme_conf_dir/certs | Path for intermediate chain | 82 | | acme_fullchain_path | no | $acme_conf_dir/certs | Path for full chain file (certificate + intermediate) | 83 | | acme_private_key_path | no | $acme_conf_dir/certs | Path for private key | 84 | | acme_private_key_size | no | 4096 | Private key size | 85 | | acme_private_key_type | no | ECC | Private key type | 86 | | acme_private_key_curve | no | secp384r1 | Private key curve used | 87 | | acme_remaining_days | no | 30 | Min days remaining before certificate will be renewed | 88 | | acme_convert_cert_to | no | | Format to convert the certificate to: `pfx` | 89 | | acme_validate_certs | no | | Only used in integration tests with pebble server | 90 | 91 | ### Usage 92 | 93 | ```bash 94 | ansible-playbook playbooks/domain1.yml [--ask-vault] 95 | ``` 96 | 97 | ### gitlab-pipeline 98 | 99 | * create a job which runs the certificate playbook 100 | 101 | ```yaml 102 | stages: 103 | - renew-certificates 104 | 105 | certificates: 106 | stage: renew-certificates 107 | script: 108 | - echo $ANSIBLE_VAULT_PASSWORD > .vault_password.txt 109 | - ansible-playbook playbooks/acme-certificates/domain1.yml --vault-password-file .vault_password.txt --diff 110 | - rm -f .vault_password.txt 111 | ``` 112 | 113 | * if you have multiple domains, for which a certificate should be created, create a job in gitlab-ci to run a playbook which imports all certificate playbooks of your domains 114 | * playbook to import certificate playbooks 115 | 116 | ```yaml 117 | - name: import play for domain1 118 | import_playbook: domain1.yml 119 | 120 | - name: import play for domain2 121 | import_playbook: domain2.yml 122 | ``` 123 | 124 | * run playbook 125 | 126 | ```yaml 127 | stages: 128 | - renew-certificates 129 | 130 | certificates: 131 | stage: renew-certificates 132 | script: 133 | - echo $ANSIBLE_VAULT_PASSWORD > .vault_password.txt 134 | - ansible-playbook playbooks/acme-certificates/all-certificates.yml --vault-password-file . vault_password.txt --diff 135 | - rm -f .vault_password.txt 136 | ``` 137 | -------------------------------------------------------------------------------- /tests/integration/targets/acme_letsencrypt/find-challenge-filter-plugin.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: Create the certificate for example.com with dns-challenge provider "pebble" 4 | hosts: localhost 5 | gather_facts: false 6 | vars: 7 | data_with_challenge_data: 8 | account_uri: https://ACME.with_authorizations.de/v2/... 9 | authorizations: 10 | blahtest1.example.org: 11 | challenges: 12 | - status: pending 13 | token: Uwqt4U_l6lp04J2KW5nvgJ6LMPXvSrhr 14 | type: dns-01 15 | url: https://ACME.with_authorizations.de/v2/... 16 | - status: pending 17 | token: ukTTEZIqv_KM9J0iEnysAaiiO31-Rpxg 18 | type: http-01 19 | url: https://ACME.with_authorizations.de/v2/.... 20 | expires: '2025-03-26T09:00:45Z' 21 | identifier: 22 | type: dns 23 | value: blahtest1.example.org 24 | status: pending 25 | uri: https://ACME.with_authorizations.de/v2/... 26 | blahtest2.example.org: 27 | challenges: 28 | - status: pending 29 | token: WfZ7M6gF63LZjxyqhXKyDkb3pg2NlvjFKHFTOdgd 30 | type: dns-01 31 | url: https://ACME.with_authorizations.de/v2/... 32 | - status: pending 33 | token: ALKOBSIHfEBtdeDVeGj3zROeyECNNry9CD4pqwci 34 | type: http-01 35 | url: https://ACME.with_authorizations.de/v2/.... 36 | expires: '2025-03-26T09:00:45Z' 37 | identifier: 38 | type: dns 39 | value: blahtest2.example.org 40 | status: pending 41 | uri: https://ACME.with_authorizations.de/v2/... 42 | cert_days: -1 43 | challenge_data: 44 | blahtest1.example.org: 45 | dns-01: 46 | record: _acme-challenge.blahtest1.example.org 47 | resource: _acme-challenge 48 | resource_value: bob4Yd3_SVv-7JET__3G5ZDVWaeGIOxAQmRf3SURbSY 49 | http-01: 50 | resource: .well-known/acme-challenge/ukTTEZIqv_KM9J0iEnysAaiiO31-Rpxg 51 | resource_value: L0bB8aZyOyuw5LNDlslQptrKYBw5P0nPpmt6bGhTYyWP1wTogi9W3V.L0bB8aZyOyuw5LNDlslQptrKYBw5P0nPpmt6bGhTYyWP1wTogi9W3V 52 | blahtest2.example.org: 53 | dns-01: 54 | record: _acme-challenge.blahtest2.example.org 55 | resource: _acme-challenge 56 | resource_value: eksnHDhxBOzrTlOgiDzKlUXZtccjSwKIhc 57 | http-01: 58 | resource: .well-known/acme-challenge/ukTTEZIqv_KM9J0iEnysAaiiO31-Rpxg 59 | resource_value: 8fV3Wc5hIqxMohz4llcqLqHuCv7WriMrgWYRogPypoTY5KRT84sfeU.8fV3Wc5hIqxMohz4llcqLqHuCv7WriMrgWYRogPypoTY5KRT84sfeU 60 | challenge_data_dns: 61 | _acme-challenge.blahtest1.example.org: 62 | - bob4Yd3_SVv-7JET__3G5ZDVWaeGIOxAQmRf3SURbSY 63 | _acme-challenge.blahtest2.example.org: 64 | - eksnHDhxBOzrTlOgiDzKlUXZtccjSwKIhc 65 | pre_tasks: 66 | - name: Data_without_challenge_data 67 | ansible.builtin.set_fact: 68 | data_without_challenge_data: "{{ data_with_challenge_data | combine({'challenge_data': {}, 'challenge_data_dns': {}}) }}" 69 | tasks: 70 | 71 | # --- 72 | - name: TEST-01 default / dns-01 / 2 domains 73 | block: 74 | - name: Set test_challenge 75 | ignore_errors: true 76 | ansible.builtin.set_fact: 77 | test_challenge: "{{ data_with_challenge_data | telekom_mms.acme.find_challenges('dns-01', ['blahtest1.example.org', 'blahtest2.example.org']) }}" 78 | register: set_fact_result 79 | - name: Test assert TEST-01 80 | ansible.builtin.assert: 81 | that: 82 | - "set_fact_result is not failed" 83 | - "'blahtest1.example.org' in test_challenge and 'blahtest2.example.org' in test_challenge" 84 | - "data_with_challenge_data['challenge_data']['blahtest1.example.org']['dns-01']['record'] in test_challenge['blahtest1.example.org']['dns-01'].record" 85 | - "data_with_challenge_data['challenge_data']['blahtest1.example.org']['dns-01']['resource'] in test_challenge['blahtest1.example.org']['dns-01'].resource" 86 | - "data_with_challenge_data['challenge_data']['blahtest1.example.org']['dns-01']['resource_value'] in test_challenge['blahtest1.example.org']['dns-01'].resource_value" 87 | 88 | 89 | - name: TEST-02 default / http-01 / 2 domains 90 | block: 91 | - name: Set test_challenge 92 | ignore_errors: true 93 | ansible.builtin.set_fact: 94 | test_challenge: "{{ data_with_challenge_data | telekom_mms.acme.find_challenges('http-01', ['blahtest1.example.org', 'blahtest2.example.org']) }}" 95 | register: set_fact_result 96 | - name: Test assert TEST-02 97 | ansible.builtin.assert: 98 | that: 99 | - "set_fact_result is not failed" 100 | - "'blahtest1.example.org' in test_challenge and 'blahtest2.example.org' in test_challenge" 101 | - "data_with_challenge_data['challenge_data']['blahtest1.example.org']['http-01']['resource'] in test_challenge['blahtest1.example.org']['http-01'].resource" 102 | - "data_with_challenge_data['challenge_data']['blahtest1.example.org']['http-01']['resource_value'] in test_challenge['blahtest1.example.org']['http-01'].resource_value" 103 | 104 | - name: TEST-03-1 default / dns-01 / expect less then provided by response 105 | block: 106 | - name: Set test_challenge 107 | ignore_errors: true 108 | ansible.builtin.set_fact: 109 | test_challenge: "{{ data_with_challenge_data | telekom_mms.acme.find_challenges('dns-01', ['blahtest1.example.org']) }}" 110 | register: set_fact_result 111 | - name: Test assert TEST-03-1 112 | ansible.builtin.assert: 113 | that: 114 | - "set_fact_result is failed" 115 | - "'The API responded with dns-01 challenges for the following domains we did not expect:' in set_fact_result.msg" 116 | 117 | - name: TEST-03-2 default / dns-01 / expect more than provided 118 | block: 119 | - name: Set test_challenge 120 | ignore_errors: true 121 | ansible.builtin.set_fact: 122 | test_challenge: "{{ data_with_challenge_data | telekom_mms.acme.find_challenges('dns-01', ['blahtest1.example.org', 'blahtest2.example.org', 'one.more.is.one.too.many']) }}" 123 | register: set_fact_result 124 | - name: Test assert TEST-03-2 125 | ansible.builtin.assert: 126 | that: 127 | - "set_fact_result is failed" 128 | - "'Expected dns-01 challenges for the following domains not found: one.more.is.one.too.many' in set_fact_result.msg" 129 | 130 | - name: TEST-04-1 with_authorizations / dns-01 / 2 domains / data_with_challenge_data 131 | block: 132 | - name: Set test_challenge 133 | ignore_errors: true 134 | ansible.builtin.set_fact: 135 | test_challenge: "{{ data_with_challenge_data | telekom_mms.acme.find_challenges('dns-01', ['blahtest1.example.org', 'blahtest2.example.org']) }}" 136 | register: set_fact_result 137 | - name: Test assert TEST-04-1 138 | ansible.builtin.assert: 139 | that: 140 | - "set_fact_result is not failed" 141 | - "'blahtest1.example.org' in test_challenge and 'blahtest2.example.org' in test_challenge" 142 | - "data_with_challenge_data['challenge_data']['blahtest1.example.org']['dns-01']['record'] in test_challenge['blahtest1.example.org']['dns-01'].record" 143 | - "data_with_challenge_data['challenge_data']['blahtest1.example.org']['dns-01']['resource'] in test_challenge['blahtest1.example.org']['dns-01'].resource" 144 | - "data_with_challenge_data['challenge_data']['blahtest1.example.org']['dns-01']['resource_value'] in test_challenge['blahtest1.example.org']['dns-01'].resource_value" 145 | 146 | - name: TEST-04-2 with_authorizations / http-01 / 2 domains / data_with_challenge_data 147 | block: 148 | - name: Set test_challenge 149 | ignore_errors: true 150 | ansible.builtin.set_fact: 151 | test_challenge: "{{ data_with_challenge_data | telekom_mms.acme.find_challenges('http-01', ['blahtest1.example.org', 'blahtest2.example.org']) }}" 152 | register: set_fact_result 153 | - name: Test assert TEST-04-2 154 | ansible.builtin.assert: 155 | that: 156 | - "set_fact_result is not failed" 157 | - "'blahtest1.example.org' in test_challenge and 'blahtest2.example.org' in test_challenge" 158 | - "data_with_challenge_data['challenge_data']['blahtest1.example.org']['http-01']['resource'] in test_challenge['blahtest1.example.org']['http-01'].resource" 159 | - "data_with_challenge_data['challenge_data']['blahtest1.example.org']['http-01']['resource_value'] in test_challenge['blahtest1.example.org']['http-01'].resource_value" 160 | 161 | - name: TEST-05 with_authorizations / dns-01 / 2 domains / data_without_challenge_data 162 | block: 163 | - name: Set test_challenge 164 | ignore_errors: true 165 | ansible.builtin.set_fact: 166 | test_challenge: "{{ data_without_challenge_data | telekom_mms.acme.find_challenges('dns-01', ['blahtest1.example.org', 'blahtest2.example.org']) }}" 167 | register: set_fact_result 168 | - name: Test assert TEST-05 169 | ansible.builtin.assert: 170 | that: 171 | - "set_fact_result is not failed" 172 | - "'blahtest1.example.org' in test_challenge and 'blahtest2.example.org' in test_challenge" 173 | - "data_with_challenge_data['authorizations']['blahtest1.example.org']['challenges'][0]['token'] in test_challenge['blahtest1.example.org']['dns-01'].resource_value" 174 | 175 | - name: TEST-06 with_authorizations / http-01 / 2 domains / data_without_challenge_data 176 | block: 177 | - name: Set test_challenge 178 | ignore_errors: true 179 | ansible.builtin.set_fact: 180 | test_challenge: "{{ data_without_challenge_data | telekom_mms.acme.find_challenges('http-01', ['blahtest1.example.org', 'blahtest2.example.org']) }}" 181 | register: set_fact_result 182 | - name: Test assert TEST-06 183 | ansible.builtin.assert: 184 | that: 185 | - "set_fact_result is not failed" 186 | - "'blahtest1.example.org' in test_challenge and 'blahtest2.example.org' in test_challenge" 187 | - "data_without_challenge_data['authorizations']['blahtest1.example.org']['challenges'][1]['token'] in test_challenge['blahtest1.example.org']['http-01'].resource_value" 188 | 189 | - name: TEST-07 with_authorizations / http-01 / unexpected / data_without_challenge_data 190 | block: 191 | - name: Set test_challenge 192 | ignore_errors: true 193 | ansible.builtin.set_fact: 194 | test_challenge: "{{ data_without_challenge_data | telekom_mms.acme.find_challenges('http-01', ['blahtest1.example.org']) }}" 195 | register: set_fact_result 196 | - name: Test assert TEST-07 197 | ansible.builtin.assert: 198 | that: 199 | - "set_fact_result is failed" 200 | 201 | - name: TEST-08 with_mixed_challenge_and_authorizations / http-01 202 | vars: 203 | # blahtest1 is "valid" and therefore can't be found in the "challenge_data" 204 | data_with_mixed_challenge_data: 205 | account_uri: https://ACME.with_authorizations.de/v2/... 206 | authorizations: 207 | blahtest1.example.org: 208 | challenges: 209 | - status: valid 210 | token: Uwqt4U_l6lp04J2KW5nvgJ6LMPXvSrhr 211 | type: dns-01 212 | url: https://ACME.with_authorizations.de/v2/... 213 | - status: valid 214 | token: ukTTEZIqv_KM9J0iEnysAaiiO31-Rpxg 215 | type: http-01 216 | url: https://ACME.with_authorizations.de/v2/.... 217 | expires: '2025-03-26T09:00:45Z' 218 | identifier: 219 | type: dns 220 | value: blahtest1.example.org 221 | status: pending 222 | uri: https://ACME.with_authorizations.de/v2/... 223 | blahtest2.example.org: 224 | challenges: 225 | - status: pending 226 | token: WfZ7M6gF63LZjxyqhXKyDkb3pg2NlvjFKHFTOdgd 227 | type: dns-01 228 | url: https://ACME.with_authorizations.de/v2/... 229 | - status: pending 230 | token: ALKOBSIHfEBtdeDVeGj3zROeyECNNry9CD4pqwci 231 | type: http-01 232 | url: https://ACME.with_authorizations.de/v2/.... 233 | expires: '2025-03-26T09:00:45Z' 234 | identifier: 235 | type: dns 236 | value: blahtest2.example.org 237 | status: pending 238 | uri: https://ACME.with_authorizations.de/v2/... 239 | cert_days: -1 240 | challenge_data: 241 | blahtest2.example.org: 242 | dns-01: 243 | record: _acme-challenge.blahtest2.example.org 244 | resource: _acme-challenge 245 | resource_value: eksnHDhxBOzrTlOgiDzKlUXZtccjSwKIhc 246 | http-01: 247 | resource: .well-known/acme-challenge/ukTTEZIqv_KM9J0iEnysAaiiO31-Rpxg 248 | resource_value: 8fV3Wc5hIqxMohz4llcqLqHuCv7WriMrgWYRogPypoTY5KRT84sfeU.8fV3Wc5hIqxMohz4llcqLqHuCv7WriMrgWYRogPypoTY5KRT84sfeU 249 | challenge_data_dns: 250 | _acme-challenge.blahtest1.example.org: 251 | - bob4Yd3_SVv-7JET__3G5ZDVWaeGIOxAQmRf3SURbSY 252 | _acme-challenge.blahtest2.example.org: 253 | - eksnHDhxBOzrTlOgiDzKlUXZtccjSwKIhc 254 | block: 255 | - name: Set test_challenge 256 | ignore_errors: true 257 | ansible.builtin.set_fact: 258 | test_challenge: "{{ data_with_mixed_challenge_data | telekom_mms.acme.find_challenges('http-01', ['blahtest1.example.org', 'blahtest2.example.org']) }}" 259 | register: set_fact_result 260 | - name: Test assert TEST-08 261 | ansible.builtin.assert: 262 | that: 263 | - "set_fact_result is not failed" 264 | - "'blahtest1.example.org' in test_challenge and 'blahtest2.example.org' in test_challenge" 265 | - "data_with_mixed_challenge_data['authorizations']['blahtest1.example.org']['challenges'][1]['token'] in test_challenge['blahtest1.example.org']['http-01'].resource_value" 266 | - "data_with_mixed_challenge_data['challenge_data']['blahtest2.example.org']['http-01'].resource_value in test_challenge['blahtest2.example.org']['http-01'].resource_value" 267 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | GNU GENERAL PUBLIC LICENSE 2 | Version 3, 29 June 2007 3 | 4 | Copyright (C) 2007 Free Software Foundation, Inc. 5 | Everyone is permitted to copy and distribute verbatim copies 6 | of this license document, but changing it is not allowed. 7 | 8 | Preamble 9 | 10 | The GNU General Public License is a free, copyleft license for 11 | software and other kinds of works. 12 | 13 | The licenses for most software and other practical works are designed 14 | to take away your freedom to share and change the works. By contrast, 15 | the GNU General Public License is intended to guarantee your freedom to 16 | share and change all versions of a program--to make sure it remains free 17 | software for all its users. We, the Free Software Foundation, use the 18 | GNU General Public License for most of our software; it applies also to 19 | any other work released this way by its authors. You can apply it to 20 | your programs, too. 21 | 22 | When we speak of free software, we are referring to freedom, not 23 | price. Our General Public Licenses are designed to make sure that you 24 | have the freedom to distribute copies of free software (and charge for 25 | them if you wish), that you receive source code or can get it if you 26 | want it, that you can change the software or use pieces of it in new 27 | free programs, and that you know you can do these things. 28 | 29 | To protect your rights, we need to prevent others from denying you 30 | these rights or asking you to surrender the rights. Therefore, you have 31 | certain responsibilities if you distribute copies of the software, or if 32 | you modify it: responsibilities to respect the freedom of others. 33 | 34 | For example, if you distribute copies of such a program, whether 35 | gratis or for a fee, you must pass on to the recipients the same 36 | freedoms that you received. You must make sure that they, too, receive 37 | or can get the source code. And you must show them these terms so they 38 | know their rights. 39 | 40 | Developers that use the GNU GPL protect your rights with two steps: 41 | (1) assert copyright on the software, and (2) offer you this License 42 | giving you legal permission to copy, distribute and/or modify it. 43 | 44 | For the developers' and authors' protection, the GPL clearly explains 45 | that there is no warranty for this free software. For both users' and 46 | authors' sake, the GPL requires that modified versions be marked as 47 | changed, so that their problems will not be attributed erroneously to 48 | authors of previous versions. 49 | 50 | Some devices are designed to deny users access to install or run 51 | modified versions of the software inside them, although the manufacturer 52 | can do so. This is fundamentally incompatible with the aim of 53 | protecting users' freedom to change the software. The systematic 54 | pattern of such abuse occurs in the area of products for individuals to 55 | use, which is precisely where it is most unacceptable. Therefore, we 56 | have designed this version of the GPL to prohibit the practice for those 57 | products. If such problems arise substantially in other domains, we 58 | stand ready to extend this provision to those domains in future versions 59 | of the GPL, as needed to protect the freedom of users. 60 | 61 | Finally, every program is threatened constantly by software patents. 62 | States should not allow patents to restrict development and use of 63 | software on general-purpose computers, but in those that do, we wish to 64 | avoid the special danger that patents applied to a free program could 65 | make it effectively proprietary. To prevent this, the GPL assures that 66 | patents cannot be used to render the program non-free. 67 | 68 | The precise terms and conditions for copying, distribution and 69 | modification follow. 70 | 71 | TERMS AND CONDITIONS 72 | 73 | 0. Definitions. 74 | 75 | "This License" refers to version 3 of the GNU General Public License. 76 | 77 | "Copyright" also means copyright-like laws that apply to other kinds of 78 | works, such as semiconductor masks. 79 | 80 | "The Program" refers to any copyrightable work licensed under this 81 | License. Each licensee is addressed as "you". "Licensees" and 82 | "recipients" may be individuals or organizations. 83 | 84 | To "modify" a work means to copy from or adapt all or part of the work 85 | in a fashion requiring copyright permission, other than the making of an 86 | exact copy. The resulting work is called a "modified version" of the 87 | earlier work or a work "based on" the earlier work. 88 | 89 | A "covered work" means either the unmodified Program or a work based 90 | on the Program. 91 | 92 | To "propagate" a work means to do anything with it that, without 93 | permission, would make you directly or secondarily liable for 94 | infringement under applicable copyright law, except executing it on a 95 | computer or modifying a private copy. Propagation includes copying, 96 | distribution (with or without modification), making available to the 97 | public, and in some countries other activities as well. 98 | 99 | To "convey" a work means any kind of propagation that enables other 100 | parties to make or receive copies. Mere interaction with a user through 101 | a computer network, with no transfer of a copy, is not conveying. 102 | 103 | An interactive user interface displays "Appropriate Legal Notices" 104 | to the extent that it includes a convenient and prominently visible 105 | feature that (1) displays an appropriate copyright notice, and (2) 106 | tells the user that there is no warranty for the work (except to the 107 | extent that warranties are provided), that licensees may convey the 108 | work under this License, and how to view a copy of this License. If 109 | the interface presents a list of user commands or options, such as a 110 | menu, a prominent item in the list meets this criterion. 111 | 112 | 1. Source Code. 113 | 114 | The "source code" for a work means the preferred form of the work 115 | for making modifications to it. "Object code" means any non-source 116 | form of a work. 117 | 118 | A "Standard Interface" means an interface that either is an official 119 | standard defined by a recognized standards body, or, in the case of 120 | interfaces specified for a particular programming language, one that 121 | is widely used among developers working in that language. 122 | 123 | The "System Libraries" of an executable work include anything, other 124 | than the work as a whole, that (a) is included in the normal form of 125 | packaging a Major Component, but which is not part of that Major 126 | Component, and (b) serves only to enable use of the work with that 127 | Major Component, or to implement a Standard Interface for which an 128 | implementation is available to the public in source code form. A 129 | "Major Component", in this context, means a major essential component 130 | (kernel, window system, and so on) of the specific operating system 131 | (if any) on which the executable work runs, or a compiler used to 132 | produce the work, or an object code interpreter used to run it. 133 | 134 | The "Corresponding Source" for a work in object code form means all 135 | the source code needed to generate, install, and (for an executable 136 | work) run the object code and to modify the work, including scripts to 137 | control those activities. However, it does not include the work's 138 | System Libraries, or general-purpose tools or generally available free 139 | programs which are used unmodified in performing those activities but 140 | which are not part of the work. For example, Corresponding Source 141 | includes interface definition files associated with source files for 142 | the work, and the source code for shared libraries and dynamically 143 | linked subprograms that the work is specifically designed to require, 144 | such as by intimate data communication or control flow between those 145 | subprograms and other parts of the work. 146 | 147 | The Corresponding Source need not include anything that users 148 | can regenerate automatically from other parts of the Corresponding 149 | Source. 150 | 151 | The Corresponding Source for a work in source code form is that 152 | same work. 153 | 154 | 2. Basic Permissions. 155 | 156 | All rights granted under this License are granted for the term of 157 | copyright on the Program, and are irrevocable provided the stated 158 | conditions are met. This License explicitly affirms your unlimited 159 | permission to run the unmodified Program. The output from running a 160 | covered work is covered by this License only if the output, given its 161 | content, constitutes a covered work. This License acknowledges your 162 | rights of fair use or other equivalent, as provided by copyright law. 163 | 164 | You may make, run and propagate covered works that you do not 165 | convey, without conditions so long as your license otherwise remains 166 | in force. You may convey covered works to others for the sole purpose 167 | of having them make modifications exclusively for you, or provide you 168 | with facilities for running those works, provided that you comply with 169 | the terms of this License in conveying all material for which you do 170 | not control copyright. Those thus making or running the covered works 171 | for you must do so exclusively on your behalf, under your direction 172 | and control, on terms that prohibit them from making any copies of 173 | your copyrighted material outside their relationship with you. 174 | 175 | Conveying under any other circumstances is permitted solely under 176 | the conditions stated below. Sublicensing is not allowed; section 10 177 | makes it unnecessary. 178 | 179 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law. 180 | 181 | No covered work shall be deemed part of an effective technological 182 | measure under any applicable law fulfilling obligations under article 183 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or 184 | similar laws prohibiting or restricting circumvention of such 185 | measures. 186 | 187 | When you convey a covered work, you waive any legal power to forbid 188 | circumvention of technological measures to the extent such circumvention 189 | is effected by exercising rights under this License with respect to 190 | the covered work, and you disclaim any intention to limit operation or 191 | modification of the work as a means of enforcing, against the work's 192 | users, your or third parties' legal rights to forbid circumvention of 193 | technological measures. 194 | 195 | 4. Conveying Verbatim Copies. 196 | 197 | You may convey verbatim copies of the Program's source code as you 198 | receive it, in any medium, provided that you conspicuously and 199 | appropriately publish on each copy an appropriate copyright notice; 200 | keep intact all notices stating that this License and any 201 | non-permissive terms added in accord with section 7 apply to the code; 202 | keep intact all notices of the absence of any warranty; and give all 203 | recipients a copy of this License along with the Program. 204 | 205 | You may charge any price or no price for each copy that you convey, 206 | and you may offer support or warranty protection for a fee. 207 | 208 | 5. Conveying Modified Source Versions. 209 | 210 | You may convey a work based on the Program, or the modifications to 211 | produce it from the Program, in the form of source code under the 212 | terms of section 4, provided that you also meet all of these conditions: 213 | 214 | a) The work must carry prominent notices stating that you modified 215 | it, and giving a relevant date. 216 | 217 | b) The work must carry prominent notices stating that it is 218 | released under this License and any conditions added under section 219 | 7. This requirement modifies the requirement in section 4 to 220 | "keep intact all notices". 221 | 222 | c) You must license the entire work, as a whole, under this 223 | License to anyone who comes into possession of a copy. This 224 | License will therefore apply, along with any applicable section 7 225 | additional terms, to the whole of the work, and all its parts, 226 | regardless of how they are packaged. This License gives no 227 | permission to license the work in any other way, but it does not 228 | invalidate such permission if you have separately received it. 229 | 230 | d) If the work has interactive user interfaces, each must display 231 | Appropriate Legal Notices; however, if the Program has interactive 232 | interfaces that do not display Appropriate Legal Notices, your 233 | work need not make them do so. 234 | 235 | A compilation of a covered work with other separate and independent 236 | works, which are not by their nature extensions of the covered work, 237 | and which are not combined with it such as to form a larger program, 238 | in or on a volume of a storage or distribution medium, is called an 239 | "aggregate" if the compilation and its resulting copyright are not 240 | used to limit the access or legal rights of the compilation's users 241 | beyond what the individual works permit. Inclusion of a covered work 242 | in an aggregate does not cause this License to apply to the other 243 | parts of the aggregate. 244 | 245 | 6. Conveying Non-Source Forms. 246 | 247 | You may convey a covered work in object code form under the terms 248 | of sections 4 and 5, provided that you also convey the 249 | machine-readable Corresponding Source under the terms of this License, 250 | in one of these ways: 251 | 252 | a) Convey the object code in, or embodied in, a physical product 253 | (including a physical distribution medium), accompanied by the 254 | Corresponding Source fixed on a durable physical medium 255 | customarily used for software interchange. 256 | 257 | b) Convey the object code in, or embodied in, a physical product 258 | (including a physical distribution medium), accompanied by a 259 | written offer, valid for at least three years and valid for as 260 | long as you offer spare parts or customer support for that product 261 | model, to give anyone who possesses the object code either (1) a 262 | copy of the Corresponding Source for all the software in the 263 | product that is covered by this License, on a durable physical 264 | medium customarily used for software interchange, for a price no 265 | more than your reasonable cost of physically performing this 266 | conveying of source, or (2) access to copy the 267 | Corresponding Source from a network server at no charge. 268 | 269 | c) Convey individual copies of the object code with a copy of the 270 | written offer to provide the Corresponding Source. This 271 | alternative is allowed only occasionally and noncommercially, and 272 | only if you received the object code with such an offer, in accord 273 | with subsection 6b. 274 | 275 | d) Convey the object code by offering access from a designated 276 | place (gratis or for a charge), and offer equivalent access to the 277 | Corresponding Source in the same way through the same place at no 278 | further charge. You need not require recipients to copy the 279 | Corresponding Source along with the object code. If the place to 280 | copy the object code is a network server, the Corresponding Source 281 | may be on a different server (operated by you or a third party) 282 | that supports equivalent copying facilities, provided you maintain 283 | clear directions next to the object code saying where to find the 284 | Corresponding Source. Regardless of what server hosts the 285 | Corresponding Source, you remain obligated to ensure that it is 286 | available for as long as needed to satisfy these requirements. 287 | 288 | e) Convey the object code using peer-to-peer transmission, provided 289 | you inform other peers where the object code and Corresponding 290 | Source of the work are being offered to the general public at no 291 | charge under subsection 6d. 292 | 293 | A separable portion of the object code, whose source code is excluded 294 | from the Corresponding Source as a System Library, need not be 295 | included in conveying the object code work. 296 | 297 | A "User Product" is either (1) a "consumer product", which means any 298 | tangible personal property which is normally used for personal, family, 299 | or household purposes, or (2) anything designed or sold for incorporation 300 | into a dwelling. In determining whether a product is a consumer product, 301 | doubtful cases shall be resolved in favor of coverage. For a particular 302 | product received by a particular user, "normally used" refers to a 303 | typical or common use of that class of product, regardless of the status 304 | of the particular user or of the way in which the particular user 305 | actually uses, or expects or is expected to use, the product. A product 306 | is a consumer product regardless of whether the product has substantial 307 | commercial, industrial or non-consumer uses, unless such uses represent 308 | the only significant mode of use of the product. 309 | 310 | "Installation Information" for a User Product means any methods, 311 | procedures, authorization keys, or other information required to install 312 | and execute modified versions of a covered work in that User Product from 313 | a modified version of its Corresponding Source. The information must 314 | suffice to ensure that the continued functioning of the modified object 315 | code is in no case prevented or interfered with solely because 316 | modification has been made. 317 | 318 | If you convey an object code work under this section in, or with, or 319 | specifically for use in, a User Product, and the conveying occurs as 320 | part of a transaction in which the right of possession and use of the 321 | User Product is transferred to the recipient in perpetuity or for a 322 | fixed term (regardless of how the transaction is characterized), the 323 | Corresponding Source conveyed under this section must be accompanied 324 | by the Installation Information. But this requirement does not apply 325 | if neither you nor any third party retains the ability to install 326 | modified object code on the User Product (for example, the work has 327 | been installed in ROM). 328 | 329 | The requirement to provide Installation Information does not include a 330 | requirement to continue to provide support service, warranty, or updates 331 | for a work that has been modified or installed by the recipient, or for 332 | the User Product in which it has been modified or installed. Access to a 333 | network may be denied when the modification itself materially and 334 | adversely affects the operation of the network or violates the rules and 335 | protocols for communication across the network. 336 | 337 | Corresponding Source conveyed, and Installation Information provided, 338 | in accord with this section must be in a format that is publicly 339 | documented (and with an implementation available to the public in 340 | source code form), and must require no special password or key for 341 | unpacking, reading or copying. 342 | 343 | 7. Additional Terms. 344 | 345 | "Additional permissions" are terms that supplement the terms of this 346 | License by making exceptions from one or more of its conditions. 347 | Additional permissions that are applicable to the entire Program shall 348 | be treated as though they were included in this License, to the extent 349 | that they are valid under applicable law. If additional permissions 350 | apply only to part of the Program, that part may be used separately 351 | under those permissions, but the entire Program remains governed by 352 | this License without regard to the additional permissions. 353 | 354 | When you convey a copy of a covered work, you may at your option 355 | remove any additional permissions from that copy, or from any part of 356 | it. (Additional permissions may be written to require their own 357 | removal in certain cases when you modify the work.) You may place 358 | additional permissions on material, added by you to a covered work, 359 | for which you have or can give appropriate copyright permission. 360 | 361 | Notwithstanding any other provision of this License, for material you 362 | add to a covered work, you may (if authorized by the copyright holders of 363 | that material) supplement the terms of this License with terms: 364 | 365 | a) Disclaiming warranty or limiting liability differently from the 366 | terms of sections 15 and 16 of this License; or 367 | 368 | b) Requiring preservation of specified reasonable legal notices or 369 | author attributions in that material or in the Appropriate Legal 370 | Notices displayed by works containing it; or 371 | 372 | c) Prohibiting misrepresentation of the origin of that material, or 373 | requiring that modified versions of such material be marked in 374 | reasonable ways as different from the original version; or 375 | 376 | d) Limiting the use for publicity purposes of names of licensors or 377 | authors of the material; or 378 | 379 | e) Declining to grant rights under trademark law for use of some 380 | trade names, trademarks, or service marks; or 381 | 382 | f) Requiring indemnification of licensors and authors of that 383 | material by anyone who conveys the material (or modified versions of 384 | it) with contractual assumptions of liability to the recipient, for 385 | any liability that these contractual assumptions directly impose on 386 | those licensors and authors. 387 | 388 | All other non-permissive additional terms are considered "further 389 | restrictions" within the meaning of section 10. If the Program as you 390 | received it, or any part of it, contains a notice stating that it is 391 | governed by this License along with a term that is a further 392 | restriction, you may remove that term. If a license document contains 393 | a further restriction but permits relicensing or conveying under this 394 | License, you may add to a covered work material governed by the terms 395 | of that license document, provided that the further restriction does 396 | not survive such relicensing or conveying. 397 | 398 | If you add terms to a covered work in accord with this section, you 399 | must place, in the relevant source files, a statement of the 400 | additional terms that apply to those files, or a notice indicating 401 | where to find the applicable terms. 402 | 403 | Additional terms, permissive or non-permissive, may be stated in the 404 | form of a separately written license, or stated as exceptions; 405 | the above requirements apply either way. 406 | 407 | 8. Termination. 408 | 409 | You may not propagate or modify a covered work except as expressly 410 | provided under this License. Any attempt otherwise to propagate or 411 | modify it is void, and will automatically terminate your rights under 412 | this License (including any patent licenses granted under the third 413 | paragraph of section 11). 414 | 415 | However, if you cease all violation of this License, then your 416 | license from a particular copyright holder is reinstated (a) 417 | provisionally, unless and until the copyright holder explicitly and 418 | finally terminates your license, and (b) permanently, if the copyright 419 | holder fails to notify you of the violation by some reasonable means 420 | prior to 60 days after the cessation. 421 | 422 | Moreover, your license from a particular copyright holder is 423 | reinstated permanently if the copyright holder notifies you of the 424 | violation by some reasonable means, this is the first time you have 425 | received notice of violation of this License (for any work) from that 426 | copyright holder, and you cure the violation prior to 30 days after 427 | your receipt of the notice. 428 | 429 | Termination of your rights under this section does not terminate the 430 | licenses of parties who have received copies or rights from you under 431 | this License. If your rights have been terminated and not permanently 432 | reinstated, you do not qualify to receive new licenses for the same 433 | material under section 10. 434 | 435 | 9. Acceptance Not Required for Having Copies. 436 | 437 | You are not required to accept this License in order to receive or 438 | run a copy of the Program. Ancillary propagation of a covered work 439 | occurring solely as a consequence of using peer-to-peer transmission 440 | to receive a copy likewise does not require acceptance. However, 441 | nothing other than this License grants you permission to propagate or 442 | modify any covered work. These actions infringe copyright if you do 443 | not accept this License. Therefore, by modifying or propagating a 444 | covered work, you indicate your acceptance of this License to do so. 445 | 446 | 10. Automatic Licensing of Downstream Recipients. 447 | 448 | Each time you convey a covered work, the recipient automatically 449 | receives a license from the original licensors, to run, modify and 450 | propagate that work, subject to this License. You are not responsible 451 | for enforcing compliance by third parties with this License. 452 | 453 | An "entity transaction" is a transaction transferring control of an 454 | organization, or substantially all assets of one, or subdividing an 455 | organization, or merging organizations. If propagation of a covered 456 | work results from an entity transaction, each party to that 457 | transaction who receives a copy of the work also receives whatever 458 | licenses to the work the party's predecessor in interest had or could 459 | give under the previous paragraph, plus a right to possession of the 460 | Corresponding Source of the work from the predecessor in interest, if 461 | the predecessor has it or can get it with reasonable efforts. 462 | 463 | You may not impose any further restrictions on the exercise of the 464 | rights granted or affirmed under this License. For example, you may 465 | not impose a license fee, royalty, or other charge for exercise of 466 | rights granted under this License, and you may not initiate litigation 467 | (including a cross-claim or counterclaim in a lawsuit) alleging that 468 | any patent claim is infringed by making, using, selling, offering for 469 | sale, or importing the Program or any portion of it. 470 | 471 | 11. Patents. 472 | 473 | A "contributor" is a copyright holder who authorizes use under this 474 | License of the Program or a work on which the Program is based. The 475 | work thus licensed is called the contributor's "contributor version". 476 | 477 | A contributor's "essential patent claims" are all patent claims 478 | owned or controlled by the contributor, whether already acquired or 479 | hereafter acquired, that would be infringed by some manner, permitted 480 | by this License, of making, using, or selling its contributor version, 481 | but do not include claims that would be infringed only as a 482 | consequence of further modification of the contributor version. For 483 | purposes of this definition, "control" includes the right to grant 484 | patent sublicenses in a manner consistent with the requirements of 485 | this License. 486 | 487 | Each contributor grants you a non-exclusive, worldwide, royalty-free 488 | patent license under the contributor's essential patent claims, to 489 | make, use, sell, offer for sale, import and otherwise run, modify and 490 | propagate the contents of its contributor version. 491 | 492 | In the following three paragraphs, a "patent license" is any express 493 | agreement or commitment, however denominated, not to enforce a patent 494 | (such as an express permission to practice a patent or covenant not to 495 | sue for patent infringement). To "grant" such a patent license to a 496 | party means to make such an agreement or commitment not to enforce a 497 | patent against the party. 498 | 499 | If you convey a covered work, knowingly relying on a patent license, 500 | and the Corresponding Source of the work is not available for anyone 501 | to copy, free of charge and under the terms of this License, through a 502 | publicly available network server or other readily accessible means, 503 | then you must either (1) cause the Corresponding Source to be so 504 | available, or (2) arrange to deprive yourself of the benefit of the 505 | patent license for this particular work, or (3) arrange, in a manner 506 | consistent with the requirements of this License, to extend the patent 507 | license to downstream recipients. "Knowingly relying" means you have 508 | actual knowledge that, but for the patent license, your conveying the 509 | covered work in a country, or your recipient's use of the covered work 510 | in a country, would infringe one or more identifiable patents in that 511 | country that you have reason to believe are valid. 512 | 513 | If, pursuant to or in connection with a single transaction or 514 | arrangement, you convey, or propagate by procuring conveyance of, a 515 | covered work, and grant a patent license to some of the parties 516 | receiving the covered work authorizing them to use, propagate, modify 517 | or convey a specific copy of the covered work, then the patent license 518 | you grant is automatically extended to all recipients of the covered 519 | work and works based on it. 520 | 521 | A patent license is "discriminatory" if it does not include within 522 | the scope of its coverage, prohibits the exercise of, or is 523 | conditioned on the non-exercise of one or more of the rights that are 524 | specifically granted under this License. You may not convey a covered 525 | work if you are a party to an arrangement with a third party that is 526 | in the business of distributing software, under which you make payment 527 | to the third party based on the extent of your activity of conveying 528 | the work, and under which the third party grants, to any of the 529 | parties who would receive the covered work from you, a discriminatory 530 | patent license (a) in connection with copies of the covered work 531 | conveyed by you (or copies made from those copies), or (b) primarily 532 | for and in connection with specific products or compilations that 533 | contain the covered work, unless you entered into that arrangement, 534 | or that patent license was granted, prior to 28 March 2007. 535 | 536 | Nothing in this License shall be construed as excluding or limiting 537 | any implied license or other defenses to infringement that may 538 | otherwise be available to you under applicable patent law. 539 | 540 | 12. No Surrender of Others' Freedom. 541 | 542 | If conditions are imposed on you (whether by court order, agreement or 543 | otherwise) that contradict the conditions of this License, they do not 544 | excuse you from the conditions of this License. If you cannot convey a 545 | covered work so as to satisfy simultaneously your obligations under this 546 | License and any other pertinent obligations, then as a consequence you may 547 | not convey it at all. For example, if you agree to terms that obligate you 548 | to collect a royalty for further conveying from those to whom you convey 549 | the Program, the only way you could satisfy both those terms and this 550 | License would be to refrain entirely from conveying the Program. 551 | 552 | 13. Use with the GNU Affero General Public License. 553 | 554 | Notwithstanding any other provision of this License, you have 555 | permission to link or combine any covered work with a work licensed 556 | under version 3 of the GNU Affero General Public License into a single 557 | combined work, and to convey the resulting work. The terms of this 558 | License will continue to apply to the part which is the covered work, 559 | but the special requirements of the GNU Affero General Public License, 560 | section 13, concerning interaction through a network will apply to the 561 | combination as such. 562 | 563 | 14. Revised Versions of this License. 564 | 565 | The Free Software Foundation may publish revised and/or new versions of 566 | the GNU General Public License from time to time. Such new versions will 567 | be similar in spirit to the present version, but may differ in detail to 568 | address new problems or concerns. 569 | 570 | Each version is given a distinguishing version number. If the 571 | Program specifies that a certain numbered version of the GNU General 572 | Public License "or any later version" applies to it, you have the 573 | option of following the terms and conditions either of that numbered 574 | version or of any later version published by the Free Software 575 | Foundation. If the Program does not specify a version number of the 576 | GNU General Public License, you may choose any version ever published 577 | by the Free Software Foundation. 578 | 579 | If the Program specifies that a proxy can decide which future 580 | versions of the GNU General Public License can be used, that proxy's 581 | public statement of acceptance of a version permanently authorizes you 582 | to choose that version for the Program. 583 | 584 | Later license versions may give you additional or different 585 | permissions. However, no additional obligations are imposed on any 586 | author or copyright holder as a result of your choosing to follow a 587 | later version. 588 | 589 | 15. Disclaimer of Warranty. 590 | 591 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY 592 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT 593 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY 594 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, 595 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 596 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM 597 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF 598 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 599 | 600 | 16. Limitation of Liability. 601 | 602 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 603 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS 604 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY 605 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE 606 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF 607 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD 608 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), 609 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF 610 | SUCH DAMAGES. 611 | 612 | 17. Interpretation of Sections 15 and 16. 613 | 614 | If the disclaimer of warranty and limitation of liability provided 615 | above cannot be given local legal effect according to their terms, 616 | reviewing courts shall apply local law that most closely approximates 617 | an absolute waiver of all civil liability in connection with the 618 | Program, unless a warranty or assumption of liability accompanies a 619 | copy of the Program in return for a fee. 620 | 621 | END OF TERMS AND CONDITIONS 622 | 623 | How to Apply These Terms to Your New Programs 624 | 625 | If you develop a new program, and you want it to be of the greatest 626 | possible use to the public, the best way to achieve this is to make it 627 | free software which everyone can redistribute and change under these terms. 628 | 629 | To do so, attach the following notices to the program. It is safest 630 | to attach them to the start of each source file to most effectively 631 | state the exclusion of warranty; and each file should have at least 632 | the "copyright" line and a pointer to where the full notice is found. 633 | 634 | 635 | Copyright (C) 636 | 637 | This program is free software: you can redistribute it and/or modify 638 | it under the terms of the GNU General Public License as published by 639 | the Free Software Foundation, either version 3 of the License, or 640 | (at your option) any later version. 641 | 642 | This program is distributed in the hope that it will be useful, 643 | but WITHOUT ANY WARRANTY; without even the implied warranty of 644 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 645 | GNU General Public License for more details. 646 | 647 | You should have received a copy of the GNU General Public License 648 | along with this program. If not, see . 649 | 650 | Also add information on how to contact you by electronic and paper mail. 651 | 652 | If the program does terminal interaction, make it output a short 653 | notice like this when it starts in an interactive mode: 654 | 655 | Copyright (C) 656 | This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 657 | This is free software, and you are welcome to redistribute it 658 | under certain conditions; type `show c' for details. 659 | 660 | The hypothetical commands `show w' and `show c' should show the appropriate 661 | parts of the General Public License. Of course, your program's commands 662 | might be different; for a GUI interface, you would use an "about box". 663 | 664 | You should also get your employer (if you work as a programmer) or school, 665 | if any, to sign a "copyright disclaimer" for the program, if necessary. 666 | For more information on this, and how to apply and follow the GNU GPL, see 667 | . 668 | 669 | The GNU General Public License does not permit incorporating your program 670 | into proprietary programs. If your program is a subroutine library, you 671 | may consider it more useful to permit linking proprietary applications with 672 | the library. If this is what you want to do, use the GNU Lesser General 673 | Public License instead of this License. But first, please read 674 | . 675 | -------------------------------------------------------------------------------- /CHANGELOG.md: -------------------------------------------------------------------------------- 1 | # Changelog 2 | 3 | ## [4.3.3](https://github.com/telekom-mms/ansible-collection-acme/tree/4.3.3) (2025-12-12) 4 | 5 | [Full Changelog](https://github.com/telekom-mms/ansible-collection-acme/compare/4.3.2...4.3.3) 6 | 7 | **Merged pull requests:** 8 | 9 | - chore\(deps\): update nginx docker digest to fb01117 [\#213](https://github.com/telekom-mms/ansible-collection-acme/pull/213) ([renovate[bot]](https://github.com/apps/renovate)) 10 | - chore\(deps\): update ansible/ansible-lint action to v25.12.1 [\#212](https://github.com/telekom-mms/ansible-collection-acme/pull/212) ([renovate[bot]](https://github.com/apps/renovate)) 11 | - chore\(deps\): update ansible/ansible-lint action to v25.12.0 [\#211](https://github.com/telekom-mms/ansible-collection-acme/pull/211) ([renovate[bot]](https://github.com/apps/renovate)) 12 | - chore\(deps\): update actions/setup-python digest to 83679a8 [\#210](https://github.com/telekom-mms/ansible-collection-acme/pull/210) ([renovate[bot]](https://github.com/apps/renovate)) 13 | - chore\(deps\): update ansible/ansible-lint action to v25.11.1 [\#209](https://github.com/telekom-mms/ansible-collection-acme/pull/209) ([renovate[bot]](https://github.com/apps/renovate)) 14 | - chore\(deps\): update actions/checkout action to v6 [\#208](https://github.com/telekom-mms/ansible-collection-acme/pull/208) ([renovate[bot]](https://github.com/apps/renovate)) 15 | - chore\(deps\): update nginx docker digest to 553f64a [\#207](https://github.com/telekom-mms/ansible-collection-acme/pull/207) ([renovate[bot]](https://github.com/apps/renovate)) 16 | - chore\(deps\): update actions/checkout digest to 93cb6ef [\#206](https://github.com/telekom-mms/ansible-collection-acme/pull/206) ([renovate[bot]](https://github.com/apps/renovate)) 17 | - chore\(deps\): update ansible/ansible-lint action to v25.11.0 [\#205](https://github.com/telekom-mms/ansible-collection-acme/pull/205) ([renovate[bot]](https://github.com/apps/renovate)) 18 | - chore\(deps\): update nginx docker digest to 1beed3c [\#204](https://github.com/telekom-mms/ansible-collection-acme/pull/204) ([renovate[bot]](https://github.com/apps/renovate)) 19 | - chore\(deps\): update nginx docker digest to f547e3d [\#203](https://github.com/telekom-mms/ansible-collection-acme/pull/203) ([renovate[bot]](https://github.com/apps/renovate)) 20 | - chore\(deps\): update nginx docker digest to 029d446 [\#202](https://github.com/telekom-mms/ansible-collection-acme/pull/202) ([renovate[bot]](https://github.com/apps/renovate)) 21 | - Update Ansible versions to current, fix tests [\#201](https://github.com/telekom-mms/ansible-collection-acme/pull/201) ([schurzi](https://github.com/schurzi)) 22 | - chore\(deps\): update nginx docker digest to d5f28ef [\#200](https://github.com/telekom-mms/ansible-collection-acme/pull/200) ([renovate[bot]](https://github.com/apps/renovate)) 23 | - chore\(deps\): update actions/setup-python action to v6 [\#199](https://github.com/telekom-mms/ansible-collection-acme/pull/199) ([renovate[bot]](https://github.com/apps/renovate)) 24 | - chore\(deps\): update actions/checkout action to v5 [\#197](https://github.com/telekom-mms/ansible-collection-acme/pull/197) ([renovate[bot]](https://github.com/apps/renovate)) 25 | - chore\(deps\): update ansible/ansible-lint action to v25.9.2 [\#196](https://github.com/telekom-mms/ansible-collection-acme/pull/196) ([renovate[bot]](https://github.com/apps/renovate)) 26 | - chore\(deps\): update nginx docker digest to 33e0bbc [\#195](https://github.com/telekom-mms/ansible-collection-acme/pull/195) ([renovate[bot]](https://github.com/apps/renovate)) 27 | - chore: add missing link to nsupdate doc [\#193](https://github.com/telekom-mms/ansible-collection-acme/pull/193) ([neubi4](https://github.com/neubi4)) 28 | - chore\(deps\): update nginx docker digest to 93230cd [\#190](https://github.com/telekom-mms/ansible-collection-acme/pull/190) ([renovate[bot]](https://github.com/apps/renovate)) 29 | - chore\(deps\): update nginx docker digest to dc53c8f [\#188](https://github.com/telekom-mms/ansible-collection-acme/pull/188) ([renovate[bot]](https://github.com/apps/renovate)) 30 | 31 | ## [4.3.2](https://github.com/telekom-mms/ansible-collection-acme/tree/4.3.2) (2025-06-26) 32 | 33 | [Full Changelog](https://github.com/telekom-mms/ansible-collection-acme/compare/4.3.1...4.3.2) 34 | 35 | **Fixed bugs:** 36 | 37 | - Fixing missing endpoint\_url on S3 remove task [\#189](https://github.com/telekom-mms/ansible-collection-acme/pull/189) ([diLLec](https://github.com/diLLec)) 38 | 39 | **Merged pull requests:** 40 | 41 | - chore\(deps\): update ansible/ansible-lint action to v25.6.1 [\#187](https://github.com/telekom-mms/ansible-collection-acme/pull/187) ([renovate[bot]](https://github.com/apps/renovate)) 42 | - Optimize assertions for API responses [\#186](https://github.com/telekom-mms/ansible-collection-acme/pull/186) ([diLLec](https://github.com/diLLec)) 43 | 44 | ## [4.3.1](https://github.com/telekom-mms/ansible-collection-acme/tree/4.3.1) (2025-06-17) 45 | 46 | [Full Changelog](https://github.com/telekom-mms/ansible-collection-acme/compare/4.3.0...4.3.1) 47 | 48 | **Fixed bugs:** 49 | 50 | - \[Bug\] Handle half validated requests with multiple domains [\#185](https://github.com/telekom-mms/ansible-collection-acme/pull/185) ([diLLec](https://github.com/diLLec)) 51 | 52 | ## [4.3.0](https://github.com/telekom-mms/ansible-collection-acme/tree/4.3.0) (2025-06-16) 53 | 54 | [Full Changelog](https://github.com/telekom-mms/ansible-collection-acme/compare/4.2.0...4.3.0) 55 | 56 | **Implemented enhancements:** 57 | 58 | - Use challenge\_data and authorizations from ACME API validation response [\#171](https://github.com/telekom-mms/ansible-collection-acme/pull/171) ([diLLec](https://github.com/diLLec)) 59 | 60 | **Merged pull requests:** 61 | 62 | - chore\(deps\): update nginx docker digest to 6784fb0 [\#183](https://github.com/telekom-mms/ansible-collection-acme/pull/183) ([renovate[bot]](https://github.com/apps/renovate)) 63 | - chore\(deps\): update ansible/ansible-lint action to v25.5.0 [\#182](https://github.com/telekom-mms/ansible-collection-acme/pull/182) ([renovate[bot]](https://github.com/apps/renovate)) 64 | - chore\(deps\): update nginx docker digest to fb39280 [\#181](https://github.com/telekom-mms/ansible-collection-acme/pull/181) ([renovate[bot]](https://github.com/apps/renovate)) 65 | - chore\(deps\): update nginx docker digest to c15da6c [\#180](https://github.com/telekom-mms/ansible-collection-acme/pull/180) ([renovate[bot]](https://github.com/apps/renovate)) 66 | - chore\(deps\): update ansible/ansible-lint action to v25.4.0 [\#179](https://github.com/telekom-mms/ansible-collection-acme/pull/179) ([renovate[bot]](https://github.com/apps/renovate)) 67 | - chore\(deps\): update actions/setup-python digest to a26af69 [\#178](https://github.com/telekom-mms/ansible-collection-acme/pull/178) ([renovate[bot]](https://github.com/apps/renovate)) 68 | - chore\(deps\): update nginx docker digest to 5ed8fcc [\#177](https://github.com/telekom-mms/ansible-collection-acme/pull/177) ([renovate[bot]](https://github.com/apps/renovate)) 69 | - chore\(deps\): update nginx docker digest to 09369da [\#176](https://github.com/telekom-mms/ansible-collection-acme/pull/176) ([renovate[bot]](https://github.com/apps/renovate)) 70 | - chore\(deps\): update ansible/ansible-lint action to v25.2.1 [\#175](https://github.com/telekom-mms/ansible-collection-acme/pull/175) ([renovate[bot]](https://github.com/apps/renovate)) 71 | - chore\(deps\): update actions/setup-python digest to 8d9ed9a [\#174](https://github.com/telekom-mms/ansible-collection-acme/pull/174) ([renovate[bot]](https://github.com/apps/renovate)) 72 | - chore\(deps\): update nginx docker digest to 124b44b [\#173](https://github.com/telekom-mms/ansible-collection-acme/pull/173) ([renovate[bot]](https://github.com/apps/renovate)) 73 | - chore\(deps\): update nginx docker digest to 9d6b58f [\#172](https://github.com/telekom-mms/ansible-collection-acme/pull/172) ([renovate[bot]](https://github.com/apps/renovate)) 74 | - chore\(deps\): update ansible/ansible-lint action to v25.1.3 [\#170](https://github.com/telekom-mms/ansible-collection-acme/pull/170) ([renovate[bot]](https://github.com/apps/renovate)) 75 | 76 | ## [4.2.0](https://github.com/telekom-mms/ansible-collection-acme/tree/4.2.0) (2025-02-14) 77 | 78 | [Full Changelog](https://github.com/telekom-mms/ansible-collection-acme/compare/4.1.0...4.2.0) 79 | 80 | **Implemented enhancements:** 81 | 82 | - Adding nsupdate DNS challenge [\#169](https://github.com/telekom-mms/ansible-collection-acme/pull/169) ([diLLec](https://github.com/diLLec)) 83 | 84 | **Merged pull requests:** 85 | 86 | - chore\(deps\): update nginx docker digest to 9173428 [\#168](https://github.com/telekom-mms/ansible-collection-acme/pull/168) ([renovate[bot]](https://github.com/apps/renovate)) 87 | - chore\(deps\): update nginx docker digest to bc2f6a7 [\#167](https://github.com/telekom-mms/ansible-collection-acme/pull/167) ([renovate[bot]](https://github.com/apps/renovate)) 88 | - chore\(deps\): update ansible/ansible-lint action to v25 [\#163](https://github.com/telekom-mms/ansible-collection-acme/pull/163) ([renovate[bot]](https://github.com/apps/renovate)) 89 | 90 | ## [4.1.0](https://github.com/telekom-mms/ansible-collection-acme/tree/4.1.0) (2025-01-30) 91 | 92 | [Full Changelog](https://github.com/telekom-mms/ansible-collection-acme/compare/4.0.0...4.1.0) 93 | 94 | **Implemented enhancements:** 95 | 96 | - \[Enhancement\] Support creating ECC Keys [\#87](https://github.com/telekom-mms/ansible-collection-acme/issues/87) 97 | - feat: also download chain when downloading an cert [\#164](https://github.com/telekom-mms/ansible-collection-acme/pull/164) ([neubi4](https://github.com/neubi4)) 98 | - role should be usable via include\_role, vars should be possible via loop [\#145](https://github.com/telekom-mms/ansible-collection-acme/pull/145) ([michaelamattes](https://github.com/michaelamattes)) 99 | 100 | **Merged pull requests:** 101 | 102 | - chore\(deps\): update actions/setup-python digest to 4237552 [\#165](https://github.com/telekom-mms/ansible-collection-acme/pull/165) ([renovate[bot]](https://github.com/apps/renovate)) 103 | - chore\(deps\): update nginx docker digest to 0a399eb [\#162](https://github.com/telekom-mms/ansible-collection-acme/pull/162) ([renovate[bot]](https://github.com/apps/renovate)) 104 | - chore\(deps\): update nginx docker digest to 42e917a [\#161](https://github.com/telekom-mms/ansible-collection-acme/pull/161) ([renovate[bot]](https://github.com/apps/renovate)) 105 | - chore\(deps\): update ansible/ansible-lint action to v24.12.2 [\#160](https://github.com/telekom-mms/ansible-collection-acme/pull/160) ([renovate[bot]](https://github.com/apps/renovate)) 106 | - chore\(deps\): update nginx docker digest to fb19759 [\#159](https://github.com/telekom-mms/ansible-collection-acme/pull/159) ([renovate[bot]](https://github.com/apps/renovate)) 107 | - add retries to certificate download task [\#158](https://github.com/telekom-mms/ansible-collection-acme/pull/158) ([z-bsod](https://github.com/z-bsod)) 108 | - chore\(deps\): update nginx docker digest to 0c86ddd [\#157](https://github.com/telekom-mms/ansible-collection-acme/pull/157) ([renovate[bot]](https://github.com/apps/renovate)) 109 | - chore\(deps\): update ansible/ansible-lint action to v24.10.0 [\#156](https://github.com/telekom-mms/ansible-collection-acme/pull/156) ([renovate[bot]](https://github.com/apps/renovate)) 110 | - chore\(deps\): update nginx docker digest to bc5eac5 [\#155](https://github.com/telekom-mms/ansible-collection-acme/pull/155) ([renovate[bot]](https://github.com/apps/renovate)) 111 | - chore\(deps\): update actions/setup-python digest to 0b93645 [\#154](https://github.com/telekom-mms/ansible-collection-acme/pull/154) ([renovate[bot]](https://github.com/apps/renovate)) 112 | - chore\(deps\): update actions/checkout digest to 11bd719 [\#153](https://github.com/telekom-mms/ansible-collection-acme/pull/153) ([renovate[bot]](https://github.com/apps/renovate)) 113 | - chore\(deps\): update nginx docker digest to 28402db [\#152](https://github.com/telekom-mms/ansible-collection-acme/pull/152) ([renovate[bot]](https://github.com/apps/renovate)) 114 | - chore\(deps\): update actions/checkout digest to eef6144 [\#151](https://github.com/telekom-mms/ansible-collection-acme/pull/151) ([renovate[bot]](https://github.com/apps/renovate)) 115 | - chore\(deps\): update nginx docker digest to d2eb569 [\#150](https://github.com/telekom-mms/ansible-collection-acme/pull/150) ([renovate[bot]](https://github.com/apps/renovate)) 116 | - chore\(deps\): update nginx docker digest to b5d3f3e [\#149](https://github.com/telekom-mms/ansible-collection-acme/pull/149) ([renovate[bot]](https://github.com/apps/renovate)) 117 | - chore\(deps\): update ansible/ansible-lint action to v24.9.2 [\#148](https://github.com/telekom-mms/ansible-collection-acme/pull/148) ([renovate[bot]](https://github.com/apps/renovate)) 118 | - chore\(deps\): update ansible/ansible-lint action to v24.9.0 [\#147](https://github.com/telekom-mms/ansible-collection-acme/pull/147) ([renovate[bot]](https://github.com/apps/renovate)) 119 | - chore\(deps\): update nginx docker digest to 04ba374 [\#146](https://github.com/telekom-mms/ansible-collection-acme/pull/146) ([renovate[bot]](https://github.com/apps/renovate)) 120 | - chore\(deps\): update actions/setup-python digest to f677139 [\#144](https://github.com/telekom-mms/ansible-collection-acme/pull/144) ([renovate[bot]](https://github.com/apps/renovate)) 121 | - chore\(deps\): update nginx docker digest to 447a866 [\#143](https://github.com/telekom-mms/ansible-collection-acme/pull/143) ([renovate[bot]](https://github.com/apps/renovate)) 122 | - Update linting action [\#142](https://github.com/telekom-mms/ansible-collection-acme/pull/142) ([avalor1](https://github.com/avalor1)) 123 | - chore\(deps\): update nginx docker digest to 6af79ae [\#141](https://github.com/telekom-mms/ansible-collection-acme/pull/141) ([renovate[bot]](https://github.com/apps/renovate)) 124 | 125 | ## [4.0.0](https://github.com/telekom-mms/ansible-collection-acme/tree/4.0.0) (2024-07-22) 126 | 127 | [Full Changelog](https://github.com/telekom-mms/ansible-collection-acme/compare/3.1.2...4.0.0) 128 | 129 | **Breaking changes:** 130 | 131 | - Add ECC key creation support [\#95](https://github.com/telekom-mms/ansible-collection-acme/pull/95) ([avalor1](https://github.com/avalor1)) 132 | 133 | **Merged pull requests:** 134 | 135 | - Update test matrix [\#140](https://github.com/telekom-mms/ansible-collection-acme/pull/140) ([avalor1](https://github.com/avalor1)) 136 | - chore\(deps\): update actions/setup-python digest to 39cd149 [\#139](https://github.com/telekom-mms/ansible-collection-acme/pull/139) ([renovate[bot]](https://github.com/apps/renovate)) 137 | - chore\(deps\): update nginx docker digest to 67682bd [\#138](https://github.com/telekom-mms/ansible-collection-acme/pull/138) ([renovate[bot]](https://github.com/apps/renovate)) 138 | - chore\(deps\): update nginx docker digest to 9c36718 [\#137](https://github.com/telekom-mms/ansible-collection-acme/pull/137) ([renovate[bot]](https://github.com/apps/renovate)) 139 | - chore\(deps\): update nginx docker digest to 56b388b [\#136](https://github.com/telekom-mms/ansible-collection-acme/pull/136) ([renovate[bot]](https://github.com/apps/renovate)) 140 | - chore\(deps\): update actions/checkout digest to 692973e [\#135](https://github.com/telekom-mms/ansible-collection-acme/pull/135) ([renovate[bot]](https://github.com/apps/renovate)) 141 | - chore\(deps\): update nginx docker digest to 0f04e4f [\#134](https://github.com/telekom-mms/ansible-collection-acme/pull/134) ([renovate[bot]](https://github.com/apps/renovate)) 142 | - chore\(deps\): update actions/checkout digest to a5ac7e5 [\#133](https://github.com/telekom-mms/ansible-collection-acme/pull/133) ([renovate[bot]](https://github.com/apps/renovate)) 143 | - chore\(deps\): update nginx docker digest to a484819 [\#132](https://github.com/telekom-mms/ansible-collection-acme/pull/132) ([renovate[bot]](https://github.com/apps/renovate)) 144 | - chore\(deps\): update nginx docker digest to 32e76d4 [\#131](https://github.com/telekom-mms/ansible-collection-acme/pull/131) ([renovate[bot]](https://github.com/apps/renovate)) 145 | - chore\(deps\): update actions/checkout digest to 0ad4b8f [\#130](https://github.com/telekom-mms/ansible-collection-acme/pull/130) ([renovate[bot]](https://github.com/apps/renovate)) 146 | - chore\(deps\): update nginx docker digest to ed6d2c4 [\#129](https://github.com/telekom-mms/ansible-collection-acme/pull/129) ([renovate[bot]](https://github.com/apps/renovate)) 147 | - chore\(deps\): update actions/checkout digest to 1d96c77 [\#128](https://github.com/telekom-mms/ansible-collection-acme/pull/128) ([renovate[bot]](https://github.com/apps/renovate)) 148 | - chore\(deps\): update nginx docker digest to 0463a96 [\#127](https://github.com/telekom-mms/ansible-collection-acme/pull/127) ([renovate[bot]](https://github.com/apps/renovate)) 149 | - chore\(deps\): update nginx docker digest to 9ff236e [\#126](https://github.com/telekom-mms/ansible-collection-acme/pull/126) ([renovate[bot]](https://github.com/apps/renovate)) 150 | - chore\(deps\): update actions/setup-python digest to 82c7e63 [\#125](https://github.com/telekom-mms/ansible-collection-acme/pull/125) ([renovate[bot]](https://github.com/apps/renovate)) 151 | 152 | ## [3.1.2](https://github.com/telekom-mms/ansible-collection-acme/tree/3.1.2) (2024-03-21) 153 | 154 | [Full Changelog](https://github.com/telekom-mms/ansible-collection-acme/compare/3.1.1...3.1.2) 155 | 156 | ## [3.1.1](https://github.com/telekom-mms/ansible-collection-acme/tree/3.1.1) (2024-03-21) 157 | 158 | [Full Changelog](https://github.com/telekom-mms/ansible-collection-acme/compare/3.1.0...3.1.1) 159 | 160 | **Merged pull requests:** 161 | 162 | - Update galaxy.yml [\#124](https://github.com/telekom-mms/ansible-collection-acme/pull/124) ([rndmh3ro](https://github.com/rndmh3ro)) 163 | - chore\(deps\): update nginx docker digest to 6db391d [\#121](https://github.com/telekom-mms/ansible-collection-acme/pull/121) ([renovate[bot]](https://github.com/apps/renovate)) 164 | 165 | ## [3.1.0](https://github.com/telekom-mms/ansible-collection-acme/tree/3.1.0) (2024-03-20) 166 | 167 | [Full Changelog](https://github.com/telekom-mms/ansible-collection-acme/compare/3.0.2...3.1.0) 168 | 169 | **Merged pull requests:** 170 | 171 | - commonName is deprecated [\#123](https://github.com/telekom-mms/ansible-collection-acme/pull/123) ([rndmh3ro](https://github.com/rndmh3ro)) 172 | - Add domain-offensive as dns-01 challenge [\#122](https://github.com/telekom-mms/ansible-collection-acme/pull/122) ([SvenLie](https://github.com/SvenLie)) 173 | - chore\(deps\): update nginx docker digest to c26ae74 [\#120](https://github.com/telekom-mms/ansible-collection-acme/pull/120) ([renovate[bot]](https://github.com/apps/renovate)) 174 | - chore\(deps\): update nginx docker digest to 84c52df [\#119](https://github.com/telekom-mms/ansible-collection-acme/pull/119) ([renovate[bot]](https://github.com/apps/renovate)) 175 | - chore\(deps\): update nginx docker digest to 5f44022 [\#118](https://github.com/telekom-mms/ansible-collection-acme/pull/118) ([renovate[bot]](https://github.com/apps/renovate)) 176 | - chore\(deps\): update nginx docker digest to 6eb9534 [\#117](https://github.com/telekom-mms/ansible-collection-acme/pull/117) ([renovate[bot]](https://github.com/apps/renovate)) 177 | - rename master branch to main [\#116](https://github.com/telekom-mms/ansible-collection-acme/pull/116) ([rndmh3ro](https://github.com/rndmh3ro)) 178 | - chore\(deps\): update nginx docker digest to 4c0fdaa [\#115](https://github.com/telekom-mms/ansible-collection-acme/pull/115) ([renovate[bot]](https://github.com/apps/renovate)) 179 | - chore\(deps\): update nginx docker digest to 2bdc49f [\#114](https://github.com/telekom-mms/ansible-collection-acme/pull/114) ([renovate[bot]](https://github.com/apps/renovate)) 180 | - release only on releases, not pre-releases [\#113](https://github.com/telekom-mms/ansible-collection-acme/pull/113) ([rndmh3ro](https://github.com/rndmh3ro)) 181 | - Add Readme for Certificate Download [\#112](https://github.com/telekom-mms/ansible-collection-acme/pull/112) ([z-bsod](https://github.com/z-bsod)) 182 | - feat: add certificate download for temporary environments [\#111](https://github.com/telekom-mms/ansible-collection-acme/pull/111) ([z-bsod](https://github.com/z-bsod)) 183 | - chore\(deps\): update nginx docker digest to 5040a25 [\#110](https://github.com/telekom-mms/ansible-collection-acme/pull/110) ([renovate[bot]](https://github.com/apps/renovate)) 184 | - chore\(deps\): update actions/setup-python action to v5 [\#109](https://github.com/telekom-mms/ansible-collection-acme/pull/109) ([renovate[bot]](https://github.com/apps/renovate)) 185 | 186 | ## [3.0.2](https://github.com/telekom-mms/ansible-collection-acme/tree/3.0.2) (2023-12-01) 187 | 188 | [Full Changelog](https://github.com/telekom-mms/ansible-collection-acme/compare/3.0.1...3.0.2) 189 | 190 | ## [3.0.1](https://github.com/telekom-mms/ansible-collection-acme/tree/3.0.1) (2023-12-01) 191 | 192 | [Full Changelog](https://github.com/telekom-mms/ansible-collection-acme/compare/3.0.0...3.0.1) 193 | 194 | **Merged pull requests:** 195 | 196 | - allow to skip installation of prerequisites [\#108](https://github.com/telekom-mms/ansible-collection-acme/pull/108) ([beechesII](https://github.com/beechesII)) 197 | - chore\(deps\): update nginx docker digest to 10d1f5b [\#107](https://github.com/telekom-mms/ansible-collection-acme/pull/107) ([renovate[bot]](https://github.com/apps/renovate)) 198 | - chore\(deps\): update nginx docker digest to ad90e20 [\#106](https://github.com/telekom-mms/ansible-collection-acme/pull/106) ([renovate[bot]](https://github.com/apps/renovate)) 199 | - use shared release workflow [\#105](https://github.com/telekom-mms/ansible-collection-acme/pull/105) ([rndmh3ro](https://github.com/rndmh3ro)) 200 | - chore\(deps\): pin dependencies [\#104](https://github.com/telekom-mms/ansible-collection-acme/pull/104) ([renovate[bot]](https://github.com/apps/renovate)) 201 | - chore\(deps\): update actions/checkout action to v4.1.1 [\#103](https://github.com/telekom-mms/ansible-collection-acme/pull/103) ([renovate[bot]](https://github.com/apps/renovate)) 202 | - chore\(deps\): update actions/checkout action to v4 [\#102](https://github.com/telekom-mms/ansible-collection-acme/pull/102) ([renovate[bot]](https://github.com/apps/renovate)) 203 | - chore\(deps\): update actions/checkout action to v3.6.0 [\#101](https://github.com/telekom-mms/ansible-collection-acme/pull/101) ([renovate[bot]](https://github.com/apps/renovate)) 204 | - update test matrix and do not ansible-lint .github [\#100](https://github.com/telekom-mms/ansible-collection-acme/pull/100) ([rndmh3ro](https://github.com/rndmh3ro)) 205 | - rename challenge-var to include role\_prefix [\#99](https://github.com/telekom-mms/ansible-collection-acme/pull/99) ([rndmh3ro](https://github.com/rndmh3ro)) 206 | 207 | ## [3.0.0](https://github.com/telekom-mms/ansible-collection-acme/tree/3.0.0) (2023-06-27) 208 | 209 | [Full Changelog](https://github.com/telekom-mms/ansible-collection-acme/compare/2.3.6...3.0.0) 210 | 211 | **Merged pull requests:** 212 | 213 | - Move organization [\#98](https://github.com/telekom-mms/ansible-collection-acme/pull/98) ([avalor1](https://github.com/avalor1)) 214 | - run CI-tests only once peer week [\#97](https://github.com/telekom-mms/ansible-collection-acme/pull/97) ([rndmh3ro](https://github.com/rndmh3ro)) 215 | - chore\(deps\): update actions/checkout action to v3.5.3 [\#96](https://github.com/telekom-mms/ansible-collection-acme/pull/96) ([renovate[bot]](https://github.com/apps/renovate)) 216 | - add spellchecking with codespell [\#94](https://github.com/telekom-mms/ansible-collection-acme/pull/94) ([schurzi](https://github.com/schurzi)) 217 | - linting with ansible-lint [\#93](https://github.com/telekom-mms/ansible-collection-acme/pull/93) ([rndmh3ro](https://github.com/rndmh3ro)) 218 | - chore\(deps\): update actions/checkout action to v3.5.2 [\#92](https://github.com/telekom-mms/ansible-collection-acme/pull/92) ([renovate[bot]](https://github.com/apps/renovate)) 219 | - use reusable workflow [\#80](https://github.com/telekom-mms/ansible-collection-acme/pull/80) ([rndmh3ro](https://github.com/rndmh3ro)) 220 | 221 | ## [2.3.6](https://github.com/telekom-mms/ansible-collection-acme/tree/2.3.6) (2023-03-29) 222 | 223 | [Full Changelog](https://github.com/telekom-mms/ansible-collection-acme/compare/2.3.5...2.3.6) 224 | 225 | **Fixed bugs:** 226 | 227 | - Fix azure dns challenge bug [\#91](https://github.com/telekom-mms/ansible-collection-acme/pull/91) ([avalor1](https://github.com/avalor1)) 228 | 229 | **Merged pull requests:** 230 | 231 | - chore\(deps\): update actions/checkout action to v3.5.0 [\#90](https://github.com/telekom-mms/ansible-collection-acme/pull/90) ([renovate[bot]](https://github.com/apps/renovate)) 232 | 233 | ## [2.3.5](https://github.com/telekom-mms/ansible-collection-acme/tree/2.3.5) (2023-03-23) 234 | 235 | [Full Changelog](https://github.com/telekom-mms/ansible-collection-acme/compare/2.3.4...2.3.5) 236 | 237 | **Merged pull requests:** 238 | 239 | - Add Azure blob storage provider [\#89](https://github.com/telekom-mms/ansible-collection-acme/pull/89) ([avalor1](https://github.com/avalor1)) 240 | - update README.md [\#88](https://github.com/telekom-mms/ansible-collection-acme/pull/88) ([beechesII](https://github.com/beechesII)) 241 | - update links to providers [\#86](https://github.com/telekom-mms/ansible-collection-acme/pull/86) ([rndmh3ro](https://github.com/rndmh3ro)) 242 | - chore\(deps\): update actions/checkout action to v3.3.0 [\#84](https://github.com/telekom-mms/ansible-collection-acme/pull/84) ([renovate[bot]](https://github.com/apps/renovate)) 243 | - chore\(deps\): update actions/checkout action to v3.2.0 [\#82](https://github.com/telekom-mms/ansible-collection-acme/pull/82) ([renovate[bot]](https://github.com/apps/renovate)) 244 | - chore\(deps\): update actions/checkout action to v3.1.0 [\#78](https://github.com/telekom-mms/ansible-collection-acme/pull/78) ([renovate[bot]](https://github.com/apps/renovate)) 245 | - when pushing, run action only on master [\#77](https://github.com/telekom-mms/ansible-collection-acme/pull/77) ([rndmh3ro](https://github.com/rndmh3ro)) 246 | 247 | ## [2.3.4](https://github.com/telekom-mms/ansible-collection-acme/tree/2.3.4) (2022-11-30) 248 | 249 | [Full Changelog](https://github.com/telekom-mms/ansible-collection-acme/compare/2.3.3...2.3.4) 250 | 251 | **Fixed bugs:** 252 | 253 | - Fix wrong module name in roles/acme/tasks/challenge/http-01/s3.yml [\#81](https://github.com/telekom-mms/ansible-collection-acme/pull/81) ([beechesII](https://github.com/beechesII)) 254 | 255 | **Closed issues:** 256 | 257 | - Requirements missing [\#50](https://github.com/telekom-mms/ansible-collection-acme/issues/50) 258 | 259 | **Merged pull requests:** 260 | 261 | - fix linting [\#79](https://github.com/telekom-mms/ansible-collection-acme/pull/79) ([rndmh3ro](https://github.com/rndmh3ro)) 262 | - fix linting - uppercase first letter of task-names [\#76](https://github.com/telekom-mms/ansible-collection-acme/pull/76) ([rndmh3ro](https://github.com/rndmh3ro)) 263 | - update used versions in tests [\#75](https://github.com/telekom-mms/ansible-collection-acme/pull/75) ([rndmh3ro](https://github.com/rndmh3ro)) 264 | 265 | ## [2.3.3](https://github.com/telekom-mms/ansible-collection-acme/tree/2.3.3) (2022-07-04) 266 | 267 | [Full Changelog](https://github.com/telekom-mms/ansible-collection-acme/compare/2.3.2...2.3.3) 268 | 269 | **Fixed bugs:** 270 | 271 | - autodns: remove TXT RRs when validation fails [\#74](https://github.com/telekom-mms/ansible-collection-acme/pull/74) ([z-bsod](https://github.com/z-bsod)) 272 | 273 | **Merged pull requests:** 274 | 275 | - Update actions/setup-python action to v4 [\#73](https://github.com/telekom-mms/ansible-collection-acme/pull/73) ([renovate[bot]](https://github.com/apps/renovate)) 276 | - Update actions/checkout action to v3 [\#72](https://github.com/telekom-mms/ansible-collection-acme/pull/72) ([renovate[bot]](https://github.com/apps/renovate)) 277 | 278 | ## [2.3.2](https://github.com/telekom-mms/ansible-collection-acme/tree/2.3.2) (2022-06-09) 279 | 280 | [Full Changelog](https://github.com/telekom-mms/ansible-collection-acme/compare/2.3.1...2.3.2) 281 | 282 | **Fixed bugs:** 283 | 284 | - fix ansible-lint errors [\#67](https://github.com/telekom-mms/ansible-collection-acme/pull/67) ([rndmh3ro](https://github.com/rndmh3ro)) 285 | 286 | **Closed issues:** 287 | 288 | - Test against recent ansible versions [\#64](https://github.com/telekom-mms/ansible-collection-acme/issues/64) 289 | 290 | **Merged pull requests:** 291 | 292 | - Update github-actions-x/commit action to v2.9 [\#71](https://github.com/telekom-mms/ansible-collection-acme/pull/71) ([renovate[bot]](https://github.com/apps/renovate)) 293 | - Update charmixer/auto-changelog-action action to v1.4 [\#69](https://github.com/telekom-mms/ansible-collection-acme/pull/69) ([renovate[bot]](https://github.com/apps/renovate)) 294 | - Update actions/checkout action to v2.4.2 [\#68](https://github.com/telekom-mms/ansible-collection-acme/pull/68) ([renovate[bot]](https://github.com/apps/renovate)) 295 | - Configure Renovate [\#66](https://github.com/telekom-mms/ansible-collection-acme/pull/66) ([renovate[bot]](https://github.com/apps/renovate)) 296 | - Test against recent ansible versions [\#65](https://github.com/telekom-mms/ansible-collection-acme/pull/65) ([avalor1](https://github.com/avalor1)) 297 | 298 | ## [2.3.1](https://github.com/telekom-mms/ansible-collection-acme/tree/2.3.1) (2021-08-19) 299 | 300 | [Full Changelog](https://github.com/telekom-mms/ansible-collection-acme/compare/2.3.0...2.3.1) 301 | 302 | **Implemented enhancements:** 303 | 304 | - pfx convert has no full chain [\#59](https://github.com/telekom-mms/ansible-collection-acme/issues/59) 305 | 306 | **Fixed bugs:** 307 | 308 | - Remove delegate\_to when creating directories for certificate [\#63](https://github.com/telekom-mms/ansible-collection-acme/pull/63) ([avalor1](https://github.com/avalor1)) 309 | 310 | **Closed issues:** 311 | 312 | - Use temp-dir for creation of certificates? [\#5](https://github.com/telekom-mms/ansible-collection-acme/issues/5) 313 | 314 | ## [2.3.0](https://github.com/telekom-mms/ansible-collection-acme/tree/2.3.0) (2021-08-02) 315 | 316 | [Full Changelog](https://github.com/telekom-mms/ansible-collection-acme/compare/2.2.0...2.3.0) 317 | 318 | **Implemented enhancements:** 319 | 320 | - all chains should be included after convert [\#60](https://github.com/telekom-mms/ansible-collection-acme/pull/60) ([michaelamattes](https://github.com/michaelamattes)) 321 | 322 | ## [2.2.0](https://github.com/telekom-mms/ansible-collection-acme/tree/2.2.0) (2021-07-09) 323 | 324 | [Full Changelog](https://github.com/telekom-mms/ansible-collection-acme/compare/2.1.0...2.2.0) 325 | 326 | **Implemented enhancements:** 327 | 328 | - enhancement: new variables for letting the user set subject fields [\#57](https://github.com/telekom-mms/ansible-collection-acme/pull/57) ([Zephyr82](https://github.com/Zephyr82)) 329 | 330 | **Closed issues:** 331 | 332 | - Test collection with other acme providers [\#55](https://github.com/telekom-mms/ansible-collection-acme/issues/55) 333 | 334 | ## [2.1.0](https://github.com/telekom-mms/ansible-collection-acme/tree/2.1.0) (2021-05-30) 335 | 336 | [Full Changelog](https://github.com/telekom-mms/ansible-collection-acme/compare/2.0.1...2.1.0) 337 | 338 | **Implemented enhancements:** 339 | 340 | - add hetzner dns tests [\#54](https://github.com/telekom-mms/ansible-collection-acme/pull/54) ([rndmh3ro](https://github.com/rndmh3ro)) 341 | - add possibility to keep and purge challenge record in Azure [\#52](https://github.com/telekom-mms/ansible-collection-acme/pull/52) ([michaelamattes](https://github.com/michaelamattes)) 342 | 343 | **Closed issues:** 344 | 345 | - add possibility azure dns challenge purge entry [\#51](https://github.com/telekom-mms/ansible-collection-acme/issues/51) 346 | 347 | ## [2.0.1](https://github.com/telekom-mms/ansible-collection-acme/tree/2.0.1) (2021-05-18) 348 | 349 | [Full Changelog](https://github.com/telekom-mms/ansible-collection-acme/compare/2.0.0...2.0.1) 350 | 351 | **Fixed bugs:** 352 | 353 | - Lookup ZoneID and fix challenge record format. [\#53](https://github.com/telekom-mms/ansible-collection-acme/pull/53) ([smapjb](https://github.com/smapjb)) 354 | 355 | ## [2.0.0](https://github.com/telekom-mms/ansible-collection-acme/tree/2.0.0) (2021-03-26) 356 | 357 | [Full Changelog](https://github.com/telekom-mms/ansible-collection-acme/compare/1.0.2...2.0.0) 358 | 359 | **Breaking changes:** 360 | 361 | - Unify variables [\#44](https://github.com/telekom-mms/ansible-collection-acme/issues/44) 362 | - Rename collection | simplify provider selection | unify variables [\#46](https://github.com/telekom-mms/ansible-collection-acme/pull/46) ([avalor1](https://github.com/avalor1)) 363 | 364 | **Implemented enhancements:** 365 | 366 | - add possibility to define owner/group for local validation path and local challenge files [\#48](https://github.com/telekom-mms/ansible-collection-acme/pull/48) ([beechesII](https://github.com/beechesII)) 367 | 368 | **Closed issues:** 369 | 370 | - Rename collection to avoid LE trademark [\#43](https://github.com/telekom-mms/ansible-collection-acme/issues/43) 371 | - Simplify challenge provider selection [\#42](https://github.com/telekom-mms/ansible-collection-acme/issues/42) 372 | 373 | **Merged pull requests:** 374 | 375 | - Adjust collection name for galaxy [\#49](https://github.com/telekom-mms/ansible-collection-acme/pull/49) ([avalor1](https://github.com/avalor1)) 376 | 377 | ## [1.0.2](https://github.com/telekom-mms/ansible-collection-acme/tree/1.0.2) (2021-03-17) 378 | 379 | [Full Changelog](https://github.com/telekom-mms/ansible-collection-acme/compare/1.0.1...1.0.2) 380 | 381 | **Fixed bugs:** 382 | 383 | - Improve Release Action [\#47](https://github.com/telekom-mms/ansible-collection-acme/pull/47) ([schurzi](https://github.com/schurzi)) 384 | 385 | ## [1.0.1](https://github.com/telekom-mms/ansible-collection-acme/tree/1.0.1) (2021-02-05) 386 | 387 | [Full Changelog](https://github.com/telekom-mms/ansible-collection-acme/compare/1.0.0...1.0.1) 388 | 389 | **Merged pull requests:** 390 | 391 | - Add README.md link in role [\#41](https://github.com/telekom-mms/ansible-collection-acme/pull/41) ([avalor1](https://github.com/avalor1)) 392 | 393 | ## [1.0.0](https://github.com/telekom-mms/ansible-collection-acme/tree/1.0.0) (2021-02-05) 394 | 395 | [Full Changelog](https://github.com/telekom-mms/ansible-collection-acme/compare/0.1.0...1.0.0) 396 | 397 | **Implemented enhancements:** 398 | 399 | - unify challenge provider logic [\#35](https://github.com/telekom-mms/ansible-collection-acme/pull/35) ([schurzi](https://github.com/schurzi)) 400 | - Account key content as variable [\#33](https://github.com/telekom-mms/ansible-collection-acme/pull/33) ([Nemental](https://github.com/Nemental)) 401 | - Add "local" provider for http-challenge [\#30](https://github.com/telekom-mms/ansible-collection-acme/pull/30) ([avalor1](https://github.com/avalor1)) 402 | 403 | **Closed issues:** 404 | 405 | - Documentation restructuring [\#32](https://github.com/telekom-mms/ansible-collection-acme/issues/32) 406 | 407 | **Merged pull requests:** 408 | 409 | - Release 1.0 [\#40](https://github.com/telekom-mms/ansible-collection-acme/pull/40) ([avalor1](https://github.com/avalor1)) 410 | - use more labels for version-generation [\#39](https://github.com/telekom-mms/ansible-collection-acme/pull/39) ([rndmh3ro](https://github.com/rndmh3ro)) 411 | - Documentation restructuring [\#37](https://github.com/telekom-mms/ansible-collection-acme/pull/37) ([avalor1](https://github.com/avalor1)) 412 | - use ternary to simplify tasks for directory usage, remove comments [\#36](https://github.com/telekom-mms/ansible-collection-acme/pull/36) ([rndmh3ro](https://github.com/rndmh3ro)) 413 | - use version for github action, short sha is no longer supported [\#34](https://github.com/telekom-mms/ansible-collection-acme/pull/34) ([schurzi](https://github.com/schurzi)) 414 | 415 | ## [0.1.0](https://github.com/telekom-mms/ansible-collection-acme/tree/0.1.0) (2021-01-25) 416 | 417 | [Full Changelog](https://github.com/telekom-mms/ansible-collection-acme/compare/0.0.8...0.1.0) 418 | 419 | **Implemented enhancements:** 420 | 421 | - Feature / dns challenge otc openstack [\#31](https://github.com/telekom-mms/ansible-collection-acme/pull/31) ([Nemental](https://github.com/Nemental)) 422 | 423 | **Merged pull requests:** 424 | 425 | - update documentation [\#28](https://github.com/telekom-mms/ansible-collection-acme/pull/28) ([avalor1](https://github.com/avalor1)) 426 | 427 | ## [0.0.8](https://github.com/telekom-mms/ansible-collection-acme/tree/0.0.8) (2021-01-11) 428 | 429 | [Full Changelog](https://github.com/telekom-mms/ansible-collection-acme/compare/0.0.7...0.0.8) 430 | 431 | **Closed issues:** 432 | 433 | - Integration Tests for role [\#3](https://github.com/telekom-mms/ansible-collection-acme/issues/3) 434 | 435 | **Merged pull requests:** 436 | 437 | - fix galaxy-release action [\#29](https://github.com/telekom-mms/ansible-collection-acme/pull/29) ([rndmh3ro](https://github.com/rndmh3ro)) 438 | - adjust variable naming in example files and readme [\#27](https://github.com/telekom-mms/ansible-collection-acme/pull/27) ([avalor1](https://github.com/avalor1)) 439 | - Create runtime.yml [\#26](https://github.com/telekom-mms/ansible-collection-acme/pull/26) ([rndmh3ro](https://github.com/rndmh3ro)) 440 | - Create LICENSE [\#25](https://github.com/telekom-mms/ansible-collection-acme/pull/25) ([rndmh3ro](https://github.com/rndmh3ro)) 441 | - run tests on a schedule [\#24](https://github.com/telekom-mms/ansible-collection-acme/pull/24) ([rndmh3ro](https://github.com/rndmh3ro)) 442 | - build integration tests [\#23](https://github.com/telekom-mms/ansible-collection-acme/pull/23) ([rndmh3ro](https://github.com/rndmh3ro)) 443 | 444 | ## [0.0.7](https://github.com/telekom-mms/ansible-collection-acme/tree/0.0.7) (2020-12-15) 445 | 446 | [Full Changelog](https://github.com/telekom-mms/ansible-collection-acme/compare/0.0.6...0.0.7) 447 | 448 | **Fixed bugs:** 449 | 450 | - fix broken AutoDNS wildcard creation \#20 [\#21](https://github.com/telekom-mms/ansible-collection-acme/pull/21) ([avalor1](https://github.com/avalor1)) 451 | 452 | **Closed issues:** 453 | 454 | - creation of wildcard certificates with autodns challenge not working with release 0.0.5 [\#20](https://github.com/telekom-mms/ansible-collection-acme/issues/20) 455 | 456 | ## [0.0.6](https://github.com/telekom-mms/ansible-collection-acme/tree/0.0.6) (2020-12-15) 457 | 458 | [Full Changelog](https://github.com/telekom-mms/ansible-collection-acme/compare/0.0.5...0.0.6) 459 | 460 | **Implemented enhancements:** 461 | 462 | - Add Hetzner DNS as letsencrypt\_dns\_provider [\#22](https://github.com/telekom-mms/ansible-collection-acme/pull/22) ([stndrf](https://github.com/stndrf)) 463 | 464 | ## [0.0.5](https://github.com/telekom-mms/ansible-collection-acme/tree/0.0.5) (2020-12-09) 465 | 466 | [Full Changelog](https://github.com/telekom-mms/ansible-collection-acme/compare/0.0.4...0.0.5) 467 | 468 | **Implemented enhancements:** 469 | 470 | - Push to Galaxy Fails [\#13](https://github.com/telekom-mms/ansible-collection-acme/issues/13) 471 | - add second checkout to solve race condition \(version gets updated but… [\#15](https://github.com/telekom-mms/ansible-collection-acme/pull/15) ([avalor1](https://github.com/avalor1)) 472 | 473 | **Closed issues:** 474 | 475 | - subject\_alt\_name not optional [\#9](https://github.com/telekom-mms/ansible-collection-acme/issues/9) 476 | 477 | **Merged pull requests:** 478 | 479 | - fix ansible error if group is empty [\#19](https://github.com/telekom-mms/ansible-collection-acme/pull/19) ([avalor1](https://github.com/avalor1)) 480 | - remove common\_name variable [\#18](https://github.com/telekom-mms/ansible-collection-acme/pull/18) ([avalor1](https://github.com/avalor1)) 481 | - remove letsencrypt\_create\_private\_keys variable from examples [\#17](https://github.com/telekom-mms/ansible-collection-acme/pull/17) ([avalor1](https://github.com/avalor1)) 482 | 483 | ## [0.0.4](https://github.com/telekom-mms/ansible-collection-acme/tree/0.0.4) (2020-11-12) 484 | 485 | [Full Changelog](https://github.com/telekom-mms/ansible-collection-acme/compare/0.0.3...0.0.4) 486 | 487 | **Implemented enhancements:** 488 | 489 | - add description of force\_renewal variable [\#12](https://github.com/telekom-mms/ansible-collection-acme/pull/12) ([avalor1](https://github.com/avalor1)) 490 | 491 | **Merged pull requests:** 492 | 493 | - update checkout version for release workflow [\#11](https://github.com/telekom-mms/ansible-collection-acme/pull/11) ([avalor1](https://github.com/avalor1)) 494 | - update checkout version in galaxy push workflow [\#10](https://github.com/telekom-mms/ansible-collection-acme/pull/10) ([avalor1](https://github.com/avalor1)) 495 | 496 | ## [0.0.3](https://github.com/telekom-mms/ansible-collection-acme/tree/0.0.3) (2020-11-12) 497 | 498 | [Full Changelog](https://github.com/telekom-mms/ansible-collection-acme/compare/0.0.2...0.0.3) 499 | 500 | **Closed issues:** 501 | 502 | - Remove unwanted files from release-tarball [\#4](https://github.com/telekom-mms/ansible-collection-acme/issues/4) 503 | 504 | **Merged pull requests:** 505 | 506 | - Add Azure dns provider challenge [\#8](https://github.com/telekom-mms/ansible-collection-acme/pull/8) ([michaelamattes](https://github.com/michaelamattes)) 507 | 508 | ## [0.0.2](https://github.com/telekom-mms/ansible-collection-acme/tree/0.0.2) (2020-11-06) 509 | 510 | [Full Changelog](https://github.com/telekom-mms/ansible-collection-acme/compare/0.0.1...0.0.2) 511 | 512 | **Merged pull requests:** 513 | 514 | - remove variable letsencrypt\_create\_private\_keys [\#7](https://github.com/telekom-mms/ansible-collection-acme/pull/7) ([avalor1](https://github.com/avalor1)) 515 | - add build\_ignore to filter unwanted files from release-tarball [\#6](https://github.com/telekom-mms/ansible-collection-acme/pull/6) ([avalor1](https://github.com/avalor1)) 516 | 517 | ## [0.0.1](https://github.com/telekom-mms/ansible-collection-acme/tree/0.0.1) (2020-11-04) 518 | 519 | [Full Changelog](https://github.com/telekom-mms/ansible-collection-acme/compare/6c0445f6769360d1b8ea12df58483ac4a8b602f3...0.0.1) 520 | 521 | **Merged pull requests:** 522 | 523 | - Workflows [\#2](https://github.com/telekom-mms/ansible-collection-acme/pull/2) ([avalor1](https://github.com/avalor1)) 524 | - add Workflows [\#1](https://github.com/telekom-mms/ansible-collection-acme/pull/1) ([avalor1](https://github.com/avalor1)) 525 | 526 | 527 | 528 | \* *This Changelog was automatically generated by [github_changelog_generator](https://github.com/github-changelog-generator/github-changelog-generator)* 529 | --------------------------------------------------------------------------------