path: root/docs/README.dehydrated.md
blob: 6e8708a12c877e74c487cd6d991da3aab51cce16 (plain)
Quick Instructions
==================

To use this role, add the following to the host_vars file
for the target system:

- dehydrated_http_domains - list of domains validated with the http-01 challenge
- dehydrated_dns_domains - list of domains validated with the dns-01 challenge
- dehydrated_domains_txt - defines the contents of /etc/dehydrated/domains.txt

An example of usage is in host_vars/publishing-ap.linaro.org


Ansible Command Line Options
============================

As a convenience for testing, you may define the var "snakeoil" to any
value and this role will set the following vars to point to the self-signed
certificate on the server:

- ssl_cert
- ssl_key
- ssl_ca

And it will not attempt to install dehydrated on the server instance.

You may also define the var "testing" which will use the LetsEncrypt
staging environment for acquiring the certificates.  The staging
environment does not have a rate limit on failed requests and should
be used until you know that the certificates will deploy correctly
to the server.

To have dehydrated install certificates from the LetsEncrypt production
environment, leave both "snakeoil" and "testing" undefined.


domains.txt
===========

See the dehydrated documentation for the full details.

Certs get written to: /etc/dehydrated/certs/<domain>/

- fullchain.pem - the certificate followed by the issuer chain
- privkey.pem - the private key for the cert

You can set up a cert to cover multiple domains by listing them on a
single line.  The first domain on the line is the <domain> directory
where the combined cert is deposited.

Note: only one kind of challenge may be used per line in domains.txt.
To get around this, if a combined cert needs a domain that requires a
different challenge method, place that domain on its own line before the
combined cert.

Example: "releases.linaro.org" requires dns-01, so it gets its own
entry in domains.txt; it is then already authenticated when it is included
in the "releases-ap.linaro.org" cert (which uses http-01) later.
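The following host_vars file is an added example that ties the variables from Quick Instructions to the domains.txt rules above; it is not the repository's host_vars/publishing-ap.linaro.org, and the hostname and domain names in it are constructed. How the role uses the two domain lists is assumed from their descriptions (http-01 versus dns-01 validation); the domains.txt ordering follows the releases.linaro.org example.

```yaml
# host_vars/www-example.linaro.org
# Constructed example for this README, not the repo's own host_vars file.
# Hostname and domain names are made up.

# Domains validated with the http-01 challenge: the web server on this host
# is assumed to answer /.well-known/acme-challenge/ requests for each of them.
dehydrated_http_domains:
  - www-example.linaro.org
  - example-ap.linaro.org

# Domains validated with the dns-01 challenge: this host cannot answer HTTP
# for the bare name, so validation is done through a DNS TXT record instead.
dehydrated_dns_domains:
  - example.linaro.org

# Contents of /etc/dehydrated/domains.txt. One certificate per line; the first
# name on a line is the directory under /etc/dehydrated/certs/ that receives
# fullchain.pem and privkey.pem.
#
# example.linaro.org needs dns-01, and a line may use only one challenge type,
# so it gets its own line first. It is then already authenticated when it is
# included in the combined http-01 cert on the next line.
dehydrated_domains_txt: |
  example.linaro.org
  www-example.linaro.org example-ap.linaro.org example.linaro.org

# Use the LetsEncrypt staging environment until the deployment is known to
# work on this host (staging has no rate limit on failed requests).
# Remove this line to switch to the production environment.
testing: true

# "snakeoil" is deliberately left undefined: defining it would point ssl_cert,
# ssl_key and ssl_ca at the server's self-signed certificate and skip
# installing dehydrated altogether.
```

When moving from staging to production, only the `testing` line changes; the domain lists and domains.txt stay as they are, so the ordering constraint is verified once, against staging, before any production rate limits are in play.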


Automation
==========

Certs are checked/renewed every 12 hours by a cron job in /etc/cron.d/dehydrated

Certs should renew 30 days before their expiration.  Any email alert received
from LetsEncrypt warning that a cert has less than 30 days until expiry means
the scheduled renewal did not happen and should be investigated.
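An expiry alert is easier to act on if the check runs from the Ansible side rather than waiting for LetsEncrypt's email. The playbook below is an added example, not part of this role: it asks openssl whether each cert under /etc/dehydrated/certs/ still has more than 30 days left, the same window at which the cron job should have renewed it. The list of cert directory names and the playbook filename are assumptions; the names are constructed.

```yaml
# check-cert-expiry.yml
# Added example, not part of the dehydrated role.
# Usage: ansible-playbook -i <inventory> check-cert-expiry.yml
- name: Verify dehydrated certificates have more than 30 days left
  hosts: all
  gather_facts: false
  vars:
    # Directory names under /etc/dehydrated/certs/, i.e. the first domain of
    # each line in domains.txt. Assumed to be set per host; names are made up.
    dehydrated_cert_names:
      - example.linaro.org
      - www-example.linaro.org
    # 30 days in seconds: the threshold at which the cron job should renew.
    expiry_window_seconds: 2592000
  tasks:
    - name: Ask openssl whether each fullchain.pem expires within the window
      ansible.builtin.command:
        argv:
          - openssl
          - x509
          - -noout
          - -checkend
          - "{{ expiry_window_seconds }}"
          - -in
          - "/etc/dehydrated/certs/{{ item }}/fullchain.pem"
      loop: "{{ dehydrated_cert_names }}"
      register: checkend
      changed_when: false
      # openssl exits 0 when the cert is still valid past the window and 1
      # when it is not. Keep going so every cert is evaluated and reported.
      failed_when: false

    - name: Fail if any certificate is within 30 days of expiry
      ansible.builtin.assert:
        that:
          - checkend.results | selectattr('rc', 'ne', 0) | list | length == 0
        fail_msg: >-
          Certificates needing attention (run 'dehydrated -c' on the host
          and inspect its output):
          {{ checkend.results | selectattr('rc', 'ne', 0)
             | map(attribute='item') | list }}
        success_msg: All certificates have more than 30 days of validity left.
```

A non-zero return code from the first task also catches a missing fullchain.pem (for example a domains.txt line that was never issued), which shows up in the same failure list as a cert that is about to expire.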


Manual Intervention
===================

To check/renew the certs manually, run:

dehydrated -c

(the same command the cron job runs)