maxhoesel.smallstep.step_acme_cert role – Setup an auto-renewing ACME cert using step tooling
Note
This role is part of the maxhoesel.smallstep collection (version 0.24.5).
It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install maxhoesel.smallstep.
To use it in a playbook, specify: maxhoesel.smallstep.step_acme_cert.
Entry point main – Setup an auto-renewing ACME cert using step tooling
Synopsis
This role acquires a certificate from the CA via ACME, then sets up automatic renewal with step-cli renew's daemon mode.
Requirements:
Root access using become: yes or equivalent
The host must be bootstrapped with step_bootstrap_host and the root user must be able to access the CA
Supported distributions:
Ubuntu 18.04 LTS or newer
Debian 10 or newer
Fedora 36 or newer
A CentOS-compatible distribution like RockyLinux/AlmaLinux 8 or newer. RockyLinux is used for testing
Parameters
| Parameter | Comments |
|---|---|
| | Name of the provisioner on the CA that will issue the ACME cert |
| | Details about the cert file on disk |
| | Group of the file. Default: |
| | File mode for the cert file. Default: |
| | Owner of the file. Default: |
| | Absolute path to the cert file. Default: |
| | Contact email for the CA for important notifications. Default: |
| | Valid duration of the certificate. Uses the provisioner default (typically 24h) if no duration is given |
| | Details about the key file on disk |
| | Group of the file. Default: |
| | File mode for the key file. Default: |
| | Owner of the file. Default: |
| | Absolute path to the key file. Default: |
| | The subject name that the certificate will be issued for. Default: |
| | Reload or restart these systemd services after a cert renewal. Example: Default: |
| | Name of the systemd service that will handle cert renewals. If you have multiple cert/key pairs on one system, you will have to set a unique service name for each pair. If you only have one, then you can leave this as is. Default: |
| | Renew the cert when its remaining valid time crosses this threshold. Uses the smallstep default (1/3 of the cert's valid duration) if left undefined |
| | Subject Alternate Names to add to the cert. Default: |
| | If set, this role will use step-cli's webroot mode to get a new certificate. If empty, this role will use the standalone mode instead, causing Note that Default: |
| | Path or name of the step-cli executable to use for executing commands in this role. Can be an absolute path or a command (make sure the executable is in $PATH) for all users. Default: |
| | Optionally set a custom Example: Default: |
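
With certificates that typically live 24h, a stalled renewal service turns into an outage within hours, so the renewal threshold above (1/3 of the cert's valid duration when left undefined) is worth monitoring. The following is an added example, not part of the maxhoesel.smallstep collection: it reads the notBefore/notAfter lines printed by openssl x509 -noout -dates and reports whether renewal is overdue. The function names, the grace parameter and the sample dates are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Date layout printed by `openssl x509 -noout -dates`.
OPENSSL_FMT = "%b %d %H:%M:%S %Y %Z"

# Constructed sample output for a 24h certificate (not from a real CA).
SAMPLE_DATES = """\
notBefore=Mar  1 00:00:00 2024 GMT
notAfter=Mar  2 00:00:00 2024 GMT
"""


def parse_openssl_dates(text):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")
        parsed = datetime.strptime(value.strip(), OPENSSL_FMT)
        fields[key.strip()] = parsed.replace(tzinfo=timezone.utc)
    return fields["notBefore"], fields["notAfter"]


def renewal_status(not_before, not_after, now, renew_when=None,
                   grace=timedelta(minutes=5)):
    """Classify a cert against its renewal threshold.

    renew_when: explicit threshold; None means 1/3 of the cert's lifetime.
    grace: slack before "overdue" is reported (assumption, tune per host).
    """
    if now < not_before:
        return "not-yet-valid"  # usually clock skew on the host
    remaining = not_after - now
    if remaining <= timedelta(0):
        return "expired"
    lifetime = not_after - not_before
    threshold = renew_when if renew_when is not None else lifetime / 3
    if remaining < threshold - grace:
        return "overdue"  # renewal should already have replaced this cert
    return "ok"


if __name__ == "__main__":
    nb, na = parse_openssl_dates(SAMPLE_DATES)
    for hour in (12, 17):
        now = datetime(2024, 3, 1, hour, tzinfo=timezone.utc)
        print(now.isoformat(), renewal_status(nb, na, now))
```

An "overdue" result means the cert on disk is older than the renewal service should ever let it get, which points at the renewal unit or CA reachability rather than at the cert itself.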