a-c-m
/
community.crypto
mirror of https://github.com/ansible-collections/community.crypto.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
community.crypto/pr/612/acme_certificate_module.html

986 lines
117 KiB
HTML
Raw Normal View History

deploy: 57a8c7e65230e427da11bfd5ae72bf1319699fa9
2023-06-26 12:37:45 +00:00
<!DOCTYPE html>
<html class="writer-html5" lang="en" >
<head>
<meta charset="utf-8" /><meta name="generator" content="Docutils 0.18.1: http://docutils.sourceforge.net/" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>community.crypto.acme_certificate module Create SSL/TLS certificates with the ACME protocol &mdash; Community.Crypto Collection documentation</title>
<link rel="stylesheet" href="_static/pygments.css" type="text/css" />
<link rel="stylesheet" href="_static/css/ansible.css" type="text/css" />
<link rel="stylesheet" href="_static/antsibull-minimal.css" type="text/css" />
<link rel="stylesheet" href="_static/css/rtd-ethical-ads.css" type="text/css" />
<link rel="shortcut icon" href="_static/images/Ansible-Mark-RGB_Black.png"/>
<!--[if lt IE 9]>
<script src="_static/js/html5shiv.min.js"></script>
<![endif]-->
<script src="_static/jquery.js"></script>
<script src="_static/_sphinx_javascript_frameworks_compat.js"></script>
<script data-url_root="./" id="documentation_options" src="_static/documentation_options.js"></script>
<script src="_static/doctools.js"></script>
<script src="_static/sphinx_highlight.js"></script>
<script src="_static/js/theme.js"></script>
<link rel="search" title="Search" href="search.html" />
<link rel="next" title="community.crypto.acme_certificate_revoke module Revoke certificates with the ACME protocol" href="acme_certificate_revoke_module.html" />
<link rel="prev" title="community.crypto.acme_account_info module Retrieves information on ACME accounts" href="acme_account_info_module.html" /><!-- extra head elements for Ansible beyond RTD Sphinx Theme -->
</head>
<body class="wy-body-for-nav"><!-- extra body elements for Ansible beyond RTD Sphinx Theme -->
<div class="DocSite-globalNav ansibleNav">
<ul>
<li><a href="https://www.ansible.com/ansiblefest" target="_blank">AnsibleFest</a></li>
<li><a href="https://www.ansible.com/tower" target="_blank">Products</a></li>
<li><a href="https://www.ansible.com/community" target="_blank">Community</a></li>
<li><a href="https://www.ansible.com/webinars-training" target="_blank">Webinars & Training</a></li>
<li><a href="https://www.ansible.com/blog" target="_blank">Blog</a></li>
</ul>
</div>
<a class="DocSite-nav" href="https://ansible-collections.github.io/community.crypto/branch/main/" style="padding-bottom: 30px;">
<img class="DocSiteNav-logo"
src="_static/images/Ansible-Mark-RGB_White.png"
alt="Ansible Logo">
<div class="DocSiteNav-title">Community.Crypto Collection Docs</div>
</a>
<div class="wy-grid-for-nav">
<nav data-toggle="wy-nav-shift" class="wy-nav-side">
<div class="wy-side-scroll">
<div class="wy-side-nav-search" >
<a href="index.html" class="icon icon-home">
Community.Crypto Collection
</a><!--- Based on https://github.com/rtfd/sphinx_rtd_theme/pull/438/files -->
<div class="version">
</div>
<div role="search">
<form id="rtd-search-form" class="wy-form" action="search.html" method="get">
<label class="sr-only" for="q">Search docs:</label>
<input type="text" class="st-default-search-input" id="q" name="q" placeholder="Search docs" />
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
</div>
</div><div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="Navigation menu">
<ul>
<li class="toctree-l1"><a class="reference internal" href="docsite/guide_selfsigned.html">How to create self-signed certificates</a></li>
<li class="toctree-l1"><a class="reference internal" href="docsite/guide_ownca.html">How to create a small CA</a></li>
</ul>
<ul class="current">
<li class="toctree-l1"><a class="reference internal" href="acme_account_module.html">community.crypto.acme_account module Create, modify or delete ACME accounts</a></li>
<li class="toctree-l1"><a class="reference internal" href="acme_account_info_module.html">community.crypto.acme_account_info module Retrieves information on ACME accounts</a></li>
<li class="toctree-l1 current"><a class="current reference internal" href="#">community.crypto.acme_certificate module Create SSL/TLS certificates with the ACME protocol</a><ul>
<li class="toctree-l2"><a class="reference internal" href="#synopsis">Synopsis</a></li>
<li class="toctree-l2"><a class="reference internal" href="#requirements">Requirements</a></li>
<li class="toctree-l2"><a class="reference internal" href="#parameters">Parameters</a></li>
<li class="toctree-l2"><a class="reference internal" href="#attributes">Attributes</a></li>
<li class="toctree-l2"><a class="reference internal" href="#notes">Notes</a></li>
<li class="toctree-l2"><a class="reference internal" href="#see-also">See Also</a></li>
<li class="toctree-l2"><a class="reference internal" href="#examples">Examples</a></li>
<li class="toctree-l2"><a class="reference internal" href="#return-values">Return Values</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#authors">Authors</a></li>
<li class="toctree-l3"><a class="reference internal" href="#collection-links">Collection links</a></li>
</ul>
</li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="acme_certificate_revoke_module.html">community.crypto.acme_certificate_revoke module Revoke certificates with the ACME protocol</a></li>
<li class="toctree-l1"><a class="reference internal" href="acme_challenge_cert_helper_module.html">community.crypto.acme_challenge_cert_helper module Prepare certificates required for ACME challenges such as <code class="docutils literal notranslate"><span class="pre">tls-alpn-01</span></code></a></li>
<li class="toctree-l1"><a class="reference internal" href="acme_inspect_module.html">community.crypto.acme_inspect module Send direct requests to an ACME server</a></li>
<li class="toctree-l1"><a class="reference internal" href="certificate_complete_chain_module.html">community.crypto.certificate_complete_chain module Complete certificate chain given a set of untrusted and root certificates</a></li>
<li class="toctree-l1"><a class="reference internal" href="crypto_info_module.html">community.crypto.crypto_info module Retrieve cryptographic capabilities</a></li>
<li class="toctree-l1"><a class="reference internal" href="ecs_certificate_module.html">community.crypto.ecs_certificate module Request SSL/TLS certificates with the Entrust Certificate Services (ECS) API</a></li>
<li class="toctree-l1"><a class="reference internal" href="ecs_domain_module.html">community.crypto.ecs_domain module Request validation of a domain with the Entrust Certificate Services (ECS) API</a></li>
<li class="toctree-l1"><a class="reference internal" href="get_certificate_module.html">community.crypto.get_certificate module Get a certificate from a host:port</a></li>
<li class="toctree-l1"><a class="reference internal" href="luks_device_module.html">community.crypto.luks_device module Manage encrypted (LUKS) devices</a></li>
<li class="toctree-l1"><a class="reference internal" href="openssh_cert_module.html">community.crypto.openssh_cert module Generate OpenSSH host or user certificates.</a></li>
<li class="toctree-l1"><a class="reference internal" href="openssh_keypair_module.html">community.crypto.openssh_keypair module Generate OpenSSH private and public keys</a></li>
<li class="toctree-l1"><a class="reference internal" href="openssl_csr_module.html">community.crypto.openssl_csr module Generate OpenSSL Certificate Signing Request (CSR)</a></li>
<li class="toctree-l1"><a class="reference internal" href="openssl_csr_info_module.html">community.crypto.openssl_csr_info module Provide information of OpenSSL Certificate Signing Requests (CSR)</a></li>
<li class="toctree-l1"><a class="reference internal" href="openssl_csr_pipe_module.html">community.crypto.openssl_csr_pipe module Generate OpenSSL Certificate Signing Request (CSR)</a></li>
<li class="toctree-l1"><a class="reference internal" href="openssl_dhparam_module.html">community.crypto.openssl_dhparam module Generate OpenSSL Diffie-Hellman Parameters</a></li>
<li class="toctree-l1"><a class="reference internal" href="openssl_pkcs12_module.html">community.crypto.openssl_pkcs12 module Generate OpenSSL PKCS#12 archive</a></li>
<li class="toctree-l1"><a class="reference internal" href="openssl_privatekey_module.html">community.crypto.openssl_privatekey module Generate OpenSSL private keys</a></li>
<li class="toctree-l1"><a class="reference internal" href="openssl_privatekey_convert_module.html">community.crypto.openssl_privatekey_convert module Convert OpenSSL private keys</a></li>
<li class="toctree-l1"><a class="reference internal" href="openssl_privatekey_info_module.html">community.crypto.openssl_privatekey_info module Provide information for OpenSSL private keys</a></li>
<li class="toctree-l1"><a class="reference internal" href="openssl_privatekey_pipe_module.html">community.crypto.openssl_privatekey_pipe module Generate OpenSSL private keys without disk access</a></li>
<li class="toctree-l1"><a class="reference internal" href="openssl_publickey_module.html">community.crypto.openssl_publickey module Generate an OpenSSL public key from its private key.</a></li>
<li class="toctree-l1"><a class="reference internal" href="openssl_publickey_info_module.html">community.crypto.openssl_publickey_info module Provide information for OpenSSL public keys</a></li>
<li class="toctree-l1"><a class="reference internal" href="openssl_signature_module.html">community.crypto.openssl_signature module Sign data with openssl</a></li>
<li class="toctree-l1"><a class="reference internal" href="openssl_signature_info_module.html">community.crypto.openssl_signature_info module Verify signatures with openssl</a></li>
<li class="toctree-l1"><a class="reference internal" href="x509_certificate_module.html">community.crypto.x509_certificate module Generate and/or check OpenSSL certificates</a></li>
<li class="toctree-l1"><a class="reference internal" href="x509_certificate_info_module.html">community.crypto.x509_certificate_info module Provide information of OpenSSL X.509 certificates</a></li>
<li class="toctree-l1"><a class="reference internal" href="x509_certificate_pipe_module.html">community.crypto.x509_certificate_pipe module Generate and/or check OpenSSL certificates</a></li>
<li class="toctree-l1"><a class="reference internal" href="x509_crl_module.html">community.crypto.x509_crl module Generate Certificate Revocation Lists (CRLs)</a></li>
<li class="toctree-l1"><a class="reference internal" href="x509_crl_info_module.html">community.crypto.x509_crl_info module Retrieve information on Certificate Revocation Lists (CRLs)</a></li>
</ul>
<ul>
<li class="toctree-l1"><a class="reference internal" href="openssl_csr_info_filter.html">community.crypto.openssl_csr_info filter Retrieve information from OpenSSL Certificate Signing Requests (CSR)</a></li>
<li class="toctree-l1"><a class="reference internal" href="openssl_privatekey_info_filter.html">community.crypto.openssl_privatekey_info filter Retrieve information from OpenSSL private keys</a></li>
<li class="toctree-l1"><a class="reference internal" href="openssl_publickey_info_filter.html">community.crypto.openssl_publickey_info filter Retrieve information from OpenSSL public keys in PEM format</a></li>
<li class="toctree-l1"><a class="reference internal" href="split_pem_filter.html">community.crypto.split_pem filter Split PEM file contents into multiple objects</a></li>
<li class="toctree-l1"><a class="reference internal" href="x509_certificate_info_filter.html">community.crypto.x509_certificate_info filter Retrieve information from X.509 certificates in PEM format</a></li>
<li class="toctree-l1"><a class="reference internal" href="x509_crl_info_filter.html">community.crypto.x509_crl_info filter Retrieve information from X.509 CRLs in PEM format</a></li>
</ul>
<!-- extra nav elements for Ansible beyond RTD Sphinx Theme -->
</div>
</div>
</nav>
<section data-toggle="wy-nav-shift" class="wy-nav-content-wrap"><nav class="wy-nav-top" aria-label="Mobile navigation menu" >
<i data-toggle="wy-nav-top" class="fa fa-bars"></i>
<a href="index.html">Community.Crypto Collection</a>
</nav>
<div class="wy-nav-content">
<div class="rst-content">
<div role="navigation" aria-label="Page navigation">
<ul class="wy-breadcrumbs">
<li><a href="index.html" class="icon icon-home" aria-label="Home"></a></li>
<li class="breadcrumb-item active">community.crypto.acme_certificate module Create SSL/TLS certificates with the ACME protocol</li>
<li class="wy-breadcrumbs-aside">
<!-- User defined GitHub URL -->
<a href="https://github.com/ansible-collections/community.crypto/edit/main/plugins/modules/acme_certificate.py?description=%23%23%23%23%23%20SUMMARY%0A%3C!—%20Your%20description%20here%20%3E%0A%0A%0A%23%23%23%23%23%20ISSUE%20TYPE%0A-%20Docs%20Pull%20Request%0A%0A%2Blabel:%20docsite_pr" class="fa fa-github"> Edit on GitHub</a>
</li>
</ul>
<hr/>
</div>
<div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
<div itemprop="articleBody">
<span class="target" id="ansible-collections-community-crypto-acme-certificate-module"></span><section id="community-crypto-acme-certificate-module-create-ssl-tls-certificates-with-the-acme-protocol">
<h1>community.crypto.acme_certificate module Create SSL/TLS certificates with the ACME protocol<a class="headerlink" href="#community-crypto-acme-certificate-module-create-ssl-tls-certificates-with-the-acme-protocol" title="Permalink to this heading"></a></h1>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>This module is part of the <a class="reference external" href="https://galaxy.ansible.com/community/crypto">community.crypto collection</a> (version 2.14.1).</p>
<p>To install it, use: <code class="code docutils literal notranslate"><span class="pre">ansible-galaxy</span> <span class="pre">collection</span> <span class="pre">install</span> <span class="pre">community.crypto</span></code>.
You need further requirements to be able to use this module,
see <a class="reference internal" href="#ansible-collections-community-crypto-acme-certificate-module-requirements"><span class="std std-ref">Requirements</span></a> for details.</p>
<p>To use it in a playbook, specify: <code class="code docutils literal notranslate"><span class="pre">community.crypto.acme_certificate</span></code>.</p>
</div>
<nav class="contents local" id="contents">
<ul class="simple">
<li><p><a class="reference internal" href="#synopsis" id="id1">Synopsis</a></p></li>
<li><p><a class="reference internal" href="#requirements" id="id2">Requirements</a></p></li>
<li><p><a class="reference internal" href="#parameters" id="id3">Parameters</a></p></li>
<li><p><a class="reference internal" href="#attributes" id="id4">Attributes</a></p></li>
<li><p><a class="reference internal" href="#notes" id="id5">Notes</a></p></li>
<li><p><a class="reference internal" href="#see-also" id="id6">See Also</a></p></li>
<li><p><a class="reference internal" href="#examples" id="id7">Examples</a></p></li>
<li><p><a class="reference internal" href="#return-values" id="id8">Return Values</a></p></li>
</ul>
</nav>
<section id="synopsis">
<h2><a class="toc-backref" href="#id1" role="doc-backlink">Synopsis</a><a class="headerlink" href="#synopsis" title="Permalink to this heading"></a></h2>
<ul class="simple">
<li><p>Create and renew SSL/TLS certificates with a CA supporting the <a class="reference external" href="https://tools.ietf.org/html/rfc8555">ACME protocol</a>, such as <a class="reference external" href="https://letsencrypt.org/">Lets Encrypt</a> or <a class="reference external" href="https://www.buypass.com/">Buypass</a>. The current implementation supports the <code class="ansible-value docutils literal notranslate"><span class="pre">http-01</span></code>, <code class="ansible-value docutils literal notranslate"><span class="pre">dns-01</span></code> and <code class="ansible-value docutils literal notranslate"><span class="pre">tls-alpn-01</span></code> challenges.</p></li>
<li><p>To use this module, it has to be executed twice. Either as two different tasks in the same run or during two runs. Note that the output of the first run needs to be recorded and passed to the second run as the module argument <code class="ansible-option docutils literal notranslate"><strong><a class="reference internal" href="#ansible-collections-community-crypto-acme-certificate-module-parameter-data"><span class="std std-ref"><span class="pre">data</span></span></a></strong></code>.</p></li>
<li><p>Between these two tasks you have to fulfill the required steps for the chosen challenge by whatever means necessary. For <code class="ansible-value docutils literal notranslate"><span class="pre">http-01</span></code> that means creating the necessary challenge file on the destination webserver. For <code class="ansible-value docutils literal notranslate"><span class="pre">dns-01</span></code> the necessary dns record has to be created. For <code class="ansible-value docutils literal notranslate"><span class="pre">tls-alpn-01</span></code> the necessary certificate has to be created and served. It is <em>not</em> the responsibility of this module to perform these steps.</p></li>
<li><p>For details on how to fulfill these challenges, you might have to read through <a class="reference external" href="https://tools.ietf.org/html/rfc8555#section-8">the main ACME specification</a> and the <a class="reference external" href="https://www.rfc-editor.org/rfc/rfc8737.html#section-3">TLS-ALPN-01 specification</a>. Also, consider the examples provided for this module.</p></li>
<li><p>The module includes experimental support for IP identifiers according to the <a class="reference external" href="https://www.rfc-editor.org/rfc/rfc8738.html">RFC 8738</a>.</p></li>
</ul>
</section>
<section id="requirements">
<span id="ansible-collections-community-crypto-acme-certificate-module-requirements"></span><h2><a class="toc-backref" href="#id2" role="doc-backlink">Requirements</a><a class="headerlink" href="#requirements" title="Permalink to this heading"></a></h2>
<p>The below requirements are needed on the host that executes this module.</p>
<ul class="simple">
<li><p>either openssl or <a class="reference external" href="https://cryptography.io/">cryptography</a> &gt;= 1.5</p></li>
<li><p>ipaddress</p></li>
</ul>
</section>
<section id="parameters">
<h2><a class="toc-backref" href="#id3" role="doc-backlink">Parameters</a><a class="headerlink" href="#parameters" title="Permalink to this heading"></a></h2>
<table class="ansible-option-table docutils align-default" style="width: 100%">
<thead>
<tr class="row-odd"><th class="head"><p>Parameter</p></th>
<th class="head"><p>Comments</p></th>
</tr>
</thead>
<tbody>
<tr class="row-even"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-account_email"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-parameter-account-email"><strong>account_email</strong></p>
<a class="ansibleOptionLink" href="#parameter-account_email" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>The email address associated with this account.</p>
<p>It will be used for certificate expiration warnings.</p>
<p>Note that when <code class="ansible-option docutils literal notranslate"><strong><a class="reference internal" href="#ansible-collections-community-crypto-acme-certificate-module-parameter-modify-account"><span class="std std-ref"><span class="pre">modify_account</span></span></a></strong></code> is not set to <code class="ansible-value docutils literal notranslate"><span class="pre">false</span></code> and you also used the <a class="reference internal" href="acme_account_module.html#ansible-collections-community-crypto-acme-account-module"><span class="std std-ref">community.crypto.acme_account</span></a> module to specify more than one contact for your account, this module will update your account and restrict it to the (at most one) contact email address specified here.</p>
</div></td>
</tr>
<tr class="row-odd"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-account_key_content"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-parameter-account-key-content"><strong>account_key_content</strong></p>
<a class="ansibleOptionLink" href="#parameter-account_key_content" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>Content of the ACME account RSA or Elliptic Curve key.</p>
<p>Mutually exclusive with <code class="ansible-option docutils literal notranslate"><strong><a class="reference internal" href="#ansible-collections-community-crypto-acme-certificate-module-parameter-account-key-src"><span class="std std-ref"><span class="pre">account_key_src</span></span></a></strong></code>.</p>
<p>Required if <code class="ansible-option docutils literal notranslate"><strong><a class="reference internal" href="#ansible-collections-community-crypto-acme-certificate-module-parameter-account-key-src"><span class="std std-ref"><span class="pre">account_key_src</span></span></a></strong></code> is not used.</p>
<p><strong>Warning:</strong> the content will be written into a temporary file, which will be deleted by Ansible when the module completes. Since this is an important private key — it can be used to change the account key, or to revoke your certificates without knowing their private keys —, this might not be acceptable.</p>
<p>In case <code class="docutils literal notranslate"><span class="pre">cryptography</span></code> is used, the content is not written into a temporary file. It can still happen that it is written to disk by Ansible in the process of moving the module with its argument to the node where it is executed.</p>
</div></td>
</tr>
<tr class="row-even"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-account_key_passphrase"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-parameter-account-key-passphrase"><strong>account_key_passphrase</strong></p>
<a class="ansibleOptionLink" href="#parameter-account_key_passphrase" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
<p><span class="ansible-option-versionadded">added in community.crypto 1.6.0</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>Phassphrase to use to decode the account key.</p>
<p><strong>Note:</strong> this is not supported by the <code class="docutils literal notranslate"><span class="pre">openssl</span></code> backend, only by the <code class="docutils literal notranslate"><span class="pre">cryptography</span></code> backend.</p>
</div></td>
</tr>
<tr class="row-odd"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-account_key_src"></div>
<div class="ansibleOptionAnchor" id="parameter-account_key"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-parameter-account-key-src"><span id="ansible-collections-community-crypto-acme-certificate-module-parameter-account-key"></span><strong>account_key_src</strong></p>
<a class="ansibleOptionLink" href="#parameter-account_key_src" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-aliases">aliases: account_key</span></p>
<p class="ansible-option-type-line"><span class="ansible-option-type">path</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>Path to a file containing the ACME account RSA or Elliptic Curve key.</p>
<p>Private keys can be created with the <a class="reference internal" href="openssl_privatekey_module.html#ansible-collections-community-crypto-openssl-privatekey-module"><span class="std std-ref">community.crypto.openssl_privatekey</span></a> or <a class="reference internal" href="openssl_privatekey_pipe_module.html#ansible-collections-community-crypto-openssl-privatekey-pipe-module"><span class="std std-ref">community.crypto.openssl_privatekey_pipe</span></a> modules. If the requisite (cryptography) is not available, keys can also be created directly with the <code class="docutils literal notranslate"><span class="pre">openssl</span></code> command line tool: RSA keys can be created with <code class="docutils literal notranslate"><span class="pre">openssl</span> <span class="pre">genrsa</span> <span class="pre">...</span></code>. Elliptic curve keys can be created with <code class="docutils literal notranslate"><span class="pre">openssl</span> <span class="pre">ecparam</span> <span class="pre">-genkey</span> <span class="pre">...</span></code>. Any other tool creating private keys in PEM format can be used as well.</p>
<p>Mutually exclusive with <code class="ansible-option docutils literal notranslate"><strong><a class="reference internal" href="#ansible-collections-community-crypto-acme-certificate-module-parameter-account-key-content"><span class="std std-ref"><span class="pre">account_key_content</span></span></a></strong></code>.</p>
<p>Required if <code class="ansible-option docutils literal notranslate"><strong><a class="reference internal" href="#ansible-collections-community-crypto-acme-certificate-module-parameter-account-key-content"><span class="std std-ref"><span class="pre">account_key_content</span></span></a></strong></code> is not used.</p>
</div></td>
</tr>
<tr class="row-even"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-account_uri"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-parameter-account-uri"><strong>account_uri</strong></p>
<a class="ansibleOptionLink" href="#parameter-account_uri" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>If specified, assumes that the account URI is as given. If the account key does not match this account, or an account with this URI does not exist, the module fails.</p>
</div></td>
</tr>
<tr class="row-odd"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-acme_directory"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-parameter-acme-directory"><strong>acme_directory</strong></p>
<a class="ansibleOptionLink" href="#parameter-acme_directory" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span> / <span class="ansible-option-required">required</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>The ACME directory to use. This is the entry point URL to access the ACME CA server API.</p>
<p>For safety reasons the default is set to the Lets Encrypt staging server (for the ACME v1 protocol). This will create technically correct, but untrusted certificates.</p>
<p>For Lets Encrypt, all staging endpoints can be found here: <a class="reference external" href="https://letsencrypt.org/docs/staging-environment/">https://letsencrypt.org/docs/staging-environment/</a>. For Buypass, all endpoints can be found here: <a class="reference external" href="https://community.buypass.com/t/63d4ay/buypass-go-ssl-endpoints">https://community.buypass.com/t/63d4ay/buypass-go-ssl-endpoints</a></p>
<p>For <strong>Lets Encrypt</strong>, the production directory URL for ACME v2 is <a class="reference external" href="https://acme-v02.api.letsencrypt.org/directory">https://acme-v02.api.letsencrypt.org/directory</a>.</p>
<p>For <strong>Buypass</strong>, the production directory URL for ACME v2 and v1 is <a class="reference external" href="https://api.buypass.com/acme/directory">https://api.buypass.com/acme/directory</a>.</p>
<p>For <strong>ZeroSSL</strong>, the production directory URL for ACME v2 is <a class="reference external" href="https://acme.zerossl.com/v2/DV90">https://acme.zerossl.com/v2/DV90</a>.</p>
<p>For <strong>Sectigo</strong>, the production directory URL for ACME v2 is <a class="reference external" href="https://acme-qa.secure.trust-provider.com/v2/DV">https://acme-qa.secure.trust-provider.com/v2/DV</a>.</p>
<p>The notes for this module contain a list of ACME services this module has been tested against.</p>
</div></td>
</tr>
<tr class="row-even"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-acme_version"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-parameter-acme-version"><strong>acme_version</strong></p>
<a class="ansibleOptionLink" href="#parameter-acme_version" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">integer</span> / <span class="ansible-option-required">required</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>The ACME version of the endpoint.</p>
<p>Must be <code class="ansible-value docutils literal notranslate"><span class="pre">1</span></code> for the classic Lets Encrypt and Buypass ACME endpoints, or <code class="ansible-value docutils literal notranslate"><span class="pre">2</span></code> for standardized ACME v2 endpoints.</p>
<p>The value <code class="ansible-value docutils literal notranslate"><span class="pre">1</span></code> is deprecated since community.crypto 2.0.0 and will be removed from community.crypto 3.0.0.</p>
<p class="ansible-option-line"><span class="ansible-option-choices">Choices:</span></p>
<ul class="simple">
<li><p><code class="ansible-option-choices-entry docutils literal notranslate"><span class="pre">1</span></code></p></li>
<li><p><code class="ansible-option-choices-entry docutils literal notranslate"><span class="pre">2</span></code></p></li>
</ul>
</div></td>
</tr>
<tr class="row-odd"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-agreement"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-parameter-agreement"><strong>agreement</strong></p>
<a class="ansibleOptionLink" href="#parameter-agreement" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>URI to a terms of service document you agree to when using the ACME v1 service at <code class="ansible-option docutils literal notranslate"><strong><a class="reference internal" href="#ansible-collections-community-crypto-acme-certificate-module-parameter-acme-directory"><span class="std std-ref"><span class="pre">acme_directory</span></span></a></strong></code>.</p>
<p>Default is latest gathered from <code class="ansible-option docutils literal notranslate"><strong><a class="reference internal" href="#ansible-collections-community-crypto-acme-certificate-module-parameter-acme-directory"><span class="std std-ref"><span class="pre">acme_directory</span></span></a></strong></code> URL.</p>
<p>This option will only be used when <code class="ansible-option docutils literal notranslate"><strong><a class="reference internal" href="#ansible-collections-community-crypto-acme-certificate-module-parameter-acme-version"><span class="std std-ref"><span class="pre">acme_version</span></span></a></strong></code> is 1.</p>
</div></td>
</tr>
<tr class="row-even"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-chain_dest"></div>
<div class="ansibleOptionAnchor" id="parameter-chain"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-parameter-chain-dest"><span id="ansible-collections-community-crypto-acme-certificate-module-parameter-chain"></span><strong>chain_dest</strong></p>
<a class="ansibleOptionLink" href="#parameter-chain_dest" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-aliases">aliases: chain</span></p>
<p class="ansible-option-type-line"><span class="ansible-option-type">path</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>If specified, the intermediate certificate will be written to this file.</p>
</div></td>
</tr>
<tr class="row-odd"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-challenge"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-parameter-challenge"><strong>challenge</strong></p>
<a class="ansibleOptionLink" href="#parameter-challenge" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>The challenge to be performed.</p>
<p>If set to <code class="ansible-value docutils literal notranslate"><span class="pre">no</span> <span class="pre">challenge</span></code>, no challenge will be used. This is necessary for some private CAs which use External Account Binding and other means of validating certificate assurance. For example, an account could be allowed to issue certificates for <code class="docutils literal notranslate"><span class="pre">foo.example.com</span></code> without any further validation for a certain period of time.</p>
<p class="ansible-option-line"><span class="ansible-option-choices">Choices:</span></p>
<ul class="simple">
<li><p><code class="ansible-option-default-bold docutils literal notranslate"><span class="pre">&quot;http-01&quot;</span></code> <span class="ansible-option-choices-default-mark">← (default)</span></p></li>
<li><p><code class="ansible-option-choices-entry docutils literal notranslate"><span class="pre">&quot;dns-01&quot;</span></code></p></li>
<li><p><code class="ansible-option-choices-entry docutils literal notranslate"><span class="pre">&quot;tls-alpn-01&quot;</span></code></p></li>
<li><p><code class="ansible-option-choices-entry docutils literal notranslate"><span class="pre">&quot;no</span> <span class="pre">challenge&quot;</span></code></p></li>
</ul>
</div></td>
</tr>
<tr class="row-even"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-csr"></div>
<div class="ansibleOptionAnchor" id="parameter-src"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-parameter-src"><span id="ansible-collections-community-crypto-acme-certificate-module-parameter-csr"></span><strong>csr</strong></p>
<a class="ansibleOptionLink" href="#parameter-csr" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-aliases">aliases: src</span></p>
<p class="ansible-option-type-line"><span class="ansible-option-type">path</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>File containing the CSR for the new certificate.</p>
<p>Can be created with <a class="reference internal" href="openssl_csr_module.html#ansible-collections-community-crypto-openssl-csr-module"><span class="std std-ref">community.crypto.openssl_csr</span></a> or <code class="docutils literal notranslate"><span class="pre">openssl</span> <span class="pre">req</span> <span class="pre">...</span></code>.</p>
<p>The CSR may contain multiple Subject Alternate Names, but each one will lead to an individual challenge that must be fulfilled for the CSR to be signed.</p>
<p><em>Note</em>: the private key used to create the CSR <em>must not</em> be the account key. This is a bad idea from a security point of view, and the CA should not accept the CSR. The ACME server should return an error in this case.</p>
<p>Precisely one of <code class="ansible-option docutils literal notranslate"><strong><a class="reference internal" href="#ansible-collections-community-crypto-acme-certificate-module-parameter-csr"><span class="std std-ref"><span class="pre">csr</span></span></a></strong></code> or <code class="ansible-option docutils literal notranslate"><strong><a class="reference internal" href="#ansible-collections-community-crypto-acme-certificate-module-parameter-csr-content"><span class="std std-ref"><span class="pre">csr_content</span></span></a></strong></code> must be specified.</p>
</div></td>
</tr>
<tr class="row-odd"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-csr_content"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-parameter-csr-content"><strong>csr_content</strong></p>
<a class="ansibleOptionLink" href="#parameter-csr_content" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
<p><span class="ansible-option-versionadded">added in community.crypto 1.2.0</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>Content of the CSR for the new certificate.</p>
<p>Can be created with <a class="reference internal" href="openssl_csr_pipe_module.html#ansible-collections-community-crypto-openssl-csr-pipe-module"><span class="std std-ref">community.crypto.openssl_csr_pipe</span></a> or <code class="docutils literal notranslate"><span class="pre">openssl</span> <span class="pre">req</span> <span class="pre">...</span></code>.</p>
<p>The CSR may contain multiple Subject Alternate Names, but each one will lead to an individual challenge that must be fulfilled for the CSR to be signed.</p>
<p><em>Note</em>: the private key used to create the CSR <em>must not</em> be the account key. This is a bad idea from a security point of view, and the CA should not accept the CSR. The ACME server should return an error in this case.</p>
<p>Precisely one of <code class="ansible-option docutils literal notranslate"><strong><a class="reference internal" href="#ansible-collections-community-crypto-acme-certificate-module-parameter-csr"><span class="std std-ref"><span class="pre">csr</span></span></a></strong></code> or <code class="ansible-option docutils literal notranslate"><strong><a class="reference internal" href="#ansible-collections-community-crypto-acme-certificate-module-parameter-csr-content"><span class="std std-ref"><span class="pre">csr_content</span></span></a></strong></code> must be specified.</p>
</div></td>
</tr>
<tr class="row-even"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-data"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-parameter-data"><strong>data</strong></p>
<a class="ansibleOptionLink" href="#parameter-data" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">dictionary</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>The data to validate ongoing challenges. This must be specified for the second run of the module only.</p>
<p>The value that must be used here will be provided by a previous use of this module. See the examples for more details.</p>
<p>Note that for ACME v2, only the <code class="docutils literal notranslate"><span class="pre">order_uri</span></code> entry of <code class="ansible-option docutils literal notranslate"><strong><a class="reference internal" href="#ansible-collections-community-crypto-acme-certificate-module-parameter-data"><span class="std std-ref"><span class="pre">data</span></span></a></strong></code> will be used. For ACME v1, <code class="ansible-option docutils literal notranslate"><strong><a class="reference internal" href="#ansible-collections-community-crypto-acme-certificate-module-parameter-data"><span class="std std-ref"><span class="pre">data</span></span></a></strong></code> must be non-empty to indicate the second stage is active; all needed data will be taken from the CSR.</p>
<p><em>Note</em>: the <code class="ansible-option docutils literal notranslate"><strong><a class="reference internal" href="#ansible-collections-community-crypto-acme-certificate-module-parameter-data"><span class="std std-ref"><span class="pre">data</span></span></a></strong></code> option was marked as <code class="docutils literal notranslate"><span class="pre">no_log</span></code> up to Ansible 2.5. From Ansible 2.6 on, it is no longer marked this way as it causes error messages to be come unusable, and <code class="ansible-option docutils literal notranslate"><strong><a class="reference internal" href="#ansible-collections-community-crypto-acme-certificate-module-parameter-data"><span class="std std-ref"><span class="pre">data</span></span></a></strong></code> does not contain any information which can be used without having access to the account key or which are not public anyway.</p>
</div></td>
</tr>
<tr class="row-odd"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-deactivate_authzs"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-parameter-deactivate-authzs"><strong>deactivate_authzs</strong></p>
<a class="ansibleOptionLink" href="#parameter-deactivate_authzs" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">boolean</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>Deactivate authentication objects (authz) after issuing a certificate, or when issuing the certificate failed.</p>
<p>Authentication objects are bound to an account key and remain valid for a certain amount of time, and can be used to issue certificates without having to re-authenticate the domain. This can be a security concern.</p>
<p class="ansible-option-line"><span class="ansible-option-choices">Choices:</span></p>
<ul class="simple">
<li><p><code class="ansible-option-default-bold docutils literal notranslate"><span class="pre">false</span></code> <span class="ansible-option-choices-default-mark">← (default)</span></p></li>
<li><p><code class="ansible-option-choices-entry docutils literal notranslate"><span class="pre">true</span></code></p></li>
</ul>
</div></td>
</tr>
<tr class="row-even"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-dest"></div>
<div class="ansibleOptionAnchor" id="parameter-cert"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-parameter-dest"><span id="ansible-collections-community-crypto-acme-certificate-module-parameter-cert"></span><strong>dest</strong></p>
<a class="ansibleOptionLink" href="#parameter-dest" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-aliases">aliases: cert</span></p>
<p class="ansible-option-type-line"><span class="ansible-option-type">path</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>The destination file for the certificate.</p>
<p>Required if <code class="ansible-option docutils literal notranslate"><strong><a class="reference internal" href="#ansible-collections-community-crypto-acme-certificate-module-parameter-fullchain-dest"><span class="std std-ref"><span class="pre">fullchain_dest</span></span></a></strong></code> is not specified.</p>
</div></td>
</tr>
<tr class="row-odd"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-force"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-parameter-force"><strong>force</strong></p>
<a class="ansibleOptionLink" href="#parameter-force" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">boolean</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>Enforces the execution of the challenge and validation, even if an existing certificate is still valid for more than <code class="ansible-option docutils literal notranslate"><strong><a class="reference internal" href="#ansible-collections-community-crypto-acme-certificate-module-parameter-remaining-days"><span class="std std-ref"><span class="pre">remaining_days</span></span></a></strong></code>.</p>
<p>This is especially helpful when having an updated CSR, for example with additional domains for which a new certificate is desired.</p>
<p class="ansible-option-line"><span class="ansible-option-choices">Choices:</span></p>
<ul class="simple">
<li><p><code class="ansible-option-default-bold docutils literal notranslate"><span class="pre">false</span></code> <span class="ansible-option-choices-default-mark">← (default)</span></p></li>
<li><p><code class="ansible-option-choices-entry docutils literal notranslate"><span class="pre">true</span></code></p></li>
</ul>
</div></td>
</tr>
<tr class="row-even"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-fullchain_dest"></div>
<div class="ansibleOptionAnchor" id="parameter-fullchain"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-parameter-fullchain-dest"><span id="ansible-collections-community-crypto-acme-certificate-module-parameter-fullchain"></span><strong>fullchain_dest</strong></p>
<a class="ansibleOptionLink" href="#parameter-fullchain_dest" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-aliases">aliases: fullchain</span></p>
<p class="ansible-option-type-line"><span class="ansible-option-type">path</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>The destination file for the full chain (that is, a certificate followed by chain of intermediate certificates).</p>
<p>Required if <code class="ansible-option docutils literal notranslate"><strong><a class="reference internal" href="#ansible-collections-community-crypto-acme-certificate-module-parameter-dest"><span class="std std-ref"><span class="pre">dest</span></span></a></strong></code> is not specified.</p>
</div></td>
</tr>
<tr class="row-odd"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-modify_account"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-parameter-modify-account"><strong>modify_account</strong></p>
<a class="ansibleOptionLink" href="#parameter-modify_account" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">boolean</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>Boolean indicating whether the module should create the account if necessary, and update its contact data.</p>
<p>Set to <code class="ansible-value docutils literal notranslate"><span class="pre">false</span></code> if you want to use the <a class="reference internal" href="acme_account_module.html#ansible-collections-community-crypto-acme-account-module"><span class="std std-ref">community.crypto.acme_account</span></a> module to manage your account instead, and to avoid accidental creation of a new account using an old key if you changed the account key with <a class="reference internal" href="acme_account_module.html#ansible-collections-community-crypto-acme-account-module"><span class="std std-ref">community.crypto.acme_account</span></a>.</p>
<p>If set to <code class="ansible-value docutils literal notranslate"><span class="pre">false</span></code>, <code class="ansible-option docutils literal notranslate"><strong><a class="reference internal" href="#ansible-collections-community-crypto-acme-certificate-module-parameter-terms-agreed"><span class="std std-ref"><span class="pre">terms_agreed</span></span></a></strong></code> and <code class="ansible-option docutils literal notranslate"><strong><a class="reference internal" href="#ansible-collections-community-crypto-acme-certificate-module-parameter-account-email"><span class="std std-ref"><span class="pre">account_email</span></span></a></strong></code> are ignored.</p>
<p class="ansible-option-line"><span class="ansible-option-choices">Choices:</span></p>
<ul class="simple">
<li><p><code class="ansible-option-choices-entry docutils literal notranslate"><span class="pre">false</span></code></p></li>
<li><p><code class="ansible-option-default-bold docutils literal notranslate"><span class="pre">true</span></code> <span class="ansible-option-choices-default-mark">← (default)</span></p></li>
</ul>
</div></td>
</tr>
<tr class="row-even"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-remaining_days"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-parameter-remaining-days"><strong>remaining_days</strong></p>
<a class="ansibleOptionLink" href="#parameter-remaining_days" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">integer</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>The number of days the certificate must have left being valid. If <code class="ansible-return-value docutils literal notranslate"><a class="reference internal" href="#ansible-collections-community-crypto-acme-certificate-module-return-cert-days"><span class="std std-ref"><span class="pre">cert_days</span></span></a></code> &lt; <code class="ansible-option docutils literal notranslate"><strong><a class="reference internal" href="#ansible-collections-community-crypto-acme-certificate-module-parameter-remaining-days"><span class="std std-ref"><span class="pre">remaining_days</span></span></a></strong></code>, then it will be renewed. If the certificate is not renewed, module return values will not include <code class="ansible-return-value docutils literal notranslate"><a class="reference internal" href="#ansible-collections-community-crypto-acme-certificate-module-return-challenge-data"><span class="std std-ref"><span class="pre">challenge_data</span></span></a></code>.</p>
<p>To make sure that the certificate is renewed in any case, you can use the <code class="ansible-option docutils literal notranslate"><strong><a class="reference internal" href="#ansible-collections-community-crypto-acme-certificate-module-parameter-force"><span class="std std-ref"><span class="pre">force</span></span></a></strong></code> option.</p>
<p class="ansible-option-line"><span class="ansible-option-default-bold">Default:</span> <code class="ansible-option-default docutils literal notranslate"><span class="pre">10</span></code></p>
</div></td>
</tr>
<tr class="row-odd"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-request_timeout"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-parameter-request-timeout"><strong>request_timeout</strong></p>
<a class="ansibleOptionLink" href="#parameter-request_timeout" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">integer</span></p>
<p><span class="ansible-option-versionadded">added in community.crypto 2.3.0</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>The time Ansible should wait for a response from the ACME API.</p>
<p>This timeout is applied to all HTTP(S) requests (HEAD, GET, POST).</p>
<p class="ansible-option-line"><span class="ansible-option-default-bold">Default:</span> <code class="ansible-option-default docutils literal notranslate"><span class="pre">10</span></code></p>
</div></td>
</tr>
<tr class="row-even"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-retrieve_all_alternates"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-parameter-retrieve-all-alternates"><strong>retrieve_all_alternates</strong></p>
<a class="ansibleOptionLink" href="#parameter-retrieve_all_alternates" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">boolean</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>When set to <code class="ansible-value docutils literal notranslate"><span class="pre">true</span></code>, will retrieve all alternate trust chains offered by the ACME CA. These will not be written to disk, but will be returned together with the main chain as <code class="ansible-return-value docutils literal notranslate"><a class="reference internal" href="#ansible-collections-community-crypto-acme-certificate-module-return-all-chains"><span class="std std-ref"><span class="pre">all_chains</span></span></a></code>. See the documentation for the <code class="ansible-return-value docutils literal notranslate"><a class="reference internal" href="#ansible-collections-community-crypto-acme-certificate-module-return-all-chains"><span class="std std-ref"><span class="pre">all_chains</span></span></a></code> return value for details.</p>
<p class="ansible-option-line"><span class="ansible-option-choices">Choices:</span></p>
<ul class="simple">
<li><p><code class="ansible-option-default-bold docutils literal notranslate"><span class="pre">false</span></code> <span class="ansible-option-choices-default-mark">← (default)</span></p></li>
<li><p><code class="ansible-option-choices-entry docutils literal notranslate"><span class="pre">true</span></code></p></li>
</ul>
</div></td>
</tr>
<tr class="row-odd"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-select_chain"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-parameter-select-chain"><strong>select_chain</strong></p>
<a class="ansibleOptionLink" href="#parameter-select_chain" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">list</span> / <span class="ansible-option-elements">elements=dictionary</span></p>
<p><span class="ansible-option-versionadded">added in community.crypto 1.0.0</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>Allows to specify criteria by which an (alternate) trust chain can be selected.</p>
<p>The list of criteria will be processed one by one until a chain is found matching a criterium. If such a chain is found, it will be used by the module instead of the default chain.</p>
<p>If a criterium matches multiple chains, the first one matching will be returned. The order is determined by the ordering of the <code class="docutils literal notranslate"><span class="pre">Link</span></code> headers returned by the ACME server and might not be deterministic.</p>
<p>Every criterium can consist of multiple different conditions, like <code class="ansible-option docutils literal notranslate"><strong><a class="reference internal" href="#ansible-collections-community-crypto-acme-certificate-module-parameter-select-chain-issuer"><span class="std std-ref"><span class="pre">select_chain[].issuer</span></span></a></strong></code> and <code class="ansible-option docutils literal notranslate"><strong><a class="reference internal" href="#ansible-collections-community-crypto-acme-certificate-module-parameter-select-chain-subject"><span class="std std-ref"><span class="pre">select_chain[].subject</span></span></a></strong></code>. For the criterium to match a chain, all conditions must apply to the same certificate in the chain.</p>
<p>This option can only be used with the <code class="docutils literal notranslate"><span class="pre">cryptography</span></code> backend.</p>
</div></td>
</tr>
<tr class="row-even"><td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-select_chain/authority_key_identifier"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-parameter-select-chain-authority-key-identifier"><strong>authority_key_identifier</strong></p>
<a class="ansibleOptionLink" href="#parameter-select_chain/authority_key_identifier" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell"><p>Checks for the AuthorityKeyIdentifier extension. This is an identifier based on the private key of the issuer of the intermediate certificate.</p>
<p>The identifier must be of the form <code class="ansible-value docutils literal notranslate"><span class="pre">C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10</span></code>.</p>
</div></td>
</tr>
<tr class="row-odd"><td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-select_chain/issuer"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-parameter-select-chain-issuer"><strong>issuer</strong></p>
<a class="ansibleOptionLink" href="#parameter-select_chain/issuer" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">dictionary</span></p>
</div></td>
<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell"><p>Allows to specify parts of the issuer of a certificate in the chain must have to be selected.</p>
<p>If <code class="ansible-option docutils literal notranslate"><strong><a class="reference internal" href="#ansible-collections-community-crypto-acme-certificate-module-parameter-select-chain-issuer"><span class="std std-ref"><span class="pre">select_chain[].issuer</span></span></a></strong></code> is empty, any certificate will match.</p>
<p>An example value would be <code class="ansible-value docutils literal notranslate"><span class="pre">{&quot;commonName&quot;:</span> <span class="pre">&quot;My</span> <span class="pre">Preferred</span> <span class="pre">CA</span> <span class="pre">Root&quot;}</span></code>.</p>
</div></td>
</tr>
<tr class="row-even"><td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-select_chain/subject"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-parameter-select-chain-subject"><strong>subject</strong></p>
<a class="ansibleOptionLink" href="#parameter-select_chain/subject" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">dictionary</span></p>
</div></td>
<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell"><p>Allows to specify parts of the subject of a certificate in the chain must have to be selected.</p>
<p>If <code class="ansible-option docutils literal notranslate"><strong><a class="reference internal" href="#ansible-collections-community-crypto-acme-certificate-module-parameter-select-chain-subject"><span class="std std-ref"><span class="pre">select_chain[].subject</span></span></a></strong></code> is empty, any certificate will match.</p>
<p>An example value would be <code class="ansible-value docutils literal notranslate"><span class="pre">{&quot;CN&quot;:</span> <span class="pre">&quot;My</span> <span class="pre">Preferred</span> <span class="pre">CA</span> <span class="pre">Intermediate&quot;}</span></code></p>
</div></td>
</tr>
<tr class="row-odd"><td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-select_chain/subject_key_identifier"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-parameter-select-chain-subject-key-identifier"><strong>subject_key_identifier</strong></p>
<a class="ansibleOptionLink" href="#parameter-select_chain/subject_key_identifier" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell"><p>Checks for the SubjectKeyIdentifier extension. This is an identifier based on the private key of the intermediate certificate.</p>
<p>The identifier must be of the form <code class="ansible-value docutils literal notranslate"><span class="pre">A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1</span></code>.</p>
</div></td>
</tr>
<tr class="row-even"><td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-select_chain/test_certificates"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-parameter-select-chain-test-certificates"><strong>test_certificates</strong></p>
<a class="ansibleOptionLink" href="#parameter-select_chain/test_certificates" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell"><p>Determines which certificates in the chain will be tested.</p>
<p><code class="ansible-value docutils literal notranslate"><span class="pre">all</span></code> tests all certificates in the chain (excluding the leaf, which is identical in all chains).</p>
<p><code class="ansible-value docutils literal notranslate"><span class="pre">first</span></code> only tests the first certificate in the chain, that is the one which signed the leaf.</p>
<p><code class="ansible-value docutils literal notranslate"><span class="pre">last</span></code> only tests the last certificate in the chain, that is the one furthest away from the leaf. Its issuer is the root certificate of this chain.</p>
<p class="ansible-option-line"><span class="ansible-option-choices">Choices:</span></p>
<ul class="simple">
<li><p><code class="ansible-option-choices-entry docutils literal notranslate"><span class="pre">&quot;first&quot;</span></code></p></li>
<li><p><code class="ansible-option-choices-entry docutils literal notranslate"><span class="pre">&quot;last&quot;</span></code></p></li>
<li><p><code class="ansible-option-default-bold docutils literal notranslate"><span class="pre">&quot;all&quot;</span></code> <span class="ansible-option-choices-default-mark">← (default)</span></p></li>
</ul>
</div></td>
</tr>
<tr class="row-odd"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-select_crypto_backend"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-parameter-select-crypto-backend"><strong>select_crypto_backend</strong></p>
<a class="ansibleOptionLink" href="#parameter-select_crypto_backend" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>Determines which crypto backend to use.</p>
<p>The default choice is <code class="ansible-value docutils literal notranslate"><span class="pre">auto</span></code>, which tries to use <code class="docutils literal notranslate"><span class="pre">cryptography</span></code> if available, and falls back to <code class="docutils literal notranslate"><span class="pre">openssl</span></code>.</p>
<p>If set to <code class="ansible-value docutils literal notranslate"><span class="pre">openssl</span></code>, will try to use the <code class="docutils literal notranslate"><span class="pre">openssl</span></code> binary.</p>
<p>If set to <code class="ansible-value docutils literal notranslate"><span class="pre">cryptography</span></code>, will try to use the <a class="reference external" href="https://cryptography.io/">cryptography</a> library.</p>
<p class="ansible-option-line"><span class="ansible-option-choices">Choices:</span></p>
<ul class="simple">
<li><p><code class="ansible-option-default-bold docutils literal notranslate"><span class="pre">&quot;auto&quot;</span></code> <span class="ansible-option-choices-default-mark">← (default)</span></p></li>
<li><p><code class="ansible-option-choices-entry docutils literal notranslate"><span class="pre">&quot;cryptography&quot;</span></code></p></li>
<li><p><code class="ansible-option-choices-entry docutils literal notranslate"><span class="pre">&quot;openssl&quot;</span></code></p></li>
</ul>
</div></td>
</tr>
<tr class="row-even"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-terms_agreed"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-parameter-terms-agreed"><strong>terms_agreed</strong></p>
<a class="ansibleOptionLink" href="#parameter-terms_agreed" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">boolean</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>Boolean indicating whether you agree to the terms of service document.</p>
<p>ACME servers can require this to be true.</p>
<p>This option will only be used when <code class="ansible-option docutils literal notranslate"><strong><a class="reference internal" href="#ansible-collections-community-crypto-acme-certificate-module-parameter-acme-version"><span class="std std-ref"><span class="pre">acme_version</span></span></a></strong></code> is not 1.</p>
<p class="ansible-option-line"><span class="ansible-option-choices">Choices:</span></p>
<ul class="simple">
<li><p><code class="ansible-option-default-bold docutils literal notranslate"><span class="pre">false</span></code> <span class="ansible-option-choices-default-mark">← (default)</span></p></li>
<li><p><code class="ansible-option-choices-entry docutils literal notranslate"><span class="pre">true</span></code></p></li>
</ul>
</div></td>
</tr>
<tr class="row-odd"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-validate_certs"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-parameter-validate-certs"><strong>validate_certs</strong></p>
<a class="ansibleOptionLink" href="#parameter-validate_certs" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">boolean</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>Whether calls to the ACME directory will validate TLS certificates.</p>
<p><strong>Warning:</strong> Should <strong>only ever</strong> be set to <code class="ansible-value docutils literal notranslate"><span class="pre">false</span></code> for testing purposes, for example when testing against a local Pebble server.</p>
<p class="ansible-option-line"><span class="ansible-option-choices">Choices:</span></p>
<ul class="simple">
<li><p><code class="ansible-option-choices-entry docutils literal notranslate"><span class="pre">false</span></code></p></li>
<li><p><code class="ansible-option-default-bold docutils literal notranslate"><span class="pre">true</span></code> <span class="ansible-option-choices-default-mark">← (default)</span></p></li>
</ul>
</div></td>
</tr>
</tbody>
</table>
</section>
<section id="attributes">
<h2><a class="toc-backref" href="#id4" role="doc-backlink">Attributes</a><a class="headerlink" href="#attributes" title="Permalink to this heading"></a></h2>
<table class="ansible-option-table docutils align-default" style="width: 100%">
<thead>
<tr class="row-odd"><th class="head"><p>Attribute</p></th>
<th class="head"><p>Support</p></th>
<th class="head"><p>Description</p></th>
</tr>
</thead>
<tbody>
<tr class="row-even"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="attribute-action_group"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-attribute-action-group"><strong>action_group</strong></p>
<a class="ansibleOptionLink" href="#attribute-action_group" title="Permalink to this attribute"></a></div></td>
<td><div class="ansible-option-cell"><p><span class="ansible-attribute-support-property">Action groups:</span> <span class="ansible-attribute-support-full">community.crypto.acme</span>, <span class="ansible-attribute-support-full">acme</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>Use <code class="docutils literal notranslate"><span class="pre">group/acme</span></code> or <code class="docutils literal notranslate"><span class="pre">group/community.crypto.acme</span></code> in <code class="docutils literal notranslate"><span class="pre">module_defaults</span></code> to set defaults for this module.</p>
</div></td>
</tr>
<tr class="row-odd"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="attribute-check_mode"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-attribute-check-mode"><strong>check_mode</strong></p>
<a class="ansibleOptionLink" href="#attribute-check_mode" title="Permalink to this attribute"></a></div></td>
<td><div class="ansible-option-cell"><p><span class="ansible-attribute-support-label">Support: </span><span class="ansible-attribute-support-full">full</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>Can run in <code class="docutils literal notranslate"><span class="pre">check_mode</span></code> and return changed status prediction without modifying target.</p>
</div></td>
</tr>
<tr class="row-even"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="attribute-diff_mode"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-attribute-diff-mode"><strong>diff_mode</strong></p>
<a class="ansibleOptionLink" href="#attribute-diff_mode" title="Permalink to this attribute"></a></div></td>
<td><div class="ansible-option-cell"><p><span class="ansible-attribute-support-label">Support: </span><span class="ansible-attribute-support-none">none</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>Will return details on what has changed (or possibly needs changing in <code class="docutils literal notranslate"><span class="pre">check_mode</span></code>), when in diff mode.</p>
</div></td>
</tr>
<tr class="row-odd"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="attribute-safe_file_operations"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-attribute-safe-file-operations"><strong>safe_file_operations</strong></p>
<a class="ansibleOptionLink" href="#attribute-safe_file_operations" title="Permalink to this attribute"></a></div></td>
<td><div class="ansible-option-cell"><p><span class="ansible-attribute-support-label">Support: </span><span class="ansible-attribute-support-full">full</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>Uses Ansibles strict file operation functions to ensure proper permissions and avoid data corruption.</p>
</div></td>
</tr>
</tbody>
</table>
</section>
<section id="notes">
<h2><a class="toc-backref" href="#id5" role="doc-backlink">Notes</a><a class="headerlink" href="#notes" title="Permalink to this heading"></a></h2>
<div class="admonition note">
<p class="admonition-title">Note</p>
<ul class="simple">
<li><p>At least one of <code class="ansible-option docutils literal notranslate"><strong><a class="reference internal" href="#ansible-collections-community-crypto-acme-certificate-module-parameter-dest"><span class="std std-ref"><span class="pre">dest</span></span></a></strong></code> and <code class="ansible-option docutils literal notranslate"><strong><a class="reference internal" href="#ansible-collections-community-crypto-acme-certificate-module-parameter-fullchain-dest"><span class="std std-ref"><span class="pre">fullchain_dest</span></span></a></strong></code> must be specified.</p></li>
<li><p>This module includes basic account management functionality. If you want to have more control over your ACME account, use the <a class="reference internal" href="acme_account_module.html#ansible-collections-community-crypto-acme-account-module"><span class="std std-ref">community.crypto.acme_account</span></a> module and disable account management for this module using the <code class="ansible-option docutils literal notranslate"><strong><a class="reference internal" href="#ansible-collections-community-crypto-acme-certificate-module-parameter-modify-account"><span class="std std-ref"><span class="pre">modify_account</span></span></a></strong></code> option.</p></li>
<li><p>This module was called <code class="docutils literal notranslate"><span class="pre">letsencrypt</span></code> before Ansible 2.6. The usage did not change.</p></li>
<li><p>If a new enough version of the <code class="docutils literal notranslate"><span class="pre">cryptography</span></code> library is available (see Requirements for details), it will be used instead of the <code class="docutils literal notranslate"><span class="pre">openssl</span></code> binary. This can be explicitly disabled or enabled with the <code class="ansible-option docutils literal notranslate"><strong><a class="reference internal" href="#ansible-collections-community-crypto-acme-certificate-module-parameter-select-crypto-backend"><span class="std std-ref"><span class="pre">select_crypto_backend</span></span></a></strong></code> option. Note that using the <code class="docutils literal notranslate"><span class="pre">openssl</span></code> binary will be slower and less secure, as private key contents always have to be stored on disk (see <code class="ansible-option docutils literal notranslate"><strong><a class="reference internal" href="#ansible-collections-community-crypto-acme-certificate-module-parameter-account-key-content"><span class="std std-ref"><span class="pre">account_key_content</span></span></a></strong></code>).</p></li>
<li><p>Although the defaults are chosen so that the module can be used with the <a class="reference external" href="https://letsencrypt.org/">Lets Encrypt</a> CA, the module can in principle be used with any CA providing an ACME endpoint, such as <a class="reference external" href="https://www.buypass.com/ssl/products/acme">Buypass Go SSL</a>.</p></li>
<li><p>So far, the ACME modules have only been tested by the developers against Lets Encrypt (staging and production), Buypass (staging and production), ZeroSSL (production), and <a class="reference external" href="https://github.com/letsencrypt/Pebble">Pebble testing server</a>. We have got community feedback that they also work with Sectigo ACME Service for InCommon. If you experience problems with another ACME server, please <a class="reference external" href="https://github.com/ansible-collections/community.crypto/issues/new/choose">create an issue</a> to help us supporting it. Feedback that an ACME server not mentioned does work is also appreciated.</p></li>
</ul>
</div>
</section>
<section id="see-also">
<h2><a class="toc-backref" href="#id6" role="doc-backlink">See Also</a><a class="headerlink" href="#see-also" title="Permalink to this heading"></a></h2>
<div class="admonition seealso">
<p class="admonition-title">See also</p>
<dl class="simple">
<dt><a class="reference external" href="https://letsencrypt.org/docs/">The Lets Encrypt documentation</a></dt><dd><p>Documentation for the Lets Encrypt Certification Authority. Provides useful information for example on rate limits.</p>
</dd>
<dt><a class="reference external" href="https://www.buypass.com/ssl/products/acme">Buypass Go SSL</a></dt><dd><p>Documentation for the Buypass Certification Authority. Provides useful information for example on rate limits.</p>
</dd>
<dt><a class="reference external" href="https://tools.ietf.org/html/rfc8555">Automatic Certificate Management Environment (ACME)</a></dt><dd><p>The specification of the ACME protocol (RFC 8555).</p>
</dd>
<dt><a class="reference external" href="https://www.rfc-editor.org/rfc/rfc8737.html-05">ACME TLS ALPN Challenge Extension</a></dt><dd><p>The specification of the <code class="ansible-value docutils literal notranslate"><span class="pre">tls-alpn-01</span></code> challenge (RFC 8737).</p>
</dd>
<dt><a class="reference internal" href="acme_challenge_cert_helper_module.html#ansible-collections-community-crypto-acme-challenge-cert-helper-module"><span class="std std-ref">community.crypto.acme_challenge_cert_helper</span></a></dt><dd><p>Helps preparing <code class="ansible-value docutils literal notranslate"><span class="pre">tls-alpn-01</span></code> challenges.</p>
</dd>
<dt><a class="reference internal" href="openssl_privatekey_module.html#ansible-collections-community-crypto-openssl-privatekey-module"><span class="std std-ref">community.crypto.openssl_privatekey</span></a></dt><dd><p>Can be used to create private keys (both for certificates and accounts).</p>
</dd>
<dt><a class="reference internal" href="openssl_privatekey_pipe_module.html#ansible-collections-community-crypto-openssl-privatekey-pipe-module"><span class="std std-ref">community.crypto.openssl_privatekey_pipe</span></a></dt><dd><p>Can be used to create private keys without writing it to disk (both for certificates and accounts).</p>
</dd>
<dt><a class="reference internal" href="openssl_csr_module.html#ansible-collections-community-crypto-openssl-csr-module"><span class="std std-ref">community.crypto.openssl_csr</span></a></dt><dd><p>Can be used to create a Certificate Signing Request (CSR).</p>
</dd>
<dt><a class="reference internal" href="openssl_csr_pipe_module.html#ansible-collections-community-crypto-openssl-csr-pipe-module"><span class="std std-ref">community.crypto.openssl_csr_pipe</span></a></dt><dd><p>Can be used to create a Certificate Signing Request (CSR) without writing it to disk.</p>
</dd>
<dt><a class="reference internal" href="certificate_complete_chain_module.html#ansible-collections-community-crypto-certificate-complete-chain-module"><span class="std std-ref">community.crypto.certificate_complete_chain</span></a></dt><dd><p>Allows to find the root certificate for the returned fullchain.</p>
</dd>
<dt><a class="reference internal" href="acme_certificate_revoke_module.html#ansible-collections-community-crypto-acme-certificate-revoke-module"><span class="std std-ref">community.crypto.acme_certificate_revoke</span></a></dt><dd><p>Allows to revoke certificates.</p>
</dd>
<dt><a class="reference internal" href="acme_account_module.html#ansible-collections-community-crypto-acme-account-module"><span class="std std-ref">community.crypto.acme_account</span></a></dt><dd><p>Allows to create, modify or delete an ACME account.</p>
</dd>
<dt><a class="reference internal" href="acme_inspect_module.html#ansible-collections-community-crypto-acme-inspect-module"><span class="std std-ref">community.crypto.acme_inspect</span></a></dt><dd><p>Allows to debug problems.</p>
</dd>
</dl>
</div>
</section>
<section id="examples">
<h2><a class="toc-backref" href="#id7" role="doc-backlink">Examples</a><a class="headerlink" href="#examples" title="Permalink to this heading"></a></h2>
<div class="highlight-yaml+jinja notranslate"><div class="highlight"><pre><span></span><span class="c1">### Example with HTTP challenge ###</span>
<span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Create a challenge for sample.com using a account key from a variable.</span>
<span class="w"> </span><span class="nt">community.crypto.acme_certificate</span><span class="p">:</span>
<span class="w"> </span><span class="nt">account_key_content</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;</span><span class="cp">{{</span> <span class="nv">account_private_key</span> <span class="cp">}}</span><span class="s">&quot;</span>
<span class="w"> </span><span class="nt">csr</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/etc/pki/cert/csr/sample.com.csr</span>
<span class="w"> </span><span class="nt">dest</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/etc/httpd/ssl/sample.com.crt</span>
<span class="w"> </span><span class="nt">register</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">sample_com_challenge</span>
<span class="c1"># Alternative first step:</span>
<span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Create a challenge for sample.com using a account key from hashi vault.</span>
<span class="w"> </span><span class="nt">community.crypto.acme_certificate</span><span class="p">:</span>
<span class="w"> </span><span class="nt">account_key_content</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;</span><span class="cp">{{</span> <span class="nv">lookup</span><span class="o">(</span><span class="s1">&#39;hashi_vault&#39;</span><span class="o">,</span> <span class="s1">&#39;secret=secret/account_private_key:value&#39;</span><span class="o">)</span> <span class="cp">}}</span><span class="s">&quot;</span>
<span class="w"> </span><span class="nt">csr</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/etc/pki/cert/csr/sample.com.csr</span>
<span class="w"> </span><span class="nt">fullchain_dest</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/etc/httpd/ssl/sample.com-fullchain.crt</span>
<span class="w"> </span><span class="nt">register</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">sample_com_challenge</span>
<span class="c1"># Alternative first step:</span>
<span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Create a challenge for sample.com using a account key file.</span>
<span class="w"> </span><span class="nt">community.crypto.acme_certificate</span><span class="p">:</span>
<span class="w"> </span><span class="nt">account_key_src</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/etc/pki/cert/private/account.key</span>
<span class="w"> </span><span class="nt">csr_content</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;</span><span class="cp">{{</span> <span class="nv">lookup</span><span class="o">(</span><span class="s1">&#39;file&#39;</span><span class="o">,</span> <span class="s1">&#39;/etc/pki/cert/csr/sample.com.csr&#39;</span><span class="o">)</span> <span class="cp">}}</span><span class="s">&quot;</span>
<span class="w"> </span><span class="nt">dest</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/etc/httpd/ssl/sample.com.crt</span>
<span class="w"> </span><span class="nt">fullchain_dest</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/etc/httpd/ssl/sample.com-fullchain.crt</span>
<span class="w"> </span><span class="nt">register</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">sample_com_challenge</span>
<span class="c1"># perform the necessary steps to fulfill the challenge</span>
<span class="c1"># for example:</span>
<span class="c1">#</span>
<span class="c1"># - name: Copy http-01 challenge for sample.com</span>
<span class="c1"># ansible.builtin.copy:</span>
<span class="c1"># dest: /var/www/html/</span><span class="cp">{{</span> <span class="nv">sample_com_challenge</span><span class="o">[</span><span class="s1">&#39;challenge_data&#39;</span><span class="o">][</span><span class="s1">&#39;sample.com&#39;</span><span class="o">][</span><span class="s1">&#39;http-01&#39;</span><span class="o">][</span><span class="s1">&#39;resource&#39;</span><span class="o">]</span> <span class="cp">}}</span>
<span class="c1"># content: &quot;</span><span class="cp">{{</span> <span class="nv">sample_com_challenge</span><span class="o">[</span><span class="s1">&#39;challenge_data&#39;</span><span class="o">][</span><span class="s1">&#39;sample.com&#39;</span><span class="o">][</span><span class="s1">&#39;http-01&#39;</span><span class="o">][</span><span class="s1">&#39;resource_value&#39;</span><span class="o">]</span> <span class="cp">}}</span><span class="c1">&quot;</span>
<span class="c1"># when: sample_com_challenge is changed and &#39;sample.com&#39; in sample_com_challenge[&#39;challenge_data&#39;]</span>
<span class="c1">#</span>
<span class="c1"># Alternative way:</span>
<span class="c1">#</span>
<span class="c1"># - name: Copy http-01 challenges</span>
<span class="c1"># ansible.builtin.copy:</span>
<span class="c1"># dest: /var/www/</span><span class="cp">{{</span> <span class="nv">item.key</span> <span class="cp">}}</span><span class="c1">/</span><span class="cp">{{</span> <span class="nv">item.value</span><span class="o">[</span><span class="s1">&#39;http-01&#39;</span><span class="o">][</span><span class="s1">&#39;resource&#39;</span><span class="o">]</span> <span class="cp">}}</span>
<span class="c1"># content: &quot;</span><span class="cp">{{</span> <span class="nv">item.value</span><span class="o">[</span><span class="s1">&#39;http-01&#39;</span><span class="o">][</span><span class="s1">&#39;resource_value&#39;</span><span class="o">]</span> <span class="cp">}}</span><span class="c1">&quot;</span>
<span class="c1"># loop: &quot;</span><span class="cp">{{</span> <span class="nv">sample_com_challenge.challenge_data</span> <span class="o">|</span> <span class="nf">dict2items</span> <span class="cp">}}</span><span class="c1">&quot;</span>
<span class="c1"># when: sample_com_challenge is changed</span>
<span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Let the challenge be validated and retrieve the cert and intermediate certificate</span>
<span class="w"> </span><span class="nt">community.crypto.acme_certificate</span><span class="p">:</span>
<span class="w"> </span><span class="nt">account_key_src</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/etc/pki/cert/private/account.key</span>
<span class="w"> </span><span class="nt">csr</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/etc/pki/cert/csr/sample.com.csr</span>
<span class="w"> </span><span class="nt">dest</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/etc/httpd/ssl/sample.com.crt</span>
<span class="w"> </span><span class="nt">fullchain_dest</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/etc/httpd/ssl/sample.com-fullchain.crt</span>
<span class="w"> </span><span class="nt">chain_dest</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/etc/httpd/ssl/sample.com-intermediate.crt</span>
<span class="w"> </span><span class="nt">data</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;</span><span class="cp">{{</span> <span class="nv">sample_com_challenge</span> <span class="cp">}}</span><span class="s">&quot;</span>
<span class="c1">### Example with DNS challenge against production ACME server ###</span>
<span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Create a challenge for sample.com using a account key file.</span>
<span class="w"> </span><span class="nt">community.crypto.acme_certificate</span><span class="p">:</span>
<span class="w"> </span><span class="nt">account_key_src</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/etc/pki/cert/private/account.key</span>
<span class="w"> </span><span class="nt">account_email</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">myself@sample.com</span>
<span class="w"> </span><span class="nt">src</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/etc/pki/cert/csr/sample.com.csr</span>
<span class="w"> </span><span class="nt">cert</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/etc/httpd/ssl/sample.com.crt</span>
<span class="w"> </span><span class="nt">challenge</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">dns-01</span>
<span class="w"> </span><span class="nt">acme_directory</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">https://acme-v01.api.letsencrypt.org/directory</span>
<span class="w"> </span><span class="c1"># Renew if the certificate is at least 30 days old</span>
<span class="w"> </span><span class="nt">remaining_days</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">60</span>
<span class="w"> </span><span class="nt">register</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">sample_com_challenge</span>
<span class="c1"># perform the necessary steps to fulfill the challenge</span>
<span class="c1"># for example:</span>
<span class="c1">#</span>
<span class="c1"># - name: Create DNS record for sample.com dns-01 challenge</span>
<span class="c1"># community.aws.route53:</span>
<span class="c1"># zone: sample.com</span>
<span class="c1"># record: &quot;</span><span class="cp">{{</span> <span class="nv">sample_com_challenge.challenge_data</span><span class="o">[</span><span class="s1">&#39;sample.com&#39;</span><span class="o">][</span><span class="s1">&#39;dns-01&#39;</span><span class="o">]</span><span class="nv">.record</span> <span class="cp">}}</span><span class="c1">&quot;</span>
<span class="c1"># type: TXT</span>
<span class="c1"># ttl: 60</span>
<span class="c1"># state: present</span>
<span class="c1"># wait: true</span>
<span class="c1"># # Note: route53 requires TXT entries to be enclosed in quotes</span>
<span class="c1"># value: &quot;</span><span class="cp">{{</span> <span class="nv">sample_com_challenge.challenge_data</span><span class="o">[</span><span class="s1">&#39;sample.com&#39;</span><span class="o">][</span><span class="s1">&#39;dns-01&#39;</span><span class="o">]</span><span class="nv">.resource_value</span> <span class="o">|</span> <span class="nf">regex_replace</span><span class="o">(</span><span class="s1">&#39;^(.*)$&#39;</span><span class="o">,</span> <span class="s1">&#39;\&quot;\\1\&quot;&#39;</span><span class="o">)</span> <span class="cp">}}</span><span class="c1">&quot;</span>
<span class="c1"># when: sample_com_challenge is changed and &#39;sample.com&#39; in sample_com_challenge.challenge_data</span>
<span class="c1">#</span>
<span class="c1"># Alternative way:</span>
<span class="c1">#</span>
<span class="c1"># - name: Create DNS records for dns-01 challenges</span>
<span class="c1"># community.aws.route53:</span>
<span class="c1"># zone: sample.com</span>
<span class="c1"># record: &quot;</span><span class="cp">{{</span> <span class="nv">item.key</span> <span class="cp">}}</span><span class="c1">&quot;</span>
<span class="c1"># type: TXT</span>
<span class="c1"># ttl: 60</span>
<span class="c1"># state: present</span>
<span class="c1"># wait: true</span>
<span class="c1"># # Note: item.value is a list of TXT entries, and route53</span>
<span class="c1"># # requires every entry to be enclosed in quotes</span>
<span class="c1"># value: &quot;</span><span class="cp">{{</span> <span class="nv">item.value</span> <span class="o">|</span> <span class="nf">map</span><span class="o">(</span><span class="s1">&#39;regex_replace&#39;</span><span class="o">,</span> <span class="s1">&#39;^(.*)$&#39;</span><span class="o">,</span> <span class="s1">&#39;\&quot;\\1\&quot;&#39;</span> <span class="o">)</span> <span class="o">|</span> <span class="nf">list</span> <span class="cp">}}</span><span class="c1">&quot;</span>
<span class="c1"># loop: &quot;</span><span class="cp">{{</span> <span class="nv">sample_com_challenge.challenge_data_dns</span> <span class="o">|</span> <span class="nf">dict2items</span> <span class="cp">}}</span><span class="c1">&quot;</span>
<span class="c1"># when: sample_com_challenge is changed</span>
<span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Let the challenge be validated and retrieve the cert and intermediate certificate</span>
<span class="w"> </span><span class="nt">community.crypto.acme_certificate</span><span class="p">:</span>
<span class="w"> </span><span class="nt">account_key_src</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/etc/pki/cert/private/account.key</span>
<span class="w"> </span><span class="nt">account_email</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">myself@sample.com</span>
<span class="w"> </span><span class="nt">src</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/etc/pki/cert/csr/sample.com.csr</span>
<span class="w"> </span><span class="nt">cert</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/etc/httpd/ssl/sample.com.crt</span>
<span class="w"> </span><span class="nt">fullchain</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/etc/httpd/ssl/sample.com-fullchain.crt</span>
<span class="w"> </span><span class="nt">chain</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/etc/httpd/ssl/sample.com-intermediate.crt</span>
<span class="w"> </span><span class="nt">challenge</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">dns-01</span>
<span class="w"> </span><span class="nt">acme_directory</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">https://acme-v01.api.letsencrypt.org/directory</span>
<span class="w"> </span><span class="nt">remaining_days</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">60</span>
<span class="w"> </span><span class="nt">data</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;</span><span class="cp">{{</span> <span class="nv">sample_com_challenge</span> <span class="cp">}}</span><span class="s">&quot;</span>
<span class="w"> </span><span class="nt">when</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">sample_com_challenge is changed</span>
<span class="c1"># Alternative second step:</span>
<span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Let the challenge be validated and retrieve the cert and intermediate certificate</span>
<span class="w"> </span><span class="nt">community.crypto.acme_certificate</span><span class="p">:</span>
<span class="w"> </span><span class="nt">account_key_src</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/etc/pki/cert/private/account.key</span>
<span class="w"> </span><span class="nt">account_email</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">myself@sample.com</span>
<span class="w"> </span><span class="nt">src</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/etc/pki/cert/csr/sample.com.csr</span>
<span class="w"> </span><span class="nt">cert</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/etc/httpd/ssl/sample.com.crt</span>
<span class="w"> </span><span class="nt">fullchain</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/etc/httpd/ssl/sample.com-fullchain.crt</span>
<span class="w"> </span><span class="nt">chain</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/etc/httpd/ssl/sample.com-intermediate.crt</span>
<span class="w"> </span><span class="nt">challenge</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">tls-alpn-01</span>
<span class="w"> </span><span class="nt">remaining_days</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">60</span>
<span class="w"> </span><span class="nt">data</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;</span><span class="cp">{{</span> <span class="nv">sample_com_challenge</span> <span class="cp">}}</span><span class="s">&quot;</span>
<span class="w"> </span><span class="c1"># We use Let&#39;s Encrypt&#39;s ACME v2 endpoint</span>
<span class="w"> </span><span class="nt">acme_directory</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">https://acme-v02.api.letsencrypt.org/directory</span>
<span class="w"> </span><span class="nt">acme_version</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">2</span>
<span class="w"> </span><span class="c1"># The following makes sure that if a chain with /CN=DST Root CA X3 in its issuer is provided</span>
<span class="w"> </span><span class="c1"># as an alternative, it will be selected. These are the roots cross-signed by IdenTrust.</span>
<span class="w"> </span><span class="c1"># As long as Let&#39;s Encrypt provides alternate chains with the cross-signed root(s) when</span>
<span class="w"> </span><span class="c1"># switching to their own ISRG Root X1 root, this will use the chain ending with a cross-signed</span>
<span class="w"> </span><span class="c1"># root. This chain is more compatible with older TLS clients.</span>
<span class="w"> </span><span class="nt">select_chain</span><span class="p">:</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">test_certificates</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">last</span>
<span class="w"> </span><span class="nt">issuer</span><span class="p">:</span>
<span class="w"> </span><span class="nt">CN</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">DST Root CA X3</span>
<span class="w"> </span><span class="nt">O</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Digital Signature Trust Co.</span>
<span class="w"> </span><span class="nt">when</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">sample_com_challenge is changed</span>
</pre></div>
</div>
</section>
<section id="return-values">
<h2><a class="toc-backref" href="#id8" role="doc-backlink">Return Values</a><a class="headerlink" href="#return-values" title="Permalink to this heading"></a></h2>
<p>Common return values are documented <a class="reference external" href="https://docs.ansible.com/ansible/devel/reference_appendices/common_return_values.html#common-return-values" title="(in Ansible vdevel)"><span class="xref std std-ref">here</span></a>, the following are the fields unique to this module:</p>
<table class="ansible-option-table docutils align-default" style="width: 100%">
<thead>
<tr class="row-odd"><th class="head"><p>Key</p></th>
<th class="head"><p>Description</p></th>
</tr>
</thead>
<tbody>
<tr class="row-even"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="return-account_uri"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-return-account-uri"><strong>account_uri</strong></p>
<a class="ansibleOptionLink" href="#return-account_uri" title="Permalink to this return value"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>ACME account URI.</p>
<p class="ansible-option-line"><span class="ansible-option-returned-bold">Returned:</span> changed</p>
</div></td>
</tr>
<tr class="row-odd"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="return-all_chains"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-return-all-chains"><strong>all_chains</strong></p>
<a class="ansibleOptionLink" href="#return-all_chains" title="Permalink to this return value"></a><p class="ansible-option-type-line"><span class="ansible-option-type">list</span> / <span class="ansible-option-elements">elements=dictionary</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>When <code class="ansible-option docutils literal notranslate"><strong><a class="reference internal" href="#ansible-collections-community-crypto-acme-certificate-module-parameter-retrieve-all-alternates"><span class="std std-ref"><span class="pre">retrieve_all_alternates</span></span></a></strong></code> is set to <code class="ansible-value docutils literal notranslate"><span class="pre">true</span></code>, the module will query the ACME server for alternate chains. This return value will contain a list of all chains returned, the first entry being the main chain returned by the server.</p>
<p>See <a class="reference external" href="https://tools.ietf.org/html/rfc8555#section-7.4.2">Section 7.4.2 of RFC8555</a> for details.</p>
<p class="ansible-option-line"><span class="ansible-option-returned-bold">Returned:</span> when certificate was retrieved and <code class="ansible-option docutils literal notranslate"><strong><a class="reference internal" href="#ansible-collections-community-crypto-acme-certificate-module-parameter-retrieve-all-alternates"><span class="std std-ref"><span class="pre">retrieve_all_alternates</span></span></a></strong></code> is set to <code class="ansible-value docutils literal notranslate"><span class="pre">true</span></code></p>
</div></td>
</tr>
<tr class="row-even"><td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="return-all_chains/cert"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-return-all-chains-cert"><strong>cert</strong></p>
<a class="ansibleOptionLink" href="#return-all_chains/cert" title="Permalink to this return value"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell"><p>The leaf certificate itself, in PEM format.</p>
<p class="ansible-option-line"><span class="ansible-option-returned-bold">Returned:</span> always</p>
</div></td>
</tr>
<tr class="row-odd"><td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="return-all_chains/chain"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-return-all-chains-chain"><strong>chain</strong></p>
<a class="ansibleOptionLink" href="#return-all_chains/chain" title="Permalink to this return value"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell"><p>The certificate chain, excluding the root, as concatenated PEM certificates.</p>
<p class="ansible-option-line"><span class="ansible-option-returned-bold">Returned:</span> always</p>
</div></td>
</tr>
<tr class="row-even"><td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="return-all_chains/full_chain"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-return-all-chains-full-chain"><strong>full_chain</strong></p>
<a class="ansibleOptionLink" href="#return-all_chains/full_chain" title="Permalink to this return value"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell"><p>The certificate chain, excluding the root, but including the leaf certificate, as concatenated PEM certificates.</p>
<p class="ansible-option-line"><span class="ansible-option-returned-bold">Returned:</span> always</p>
</div></td>
</tr>
<tr class="row-odd"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="return-authorizations"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-return-authorizations"><strong>authorizations</strong></p>
<a class="ansibleOptionLink" href="#return-authorizations" title="Permalink to this return value"></a><p class="ansible-option-type-line"><span class="ansible-option-type">dictionary</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>ACME authorization data.</p>
<p>Maps an identifier to ACME authorization objects. See <a class="reference external" href="https://tools.ietf.org/html/rfc8555#section-7.1.4">https://tools.ietf.org/html/rfc8555#section-7.1.4</a>.</p>
<p class="ansible-option-line"><span class="ansible-option-returned-bold">Returned:</span> changed</p>
<p class="ansible-option-line ansible-option-sample"><span class="ansible-option-sample-bold">Sample:</span> <code class="ansible-option-sample docutils literal notranslate"><span class="pre">{&quot;example.com&quot;:</span> <span class="pre">{&quot;challenges&quot;:</span> <span class="pre">[{&quot;status&quot;:</span> <span class="pre">&quot;valid&quot;,</span> <span class="pre">&quot;token&quot;:</span> <span class="pre">&quot;A5b1C3d2E9f8G7h6&quot;,</span> <span class="pre">&quot;type&quot;:</span> <span class="pre">&quot;http-01&quot;,</span> <span class="pre">&quot;url&quot;:</span> <span class="pre">&quot;https://example.org/acme/challenge/12345&quot;,</span> <span class="pre">&quot;validated&quot;:</span> <span class="pre">&quot;2022-08-01T01:01:02.34Z&quot;}],</span> <span class="pre">&quot;expires&quot;:</span> <span class="pre">&quot;2022-08-04T01:02:03.45Z&quot;,</span> <span class="pre">&quot;identifier&quot;:</span> <span class="pre">{&quot;type&quot;:</span> <span class="pre">&quot;dns&quot;,</span> <span class="pre">&quot;value&quot;:</span> <span class="pre">&quot;example.com&quot;},</span> <span class="pre">&quot;status&quot;:</span> <span class="pre">&quot;valid&quot;,</span> <span class="pre">&quot;wildcard&quot;:</span> <span class="pre">false}}</span></code></p>
</div></td>
</tr>
<tr class="row-even"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="return-cert_days"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-return-cert-days"><strong>cert_days</strong></p>
<a class="ansibleOptionLink" href="#return-cert_days" title="Permalink to this return value"></a><p class="ansible-option-type-line"><span class="ansible-option-type">integer</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>The number of days the certificate remains valid.</p>
<p class="ansible-option-line"><span class="ansible-option-returned-bold">Returned:</span> success</p>
</div></td>
</tr>
<tr class="row-odd"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="return-challenge_data"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-return-challenge-data"><strong>challenge_data</strong></p>
<a class="ansibleOptionLink" href="#return-challenge_data" title="Permalink to this return value"></a><p class="ansible-option-type-line"><span class="ansible-option-type">list</span> / <span class="ansible-option-elements">elements=dictionary</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>Per identifier / challenge type challenge data.</p>
<p>Since Ansible 2.8.5, only challenges which are not yet valid are returned.</p>
<p class="ansible-option-line"><span class="ansible-option-returned-bold">Returned:</span> changed</p>
</div></td>
</tr>
<tr class="row-even"><td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="return-challenge_data/record"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-return-challenge-data-record"><strong>record</strong></p>
<a class="ansibleOptionLink" href="#return-challenge_data/record" title="Permalink to this return value"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell"><p>The full DNS records name for the challenge.</p>
<p class="ansible-option-line"><span class="ansible-option-returned-bold">Returned:</span> changed and challenge is <code class="ansible-value docutils literal notranslate"><span class="pre">dns-01</span></code></p>
<p class="ansible-option-line ansible-option-sample"><span class="ansible-option-sample-bold">Sample:</span> <code class="ansible-option-sample docutils literal notranslate"><span class="pre">&quot;_acme-challenge.example.com&quot;</span></code></p>
</div></td>
</tr>
<tr class="row-odd"><td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="return-challenge_data/resource"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-return-challenge-data-resource"><strong>resource</strong></p>
<a class="ansibleOptionLink" href="#return-challenge_data/resource" title="Permalink to this return value"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell"><p>The challenge resource that must be created for validation.</p>
<p class="ansible-option-line"><span class="ansible-option-returned-bold">Returned:</span> changed</p>
<p class="ansible-option-line ansible-option-sample"><span class="ansible-option-sample-bold">Sample:</span> <code class="ansible-option-sample docutils literal notranslate"><span class="pre">&quot;.well-known/acme-challenge/evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA&quot;</span></code></p>
</div></td>
</tr>
<tr class="row-even"><td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="return-challenge_data/resource_original"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-return-challenge-data-resource-original"><strong>resource_original</strong></p>
<a class="ansibleOptionLink" href="#return-challenge_data/resource_original" title="Permalink to this return value"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell"><p>The original challenge resource including type identifier for <code class="ansible-value docutils literal notranslate"><span class="pre">tls-alpn-01</span></code> challenges.</p>
<p class="ansible-option-line"><span class="ansible-option-returned-bold">Returned:</span> changed and <code class="ansible-option docutils literal notranslate"><strong><a class="reference internal" href="#ansible-collections-community-crypto-acme-certificate-module-parameter-challenge"><span class="std std-ref"><span class="pre">challenge</span></span></a></strong></code> is <code class="ansible-value docutils literal notranslate"><span class="pre">tls-alpn-01</span></code></p>
<p class="ansible-option-line ansible-option-sample"><span class="ansible-option-sample-bold">Sample:</span> <code class="ansible-option-sample docutils literal notranslate"><span class="pre">&quot;DNS:example.com&quot;</span></code></p>
</div></td>
</tr>
<tr class="row-odd"><td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="return-challenge_data/resource_value"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-return-challenge-data-resource-value"><strong>resource_value</strong></p>
<a class="ansibleOptionLink" href="#return-challenge_data/resource_value" title="Permalink to this return value"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell"><p>The value the resource has to produce for the validation.</p>
<p>For <code class="ansible-value docutils literal notranslate"><span class="pre">http-01</span></code> and <code class="ansible-value docutils literal notranslate"><span class="pre">dns-01</span></code> challenges, the value can be used as-is.</p>
<p>For <code class="ansible-value docutils literal notranslate"><span class="pre">tls-alpn-01</span></code> challenges, note that this return value contains a Base64 encoded version of the correct binary blob which has to be put into the acmeValidation x509 extension; see <a class="reference external" href="https://www.rfc-editor.org/rfc/rfc8737.html#section-3">https://www.rfc-editor.org/rfc/rfc8737.html#section-3</a> for details. To do this, you might need the <a class="reference external" href="https://docs.ansible.com/ansible/devel/collections/ansible/builtin/b64decode_filter.html#ansible-collections-ansible-builtin-b64decode-filter" title="(in Ansible vdevel)"><span class="xref std std-ref">ansible.builtin.b64decode</span></a> Jinja filter to extract the binary blob from this return value.</p>
<p class="ansible-option-line"><span class="ansible-option-returned-bold">Returned:</span> changed</p>
<p class="ansible-option-line ansible-option-sample"><span class="ansible-option-sample-bold">Sample:</span> <code class="ansible-option-sample docutils literal notranslate"><span class="pre">&quot;IlirfxKKXA...17Dt3juxGJ-PCt92wr-oA&quot;</span></code></p>
</div></td>
</tr>
<tr class="row-even"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="return-challenge_data_dns"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-return-challenge-data-dns"><strong>challenge_data_dns</strong></p>
<a class="ansibleOptionLink" href="#return-challenge_data_dns" title="Permalink to this return value"></a><p class="ansible-option-type-line"><span class="ansible-option-type">dictionary</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>List of TXT values per DNS record, in case challenge is <code class="ansible-value docutils literal notranslate"><span class="pre">dns-01</span></code>.</p>
<p>Since Ansible 2.8.5, only challenges which are not yet valid are returned.</p>
<p class="ansible-option-line"><span class="ansible-option-returned-bold">Returned:</span> changed</p>
</div></td>
</tr>
<tr class="row-odd"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="return-finalization_uri"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-return-finalization-uri"><strong>finalization_uri</strong></p>
<a class="ansibleOptionLink" href="#return-finalization_uri" title="Permalink to this return value"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>ACME finalization URI.</p>
<p class="ansible-option-line"><span class="ansible-option-returned-bold">Returned:</span> changed</p>
</div></td>
</tr>
<tr class="row-even"><td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="return-order_uri"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-return-order-uri"><strong>order_uri</strong></p>
<a class="ansibleOptionLink" href="#return-order_uri" title="Permalink to this return value"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
</div></td>
<td><div class="ansible-option-cell"><p>ACME order URI.</p>
<p class="ansible-option-line"><span class="ansible-option-returned-bold">Returned:</span> changed</p>
</div></td>
</tr>
</tbody>
</table>
<section id="authors">
<h3>Authors<a class="headerlink" href="#authors" title="Permalink to this heading"></a></h3>
<ul class="simple">
<li><p>Michael Gruener (&#64;mgruener)</p></li>
</ul>
</section>
<section id="collection-links">
<h3>Collection links<a class="headerlink" href="#collection-links" title="Permalink to this heading"></a></h3>
<p class="ansible-links">
<a href="https://github.com/ansible-collections/community.crypto/issues" aria-role="button" target="_blank" rel="noopener external">Issue Tracker</a>
<a href="https://github.com/ansible-collections/community.crypto" aria-role="button" target="_blank" rel="noopener external">Repository (Sources)</a>
<a href="https://github.com/ansible-collections/community.crypto/issues/new?assignees=&amp;labels=&amp;template=bug_report.md" aria-role="button" target="_blank" rel="noopener external">Submit a bug report</a>
<a href="https://github.com/ansible-collections/community.crypto/issues/new?assignees=&amp;labels=&amp;template=feature_request.md" aria-role="button" target="_blank" rel="noopener external">Request a feature</a>
<a href="./#communication-for-community-crypto" aria-role="button" target="_blank">Communication</a>
</p></section>
</section>
</section>
</div>
</div>
<footer><div class="rst-footer-buttons" role="navigation" aria-label="Footer">
<a href="acme_account_info_module.html" class="btn btn-neutral float-left" title="community.crypto.acme_account_info module Retrieves information on ACME accounts" accesskey="p" rel="prev"><span class="fa fa-arrow-circle-left" aria-hidden="true"></span> Previous</a>
<a href="acme_certificate_revoke_module.html" class="btn btn-neutral float-right" title="community.crypto.acme_certificate_revoke module Revoke certificates with the ACME protocol" accesskey="n" rel="next">Next <span class="fa fa-arrow-circle-right" aria-hidden="true"></span></a>
</div>
<hr/>
<div role="contentinfo">
<p>&#169; Copyright Community.Crypto Contributors.</p>
</div>
</footer>
</div>
</div>
</section>
</div>
<script>
jQuery(function () {
SphinxRtdTheme.Navigation.enable(true);
});
</script><!-- extra footer elements for Ansible beyond RTD Sphinx Theme -->
</body>
</html>