--- ## SET UP ACCOUNT KEYS ######################################################################## - block: - name: Generate account keys openssl_privatekey: path: "{{ remote_tmp_dir }}/{{ item.name }}.pem" type: "{{ item.type }}" size: "{{ item.size | default(omit) }}" curve: "{{ item.curve | default(omit) }}" force: true loop: "{{ account_keys }}" vars: account_keys: - name: account-ec256 type: ECC curve: secp256r1 - name: account-ec384 type: ECC curve: secp384r1 - name: account-rsa type: RSA size: "{{ default_rsa_key_size }}" ## CREATE ACCOUNTS AND OBTAIN CERTIFICATES #################################################### - name: Read account key (EC256) slurp: src: '{{ remote_tmp_dir }}/account-ec256.pem' register: slurp_account_key - name: Obtain cert 1 include_tasks: obtain-cert.yml vars: certgen_title: Certificate 1 for revocation certificate_name: cert-1 key_type: rsa rsa_bits: "{{ default_rsa_key_size }}" subject_alt_name: "DNS:example.com" subject_alt_name_critical: no account_key_content: "{{ slurp_account_key.content | b64decode }}" challenge: http-01 modify_account: yes deactivate_authzs: no force: no remaining_days: 10 terms_agreed: yes account_email: "example@example.org" - name: Obtain cert 2 include_tasks: obtain-cert.yml vars: certgen_title: Certificate 2 for revocation certificate_name: cert-2 certificate_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else '' }}" key_type: ec256 subject_alt_name: "DNS:*.example.com" subject_alt_name_critical: yes account_key: account-ec384 challenge: dns-01 modify_account: yes deactivate_authzs: yes force: no remaining_days: 10 terms_agreed: yes account_email: "example@example.org" - name: Obtain cert 3 include_tasks: obtain-cert.yml vars: certgen_title: Certificate 3 for revocation certificate_name: cert-3 key_type: ec384 subject_alt_name: "DNS:t1.example.com" subject_alt_name_critical: no account_key: account-rsa challenge: dns-01 modify_account: yes deactivate_authzs: no force: no remaining_days: 10 terms_agreed: yes account_email: "example@example.org" ## REVOKE CERTIFICATES ######################################################################## - name: Revoke certificate 1 via account key acme_certificate_revoke: select_crypto_backend: "{{ select_crypto_backend }}" account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem" certificate: "{{ remote_tmp_dir }}/cert-1.pem" acme_version: 2 acme_directory: https://{{ acme_host }}:14000/dir validate_certs: no ignore_errors: yes register: cert_1_revoke - name: Revoke certificate 2 via certificate private key acme_certificate_revoke: select_crypto_backend: "{{ select_crypto_backend }}" private_key_src: "{{ remote_tmp_dir }}/cert-2.key" private_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}" certificate: "{{ remote_tmp_dir }}/cert-2.pem" acme_version: 2 acme_directory: https://{{ acme_host }}:14000/dir validate_certs: no ignore_errors: yes register: cert_2_revoke - name: Read account key (RSA) slurp: src: '{{ remote_tmp_dir }}/account-rsa.pem' register: slurp_account_key - name: Revoke certificate 3 via account key (fullchain) acme_certificate_revoke: select_crypto_backend: "{{ select_crypto_backend }}" account_key_content: "{{ slurp_account_key.content | b64decode }}" certificate: "{{ remote_tmp_dir }}/cert-3-fullchain.pem" acme_version: 2 acme_directory: https://{{ acme_host }}:14000/dir validate_certs: no ignore_errors: yes register: cert_3_revoke