Hi,

> It appears that the first example in the docs has this error:
> https://docs.ansible.com/ansible/latest/collections/community/crypto/acme_certificate_module.html#acme-certificate-module
oh, indeed! Thanks for spotting that! I've created a PR to fix it (https://github.com/ansible-collections/community.crypto/pull/382).

> So with that solved, I'm left with the problem where challenge_data
> is empty even if I specify remaining_days: 91 . I also tried adding
> force: yes or force: true
>
> In the object created by acme_challenge task, I see that cert_days is
> 89
>
> It works if I delete the /etc/letsencrypt directory, which includes
> the account key, certs, csr, etc (so basically we're starting over
> from scratch). That's not how it should be done :)
> I only really care if it works when it gets to under 30 days. This is
> just for testing.
>
> Here is my play from the top all the way down to the first run of
> acme_certificate
>
> ---
> - hosts: fms
>   become: true
>   tasks:
>
>   - name: "Create required directories in /etc/letsencrypt"
>     file:
>       path: "/etc/letsencrypt/{{ item }}"
>       state: directory
>       owner: root
>       group: root
>       mode: u=rwx,g=x,o=x
>     with_items:
>       - account
>       - certs
>       - csrs
>       - keys
>
>   - name: "Generate a Let's Encrypt account key"
>     shell: "if [ ! -f {{ letsencrypt_account_key }} ]; then openssl genrsa 4096 | sudo tee {{ letsencrypt_account_key }}; fi"

BTW, you can use `creates:` to avoid having to use the `if` construct (https://docs.ansible.com/ansible/latest/collections/ansible/builtin/shell_module.html#parameter-creates).

>   - name: "Generate Let's Encrypt private key"
>     shell: "openssl genrsa 4096 | sudo tee /etc/letsencrypt/keys/{{ inventory_hostname }}.key"
>
>   - name: "Generate Let's Encrypt CSR"
>     shell: "openssl req -new -sha256 -key /etc/letsencrypt/keys/{{ inventory_hostname }}.key -subj \"/CN={{ inventory_hostname }}\" | sudo tee /etc/letsencrypt/csrs/{{ inventory_hostname }}.csr"
>     args:
>       executable: /bin/bash

Also you might be interested in using the openssl_privatekey module to create the private keys, and the openssl_csr module to create the CSR.
>   - name: "Begin Let's Encrypt challenges"
>     acme_certificate:
>       acme_directory: "{{ acme_directory }}"
>       acme_version: "{{ acme_version }}"
>       account_key_src: "{{ letsencrypt_account_key }}"
>       account_email: "{{ acme_email }}"
>       terms_agreed: 1
>       challenge: "{{ acme_challenge_type }}"
>       csr: "{{ letsencrypt_csrs_dir }}/{{ inventory_hostname }}.csr"
>       dest: "{{ letsencrypt_certs_dir }}/{{ inventory_hostname }}.crt"
>       fullchain_dest: "{{ letsencrypt_certs_dir }}/fullchain_{{ inventory_hostname }}.crt"
>       remaining_days: 91
>       force: yes
>     register: acme_challenge_mydomain

This looks correct so far. I guess afterwards you have the copy task, and then another acme_certificate task. Which `when:` condition are you using for the latter? I hope only `when: acme_challenge_mydomain is changed` and not the same condition as for the copy task. (The copy task is not always necessary - Let's Encrypt is caching valid authorizations for some days -, but the other acme_certificate needs to be run if you want a certificate.)

Cheers,
Felix

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/20220118220008.1ce8db5d%40rovaniemi.
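The following play is an added example and is not part of Felix's reply or the original poster's play. It puts together the three suggestions from the thread: `creates:` instead of the `if [ ! -f ... ]` wrapper, `openssl_privatekey`/`openssl_csr` instead of shelling out to `openssl`, and a second `acme_certificate` task gated only on `when: acme_challenge_mydomain is changed`, with the copy task gated separately on challenge data actually being present (it is empty when Let's Encrypt still holds a valid cached authorization). It assumes the variables used in the quoted play (`letsencrypt_account_key`, `letsencrypt_csrs_dir`, `letsencrypt_certs_dir`, `acme_directory`, `acme_version`, `acme_email`), an http-01 challenge served from a webroot, and a placeholder `webroot` path; `remaining_days` is set to 30 to match the poster's stated goal.

```yaml
---
# Added example, not from the thread. Assumes the variables from the quoted
# play and an http-01 challenge; the webroot path is a placeholder.
- hosts: fms
  become: true
  vars:
    acme_challenge_type: http-01
    webroot: /var/www/html   # placeholder: your web server's document root
  tasks:
    - name: "Generate a Let's Encrypt account key (only if it does not exist yet)"
      ansible.builtin.shell: "openssl genrsa 4096 > {{ letsencrypt_account_key }}"
      args:
        creates: "{{ letsencrypt_account_key }}"   # replaces the 'if [ ! -f ... ]' wrapper

    - name: "Generate the server private key (idempotent, no shell needed)"
      community.crypto.openssl_privatekey:
        path: "/etc/letsencrypt/keys/{{ inventory_hostname }}.key"
        type: RSA
        size: 4096
        mode: "0600"

    - name: "Generate the CSR from that key"
      community.crypto.openssl_csr:
        path: "{{ letsencrypt_csrs_dir }}/{{ inventory_hostname }}.csr"
        privatekey_path: "/etc/letsencrypt/keys/{{ inventory_hostname }}.key"
        common_name: "{{ inventory_hostname }}"

    - name: "Begin Let's Encrypt challenges"
      community.crypto.acme_certificate:
        acme_directory: "{{ acme_directory }}"
        acme_version: "{{ acme_version }}"
        account_key_src: "{{ letsencrypt_account_key }}"
        account_email: "{{ acme_email }}"
        terms_agreed: true
        challenge: "{{ acme_challenge_type }}"
        csr: "{{ letsencrypt_csrs_dir }}/{{ inventory_hostname }}.csr"
        dest: "{{ letsencrypt_certs_dir }}/{{ inventory_hostname }}.crt"
        fullchain_dest: "{{ letsencrypt_certs_dir }}/fullchain_{{ inventory_hostname }}.crt"
        remaining_days: 30
      register: acme_challenge_mydomain

    # challenge_data is empty when Let's Encrypt still has a valid cached
    # authorization for the name, so this task is conditional on the data
    # being present, not merely on the previous task having changed.
    - name: "Publish the http-01 challenge file"
      ansible.builtin.copy:
        dest: "{{ webroot }}/{{ acme_challenge_mydomain.challenge_data[inventory_hostname]['http-01'].resource }}"
        content: "{{ acme_challenge_mydomain.challenge_data[inventory_hostname]['http-01'].resource_value }}"
      when:
        - acme_challenge_mydomain is changed
        - inventory_hostname in acme_challenge_mydomain.challenge_data

    # This task must run whenever the first acme_certificate task changed,
    # regardless of whether any challenge file had to be published.
    - name: "Complete the challenges and fetch the certificate"
      community.crypto.acme_certificate:
        acme_directory: "{{ acme_directory }}"
        acme_version: "{{ acme_version }}"
        account_key_src: "{{ letsencrypt_account_key }}"
        account_email: "{{ acme_email }}"
        terms_agreed: true
        challenge: "{{ acme_challenge_type }}"
        csr: "{{ letsencrypt_csrs_dir }}/{{ inventory_hostname }}.csr"
        dest: "{{ letsencrypt_certs_dir }}/{{ inventory_hostname }}.crt"
        fullchain_dest: "{{ letsencrypt_certs_dir }}/fullchain_{{ inventory_hostname }}.crt"
        remaining_days: 30
        data: "{{ acme_challenge_mydomain }}"
      when: acme_challenge_mydomain is changed
```

The key point is the split between the two `when:` conditions: the copy task only makes sense when there is challenge data to publish, whereas the second `acme_certificate` call is what actually obtains the certificate and must run every time the first call reported a change, even when `challenge_data` came back empty.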
