Thanks - I'm understanding much better now.

The presence of challenge data is not necessarily required for certificate 
renewal: if previous challenge data is still valid, you can just skip the 
copy step and the second run will install a new certificate.

If no certificate is needed because remaining_days is lower than cert_days, 
the first run will return changed=false and the second run doesn't need to 
run.

I will also take your advice and implement creates: and the 
openssl_privatekey and openssl_csr modules!

Thanks for all your help!

On Tuesday, January 18, 2022 at 4:00:25 p.m. UTC-5 Felix Fontein wrote:

> Hi,
>
> > It appears that the first example in the docs has this error:
> > https://docs.ansible.com/ansible/latest/collections/community/crypto/acme_certificate_module.html#acme-certificate-module
>
> oh, indeed! Thanks for spotting that! I've created a PR to fix it
> (https://github.com/ansible-collections/community.crypto/pull/382).
>
> > So with that solved, I'm left with the problem where challenge_data
> > is empty even if I specify remaining_days: 91 . I also tried adding
> > force: yes or force: true
> > 
> > In the object created by acme_challenge task, I see that cert_days is
> > 89
> > 
> > It works if I delete the /etc/letsencrypt directory, which includes
> > the account key, certs, csr, etc (so basically we're starting over
> > from scratch).
>
> That's not how it should be done :)
>
> > I only really care if it works when it gets to under 30 days. This is
> > just for testing.
> > 
> > Here is my play from the top all the way down to the first run of 
> > acme_certificate
> > 
> > ---
> > - hosts: fms
> >   become: true
> >   tasks:
> > 
> >   - name: "Create required directories in /etc/letsencrypt"
> >     file:
> >       path: "/etc/letsencrypt/{{ item }}"
> >       state: directory
> >       owner: root
> >       group: root
> >       mode: u=rwx,g=x,o=x
> >     with_items:
> >     - account
> >     - certs
> >     - csrs
> >     - keys
> > 
> >   - name: "Generate a Let's Encrypt account key"
> >     shell: "if [ ! -f {{ letsencrypt_account_key }} ]; then openssl genrsa 4096 | sudo tee {{ letsencrypt_account_key }}; fi"
>
> BTW, you can use `creates:` to avoid having to use the `if` construct
> (https://docs.ansible.com/ansible/latest/collections/ansible/builtin/shell_module.html#parameter-creates).
>
> >   - name: "Generate Let's Encrypt private key"
> >     shell: "openssl genrsa 4096 | sudo tee /etc/letsencrypt/keys/{{ inventory_hostname }}.key"
> > 
> >   - name: "Generate Let's Encrypt CSR"
> >     shell: "openssl req -new -sha256 -key /etc/letsencrypt/keys/{{ inventory_hostname }}.key -subj \"/CN={{ inventory_hostname }}\" | sudo tee /etc/letsencrypt/csrs/{{ inventory_hostname }}.csr"
> >     args:
> >       executable: /bin/bash
>
> Also you might be interested in using the openssl_privatekey module to
> create the private keys, and the openssl_csr module to create the CSR.
>
> >   - name: "Begin Let's Encrypt challenges"
> >     acme_certificate:
> >       acme_directory: "{{ acme_directory }}"
> >       acme_version: "{{ acme_version }}"
> >       account_key_src: "{{ letsencrypt_account_key }}"
> >       account_email: "{{ acme_email }}"
> >       terms_agreed: 1
> >       challenge: "{{ acme_challenge_type }}"
> >       csr: "{{ letsencrypt_csrs_dir }}/{{ inventory_hostname }}.csr"
> >       dest: "{{ letsencrypt_certs_dir }}/{{ inventory_hostname }}.crt"
> >       fullchain_dest: "{{ letsencrypt_certs_dir }}/fullchain_{{ inventory_hostname }}.crt"
> >       remaining_days: 91
> >       force: yes
> >     register: acme_challenge_mydomain
>
> This looks correct so far.
>
> I guess afterwards you have the copy task, and then another
> acme_certificate task. Which `when:` condition are you using for the
> latter? I hope only `when: acme_challenge_mydomain is changed` and not
> the same condition as for the copy task.
>
> (The copy task is not always necessary - Let's Encrypt is caching valid
> authorizations for some days -, but the other acme_certificate needs to
> be run if you want a certificate.)
>
> Cheers,
> Felix
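A complete two-run playbook that applies the advice exchanged in this thread (idempotent openssl_privatekey and openssl_csr tasks in place of the shell/if constructs, and `when: ... is changed` gating both the copy task and the second acme_certificate run on the first run). This is an added example, not code from the thread or from the community.crypto project; it assumes an `acme_email` variable, the http-01 challenge and a web root of /var/www/html served for the host.

```yaml
---
- hosts: fms
  become: true
  tasks:
    # openssl_privatekey only creates a key when the file is missing, which
    # replaces the "if [ ! -f ... ]" shell wrapper (same effect as creates:).
    - name: Create account key and certificate key if they do not exist yet
      community.crypto.openssl_privatekey:
        path: "{{ item }}"
        size: 4096
      loop:
        - /etc/letsencrypt/account/account.key
        - "/etc/letsencrypt/keys/{{ inventory_hostname }}.key"

    - name: Create the CSR from the certificate key
      community.crypto.openssl_csr:
        path: "/etc/letsencrypt/csrs/{{ inventory_hostname }}.csr"
        privatekey_path: "/etc/letsencrypt/keys/{{ inventory_hostname }}.key"
        common_name: "{{ inventory_hostname }}"

    # First run: reports changed (and fills challenge_data) only when the
    # existing certificate is missing or has fewer than remaining_days left.
    - name: Begin Let's Encrypt challenges
      community.crypto.acme_certificate: &acme_args
        acme_directory: https://acme-v02.api.letsencrypt.org/directory
        acme_version: 2
        account_key_src: /etc/letsencrypt/account/account.key
        account_email: "{{ acme_email }}"   # assumed variable
        terms_agreed: true
        challenge: http-01
        csr: "/etc/letsencrypt/csrs/{{ inventory_hostname }}.csr"
        dest: "/etc/letsencrypt/certs/{{ inventory_hostname }}.crt"
        fullchain_dest: "/etc/letsencrypt/certs/fullchain_{{ inventory_hostname }}.crt"
        remaining_days: 30
      register: acme_challenge

    # Publish tokens only when there is something to validate; challenge_data
    # can be empty when Let's Encrypt still caches a valid authorization.
    - name: Publish http-01 challenge tokens (web root is an assumption)
      ansible.builtin.copy:
        dest: "/var/www/html/{{ item.value['http-01']['resource'] }}"
        content: "{{ item.value['http-01']['resource_value'] }}"
      with_dict: "{{ acme_challenge.challenge_data | default({}) }}"
      when: acme_challenge is changed

    # Second run: same arguments plus data, gated on the FIRST run rather than
    # on the copy task, so a cached authorization still yields a certificate.
    - name: Validate challenges and install the certificate
      community.crypto.acme_certificate:
        <<: *acme_args
        data: "{{ acme_challenge }}"
      when: acme_challenge is changed
```

When the certificate still has more than 30 days left, the first task returns changed=false and both later tasks are skipped, which is the idle-run behaviour described above.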

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/a5ec4600-41ad-4fee-a8e6-8bd97d1b5576n%40googlegroups.com.