This is an ansible role for transfering the certificate between a host that organizes the signing with Let's Encrypt and the (this) host which hosts the service (mail, jabber, what ever..). This role is to be run on the service side, getting the certificates from the remote end where the signing was requested.

Why we do not use one of the existing roles?

• For the first reason read the section "Promise" below. We need something reliable.
• This role will be used by maestro and must follow the logic used there. (Of course, the role can be used without maestro..)

preSTABLE (Feature-Freeze/RC)

Sure, this role may change in the future, but we will only expand features to not break backwards compatibility.

If radical changes should become necessary, a new role will be created, probably with an 'ng' or version suffix...

• Ansible >2.0
• Python2/3 on target host
• Generic UNIX with FHS

• app__acme__home - optional, default='/var/lib/acme'
• app__acme__config_dir - optional, default='/etc/ssl/acme'
• app__acme__scripts_dir - optional, default='/etc/ssl/acme/scripts'
• app__acme__bin_dir - optional, default='/usr/local/bin'
• app__acme__domain - optional, default=[ {domain='example.com'} ]
• app__acme__letsencrypt_certs - optional, default=[ {url='https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem', file='intermediate.crt'}, {url='https://letsencrypt.org/certs/isrgrootx1.pem', file='ca.crt'} ]
• app__acme__cron_minute - optional, default='55'
• app__acme__cron_hour - optional, default='4'
• app__acme__cron_day - optional, default='*'
• app__acme__cron_month - optional, default='*'
• app__acme__cron_year - optional, default='*'
• fqdn - optional, default={{ ansible_fqdn | d(inventory_hostname ) }}

• inofix.acme-request
• (inofix.acme-setup)

- hosts: servers
  roles:
     - inofix.acme-proxy

(See inofix.acme-setup)

GPLv3

• Michael Lustenberger at inofix.ch