felixfontein.acme.account_key_rollover role – Do account key rollover

Note

This role is part of the felixfontein.acme collection (version 0.8.1).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it use: ansible-galaxy collection install felixfontein.acme.

To use it in a playbook, specify: felixfontein.acme.account_key_rollover.

Entry point main – Do account key rollover

New in felixfontein.acme 0.1.0

Synopsis

  • This is a role which can use any CA supporting the ACME protocol, such as Let’s Encrypt, Buypass or ZeroSSL, to rekey ACME account keys.

  • This role will create a backup copy of the existing account key if requested to do so, re-create the account key, and then roll over the ACME account to the new key.

Parameters

acme_certificate_account_algorithm (string)

  The algorithm used for creating the account key.

  The default is rsa for an RSA key.

  Other choices are p-256, p-384 or p-521 for the NIST elliptic curves prime256v1, secp384r1 and secp521r1, respectively.

  Choices:

    • "rsa" ← (default)
    • "p-256"
    • "p-384"
    • "p-521"

acme_certificate_account_key_backup (boolean)

  Whether to create a backup of the old account key before rolling over.

  Choices:

    • false
    • true ← (default)

acme_certificate_account_key_length (integer)

  The bit size to use for RSA private keys.

  Should not be less than 2048. Values above 4096 might also not be supported by every ACME CA.

  Default: 4096

acme_certificate_account_key_sops_encrypted (boolean)

  Use Mozilla sops to encrypt the private key. Needs a .sops.yaml file inside the directory containing the account key or somewhere up the directory chain.

  Choices:

    • false ← (default)
    • true

acme_certificate_acme_account (string)

  Path to the private ACME account key.

acme_certificate_acme_account_uri (string)

  Instead of determining the account URI from the account key, assume the given account URI.

acme_certificate_acme_directory (string)

  The ACME directory to use.

  Default is https://acme-v02.api.letsencrypt.org/directory, which is the current production ACME v2 endpoint of Let’s Encrypt.

  Default: "https://acme-v02.api.letsencrypt.org/directory"

acme_certificate_acme_version (integer)

  The ACME directory’s version.

  Default: 2
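A playbook that runs this role, added here as an illustration and not taken from the collection's own documentation. It rolls the Let’s Encrypt account over to a fresh P-256 key, keeps a backup of the old key, and stores the new key sops-encrypted. The key path keys/acme-account.key and the presence of a .sops.yaml in that directory are assumptions for the example.

```yaml
---
# Added example (not part of the felixfontein.acme docs). Assumes the ACME
# account key is at keys/acme-account.key (hypothetical path) and that a
# .sops.yaml with recipients exists in keys/ or a parent directory, since
# acme_certificate_account_key_sops_encrypted requires one.
- name: Roll over the ACME account key to a new P-256 key
  hosts: localhost
  connection: local
  gather_facts: false
  roles:
    - role: felixfontein.acme.account_key_rollover
      vars:
        # Existing account key; the role re-creates it and rolls the account over.
        acme_certificate_acme_account: keys/acme-account.key
        # Keep a copy of the old key until the rollover is confirmed.
        acme_certificate_account_key_backup: true
        # New key type; use "rsa" with acme_certificate_account_key_length
        # (not below 2048) if the CA does not accept EC account keys.
        acme_certificate_account_algorithm: p-256
        # Encrypt the new key at rest with Mozilla sops.
        acme_certificate_account_key_sops_encrypted: true
        # Production Let's Encrypt ACME v2 endpoint (the role's default).
        acme_certificate_acme_directory: https://acme-v02.api.letsencrypt.org/directory
        acme_certificate_acme_version: 2
```

Because the rollover replaces the key the account is identified by, run it from the one place that holds the account key and make sure the backup (or the new key) is in version control or a secret store before any other host uses the account again.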

Authors

  • Felix Fontein (@felixfontein)