
WIP: add acmebot role

Closed Lars Beckers requested to merge acmebot into master
66 files
+ 1176
178
+ 223
0
---
acmebot_account_mail: "{{ adminaddr }}"
acmebot_after_nginx_proxy: true
acmebot_settings: {}
acmebot_default_settings:
log_level: "detail"
color_output: true
acme_directory_url: "https://acme-v02.api.letsencrypt.org/directory"
public_suffix_list_url: "https://publicsuffix.org/list/public_suffix_list.dat"
ocsp_responder_urls:
- "http://ocsp.int-x3.letsencrypt.org"
reload_zone_command: null
nsupdate_command: null
hpkp_report_uri: null
ct_submit_logs:
- "google_icarus"
- "google_pilot"
file_user: root
file_group: ssl-cert
# TODO default to both key types or single one? default to non-/custom params?
key_size: 4096 # null to turn off RSA certificates
key_curve: "secp384r1" # null to turn off ECDSA certificates
key_cipher: null
key_passphrase: null # null to turn off private key encryption
dhparam_size: 2048 # null to turn off custom dhparams
ecparam_curve: "secp384r1" # null to turn off custom EC params
follower_mode: false
ocsp_must_staple: false # application support isn't good enough
auto_rollover: true # must be false on followers
pin_subdomains: false
verify: null # e.g. [443]
services: null # e.g. [nginx-proxy]
hpkp_days: 60
renewal_days: 30
expiration_days: 730
max_dns_lookup_attempts: 60
dns_lookup_delay: 10
max_domains_per_order: 100
max_authorization_attempts: 30
authorization_delay: 10
cert_poll_time: 30
max_ocsp_verify_attempts: 10
ocsp_verify_retry_delay: 5
min_run_delay: 300
max_run_delay: 3600
# can be empty string, e.g. when using only one key type
acmebot_key_suffixes: {}
acmebot_default_key_suffixes:
rsa: ".rsa"
ecdsa: ".ecdsa"
# format strings with: name (of privkey or cert), key_type, suffix, server
# http_challenge uses: zone, host (without zone, "." if fqdn == zone), fqdn
# if http_challenge is set, defaults to http-01
# set to null for specified certs to use dns-01 for those
acmebot_directories: {}
acmebot_default_directories:
pid: "/run"
log: "/var/log/acmebot"
resource: "/var/lib/acmebot"
temp: null
# TODO layout equivalent to acmetool
private_key: /etc/ssl/acmebot/privkey
backup_key: /etc/ssl/acmebot/backup_privkey
previous_key: null
full_key: /etc/ssl/acmebot/full_privkey # maybe null to turn off
certificate: /etc/ssl/acmebot/cert
full_certificate: /etc/ssl/acmebot/full_cert # maybe null
chain: /etc/ssl/acmebot/chain # maybe null
param: /etc/ssl/acmebot/params # maybe null
challenge: /etc/ssl/acmebot/challenges # for dns-01 only
http_challenge: /var/www/acme-challenge # maybe null
hpkp: /etc/ssl/acmebot/hpkp # maybe null
ocsp: /etc/ssl/acmebot/ocsp # maybe null
sct: "/etc/ssl/acmebot/scts/{name}/{key_type}" # maybe null
update_key: /etc/ssl/acmebot/update_keys
archive: /etc/ssl/acmebot/archive
# format strings with: name (of privkey or cert), key_type, suffix, server
acmebot_file_names: {}
acmebot_default_file_names:
log: "acmebot.log"
# TODO layout equivalent to acmetool
private_key: "{name}{suffix}.key"
backup_key: "{name}_backup{suffix}.key"
previous_key: "{name}_previous{suffix}.key"
full_key: "{name}_full{suffix}.key"
certificate: "{name}{suffix}.pem"
full_certificate: "{name}+root{suffix}.pem"
chain: "{name}_chain{suffix}.pem"
param: "{name}_param.pem"
challenge: "{name}"
hpkp: "{name}.{server}"
ocsp: "{name}{suffix}.ocsp"
sct: "{ct_log_name}.sct"
# override with null
acmebot_hpkp_headers: {}
acmebot_default_hpkp_headers:
apache: "Header always set Public-Key-Pins \"{header}\"\n"
nginx: "add_header Public-Key-Pins \"{header}\" always;\n"
acmebot_services: {}
acmebot_default_services:
dovecot: "systemctl restart dovecot"
mysql: "systemctl reload mysql"
nginx: "systemctl reload nginx"
nginx-proxy: "systemctl reload nginx-proxy"
postfix: "systemctl reload postfix"
postgresql: "systemctl reload postgresql"
prosody: "systemctl restart prosody"
# authorizations to maintain without certficates (e.g. for master/follower)
acmebot_authorizations: {}
# <zone-name>:
# - <host-name>
# - <host-name>
# when global http_challenges directory set: use null to revert back to dns-01
# else: override dns-01 default with http-01 per domain
acmebot_http_challenges: {}
# <domain-name>: <challenge-directory>
# for doing DNSSEC manually, specify TSIG keys
acmebot_zone_update_keys: {}
# when using HPKP it may be beneficial to share private keys between certs
# this dict contains multiple certificate sections per private key,
# all key-specific config moved up
acmebot_private_keys: {}
acmebot_certificates: {}
# <certificate-name>:
# common_name: <common-name>
# alt_names:
# <zone-name>:
# - "@",
# - <host-name>
# services:
# - <service-name>
# tlsa_records:
# <zone-name>:
# - <host-name>
# - host: <host-name>
# port: <port-number>
# usage: pkix-ee
# selector: spki
# protocol: tcp
# ttl: 300
# dhparam_size: 2048
# ecparam_curve: secp384r1
# key_types:
# - rsa
# - ecdsa
# key_size: 4096
# key_curve: secp384r1
# key_cipher: blowfish
# key_passphrase:
# expiration_days: 730
# auto_rollover: false
# hpkp_days: 30
# pin_subdomains: true
# hpkp_report_uri:
# ocsp_must_staple: false
# ocsp_responder_urls:
# - "http://ocsp.int-x3.letsencrypt.org"
# ct_submit_logs:
# - google_icarus
# - google_pilot
# verify:
# - 443,
# - port: 25
# hosts:
# - <domain-name>
# - <domain-name>
# starttls: smtp
# key_types:
# - rsa
# - ecdsa
# all empty per default, see README for possible hook names
acmebot_hooks: {}
# see also: https://www.certificate-transparency.org/known-logs
acmebot_ct_logs: {}
acmebot_default_ct_logs:
google_pilot:
url: "https://ct.googleapis.com/pilot"
id: "pLkJkLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN3BA="
google_icarus:
url: "https://ct.googleapis.com/icarus"
id: "KTxRllTIOWW6qlD8WAfUt2+/WHopctykwwz05UVH9Hg="
google_rocketeer:
url: "https://ct.googleapis.com/rocketeer"
id: "7ku9t3XOYLrhQmkfq+GeZqMPfl+wctiDAMR7iXqo/cs="
google_skydiver:
url: "https://ct.googleapis.com/skydiver"
id: "u9nfvB+KcbWTlCOXqpJ7RzhXlQqrUugakJZkNo4e0YU="
google_argon2018:
url: "https://ct.googleapis.com/logs/argon2018"
id: "pFASaQVaFVReYhGrN7wQP2KuVXakXksXFEU+GyIQaiU="
digicert:
url: "https://ct1.digicert-ct.com/log"
id: "VhQGmi/XwuzT9eG9RLI+x0Z2ubyZEVzA75SYVdaJ0N0="
symantec_ct:
url: "https://ct.ws.symantec.com"
id: "3esdK3oNT6Ygi4GtgWhwfi6OnQHVXIiNPRHEzbbsvsw="
symantec_vega:
url: "https://vega.ws.symantec.com"
id: "vHjh38X2PGhGSTNNoQ+hXwl5aSAJwIG08/aRfz7ZuKU="
cloudflare_nimbus2018:
url: "https://ct.cloudflare.com/logs/nimbus2018"
id: "23Sv7ssp7LH+yj5xbSzluaq7NveEcYPHXZ1PN7Yfv2Q="
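Review bot: `acmebot_zone_update_keys: {}` and `key_passphrase: null` are the slots where TSIG secrets and the private-key passphrase will land, but nothing in this defaults file says they must not be filled in here or in plain group_vars, which is how secrets end up committed; I would extend the comment above `acmebot_zone_update_keys` to `# TSIG secrets: supply from ansible-vault encrypted host/group vars, never in defaults/ or plain vars files` and add the same pointer next to `key_passphrase`. The inline note `auto_rollover: true # must be false on followers` documents an invariant the defaults cannot enforce, since `follower_mode: false` and `auto_rollover` are independent keys of the same dict; if the role has a task file, an `assert` that `auto_rollover` is false whenever `follower_mode` is true would turn the comment into a check. As a point of style, path values are quoted inconsistently (`sct: "/etc/ssl/acmebot/scts/{name}/{key_type}"` versus `private_key: /etc/ssl/acmebot/privkey`), and `file_user: root` / `file_group: ssl-cert` are unquoted while every other string in the block is quoted; quoting all of them would match the rest of the file. The file has 223 additions but fewer lines are visible here, presumably blank stanza separators dropped by rendering, so the tail of the section is assumed rather than seen.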