debops / ansible-pki

Bootstrap and manage internal PKI, Certificate Authorities and OpenSSL/GnuTLS certificates
GNU General Public License v3.0

Let's Encrypt support #30

Closed danmilon closed 8 years ago

danmilon commented 8 years ago

Is this role appropriate to handle Let's Encrypt certificates? I mean, to add support to it for Let's Encrypt.

drybjed commented 8 years ago

Not at the moment. But, I'm currently working on it and I hope to have a working solution before holidays. :-)

What I would like to do is revamp how DebOps PKI manages "realms". Each realm would contain one set of certificates in a known, predictable directory structure, and other Ansible roles and services could easily switch between various realms just by changing the directory name.

Each realm would contain multiple CAs (currently "internal" managed via Ansible and SSH, LE-staging and LE-production), with one CA being active. This would allow creating a private key and certificate request for an internal CA on the first install, and then, if/when desired, an LE certificate could be obtained via various methods.

All this means that the debops.pki role needs to be heavily redesigned to accommodate Let's Encrypt/ACME automatic renewals, so many things will change. But I'll try to keep the external role "interface" that other DebOps roles use as intact as possible to make the transition easier.

NB: support for ACME challenges is already present in debops.nginx, so you can easily use that role to obtain Let's Encrypt certificates for multiple domains, as long as your DNS is configured properly. You can find out more about it in this pull request or read the documentation.

Pinging @htgoebel since he's interested in the issue as well.
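A worked illustration of the "one active CA per realm" idea described above, as an added example and not code from debops.pki or the DebOps project: the directory layout (one subdirectory per CA holding cert.pem and key.pem, with default.crt and default.key symlinks marking the active CA), file names and function names are assumptions for this illustration. It shows switching the active CA by atomically repointing the symlinks, and refusing the switch while a CA still has a key but no issued certificate, which matches the first-install flow where the internal CA serves until an ACME certificate is obtained.

```python
import os
import tempfile

# Constructed realm layout, an assumption for this example (not debops.pki's real layout):
# <realm>/<ca>/cert.pem and key.pem for each CA, plus <realm>/default.crt and
# <realm>/default.key symlinks that mark which CA is currently active.
ACTIVE_LINKS = {"default.crt": "cert.pem", "default.key": "key.pem"}

def available_cas(realm):
    """Names of CA subdirectories that hold a complete cert/key pair."""
    return sorted(
        name for name in os.listdir(realm)
        if os.path.isdir(os.path.join(realm, name))
        and all(os.path.isfile(os.path.join(realm, name, f)) for f in ACTIVE_LINKS.values())
    )

def active_ca(realm):
    """CA that default.crt currently points into, or None when no CA is active yet."""
    link = os.path.join(realm, "default.crt")
    return os.path.basename(os.path.dirname(os.readlink(link))) if os.path.islink(link) else None

def switch_active_ca(realm, ca):
    """Repoint the default.* symlinks at `ca`, one atomic rename per link.
    A CA without both files is refused, so a service never sees a dangling link."""
    if ca not in available_cas(realm):
        raise ValueError(f"CA {ca!r} has no complete cert/key pair in {realm}")
    for link_name, target_file in ACTIVE_LINKS.items():
        tmp = os.path.join(realm, f".{link_name}.tmp")
        os.symlink(os.path.join(ca, target_file), tmp)   # relative target keeps the realm relocatable
        os.replace(tmp, os.path.join(realm, link_name))  # rename(2) is atomic on POSIX
    return active_ca(realm)

def issue_cert(realm, ca):
    """Stand-in for obtaining a certificate (e.g. via ACME); writes a constructed placeholder."""
    with open(os.path.join(realm, ca, "cert.pem"), "w") as f:
        f.write("-- constructed placeholder certificate --\n")

def make_demo_realm():
    """First-install state: 'internal' CA complete and active, 'acme' has only a key so far."""
    realm = tempfile.mkdtemp(prefix="pki-realm-")
    for ca, files in {"internal": ["cert.pem", "key.pem"], "acme": ["key.pem"]}.items():
        os.makedirs(os.path.join(realm, ca))
        for f in files:
            with open(os.path.join(realm, ca, f), "w") as fh:
                fh.write("-- constructed placeholder --\n")
    switch_active_ca(realm, "internal")
    return realm
```

Because only the symlinks change, a service configured with the realm's default.crt and default.key paths picks up the ACME certificate on its next reload without any configuration edit.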

htgoebel commented 8 years ago

Thanks for the ping :-) I would help you develop this, but since I never really understood the PKI and the realms, I'm afraid I can't. (Besides that, I'm short of spare time currently.)

drybjed commented 8 years ago

The debops.pki redesign can be followed and tested in https://github.com/debops/ansible-pki/pull/33 PR.

drybjed commented 8 years ago

The new redesigned debops.pki role with ACME support has been merged and tagged as v0.2.0, the DebOps playbook has been updated for new configuration, and new documentation is online. Feel free to try the new ACME support and report any issues. :-)

carlalexander commented 8 years ago

This is working now with the new debops.pki role.

drybjed commented 8 years ago

Closing this issue, since support for Let's Encrypt is now working.