telekom-mms / ansible-collection-acme

An Ansible collection for issuing certificates via the ACME protocol.
GNU General Public License v3.0
50 stars, 9 forks

Use temp-dir for creation of certificates? #5

Closed rndmh3ro closed 3 years ago

rndmh3ro commented 4 years ago

Right now the home-directory is used for storage of the certificates: https://github.com/T-Systems-MMS/ansible-collection-letsencrypt/blob/001b54862ce6ec34258cd019479e59c8e4c4a370/roles/letsencrypt/defaults/main.yml#L8

```yaml
letsencrypt_conf_dir: "{{ lookup('env','HOME') }}/letsencrypt"
letsencrypt_cert_dir: "{{ letsencrypt_conf_dir }}/certs"
```

Since people may not like (I don't) polluting their home-directory, I suggest we create and use a temporary directory to store the files in: https://docs.ansible.com/ansible/latest/collections/ansible/builtin/tempfile_module.html

What do you think?

avalor1 commented 4 years ago

I am also not happy with the current solution. Is this temp directory persistent through restarts, or does it get deleted after a successful run? Asking because the account key should be persistent. The documentation does not exactly tell if it is deleted or not, but I assume it is persistent.

I think your suggestion would be a good solution for this. Will add it.

rndmh3ro commented 4 years ago

Well, as the name implies, a tempdir is not persistent. Are you sure that the account key needs to be persistent?

schurzi commented 4 years ago

I read up on this a few weeks ago. Historically they planned the account_key as something important to keep and to trigger things like revocation. But this was never fully implemented, and now it is optional to keep the account_key for normal operations.

see: https://community.letsencrypt.org/t/why-backup-my-account-key/104761

avalor1 commented 4 years ago

I also found this one and I agree that it is not necessary in most circumstances, but this also means that you would create a new account at least every 90 days for n certificates 🤔 If you have more than 10 customers for which you want to automatically create certificates and trigger this via a cron at the same time, you would hit the rate limit relatively fast.

I think we will not hit the rate limit and it should be okay for the first implementation, but I can imagine that some people would use it at a larger scale (https://letsencrypt.org/docs/rate-limits/).

avalor1 commented 4 years ago

Maybe we should make it a choice. I can see some situations where a persistent directory would be good

rndmh3ro commented 4 years ago

You can use a persistent directory, but default to /tmp so it does not interfere with other stuff from the user.
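The approach the thread converges on (a temporary directory created with ansible.builtin.tempfile by default, with an optional persistent directory so the ACME account key survives between runs) looks roughly like the playbook below. This is an added example written for this page, not code from the ansible-collection-acme project; the variable names (`letsencrypt_persistent_dir`, `_le_tmpdir`), the `account.key` file name, the staging directory URL and the contact address are assumptions chosen for illustration.

```yaml
# Added example, not the collection's own role code.
# Default: a throw-away directory under the system temp dir (usually /tmp).
# Override: set letsencrypt_persistent_dir (e.g. /var/lib/letsencrypt) so the
# account key is reused and a new ACME account is not registered on every run.
- name: Issue certificates with a configurable working directory
  hosts: localhost
  gather_facts: false
  vars:
    letsencrypt_persistent_dir: ""   # assumed variable name; empty means "use a tempdir"
  tasks:
    - name: Create a temporary working directory when no persistent one is configured
      # tempfile creates the directory with mode 0700 (mkdtemp semantics), so the
      # account key is not readable by other users sharing /tmp.
      ansible.builtin.tempfile:
        state: directory
        suffix: letsencrypt
      register: _le_tmpdir
      when: letsencrypt_persistent_dir | length == 0

    - name: Resolve the working directory
      ansible.builtin.set_fact:
        letsencrypt_conf_dir: >-
          {{ letsencrypt_persistent_dir
             if letsencrypt_persistent_dir | length > 0
             else _le_tmpdir.path }}

    - name: Derive the certificate directory from the working directory
      ansible.builtin.set_fact:
        letsencrypt_cert_dir: "{{ letsencrypt_conf_dir }}/certs"

    - name: Ensure both directories exist and are private to the running user
      ansible.builtin.file:
        path: "{{ item }}"
        state: directory
        mode: "0700"
      loop:
        - "{{ letsencrypt_conf_dir }}"
        - "{{ letsencrypt_cert_dir }}"

    - name: Generate the account key (idempotent; reused when the directory persists)
      community.crypto.openssl_privatekey:
        path: "{{ letsencrypt_conf_dir }}/account.key"   # assumed file name
        type: RSA
        size: 4096
        mode: "0600"

    - name: Register the ACME account, or reuse it if the key already has one
      community.crypto.acme_account:
        account_key_src: "{{ letsencrypt_conf_dir }}/account.key"
        acme_directory: https://acme-staging-v02.api.letsencrypt.org/directory  # staging, for illustration
        acme_version: 2
        state: present
        terms_agreed: true
        contact:
          - mailto:ops@example.com   # assumed contact address

    # ... certificate request tasks would use letsencrypt_cert_dir here ...

    - name: Remove the temporary directory after the run
      ansible.builtin.file:
        path: "{{ _le_tmpdir.path }}"
        state: absent
      when: _le_tmpdir is not skipped
```

With the default (empty) `letsencrypt_persistent_dir`, every run generates a fresh account key and registers a new account, which is exactly the behaviour that consumes the account-registration rate limit discussed above; anyone running this for many customers from one IP should point `letsencrypt_persistent_dir` at a directory that survives reboots so `acme_account` finds the existing account instead of creating one.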