How To Acquire a Let’s Encrypt Certificate Using Ansible on Ubuntu 18.04

news/2024/7/4 23:49:02

The author selected the Electronic Frontier Foundation to receive a donation as part of the Write for DOnations program.

Introduction

Modern infrastructure management is best done using automated processes and tools. Acquiring a Let’s Encrypt certificate using the standard Certbot client is quick and easy, but is generally a task that has to be done manually when commissioning servers. This is manageable for an individual server setup, but can become tedious when deploying a larger fleet.

Using a configuration management tool such as Ansible to acquire a certificate makes this task completely automatic and reproducible. If you ever have to rebuild or update your server, you can just run your Ansible playbook, rather than having to manually carry out the steps again.

In this tutorial, you’ll write an Ansible playbook to acquire a Let’s Encrypt certificate automatically for an Ansible host machine.

Prerequisites

To complete this tutorial, you will need:

  • Two Ubuntu 18.04 servers set up by following the Initial Server Setup with Ubuntu 18.04, including a sudo non-root user.

The first server will be used as your Ansible server, which we will call Ansible server throughout this tutorial. This is where Ansible will run to send the commands to the host machine. Alternatively, you can use your local machine or any other machine that has your Ansible inventory configured as your Ansible server.

On your Ansible server, you’ll need:

  • A correctly configured Ansible installation that is able to connect to your Ansible hosts by following How To Install and Configure Ansible on Ubuntu 18.04.

The second server will be used as your Ansible host, which we will call the host machine throughout this tutorial. This is the machine that you wish to configure and issue certificates on. This machine will also run a web server to serve the certificate issuance validation files.

On your host machine, you’ll need:

  • A domain name that you are eligible to acquire a TLS certificate for, with the required DNS records configured to point to your Ansible host machine. In this particular example, the playbook will acquire a certificate valid for your-domain and www.your-domain, however it can be adjusted for other domains or subdomains if required.

  • A web server that is accessible from the internet over port 80 (HTTP), for example by following steps 1, 2, and 3 of How To Install the Apache Web Server on Ubuntu 18.04. This could also be an Nginx server, or any other suitable web server software.

Once you have these ready, log in to your Ansible server as your non-root user to begin.

Step 1 — Configuring the Settings for the Let’s Encrypt Ansible Module

Ansible has a built-in module named letsencrypt, which allows you to acquire valid TLS certificates using the ACME (Automated Certificate Management Environment) protocol.

In this first step, you will add a host variables configuration file to define the configuration variables that are required to use the module.

Note: The letsencrypt module has been renamed to acme_certificate as of Ansible 2.6. The letsencrypt name is now an alias of acme_certificate, so it will still work, but you may wish to use acme_certificate instead to keep your playbooks future-proof. You can check your Ansible version using ansible --version. As of the writing of this tutorial, the Ubuntu 18.04 Apt repositories don’t support acme_certificate yet.

Firstly, create the host_vars Ansible directory on your Ansible server:

  • sudo mkdir /etc/ansible/host_vars

Next, create a new file in the /etc/ansible/host_vars directory with the name of your Ansible host machine. In this example, you’ll use host1 as the name of the host:

  • sudo nano /etc/ansible/host_vars/host1

The following sample configuration includes everything you need to get started, including: the validation method and server address, an email address to receive certificate expiry reminders to, and the directories where your Let’s Encrypt keys and certificates will be saved.

Copy the sample configuration into the file:

/etc/ansible/host_vars/host1
---
acme_challenge_type: http-01
acme_directory: https://acme-v02.api.letsencrypt.org/directory
acme_version: 2
acme_email: certificate-reminders@your-domain
letsencrypt_dir: /etc/letsencrypt
letsencrypt_keys_dir: /etc/letsencrypt/keys
letsencrypt_csrs_dir: /etc/letsencrypt/csrs
letsencrypt_certs_dir: /etc/letsencrypt/certs
letsencrypt_account_key: /etc/letsencrypt/account/account.key
domain_name: your-domain

Save and close the file when you’ve finished.

Adjust the domain name and email address as required. You can use any email address—it doesn’t have to be the one on your-domain.

Some of the directory/file paths defined may not actually exist on your server yet. This is OK; the first part of the playbook will be to create these directories and assign the relevant permissions.

You’ve added the required configuration variables to your Ansible inventory file. Next, you will begin writing the playbook to acquire a certificate.

Step 2 — Creating the Let’s Encrypt Directories and Account Key

In this step, you’ll write the Ansible tasks that you’ll use to create the required Let’s Encrypt directories, assign the correct permissions, and generate a Let’s Encrypt account key.

Firstly, create a new playbook named letsencrypt-issue.yml on your Ansible server in a new directory of your choice, for example /home/user/ansible-playbooks:

  • cd ~
  • mkdir ansible-playbooks
  • cd ansible-playbooks
  • nano letsencrypt-issue.yml

Before you can start writing Ansible tasks, you’ll need to specify the hosts and associated settings. Adjust the following according to how you referred to your hosts in the prerequisite tutorial. Then add the following to the top of the file:

letsencrypt-issue.yml
---
- hosts: "host1"
  tasks:

Now you can begin writing the required tasks, the first of which is to create the file system directories required to store the Let’s Encrypt files. Add the following Ansible task to the file after the previous content:

letsencrypt-issue.yml
...
  - name: "Create required directories in /etc/letsencrypt"
    file:
      path: "/etc/letsencrypt/{{ item }}"
      state: directory
      owner: root
      group: root
      mode: u=rwx,g=x,o=x
    with_items:
    - account
    - certs
    - csrs
    - keys

This Ansible task will create the account, certs, csrs, and keys directories in /etc/letsencrypt, which is where the files required for acquiring certificates will be stored.

You set the owner of the directories to root and apply the permissions u=rwx,g=x,o=x so that only root has read and write access to them. This is recommended as the directories will contain private keys, certificate signing requests (CSRs), and signed certificates, which should be kept confidential.

Next, the Let’s Encrypt account key needs to be created. You’ll use this to identify yourself to the Let’s Encrypt service.

Add the following task to your playbook:

letsencrypt-issue.yml
...
  - name: "Generate a Let's Encrypt account key"
    shell: "if [ ! -f {{ letsencrypt_account_key }} ]; then openssl genrsa 4096 | sudo tee {{ letsencrypt_account_key }}; fi"

The account key doesn’t need to be re-created every time you renew the certificates, so the task also checks for an existing key (if [ ! -f {{ letsencrypt_account_key }} ]) to make sure that it isn’t overwritten.

You’ll continue to work in letsencrypt-issue.yml in the next step, so don’t close this file yet.

You’ve created your playbook and set up the initial configuration and tasks in order to prepare for acquiring your Let’s Encrypt certificate. Next, you will add further tasks for the private key and CSR generation.

Step 3 — Generating Your Private Key and Certificate Signing Request

In this step, you’ll write the playbook tasks to generate the required private key and certificate signing request.

The first task in this section will generate the required private key for your certificate. Add the following to the end of your playbook that you started writing in Step 2:

letsencrypt-issue.yml
...
  - name: "Generate Let's Encrypt private key"
    shell: "openssl genrsa 4096 | sudo tee /etc/letsencrypt/keys/{{ domain_name }}.key"

Subdomains on the same domain will all be added to the same certificate through the use of Subject Alternate Names (SANs), so you only need to generate one private key for now.

You’ll use the next task to generate a Certificate Signing Request (CSR) for the certificate that you want to acquire. This is submitted to Let’s Encrypt in order for them to validate and issue each certificate.

Add the following to the end of the playbook:

letsencrypt-issue.yml
...
  - name: "Generate Let's Encrypt CSR"
    shell: "openssl req -new -sha256 -key /etc/letsencrypt/keys/{{ domain_name }}.key -subj \"/CN={{ domain_name }}\" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf \"\n[SAN]\nsubjectAltName=DNS:{{ domain_name }},DNS:www.{{ domain_name }}\")) | sudo tee /etc/letsencrypt/csrs/{{ domain_name }}.csr"
    args:
      executable: /bin/bash

This task generates a CSR for your domain, with the www subdomain added to the certificate as a SAN.

You’ll continue to work in letsencrypt-issue.yml in the next step, so don’t close this file yet.

You’ve written the Ansible tasks to generate the private key and CSR for your certificate. Next, you’ll work on the tasks that will begin the validation and issuance process.

Step 4 — Starting the ACME Validation Process

In this step, you’ll write a task to submit the Certificate Signing Request to Let’s Encrypt using the outputted files from the task documented in Step 3. This will return some challenge files, which you’ll need to serve on your web server in order to prove ownership of the domain name and subdomain for which you’re requesting a certificate.

The following task will submit the CSR for your-domain. Add it to the end of your playbook:

letsencrypt-issue.yml
...
  - name: "Begin Let's Encrypt challenges"
    letsencrypt:
      acme_directory: "{{ acme_directory }}"
      acme_version: "{{ acme_version }}"
      account_key_src: "{{ letsencrypt_account_key }}"
      account_email: "{{ acme_email }}"
      terms_agreed: 1
      challenge: "{{ acme_challenge_type }}"
      csr: "{{ letsencrypt_csrs_dir }}/{{ domain_name }}.csr"
      dest: "{{ letsencrypt_certs_dir }}/{{ domain_name }}.crt"
      fullchain_dest: "{{ letsencrypt_certs_dir }}/fullchain_{{ domain_name }}.crt"
      remaining_days: 91
    register: acme_challenge_your_domain

This task makes extensive use of the variables that you configured in Step 1. It registers a variable containing the ACME challenge data that you’ll use in the next step. You’ll need to manually adjust the name of the variable to contain your-domain, but with all . characters replaced with a _, as dots cannot be used in a variable name. For example, the variable for example.com would become acme_challenge_example_com.

You’ll continue to work in letsencrypt-issue.yml in the next step, so don’t close this file yet.

You’ve written a task to submit your CSR to Let’s Encrypt. Next, you will add a task to implement the ACME challenge files for finalization of the certificate validation process.

Step 5 — Implementing the ACME Challenge Files

In this step, you will write an Ansible task to read and implement the ACME challenge files. These files prove that you’re eligible to acquire a certificate for the requested domains and subdomains.

The ACME challenge files must be served on a web server listening on port 80, at the /.well-known/acme-challenge/ path for the domain or subdomain that you’re requesting a certificate for. For example, in order to validate the certificate request for www.your-domain, the ACME challenge file will need to be accessible over the internet at the following path: http://www.your-domain/.well-known/acme-challenge.

The method for serving these files at the required destinations will vary significantly depending on your current web server setup. However, in this guide, we will assume that you have a web server (as per the prerequisite tutorial) configured to serve files out of the /var/www/html directory. Therefore you may need to adjust the task accordingly in order to be compatible with your own web server setup.

Firstly, add the following task that creates the .well-known/acme-challenge/ directory structure required to serve the files to the end of your playbook:

letsencrypt-issue.yml
...
  - name: "Create .well-known/acme-challenge directory"
    file:
      path: /var/www/html/.well-known/acme-challenge
      state: directory
      owner: root
      group: root
      mode: u=rwx,g=rx,o=rx

Make sure to adjust the path accordingly if you are using a directory other than /var/www/html to serve files with your web server.

Next, you’ll implement the ACME challenge files that were saved into the acme_challenge_your-domain variable in Step 4 with the following task:

letsencrypt-issue.yml
...
  - name: "Implement http-01 challenge files"
    copy:
      content: "{{ acme_challenge_your_domain['challenge_data'][item]['http-01']['resource_value'] }}"
      dest: "/var/www/html/{{ acme_challenge_your_domain['challenge_data'][item]['http-01']['resource'] }}"
      owner: root
      group: root
      mode: u=rw,g=r,o=r
    with_items:
    - "{{ domain_name }}"
    - "www.{{ domain_name }}"

Note that you need to manually adjust the acme_challenge_your_domain variable name in the task to be set to the name of your ACME challenge variable, which is acme_challenge_ followed by your domain name, but with all . characters replaced with _. This Ansible task copies the ACME validation files from the variable into the .well-known/acme-challenge path on your web server. This will allow Let’s Encrypt to retrieve them in order to verify the ownership of the domain and your eligibility to acquire a certificate.
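Added example (not part of the original tutorial or of Ansible itself): a Python helper that mirrors the Step 5 copy task from a constructed sample of the challenge_data structure the module registers in Step 4, and audits the key files written by the Step 2 and Step 3 shell tasks, which tee creates with the umask default (usually 0644) rather than the 0711 set on the directories. All tokens, thumbprints and paths below are constructed placeholders.

```python
import os
import stat
from pathlib import Path

# Constructed sample of what the letsencrypt/acme_certificate module registers
# into acme_challenge_your_domain in Step 4. Tokens and thumbprints are
# placeholders, not real ACME values.
SAMPLE_CHALLENGE_DATA = {
    "your-domain": {
        "http-01": {
            "resource": ".well-known/acme-challenge/TOKEN-PLACEHOLDER-1",
            "resource_value": "TOKEN-PLACEHOLDER-1.THUMBPRINT-PLACEHOLDER",
        }
    },
    "www.your-domain": {
        "http-01": {
            "resource": ".well-known/acme-challenge/TOKEN-PLACEHOLDER-2",
            "resource_value": "TOKEN-PLACEHOLDER-2.THUMBPRINT-PLACEHOLDER",
        }
    },
}


def variable_name(domain):
    """Name of the registered variable used in Steps 4 to 6: acme_challenge_
    plus the domain with every '.' replaced by '_'."""
    return "acme_challenge_" + domain.replace(".", "_")


def render_challenge_files(challenge_data, domains, webroot):
    """Mirror the Step 5 copy task: for each domain in the with_items list,
    return {destination path: file content} from its http-01 entry. A domain
    that is in the item list but not in the CSR SANs has no entry, so fail
    loudly instead of serving an empty file."""
    files = {}
    for domain in domains:
        try:
            entry = challenge_data[domain]["http-01"]
        except KeyError:
            raise KeyError(f"no http-01 challenge for {domain}; check the CSR SANs")
        files[os.path.join(webroot, entry["resource"])] = entry["resource_value"]
    return files


def write_challenge_files(files):
    """Write the challenge files with mode u=rw,g=r,o=r (0644) as the task
    does; the web server must read them and they contain no secrets."""
    for path, content in files.items():
        Path(path).parent.mkdir(parents=True, exist_ok=True)
        Path(path).write_text(content)
        os.chmod(path, 0o644)


def audit_private_keys(letsencrypt_dir):
    """Return every *.key file under letsencrypt_dir (account key and domain
    keys) that is readable by group or others. The shell tasks pipe openssl
    into 'sudo tee', so the file mode comes from the umask, not from the
    u=rwx,g=x,o=x directory mode; a private key should be 0600."""
    leaky = []
    for path in Path(letsencrypt_dir).rglob("*.key"):
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            leaky.append(str(path))
    return sorted(leaky)


if __name__ == "__main__":
    # Run on the host machine after the playbook: report keys that need chmod 600.
    for leaked in audit_private_keys("/etc/letsencrypt"):
        print("private key readable by group/others:", leaked)
```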

You’ll continue to work in letsencrypt-issue.yml in the next step, so don’t close this file yet.

You’ve written the Ansible tasks required to create the ACME validation directory and files. Next, you will complete the ACME verification process and acquire the signed certificate.

Step 6 — Acquiring Your Certificate

In this step, you’ll write a task to trigger Let’s Encrypt to verify the ACME challenge files that you submitted, which will allow you to acquire your signed certificate(s).

The following task validates the ACME challenge files that you implemented in Step 5 and saves your signed certificates to the specified paths. Add it to the end of your playbook:

letsencrypt-issue.yml
...
  - name: "Complete Let's Encrypt challenges"
    letsencrypt:
      acme_directory: "{{ acme_directory }}"
      acme_version: "{{ acme_version }}"
      account_key_src: "{{ letsencrypt_account_key }}"
      account_email: "{{ acme_email }}"
      challenge: "{{ acme_challenge_type }}"
      csr: "{{ letsencrypt_csrs_dir }}/{{ domain_name }}.csr"
      dest: "{{ letsencrypt_certs_dir }}/{{ domain_name }}.crt"
      chain_dest: "{{ letsencrypt_certs_dir }}/chain_{{ domain_name }}.crt"
      fullchain_dest: "{{ letsencrypt_certs_dir }}/fullchain_{{ domain_name }}.crt"
      data: "{{ acme_challenge_your_domain }}"

Similarly to Step 4, this task makes use of the variables that you configured in Step 1. Once the task has completed, it will save the signed certificate to the specified paths, allowing you to begin using it for your application or service.

Note that you’ll need to manually adjust the data value in the task to be set to the name of your ACME challenge variable, similarly to Step 5.

Following is the full playbook showing each of the tasks you’ve added:

letsencrypt-issue.yml
- hosts: "host1"
  tasks:

  - name: "Create required directories in /etc/letsencrypt"
    file:
      path: "/etc/letsencrypt/{{ item }}"
      state: directory
      owner: root
      group: root
      mode: u=rwx,g=x,o=x
    with_items:
    - account
    - certs
    - csrs
    - keys

  - name: "Generate a Let's Encrypt account key"
    shell: "if [ ! -f {{ letsencrypt_account_key }} ]; then openssl genrsa 4096 | sudo tee {{ letsencrypt_account_key }}; fi"

  - name: "Generate Let's Encrypt private key"
    shell: "openssl genrsa 4096 | sudo tee /etc/letsencrypt/keys/{{ domain_name }}.key"

  - name: "Generate Let's Encrypt CSR"
    shell: "openssl req -new -sha256 -key /etc/letsencrypt/keys/{{ domain_name }}.key -subj \"/CN={{ domain_name }}\" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf \"\n[SAN]\nsubjectAltName=DNS:{{ domain_name }},DNS:www.{{ domain_name }}\")) | sudo tee /etc/letsencrypt/csrs/{{ domain_name }}.csr"
    args:
      executable: /bin/bash

  - name: "Begin Let's Encrypt challenges"
    letsencrypt:
      acme_directory: "{{ acme_directory }}"
      acme_version: "{{ acme_version }}"
      account_key_src: "{{ letsencrypt_account_key }}"
      account_email: "{{ acme_email }}"
      terms_agreed: 1
      challenge: "{{ acme_challenge_type }}"
      csr: "{{ letsencrypt_csrs_dir }}/{{ domain_name }}.csr"
      dest: "{{ letsencrypt_certs_dir }}/{{ domain_name }}.crt"
      fullchain_dest: "{{ letsencrypt_certs_dir }}/fullchain_{{ domain_name }}.crt"
      remaining_days: 91
    register: acme_challenge_your_domain

  - name: "Create .well-known/acme-challenge directory"
    file:
      path: /var/www/html/.well-known/acme-challenge
      state: directory
      owner: root
      group: root
      mode: u=rwx,g=rx,o=rx

  - name: "Implement http-01 challenge files"
    copy:
      content: "{{ acme_challenge_your_domain['challenge_data'][item]['http-01']['resource_value'] }}"
      dest: "/var/www/html/{{ acme_challenge_your_domain['challenge_data'][item]['http-01']['resource'] }}"
      owner: root
      group: root
      mode: u=rw,g=r,o=r
    with_items:
    - "{{ domain_name }}"
    - "www.{{ domain_name }}"

  - name: "Complete Let's Encrypt challenges"
    letsencrypt:
      acme_directory: "{{ acme_directory }}"
      acme_version: "{{ acme_version }}"
      account_key_src: "{{ letsencrypt_account_key }}"
      account_email: "{{ acme_email }}"
      challenge: "{{ acme_challenge_type }}"
      csr: "{{ letsencrypt_csrs_dir }}/{{ domain_name }}.csr"
      dest: "{{ letsencrypt_certs_dir }}/{{ domain_name }}.crt"
      chain_dest: "{{ letsencrypt_certs_dir }}/chain_{{ domain_name }}.crt"
      fullchain_dest: "{{ letsencrypt_certs_dir }}/fullchain_{{ domain_name }}.crt"
      data: "{{ acme_challenge_your_domain }}"

Save and close your file when you’re finished.

You’ve added the task to complete the ACME challenges and acquire your signed certificate. Next, you’ll run the playbook against your Ansible host machine in order to run all of the actions.

Step 7 — Running Your Playbook

Now that you’ve written the playbook and all of the required tasks, you can run it against your Ansible host machine to issue the certificate.

From your Ansible server, you can run the playbook using the ansible-playbook command:

  • ansible-playbook letsencrypt-issue.yml

This will run the playbook, one task at a time. You’ll see output similar to the following:


   
Output
PLAY [host1] **********************************************************************************

TASK [Gathering Facts] ************************************************************************
ok: [host1]

TASK [Create required directories in /etc/letsencrypt] ****************************************
changed: [host1] => (item=account)
changed: [host1] => (item=certs)
changed: [host1] => (item=csrs)
changed: [host1] => (item=keys)

TASK [Generate a Let's Encrypt account key] ***************************************************
changed: [host1]

TASK [Generate Let's Encrypt private key] *****************************************************
changed: [host1]

TASK [Generate Let's Encrypt CSR] *************************************************************
changed: [host1]

TASK [Begin Let's Encrypt challenges] *********************************************************
changed: [host1]

TASK [Create .well-known/acme-challenge directory] ********************************************
changed: [host1]

TASK [Implement http-01 challenge files] ******************************************************
changed: [host1] => (item=your-domain)
changed: [host1] => (item=www.your-domain)

TASK [Complete Let's Encrypt challenges] ******************************************************
changed: [host1]

PLAY RECAP ************************************************************************************
host1 : ok=9 changed=8 unreachable=0 failed=0

If any errors are encountered while the playbook is running, these will be outputted for your review.

Once the playbook has finished, your valid Let’s Encrypt certificate will be saved to the /etc/letsencrypt/certs directory on your host machine. You can then use this, along with the private key in /etc/letsencrypt/keys, to secure connections to your web server, mail server, etc.

Let’s Encrypt certificates are valid for 90 days by default. You will receive renewal reminders via email to the address that you specified in Step 1. To renew your certificate, you can run the playbook again. Make sure to double check that any services using your certificate have picked up the new one, as sometimes you may need to manually install it, move it to a particular directory, or restart the service for it to properly adopt the new certificate.

In this step, you ran your playbook which issued your valid Let’s Encrypt certificate.

Conclusion

In this article you wrote an Ansible playbook to request and acquire a valid Let’s Encrypt certificate.

As a next step, you can look into using your new playbook to issue certificates for a large fleet of servers. You could even create a central ACME validation server that can issue certificates centrally and distribute them out to web servers.

Finally, if you’d like to learn more about the ACME specification and Let’s Encrypt project, you may wish to review the following links:

  • Let’s Encrypt website and documentation.
  • Ansible acme_certificate Module.
  • RFC8555 - Automated Certificate Management Environment (ACME).

You may also like to view some other relevant Ansible tutorials:

  • How To Use Ansible: A Reference Guide.
  • How To Automate Server Setup with Ansible on Ubuntu 18.04.
  • How To Use Vault to Protect Sensitive Ansible Data on Ubuntu 16.04.

Translated from: https://www.digitalocean.com/community/tutorials/how-to-acquire-a-let-s-encrypt-certificate-using-ansible-on-ubuntu-18-04

