telekom-mms / ansible-collection-acme

An Ansible collection for issuing certificates via the ACME protocol.

License: GNU General Public License v3.0

Shell 100.00%
acme ansible ansible-collection letsencrypt

ansible-collection-acme's People

Contributors: avalor1, beechesii, michaelamattes, nemental, renovate[bot], rndmh3ro, schurzi, smapjb, svenlie, z-bsod

ansible-collection-acme's Issues

Unify variables

The naming of variables is not consistent. Some contain the name of the role and some do not. Some variables could also already be used in the context of other roles (dns_user, dns_password).

I think we should unify the variable names corresponding to the role name.
E.g. acme_collection_dns_user, acme_collection_dns_password, acme_collection_conf_dir, ...

Maybe this could be done together with the renaming of the role in #43

What do you think?

Remove unwanted files from release-tarball

The release tarball contains files that do not need to be inside the installed collection. That includes tests, linting, coverage, GitHub Action workflows, the test-generation scripts and requirements files.

I propose that we add the following files to the build-ignore list:

-rw-r----- 1 root root    70 Oct 20 08:08 codecov.yml
drwxr-x--- 1 root root  4096 Sep 30 19:43 .github/
drwxr-x--- 1 root root  4096 Oct 22 09:13 hacking/
-rw-r----- 1 root root     8 Sep 30 19:43 requirements.txt
-rw-r----- 1 root root    62 Sep 30 19:43 test-requirements.txt
drwxr-x--- 1 root root  4096 Oct 22 09:49 tests/
drwxr-x--- 1 root root  4096 Oct 20 10:43 .tox/
-rw-r----- 1 root root   878 Sep 30 19:43 tox.ini
-rw-r----- 1 root root   298 Oct 22 09:13 .yamllint

Push to Galaxy Fails

The push-to-Galaxy action fails because, during creation of the release draft, a new commit is made for the changelog, but during execution the action is working on the commit id of the "before" state. This leads to a race condition which the changelog task cannot win.

As discussed with @rndmh3ro, we should add another checkout after the changelog commit in the release.yml workflow.

[Question] Why are new versions not supported?

Question

Hello,

if I would like to use your collection I get the following error:

failed: [localhost] (item=*.example.org) => {"ansible_loop_var": "item", "changed": false, "item": "*.example.org", "msg": "Incompatible openstacksdk library found: Version MUST be >=0.36 and <=0.98.999, but 0.103.0 is larger than maximum version 0.98.999."}

Why are newer versions not supported?

creation of wildcard certificates with autodns challenge not working with release 0.0.5

With version 0.0.5 the creation of wildcard certificates with the autodns challenge is not possible.

Please provide a patch.

I add the playbook and the error message, anonymized, below:

Playbook:

- name: create the certificate for example.com
  hosts: localhost
  collections:
    - t_systems_mms.letsencrypt
  roles:
    - letsencrypt
  vars:
    domain:
      certificate_name: "wildcard.example.com"
      zone: "example.com"
      email_address: "[email protected]"
      subject_alt_name:
        - "*.example.com"
        - "example.com"
    letsencrypt_do_http_challenge: false
    letsencrypt_do_dns_challenge: true
    letsencrypt_use_acme_live_directory: true
    account_email: "[email protected]"

Error:

TASK [letsencrypt : add a new TXT record to the SAN domains] *******************
failed: [localhost] (item=*.example.com) => {"ansible_loop_var": "item", "changed": false, "connection": "close", "content": "{\"stid\":\"20201214-app2-96806\",\"messages\":[{\"text\":\"Der Resource-Record enthält ungültige Zeichen.\",\"objects\":[{\"type\":\"rr[30]/name\",\"value\":\"_acme-challenge.*\"}],\"code\":\"EF02063\",\"status\":\"ERROR\"}],\"status\":{\"code\":\"E0202\",\"text\":\"Zone konnte nicht auf dem Nameserver aktualisiert werden.\",\"type\":\"ERROR\"},\"object\":{\"type\":\"Zone\",\"value\":\"example.com\"}}", "content_language": "de", "content_length": "359", "content_type": "application/json", "date": "Mon, 14 Dec 2020 09:47:08 GMT", "elapsed": 0, "item": "*.example.com", "json": {"messages": [{"code": "EF02063", "objects": [{"type": "rr[30]/name", "value": "_acme-challenge.*"}], "status": "ERROR", "text": "Der Resource-Record enthält ungültige Zeichen."}], "object": {"type": "Zone", "value": "example.com"}, "status": {"code": "E0202", "text": "Zone konnte nicht auf dem Nameserver aktualisiert werden.", "type": "ERROR"}, "stid": "20201214-app2-96806"}, "msg": "Status code was 400 and not [200]: HTTP Error 400: Bad Request", "redirected": false, "server": "nginx", "status": 400, "url": "https://api.autodns.com/v1/zone/example.com/a.ns14.net", "x_domainrobot_stid": "20201214-app2-96806"}

Ansible Version:

ansible 2.7.7
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/home/crgr/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.5 (default, Aug  4 2017, 00:39:18) [GCC 4.8.5 20150623 (Red Hat 4.8.5-16)]
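The rr name in the error above, "_acme-challenge.*", is what you get by prepending the challenge label to the raw SAN. For a wildcard identifier the ACME dns-01 challenge (RFC 8555, section 8.4) is instead validated under the base name, so "*.example.com" and "example.com" both use "_acme-challenge.example.com". The following is an added example, not code from the collection, showing how to derive the record name; it assumes, as the error's rr name suggests, that the provider API takes record names relative to the zone, and that each identifier has its own key-authorization digest.

```python
import re

LABEL = "_acme-challenge"


def validation_record_name(identifier: str, zone: str) -> str:
    """Zone-relative name of the TXT record a dns-01 challenge for
    `identifier` must be published under (RFC 8555 section 8.4).

    A wildcard identifier "*.example.com" is validated at the same name as
    "example.com": the "*." prefix is stripped before "_acme-challenge" is
    prepended. Prefixing the raw SAN instead yields "_acme-challenge.*".
    """
    ident = identifier.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    if ident.startswith("*."):
        ident = ident[2:]
    if "*" in ident:
        raise ValueError(f"only a leading wildcard label is allowed: {identifier!r}")
    if not re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)*", ident):
        raise ValueError(f"invalid DNS name: {identifier!r}")
    if ident == zone:
        return LABEL  # record sits at the zone apex
    if not ident.endswith("." + zone):
        raise ValueError(f"{identifier!r} is not inside zone {zone!r}")
    relative = ident[: -(len(zone) + 1)]  # strip the trailing ".zone"
    return f"{LABEL}.{relative}"


def challenge_records(sans, zone, digests):
    """Group per-identifier key-authorization digests by record name.

    "example.com" and "*.example.com" share one record name, so two TXT
    values must coexist under it; replacing one with the other makes one
    of the two validations fail.
    """
    records = {}
    for san, digest in zip(sans, digests):
        records.setdefault(validation_record_name(san, zone), []).append(digest)
    return records
```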

subject_alt_name not optional

When creating a CSR I have to add a subject_alt_name even if I don't need one. This should be changed.

TASK [t_systems_mms.letsencrypt.letsencrypt : Create CSR for certificate] *****************************************************************************************************************************************
fatal: [localhost]: FAILED! =>
  msg: |-
    The task includes an option with an undefined variable. The error was: 'dict object' has no attribute 'subject_alt_name'

    The error appears to be in 'collections/ansible_collections/t_systems_mms/letsencrypt/roles/letsencrypt/tasks/dns-challenge.yml': line 2, column 3, but may
    be elsewhere in the file depending on the exact syntax problem.

    The offending line appears to be:

    ---
    - name: Create CSR for certificate
      ^ here

Simplify challenge provider selection

Right now we have to choose whether we use a DNS provider or an HTTP provider and then additionally choose which provider should be used. This seems redundant.

We could simplify this by only using one variable and infer from that what provider should be used, e.g.

challenge_provider: dns_autodns
challenge_provider: http_local

If the names between dns and http providers do not overlap, we could even omit the dns_ or http_ part, though keeping it for readability is probably a good idea, too.

What do you think?

Revoke certificate(s)

It should be possible to revoke certificates in case the key got compromised or it is no longer needed.

Maybe it is possible via some kind of list which gets looped.
Also we should try to make it idempotent.

Use temp-dir for creation of certificates?

Right now the home-directory is used for storage of the certificates: https://github.com/T-Systems-MMS/ansible-collection-letsencrypt/blob/001b54862ce6ec34258cd019479e59c8e4c4a370/roles/letsencrypt/defaults/main.yml#L8

letsencrypt_conf_dir: "{{ lookup('env','HOME') }}/letsencrypt"
letsencrypt_cert_dir: "{{ letsencrypt_conf_dir }}/certs"

Since people may not like (I don't) polluting their home-directory, I suggest we create and use a temporary directory to store the files in: https://docs.ansible.com/ansible/latest/collections/ansible/builtin/tempfile_module.html

What do you think?

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.


Warning

Renovate failed to look up the following dependencies: Could not determine new digest for update (github-tags package ansible/ansible-lint).

Files affected: .github/workflows/main.yml


This repository currently has no open or pending branches.

Detected dependencies

ansible-galaxy
galaxy.yml
  • community.crypto >=1.0.0
  • openstack.cloud >=1.2.1
  • amazon.aws >=5.0.0
  • azure.azcollection >=1.14.0
github-actions
.github/workflows/codespell.yml
  • telekom-mms/.github main
.github/workflows/galaxy.yml
  • telekom-mms/.github main
.github/workflows/main.yml
  • actions/checkout v4@692973e3d937129bcbf40652eb9f2f61becf3332
  • actions/setup-python v5@39cd14951b08e74b54015e9e001cdefcf80e669f
  • actions/checkout v4@692973e3d937129bcbf40652eb9f2f61becf3332
  • ansible/ansible-lint 24.7.0@95382d398ea1744bf6bfa47b030f14c38b3f6957
  • actions/checkout v4@692973e3d937129bcbf40652eb9f2f61becf3332
  • actions/setup-python v5@39cd14951b08e74b54015e9e001cdefcf80e669f
  • nginx sha256:6af79ae5de407283dcea8b00d5c37ace95441fd58a8b1d2aa1ed93f5511bb18c
.github/workflows/release.yml
  • telekom-mms/.github main


add option to rerun validation if dns lookup hangs

Sometimes the DNS challenge hangs due to timeouts:
DNS problem: SERVFAIL looking up TXT for _acme-challenge.bloxxter.in - the domain''s nameservers may be malfunctioning"

A rerun of the playbook recovers from the problem.
This is a problem if the playbook runs in a pipeline: a manual interaction is needed every time.

So we need an option to check whether the validation succeeded; if not, the check should be run a second time before the state becomes invalid.
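A SERVFAIL at validation time usually means the CA's resolver could not yet see the TXT record. One way to make the step robust in a pipeline, as an added example that is not part of the collection, is to poll the zone's authoritative nameservers directly and only trigger validation once all of them serve the expected value. The resolver is injected as a callable so the logic runs offline; in a real playbook it would wrap a DNS lookup (dnspython, for instance), and the nameserver list and timings below are assumptions.

```python
import time
from typing import Callable, Iterable, List

# (nameserver, fqdn) -> TXT values; raises on timeout/SERVFAIL
Resolver = Callable[[str, str], List[str]]


def txt_published_everywhere(fqdn: str, expected: str,
                             nameservers: Iterable[str],
                             resolve: Resolver) -> bool:
    """True only if every authoritative nameserver already serves `expected`.

    Asking the authoritative servers sidesteps stale recursive caches, and
    requiring all of them avoids a CA query landing on the one lagging server.
    """
    for ns in nameservers:
        try:
            values = resolve(ns, fqdn)
        except Exception:  # timeout or SERVFAIL on this server counts as "not yet"
            return False
        if expected not in values:
            return False
    return True


def wait_for_txt(fqdn: str, expected: str, nameservers: Iterable[str],
                 resolve: Resolver, attempts: int = 10, delay: float = 5.0,
                 sleep=time.sleep) -> int:
    """Poll until the record is visible on all nameservers or give up.

    Returns the attempt number on which it became visible, or 0 if it never
    did, so the caller can re-publish/re-check instead of letting the
    challenge go invalid at the CA.
    """
    servers = list(nameservers)
    for n in range(1, attempts + 1):
        if txt_published_everywhere(fqdn, expected, servers, resolve):
            return n
        if n < attempts:
            sleep(delay)
    return 0
```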

Rename collection to avoid LE trademark

Currently we use the "Let's Encrypt" name. However, we're not officially affiliated with the Internet Security Research Group that provides LE.

This could potentially be a trademark issue: https://letsencrypt.org/trademarks/

All other tools and libraries avoid this issue as they are ACME implementations, not Let's Encrypt implementations.
And so is this collection: we implement the ACME protocol and are not tied to issuing LE certificates only.

So I propose to rename the collection to "ansible-collection-acme" / Ansible Acme Collection.

Documentation restructuring

As we will potentially support more and more providers in the future, the current documentation structure does not fit our needs anymore and we want to restructure it. This will allow us and others to more easily implement documentation for new providers and should make it easier to find the needed documentation.

We want to move all READMEs for specific providers into a folder of their corresponding challenge type. The structure could look something like:

├── docs
│   ├── dns-challenge
│   │   ├── provider1-README.md
│   │   └── provider2-README.md
│   ├── http-challenge
│   │   ├── provider1-README.md
│   │   └── provider2-README.md
│   └── README.md
├── examples
├── meta
├── roles
│   └── letsencrypt
├── tests
├── .someconfig.yml
└── README.md

The main README (the one in the root folder) contains a short description of the collection and a link to another general README (the one under docs/) which contains links to the different providers, the globally used variables and usage.
