|
|
|
@ -23,14 +23,13 @@ description:
|
|
|
|
- "Create and renew SSL certificates with Let's Encrypt. Let's Encrypt is a
|
|
|
|
- "Create and renew SSL certificates with Let's Encrypt. Let's Encrypt is a
|
|
|
|
free, automated, and open certificate authority (CA), run for the
|
|
|
|
free, automated, and open certificate authority (CA), run for the
|
|
|
|
public's benefit. For details see U(https://letsencrypt.org). The current
|
|
|
|
public's benefit. For details see U(https://letsencrypt.org). The current
|
|
|
|
implementation supports the http-01, tls-sni-02 and dns-01 challenges."
|
|
|
|
implementation supports the http-01 and dns-01 challenges."
|
|
|
|
- "To use this module, it has to be executed at least twice. Either as two
|
|
|
|
- "To use this module, it has to be executed at least twice. Either as two
|
|
|
|
different tasks in the same run or during multiple runs."
|
|
|
|
different tasks in the same run or during multiple runs."
|
|
|
|
- "Between these two tasks you have to fulfill the required steps for the
|
|
|
|
- "Between these two tasks you have to fulfill the required steps for the
|
|
|
|
chosen challenge by whatever means necessary. For http-01 that means
|
|
|
|
chosen challenge by whatever means necessary. For http-01 that means
|
|
|
|
creating the necessary challenge file on the destination webserver. For
|
|
|
|
creating the necessary challenge file on the destination webserver. For
|
|
|
|
dns-01 the necessary dns record has to be created. tls-sni-02 requires
|
|
|
|
dns-01 the necessary dns record has to be created.
|
|
|
|
you to create a SSL certificate with the appropriate subjectAlternativeNames.
|
|
|
|
|
|
|
|
It is I(not) the responsibility of this module to perform these steps."
|
|
|
|
It is I(not) the responsibility of this module to perform these steps."
|
|
|
|
- "For details on how to fulfill these challenges, you might have to read through
|
|
|
|
- "For details on how to fulfill these challenges, you might have to read through
|
|
|
|
U(https://tools.ietf.org/html/draft-ietf-acme-acme-09#section-8)"
|
|
|
|
U(https://tools.ietf.org/html/draft-ietf-acme-acme-09#section-8)"
|
|
|
|
@ -109,7 +108,7 @@ options:
|
|
|
|
version_added: "2.5"
|
|
|
|
version_added: "2.5"
|
|
|
|
challenge:
|
|
|
|
challenge:
|
|
|
|
description: The challenge to be performed.
|
|
|
|
description: The challenge to be performed.
|
|
|
|
choices: [ 'http-01', 'dns-01', 'tls-sni-02']
|
|
|
|
choices: [ 'http-01', 'dns-01']
|
|
|
|
default: 'http-01'
|
|
|
|
default: 'http-01'
|
|
|
|
csr:
|
|
|
|
csr:
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
@ -937,25 +936,10 @@ class ACMEClient(object):
|
|
|
|
token = re.sub(r"[^A-Za-z0-9_\-]", "_", challenge['token'])
|
|
|
|
token = re.sub(r"[^A-Za-z0-9_\-]", "_", challenge['token'])
|
|
|
|
keyauthorization = self.account.get_keyauthorization(token)
|
|
|
|
keyauthorization = self.account.get_keyauthorization(token)
|
|
|
|
|
|
|
|
|
|
|
|
# NOTE: tls-sni-01 is not supported by choice
|
|
|
|
|
|
|
|
# too complex to be useful and tls-sni-02 is an alternative
|
|
|
|
|
|
|
|
# as soon as it is implemented server side
|
|
|
|
|
|
|
|
if type == 'http-01':
|
|
|
|
if type == 'http-01':
|
|
|
|
# https://tools.ietf.org/html/draft-ietf-acme-acme-09#section-8.3
|
|
|
|
# https://tools.ietf.org/html/draft-ietf-acme-acme-09#section-8.3
|
|
|
|
resource = '.well-known/acme-challenge/' + token
|
|
|
|
resource = '.well-known/acme-challenge/' + token
|
|
|
|
data[type] = {'resource': resource, 'resource_value': keyauthorization}
|
|
|
|
data[type] = {'resource': resource, 'resource_value': keyauthorization}
|
|
|
|
elif type == 'tls-sni-02':
|
|
|
|
|
|
|
|
# https://tools.ietf.org/html/draft-ietf-acme-acme-09#section-8.4
|
|
|
|
|
|
|
|
token_digest = hashlib.sha256(token.encode('utf8')).hexdigest()
|
|
|
|
|
|
|
|
ka_digest = hashlib.sha256(keyauthorization.encode('utf8')).hexdigest()
|
|
|
|
|
|
|
|
len_token_digest = len(token_digest)
|
|
|
|
|
|
|
|
len_ka_digest = len(ka_digest)
|
|
|
|
|
|
|
|
resource = 'subjectAlternativeNames'
|
|
|
|
|
|
|
|
value = [
|
|
|
|
|
|
|
|
"{0}.{1}.token.acme.invalid".format(token_digest[:len_token_digest // 2], token_digest[len_token_digest // 2:]),
|
|
|
|
|
|
|
|
"{0}.{1}.ka.acme.invalid".format(ka_digest[:len_ka_digest // 2], ka_digest[len_ka_digest // 2:]),
|
|
|
|
|
|
|
|
]
|
|
|
|
|
|
|
|
data[type] = {'resource': resource, 'resource_value': value}
|
|
|
|
|
|
|
|
elif type == 'dns-01':
|
|
|
|
elif type == 'dns-01':
|
|
|
|
# https://tools.ietf.org/html/draft-ietf-acme-acme-09#section-8.5
|
|
|
|
# https://tools.ietf.org/html/draft-ietf-acme-acme-09#section-8.5
|
|
|
|
resource = '_acme-challenge'
|
|
|
|
resource = '_acme-challenge'
|
|
|
|
@ -1296,7 +1280,7 @@ def main():
|
|
|
|
acme_version=dict(required=False, default=1, choices=[1, 2], type='int'),
|
|
|
|
acme_version=dict(required=False, default=1, choices=[1, 2], type='int'),
|
|
|
|
agreement=dict(required=False, type='str'),
|
|
|
|
agreement=dict(required=False, type='str'),
|
|
|
|
terms_agreed=dict(required=False, default=False, type='bool'),
|
|
|
|
terms_agreed=dict(required=False, default=False, type='bool'),
|
|
|
|
challenge=dict(required=False, default='http-01', choices=['http-01', 'dns-01', 'tls-sni-02'], type='str'),
|
|
|
|
challenge=dict(required=False, default='http-01', choices=['http-01', 'dns-01'], type='str'),
|
|
|
|
csr=dict(required=True, aliases=['src'], type='path'),
|
|
|
|
csr=dict(required=True, aliases=['src'], type='path'),
|
|
|
|
data=dict(required=False, default=None, type='dict'),
|
|
|
|
data=dict(required=False, default=None, type='dict'),
|
|
|
|
dest=dict(aliases=['cert'], type='path'),
|
|
|
|
dest=dict(aliases=['cert'], type='path'),
|
|
|
|
|
Felix Fontein
6 years ago
committed by