
Supports check of wildcard certs #60

Merged 1 commit, Sep 28, 2018

Conversation

@michaelpporter (Contributor)

Adds support to check for wildcard certs to not re-make them on subsequent runs

@geerlingguy (Owner)

Nice! And if you don't mind my asking, are you able to request/create wildcard certs with this role as well? (Or do you use a different mechanism for the initial generation?)

Reference: https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579

I need to do a wildcard at some point for one of my services, I just haven't gotten around to doing it yet and I don't know if there are any changes to this role that could make it simpler. I'll definitely merge this when I get a chance though!

@michaelpporter (Contributor, Author) commented Sep 24, 2018

Yes and no. To use certbot for wildcards you need to install the DNS Plugins.

I built a playbook for Cloudflare and have an article on the setup: Creating A Let’s Encrypt Wildcard Cert With Ansible.

```yaml
# Defaults for Cloudflare
certbot_cloudflare_email: "cloudflare@example.com"
# Your Global API Key from your account
# ansible-vault encrypt_string 'cloudflareAPIKey' --name 'certbot_cloudflare_api_key'
certbot_cloudflare_api_key: ''
# No services need to be stopped: the DNS challenge does not bind port 80/443
certbot_create_standalone_stop_services: []
certbot_create_if_missing: yes

# Required vars, change `--dns-cloudflare` to the needed plugin.
# Overrides the role's default create command so certbot uses the DNS plugin
# instead of the HTTP challenge.
certbot_create_command: "certbot certonly --noninteractive --dns-cloudflare --agree-tos --email {{ cert_item.email | default(certbot_admin_email) }} -d {{ cert_item.domains | join(',') }}"
certbot_create_method: standalone
# The DNS plugins are built from the certbot source tree, so install from source
certbot_install_from_source: yes
certbot_repo: https://github.com/certbot/certbot.git
certbot_version: master
certbot_keep_updated: yes
```

The steps are:

  1. Add your wildcard domain to the DNS with the IP from the server. I do this manually, though we might be able to use Ansible to create the domain in Cloudflare, Route 53 or DigitalOcean.
  2. Install the required Python packages.
  3. Run geerlingguy.pip.
  4. Run geerlingguy.certbot with certbot_install_from_source: yes and certbot_certs: [].
  5. Install the needed DNS plugin: cd {{certbot_dir}}/certbot-dns-cloudflare && python setup.py install
  6. Create the ini settings.
  7. Run geerlingguy.certbot with certbot_certs: domain: *.[optional subdomain].example.com
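
The helper logic behind steps 6 and 7, as an added example that is not code from the geerlingguy.certbot role, from this PR, or from the comment author: a POSIX shell fragment that derives the lineage directory certbot will use for a wildcard request, checks whether a usable cert is already there (the "don't re-make it on subsequent runs" check this PR is about), writes the Cloudflare plugin credentials file with owner-only permissions, and prints the certonly command that would be run. It assumes certbot names the lineage after the first -d domain with any leading "*." removed (so *.example.com lands in live/example.com/), and introduces CERTBOT_LIVE_DIR as an override so the functions can be exercised against a constructed directory instead of a real /etc/letsencrypt. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the geerlingguy.certbot role or this PR).
# Assumption: certbot stores a lineage under $CERTBOT_LIVE_DIR/<name>/ where
# <name> is the first -d domain with a leading "*." stripped.
# CERTBOT_LIVE_DIR is an override introduced here for testing.

: "${CERTBOT_LIVE_DIR:=/etc/letsencrypt/live}"

# certbot_lineage_name DOMAINS
#   DOMAINS is the comma-separated list passed to `certbot -d`; prints the
#   lineage directory name certbot derives from it.
certbot_lineage_name() {
    first=${1%%,*}        # the first domain decides the lineage name
    first=${first#\*.}    # drop the wildcard prefix, as certbot does
    printf '%s\n' "$first"
}

# certbot_cert_path DOMAINS -> path of fullchain.pem for that lineage
certbot_cert_path() {
    printf '%s/%s/fullchain.pem\n' "$CERTBOT_LIVE_DIR" "$(certbot_lineage_name "$1")"
}

# certbot_cert_exists DOMAINS -> exit 0 when a non-empty cert file is present
certbot_cert_exists() {
    [ -s "$(certbot_cert_path "$1")" ]
}

# certbot_cert_expiring PATH DAYS -> exit 0 when the cert expires within DAYS
#   Uses openssl's -checkend. A missing or unparsable file (or no openssl at
#   all) counts as "expiring" so the caller falls back to re-issuing.
certbot_cert_expiring() {
    [ -s "$1" ] || return 0
    ! openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1"
}

# certbot_write_cloudflare_ini FILE EMAIL API_KEY
#   Writes the credentials file the dns-cloudflare plugin reads. The value is
#   a Global API Key, so the file is created owner-readable only; certbot
#   refuses credentials files that other users can read.
certbot_write_cloudflare_ini() {
    ( umask 077 && printf 'dns_cloudflare_email = %s\ndns_cloudflare_api_key = %s\n' "$2" "$3" > "$1" )
}

# certbot_create_command DOMAINS EMAIL INI
#   Prints (does not run) the certonly invocation for a DNS-01 wildcard
#   request through the Cloudflare plugin.
certbot_create_command() {
    printf 'certbot certonly --noninteractive --agree-tos --dns-cloudflare --dns-cloudflare-credentials %s --email %s -d %s\n' "$3" "$2" "$1"
}

# certbot_plan DOMAINS EMAIL INI RENEW_DAYS
#   Prints "skip" when a cert exists and is not about to expire, otherwise
#   the command that would (re)issue it.
certbot_plan() {
    if certbot_cert_exists "$1" && ! certbot_cert_expiring "$(certbot_cert_path "$1")" "$4"; then
        echo skip
    else
        certbot_create_command "$1" "$2" "$3"
    fi
}
```

In a playbook the equivalent of certbot_plan is the creates: argument on the command task: point it at the path certbot_cert_path computes, not at a directory named after the literal "*.example.com", or the task will run certbot on every play and burn through Let's Encrypt rate limits.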

@michaelpporter (Contributor, Author)

P.S. After building the playbook for Cloudflare, I think it would be better to make one for each of the services. Each service has a distinct plugin and settings file. I could also change /etc/letsencrypt/cli.ini to a base template then use lineinfile to add multiple services based on vars.

The issue I have is how to test them if you are not using them yourself?

@geerlingguy (Owner) commented Sep 28, 2018

@michaelpporter - Hmm, that sounds a little more involved, and might just be a matter of documentation (especially since, as you say, I wouldn't be able to test them all since I don't use them all myself, and Travis CI couldn't do it either!).

Would you consider writing a blog post (or series of posts) on how you use this role in your wildcard playbooks, and I can link to it under a new 'Wildcard Certificates' section in the README? That might be a more reasonable approach, maintenance-wise.

@geerlingguy geerlingguy merged commit d8beca4 into geerlingguy:master Sep 28, 2018
@geerlingguy (Owner)

@michaelpporter - I added a section in the README, and would love to make it better for others who wish to request wildcard certs (heck, I may need to at some point for one of my projects!). See commit: a2348fd

@michaelpporter (Contributor, Author)

@geerlingguy I agree, easier is a goal.

I followed the links, and ACME Client Implementations mentions the Ansible acme_certificate module. I will do some testing. I found an article, Wildcard LetsEncrypt renewal with Ansible and Memset, that could serve as a guide.

@michaelpporter (Contributor, Author)

@geerlingguy I have a blog post about the process Creating A Let’s Encrypt Wildcard Cert With Ansible
