我想使用 ansible 处理 nginx let's encrypt certifs 的更新。所以我尝试使用模块 acme_certificate 和 acme_account。我很难理解如何创建 acme 帐户。在 ansible 文档的示例中,我看到 4096 位 rsa 密钥足以创建密钥,但我认为这是针对 acme v1 的。这是我在剧本中得到的内容:
- name: "Generate Let's Encrypt private key"
openssl_privatekey:
path: "{{ letsencrypt_account_key }}"
state: present
- name: "Create acme account key"
acme_account:
account_key_src: "{{ letsencrypt_account_key }}"
state: present
terms_agreed: yes
acme_version: 2
contact:
- "mailto:{{ acme_email }}"
显然我遇到了一个错误:
TASK [Create acme account key] ***************************************************************************************************************************************************
fatal: [kb2front1]: FAILED! => {"changed": false, "msg": "error while parsing account key: error while loading key: Could not deserialize key data.", "other": {}}
当我检查 certbot 创建的帐户时,我注意到了 json 文件,但我不知道它们的生成方式。有没有人已经成功使用此 acme_account 和 acme_certificate 来处理 let's encrypt certif?
谢谢,
费萨尔
答案1
我遇到了同样的问题,直到我发现了你的问题,感谢你,我才明白我错过了密钥生成步骤(openssl_privatekey)。我刚刚添加了这个步骤,错误消息就消失了;)
这是我在我的角色中所拥有的:
- name: "Generate Let's Encrypt private key"
openssl_privatekey:
path: "{{ role_path + '/files/key/le-account.key' }}"
state: present
delegate_to: localhost
- name: Make sure account exists and has given contacts. We agree to TOS.
acme_account:
account_key_src: "{{ role_path + '/files/key/le-account.key' }}"
state: present
terms_agreed: yes
acme_version: 2
acme_directory: https://acme-v02.api.letsencrypt.org/directory
contact:
- mailto:[email protected]
- mailto:[email protected]
delegate_to: localhost
become: no
对于您的问题,您是否检查过{{ letsencrypt_account_key }}文件内容?当我的文件为空时,我收到了您给出的错误消息。
您也可以尝试自己生成密钥,文档状态RSA keys can be created with openssl genrsa .... Elliptic curve keys can be created with openssl ecparam -genkey .... Any other tool creating private keys in PEM format can be used as well.