Fix letsencrypt challenge, using different account privkey

2023-01-20 09:26:42 +01:00 · 2023-01-20 09:26:42 +01:00 · 68eb6e331d
commit 68eb6e331d
parent b918e48ca3
1 changed files with 13 additions and 8 deletions
--- a/roles/tunuifranken/tasks/letsencrypt.yml
+++ b/roles/tunuifranken/tasks/letsencrypt.yml
@ -21,11 +21,16 @@
    - {path: '/etc/letsencrypt/live', mode: '0700'}
    - {path: '/etc/letsencrypt/live/tunuifranken.info', mode: '0755'}

- name: Create privkey for letsencrypt
+- name: Create private key for account
+  become: true
+  community.crypto.openssl_privatekey_pipe:
+  register: account_privkey
+
+- name: Create private key for challenge
  become: true
  community.crypto.openssl_privatekey:
    path: /etc/letsencrypt/live/tunuifranken.info/privkey.pem
-  register: privkey
+  register: challenge_privkey

 - name: Create csr for letsencrypt
  become: true
@ -33,7 +38,7 @@
    privatekey_path: /etc/letsencrypt/live/tunuifranken.info/privkey.pem
    common_name: tunuifranken.info
  register: csr
-  changed_when: privkey is changed
+  changed_when: challenge_privkey is changed

 - name: Do http-01 challenge
  become: true
@ -43,7 +48,7 @@
      community.crypto.acme_certificate:
        acme_version: 2
        acme_directory: https://acme-v02.api.letsencrypt.org/directory
-        account_key_src: /etc/letsencrypt/live/tunuifranken.info/privkey.pem
+        account_key_content: "{{ account_privkey.privatekey }}"
        terms_agreed: true
        csr_content: "{{ csr.csr }}"
        challenge: http-01
@ -59,7 +64,7 @@
      community.crypto.acme_certificate:
        acme_version: 2
        acme_directory: https://acme-v02.api.letsencrypt.org/directory
-        account_key_src: /etc/letsencrypt/live/tunuifranken.info/privkey.pem
+        account_key_content: "{{ account_privkey.privatekey }}"
        csr_content: "{{ csr.csr }}"
        challenge: http-01
        fullchain_dest: /etc/letsencrypt/live/tunuifranken.info/fullchain.pem
@ -78,7 +83,7 @@
      community.crypto.acme_certificate:
        acme_version: 2
        acme_directory: https://acme-v02.api.letsencrypt.org/directory
-        account_key_src: /etc/letsencrypt/live/tunuifranken.info/privkey.pem
+        account_key_content: "{{ account_privkey.privatekey }}"
        terms_agreed: true
        csr_content: "{{ csr.csr }}"
        challenge: dns-01
@ -102,7 +107,7 @@
      community.crypto.acme_certificate:
        acme_version: 2
        acme_directory: https://acme-v02.api.letsencrypt.org/directory
-        account_key_src: /etc/letsencrypt/live/tunuifranken.info/privkey.pem
+        account_key_content: "{{ account_privkey.privatekey }}"
        csr_content: "{{ csr.csr }}"
        challenge: dns-01
        fullchain_dest: /etc/letsencrypt/live/tunuifranken.info/fullchain.pem
@ -112,6 +117,6 @@
      community.general.gandi_livedns:
        api_key: "{{ gandi_livedns_api_key }}"
        domain: tunuifranken.info
-        record: "{{ letsencrypt_challenge.challenge_data['tunuifranken.info']['dns-01'].record }}"
+        record: "{{ letsencrypt_challenge.challenge_data['tunuifranken.info']['dns-01'].resource }}"
        type: TXT
        state: absent