I am really struggling to find a working Ansible playbook that uses the ACME protocol with InCommon/Sectigo external account binding (EAB) and the "no challenge" option. Lots of sites (including the vendor) say it works, but none of them provide a working example.
From the Ansible docs:
So far, the ACME modules have only been tested by the developers against Let's Encrypt, Buypass, ZeroSSL and the Pebble test server. We have received community feedback that they also work with Sectigo ACME Service for InCommon. If you experience problems with another ACME server...
Here are some pages (which I am trying to use/understand):
Has anyone successfully used an Ansible playbook with the community.crypto.acme* modules to interact with the Sectigo/InCommon ACME service, send a CSR and generate an SSL certificate?
My current blocker is incorporating the InCommon/Sectigo external account binding (EAB). I cannot use "external_account_binding" in the "community.crypto.acme_certificate" call; it just errors that the given parameter is invalid.
"msg": "Unsupported parameters for (community.crypto.acme_certificate) module: external_account_binding. Supported parameters include: account_email, account_key_content, account_key_passphrase, account_key_src, account_uri, acme_directory, acme_version, agreement, chain_dest, challenge, csr, csr_content, data, deactivate_authzs, dest, force, fullchain_dest, modify_account, remaining_days, request_timeout, retrieve_all_alternates, select_chain, select_crypto_backend, terms_agreed, validate_certs (account_key, cert, chain, fullchain, src).",
The only module that supports EAB is "community.crypto.acme_account".
In that module it refers to "account_key_content", which is described as "Content of the ACME account RSA or Elliptic Curve key." Where can I find this? It is not anywhere in the Sectigo GUI for the ACME account, and I cannot find anything that explains what it is, or where to find or compute it. In the code below I am just feeding it the private key of the certificate I am trying to generate.. but I know that is wrong, and of course it tells me so..
TASK [Get Account URI] *********************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Account does not exist or is deactivated.", "other": {}}
Here is my non-working code:
- name: Get Account URI
  community.crypto.acme_account:
    account_key_content: "{{ cert_privatekey }}"
    acme_directory: "{{ acme_url }}"
    acme_version: "{{ acme_version }}"
    allow_creation: false
    state: present
    external_account_binding:
      alg: HS256
      key: "{{ acme_hmac_key }}"
      kid: "{{ acme_account_id }}"
  register: the_account_uri

# DEBUG: Output the_account_uri?
- name: Output the_account_uri?
  ansible.builtin.debug:
    msg: "{{ the_account_uri }}"

- name: Create a challenge for sample.com using a account key file
  community.crypto.acme_certificate:
    account_key_content: "{{ cert_privatekey }}"
    csr_content: "{{ cert_csr }}"
    account_email: "{{ acme_account_email }}"
    acme_version: "{{ acme_version }}"
    acme_directory: "{{ acme_url }}"
    remaining_days: "{{ cert_term_length }}"
    dest: "/var/tmp/{{ cert_filename }}"
    challenge: no challenge
  register: acme_no_challenge
  no_log: false

# DEBUG: Output challenge?
- name: Output challenge?
  ansible.builtin.debug:
    msg: "{{ acme_no_challenge }}"

- name: Retrieve the cert and intermediate certificate
  community.crypto.acme_certificate:
    account_key_content: "{{ cert_privatekey }}"
    csr_content: "{{ cert_csr }}"
    account_email: "{{ acme_account_email }}"
    acme_version: "{{ acme_version }}"
    challenge: no challenge
    data: "{{ acme_no_challenge }}"
    acme_directory: "{{ acme_url }}"
    remaining_days: "{{ cert_term_length }}"
    dest: "/var/tmp/{{ cert_filename }}"
    chain_dest: "{{ chain_filename }}"
    fullchain_dest: "{{ full_chain_filename }}"
  when: acme_no_challenge is changed
  no_log: false
I have successfully implemented ACME certificate renewal through Ansible. Over time, with help from a lot of different people and a good deal of Google-fu, I finally figured it out.
Breakdown:
Create a private/public key pair.
You first need to call acme_account and register the private key using the Sectigo EAB credentials.
Once the private key is registered, you can call acme_certificate with the account_key (the private key) and all the other relevant certificate-generation parameters.
Generate the certificate, then go on to save it or install it with other playbook plays/statements.
Working code:
- name: Perform Sectigo EAB with private key, get acct URI
  community.crypto.acme_account:
    account_key_content: "{{ acct_privatekey }}"
    acme_directory: "{{ acme_url }}"
    state: present
    terms_agreed: true
    acme_version: "{{ acme_version }}"
    contact:
      - "mailto:{{ cert_group_email }}"
    external_account_binding:
      alg: HS256
      key: "{{ acme_hmac_key }}"
      kid: "{{ acme_account_id }}"
  register: acct_registration

# DEBUG: Output the_account_uri?
- name: Output the_account_uri?
  ansible.builtin.debug:
    msg: "{{ acct_registration }}"

- name: Setup the account "no challenge" using account private key
  community.crypto.acme_certificate:
    account_key_content: "{{ acct_privatekey }}"
    csr_content: "{{ cert_csr }}"
    account_email: "{{ acme_account_email }}"
    acme_version: "{{ acme_version }}"
    account_uri: "{{ acct_registration.account_uri }}"
    acme_directory: "{{ acme_url }}"
    remaining_days: "{{ cert_term_length }}"
    dest: "/var/tmp/{{ cert_filename }}"
    terms_agreed: true
    validate_certs: true
    challenge: no challenge
  register: acme_no_challenge
  no_log: false

# DEBUG: Output challenge?
- name: Output challenge?
  ansible.builtin.debug:
    msg: "{{ acme_no_challenge }}"

- name: Retrieve the cert and intermediate certificate
  community.crypto.acme_certificate:
    account_key_content: "{{ acct_privatekey }}"
    csr_content: "{{ cert_csr }}"
    account_email: "{{ acme_account_email }}"
    acme_version: "{{ acme_version }}"
    challenge: no challenge
    data: "{{ acme_no_challenge }}"
    account_uri: "{{ acct_registration.account_uri }}"
    acme_directory: "{{ acme_url }}"
    remaining_days: "{{ cert_term_length }}"
    dest: "/var/tmp/{{ cert_filename }}"
    chain_dest: "{{ chain_filename }}"
    fullchain_dest: "{{ full_chain_filename }}"
  when: acme_no_challenge is changed
  no_log: false
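To make the answer's first step concrete (why a separate account key is registered once with the EAB credentials, and what the alg/key/kid values in external_account_binding are actually used for), here is an added example that is not part of the original question or answer and not code from the community.crypto collection. It builds the external account binding object that an ACME client places inside its newAccount request, following the RFC 8739 construction: the payload is the account key's public JWK, the protected header carries HS256, the CA-issued key id and the newAccount URL, and the signature is an HMAC-SHA256 under the CA-issued key. All values below are constructed placeholders: the JWK coordinates are not a real P-256 point, and the kid, HMAC key and URL are not real Sectigo credentials or endpoints. It uses only the Python standard library so it runs offline.

```python
"""Added example: build and verify an ACME external account binding (EAB) JWS.

Not code from the original post or from community.crypto. Assumes the
RFC 8739 EAB construction. Every key, kid and URL here is a constructed
placeholder, not a real credential or endpoint.
"""
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JOSE/ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url; restores the padding that was stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# CONSTRUCTED stand-ins for acme_account_id / acme_hmac_key / the newAccount URL.
# A CA hands out the EAB HMAC key already base64url-encoded, as simulated here.
SAMPLE_EAB_KID = "eab-kid-placeholder"
SAMPLE_EAB_HMAC_KEY = b64url(b"constructed-hmac-key-for-example-only")
NEW_ACCOUNT_URL = "https://acme.example.test/newAccount"

# CONSTRUCTED public JWK standing in for the public half of acct_privatekey.
# The x/y coordinates are placeholder bytes, not a valid P-256 point.
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(b"\x01" * 32),
    "y": b64url(b"\x02" * 32),
}


def build_eab_jws(account_jwk: dict, eab_kid: str, eab_hmac_key_b64: str,
                  new_account_url: str) -> dict:
    """Return the externalAccountBinding JWS object (RFC 8739 section 3).

    The payload is the ACME account's *public* JWK; the signature is
    HMAC-SHA256 keyed with the CA-issued EAB key. Neither the account
    private key nor the EAB key itself is ever sent to the CA.
    """
    protected = {"alg": "HS256", "kid": eab_kid, "url": new_account_url}
    protected_b64 = b64url(json.dumps(protected, separators=(",", ":")).encode())
    payload_b64 = b64url(json.dumps(account_jwk, separators=(",", ":")).encode())
    signing_input = f"{protected_b64}.{payload_b64}".encode("ascii")
    key = b64url_decode(eab_hmac_key_b64)
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return {"protected": protected_b64, "payload": payload_b64,
            "signature": b64url(signature)}


def verify_eab_jws(eab: dict, eab_hmac_key_b64: str, expected_kid: str,
                   expected_url: str) -> bool:
    """Recompute the HMAC the way the CA does; reject a wrong key, kid or URL."""
    protected = json.loads(b64url_decode(eab["protected"]))
    if (protected.get("alg") != "HS256" or protected.get("kid") != expected_kid
            or protected.get("url") != expected_url):
        return False
    signing_input = f"{eab['protected']}.{eab['payload']}".encode("ascii")
    expected = hmac.new(b64url_decode(eab_hmac_key_b64), signing_input,
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(eab["signature"]))


def decode_eab_payload(eab: dict) -> dict:
    """Return the account JWK carried in the EAB payload."""
    return json.loads(b64url_decode(eab["payload"]))


def new_account_payload(account_jwk: dict, eab: dict, contact_email: str) -> dict:
    """The newAccount body that the client then signs with the account key.

    This is the one request that carries the EAB; later requests (such as
    the acme_certificate calls in the answer) identify the account by its
    account_uri and account key only.
    """
    return {
        "termsOfServiceAgreed": True,
        "contact": [f"mailto:{contact_email}"],
        "externalAccountBinding": eab,
    }


if __name__ == "__main__":
    eab = build_eab_jws(SAMPLE_ACCOUNT_JWK, SAMPLE_EAB_KID,
                        SAMPLE_EAB_HMAC_KEY, NEW_ACCOUNT_URL)
    body = new_account_payload(SAMPLE_ACCOUNT_JWK, eab, "certs@example.test")
    print(json.dumps(body, indent=2))
    print("EAB verifies:",
          verify_eab_jws(eab, SAMPLE_EAB_HMAC_KEY, SAMPLE_EAB_KID, NEW_ACCOUNT_URL))
```

The design point this illustrates for the playbook: account_key_content is a key you generate yourself (an RSA or EC private key kept only on the Ansible side), the EAB key and kid from the CA are used once to bind that key's public half to your CA account during acme_account, and afterwards the HMAC key plays no part in certificate issuance, which is why the answer's acme_certificate tasks pass only acct_privatekey and account_uri.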