ACME certificates from the InCommon/Sectigo CA with Ansible


I am really struggling to find a working Ansible playbook that uses the ACME protocol with InCommon/Sectigo external account binding (EAB) and the "no challenge" option. Many sites (including the vendor) say it works, but none provide a working example.

From the Ansible documentation:

So far the ACME modules have only been tested by the developers against Let's Encrypt, Buypass, ZeroSSL and the Pebble test server. We have received community feedback that they also work with the Sectigo ACME Service for InCommon. If you experience problems with another ACME server...

Here are some pages (which I am trying to use/understand):

Has anyone successfully used an Ansible playbook with the community.crypto.acme* modules to interact with the Sectigo/InCommon ACME service, submit a CSR and generate an SSL certificate?

My current roadblock is incorporating the InCommon/Sectigo external account binding (EAB). I cannot use "external_account_binding" in the "community.crypto.acme_certificate" call; it just reports that the given parameter is invalid:

 "msg": "Unsupported parameters for (community.crypto.acme_certificate) module: external_account_binding. Supported parameters include: account_email, account_key_content, account_key_passphrase, account_key_src, account_uri, acme_directory, acme_version, agreement, chain_dest, challenge, csr, csr_content, data, deactivate_authzs, dest, force, fullchain_dest, modify_account, remaining_days, request_timeout, retrieve_all_alternates, select_chain, select_crypto_backend, terms_agreed, validate_certs (account_key, cert, chain, fullchain, src).", 

The only module that supports EAB is "community.crypto.acme_account".

In that module it refers to "account_key_content", which is the "Content of the ACME account RSA or Elliptic Curve key." Where do I find that? It is nowhere in the Sectigo GUI for the ACME account, and I cannot find anything explaining what it is, where to find it, or how to compute it. In the code below I just give it the private key of the certificate I am trying to generate... but I know that is wrong, and of course it tells me so:

TASK [Get Account URI] *********************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Account does not exist or is deactivated.", "other": {}}

Here is my non-working code:

- name: Get Account URI
  community.crypto.acme_account:
    account_key_content: "{{ cert_privatekey }}"
    acme_directory: "{{ acme_url }}"
    acme_version: "{{ acme_version }}"
    allow_creation: false
    state: present
    external_account_binding:
      alg: HS256
      key: "{{ acme_hmac_key }}"
      kid: "{{ acme_account_id }}"
  register: the_account_uri

# DEBUG: Output the_account_uri?
- name: Output the_account_uri?
  ansible.builtin.debug:
    msg: "{{ the_account_uri }}"


- name: Create a challenge for sample.com using a account key file
  community.crypto.acme_certificate:
    account_key_content: "{{ cert_privatekey }}"
    csr_content: "{{ cert_csr }}"
    account_email: "{{ acme_account_email }}"
    acme_version: "{{ acme_version }}"
    acme_directory: "{{ acme_url }}"
    remaining_days: "{{ cert_term_length }}"
    dest: "/var/tmp/{{ cert_filename }}"
    challenge: no challenge
  register: acme_no_challenge
  no_log: false

# DEBUG: Output challenge?
- name: Output challenge?
  ansible.builtin.debug:
    msg: "{{ acme_no_challenge }}"

- name: Retrieve the cert and intermediate certificate
  community.crypto.acme_certificate:
    account_key_content: "{{ cert_privatekey }}"
    csr_content: "{{ cert_csr }}"
    account_email: "{{ acme_account_email }}"
    acme_version: "{{ acme_version }}"
    challenge: no challenge
    data: "{{ acme_no_challenge }}"
    acme_directory: "{{ acme_url }}"
    remaining_days: "{{ cert_term_length }}"
    dest: "/var/tmp/{{ cert_filename }}"
    chain_dest: "{{ chain_filename }}"
    fullchain_dest: "{{ full_chain_filename }}"
  when: acme_no_challenge is changed
  no_log: false

I have successfully implemented ACME certificate renewal via Ansible. Over time, with help from many different people and a lot of Google-fu, I finally worked it out.

Breakdown: create a private/public key pair. You first need to call acme_account and register the private key using the Sectigo EAB credentials. Once the private key is registered, you can call acme_certificate with the account_key (the private key) and all the other relevant certificate-generation parameters. Generate the certificate, then go on to save it or install it with other plays/statements.

Working code:

    - name: Perform Sectigo EAB with private key, get acct URI
      community.crypto.acme_account:
        account_key_content: "{{ acct_privatekey }}"
        acme_directory: "{{ acme_url }}"
        state: present
        terms_agreed: true
        acme_version: "{{ acme_version }}"
        contact:
          - "mailto:{{ cert_group_email }}"
        external_account_binding:
          alg: HS256
          key: "{{ acme_hmac_key }}"
          kid: "{{ acme_account_id }}"
      register: acct_registration

    # DEBUG: Output the_account_uri?
    - name: Output the_account_uri?
      ansible.builtin.debug:
        msg: "{{ acct_registration }}"

    - name: Setup the account "no challenge" using account private key
      community.crypto.acme_certificate:
        account_key_content: "{{ acct_privatekey }}"
        csr_content: "{{ cert_csr }}"
        account_email: "{{ acme_account_email }}"
        acme_version: "{{ acme_version }}"
        account_uri: "{{ acct_registration.account_uri }}"
        acme_directory: "{{ acme_url }}"
        remaining_days: "{{ cert_term_length }}"
        dest: "/var/tmp/{{ cert_filename }}"
        terms_agreed: true
        validate_certs: true
        challenge: no challenge
      register: acme_no_challenge
      no_log: false

    # DEBUG: Output challenge?
    - name: Output challenge?
      ansible.builtin.debug:
        msg: "{{ acme_no_challenge }}"

    - name: Retrieve the cert and intermediate certificate
      community.crypto.acme_certificate:
        account_key_content: "{{ acct_privatekey }}"
        csr_content: "{{ cert_csr }}"
        account_email: "{{ acme_account_email }}"
        acme_version: "{{ acme_version }}"
        challenge: no challenge
        data: "{{ acme_no_challenge }}"
        account_uri: "{{ acct_registration.account_uri }}"
        acme_directory: "{{ acme_url }}"
        remaining_days: "{{ cert_term_length }}"
        dest: "/var/tmp/{{ cert_filename }}"
        chain_dest: "{{ chain_filename }}"
        fullchain_dest: "{{ full_chain_filename }}"
      when: acme_no_challenge is changed
      no_log: false
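What the EAB in the working code actually does, as an added example (Python, not code from the question, the answer, or community.crypto): the account key is a key pair you generate yourself (the answer's acct_privatekey, for instance with community.crypto.openssl_privatekey), and the Sectigo-issued kid and HMAC key only sign its public JWK into the one-time newAccount request, which is why every later acme_certificate call just reuses account_uri. The JWK, kid, HMAC key and newAccount URL below are constructed placeholders, not Sectigo values.

```python
import base64
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    """Base64url without padding, the JWS encoding from RFC 7515."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def decode_part(text: str) -> dict:
    """Decode one base64url JSON segment of a JWS back into a dict."""
    return json.loads(b64url_decode(text))

def _canonical(obj: dict) -> bytes:
    # Compact JSON with sorted keys so the signed bytes are reproducible.
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()

def build_eab(account_jwk: dict, kid: str, hmac_key_b64url: str, new_account_url: str) -> dict:
    """externalAccountBinding JWS (RFC 8555 section 7.3.4): the CA-issued HMAC key
    (hmac_key_b64url) and kid vouch for the public JWK of an account key you generated."""
    protected = {"alg": "HS256", "kid": kid, "url": new_account_url}
    protected_b64 = b64url(_canonical(protected))
    payload_b64 = b64url(_canonical(account_jwk))  # payload is the account key itself
    signing_input = f"{protected_b64}.{payload_b64}".encode("ascii")
    mac = hmac.new(b64url_decode(hmac_key_b64url), signing_input, hashlib.sha256).digest()
    return {"protected": protected_b64, "payload": payload_b64, "signature": b64url(mac)}

def verify_eab(eab: dict, hmac_key_b64url: str) -> bool:
    """Recompute the MAC as the CA does; True only if the binding is intact."""
    signing_input = f"{eab['protected']}.{eab['payload']}".encode("ascii")
    expected = hmac.new(b64url_decode(hmac_key_b64url), signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(eab["signature"]))

def new_account_body(account_jwk: dict, kid: str, hmac_key_b64url: str,
                     new_account_url: str, contact: list) -> dict:
    """newAccount payload sent once (what acme_account does); later calls reuse account_uri."""
    return {"termsOfServiceAgreed": True, "contact": contact,
            "externalAccountBinding": build_eab(account_jwk, kid, hmac_key_b64url, new_account_url)}

# Constructed sample values: not a real key and not real Sectigo EAB credentials.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32)}
SAMPLE_KID = "constructed-eab-kid"
SAMPLE_HMAC_KEY = b64url(b"constructed sample EAB HMAC key, not a real credential")
SAMPLE_NEW_ACCOUNT_URL = "https://acme.example/newAccount"  # placeholder, not Sectigo's URL
```

The HMAC key never signs certificate requests; it is only used here, once, so keeping it out of later tasks (as the answer's playbook does) is correct.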