Ansible playbook certificate renewal testing

I am using an Ansible playbook to generate a Let's Encrypt certificate. The certificate is properly generated using staging mode.

Below are the ansible playbook steps:

TASK [Generate a Let's Encrypt account key] ***********************************************************************************************
changed: [idp.bbsul.edu.pk]

TASK [Generate Let's Encrypt private key] *************************************************************************************************
changed: [idp.bbsul.edu.pk]

TASK [Generate Let's Encrypt CSR] *********************************************************************************************************
changed: [idp.bbsul.edu.pk]

TASK [Begin Let's Encrypt challenges] *****************************************************************************************************
changed: [idp.bbsul.edu.pk]

TASK [Create .well-known/acme-challenge directory] ****************************************************************************************
ok: [idp.bbsul.edu.pk]

TASK [Implement http-01 challenge files] **************************************************************************************************
changed: [idp.bbsul.edu.pk] => (item={'key': 'idp.bbsul.edu.pk', 'value': {'http-01': {'resource': '.well-known/acme-challenge/-hdQ4UKMI7oKyJZbO74n34wKW6HqsDfBRxKcHqKsTuA', 'resource_value': '-hdQ4UKMI7oKyJZbO74n34wKW6HqsDfBRxKcHqKsTuA.uqbHjf8YMC2sGlcnMFRRZiMEdM7L_M4sxndwaIX05tI'}, 'dns-01': {'resource': '_acme-challenge', 'resource_value': 'asJ54_0MKXyAmTgd-lrTajEwndwlyKTaN17bK8J3LcU', 'record': '_acme-challenge.idp.bbsul.edu.pk'}, 'tls-alpn-01': {'resource': 'idp.bbsul.edu.pk', 'resource_original': 'dns:idp.bbsul.edu.pk', 'resource_value': 'asJ54/0MKXyAmTgd+lrTajEwndwlyKTaN17bK8J3LcU='}}})

TASK [Complete Let's Encrypt challenges] **************************************************************************************************
changed: [idp.bbsul.edu.pk]

Now I want to test the renewal procedure. If I run the playbook again, Ansible SKIPPED the TASK [Implement http-01 challenge files] step. No challenge file is created and no certificate is generated either. If I delete the CSR, key and crt from the /etc/letsencrypt path, then it works and a new cert is generated.

Is it because the certificate is still valid and no renewal is required, so it skipped the TASK [Implement http-01 challenge files] task?

I want to make sure that after the expiration days a new certificate will be created. Is it possible to generate a cert with a limited expiry time, so I can test whether the playbook will generate a new cert or not? I cannot find any --dry-run feature in Ansible.

Reading the Ansible module docs, it looks like you'll probably want to use a combination of force and deactivate_authzs.

Make sure to only use force when using the staging server.

2 Likes

I used force: true and new certificate files are generated when playing the playbook.

Does it mean that it will also work when the certificate has expired?

If the certificate expires in less than 30 days, it will be renewed even if you do not force it (usually, I don't know about ansible).

If you force a renewal, you only get 5 runs per week.

1 Like
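The two replies above (use force together with deactivate_authzs, and rely on the module renewing once fewer than 30 days remain) translate into the following staging-only test playbook. This is an added example, not the poster's playbook or anything from the Ansible project; the file paths, the webroot, the variable name force_renewal and the task layout are assumptions, while the module parameters (acme_directory, remaining_days, force, deactivate_authzs, data) and the cert_days return value are documented parameters of community.crypto.acme_certificate.

```yaml
# Added example: renewal test against the Let's Encrypt staging CA.
# Paths, webroot and the force_renewal variable are assumed placeholders.
- name: Test Let's Encrypt renewal against the staging CA
  hosts: idp.bbsul.edu.pk
  vars:
    le_dir: /etc/letsencrypt            # assumed layout for key/CSR/cert
    domain: idp.bbsul.edu.pk
    webroot: /var/www/html              # assumed http-01 webroot
    # Simulate an expiring certificate without waiting for it:
    #   ansible-playbook renew-test.yml -e force_renewal=true
    force_renewal: false
    staging_directory: https://acme-staging-v02.api.letsencrypt.org/directory
  tasks:
    - name: Begin Let's Encrypt challenges
      community.crypto.acme_certificate:
        acme_directory: "{{ staging_directory }}"
        acme_version: 2
        terms_agreed: true
        account_key_src: "{{ le_dir }}/account.key"
        csr: "{{ le_dir }}/{{ domain }}.csr"
        dest: "{{ le_dir }}/{{ domain }}.crt"
        fullchain_dest: "{{ le_dir }}/{{ domain }}-fullchain.crt"
        challenge: http-01
        # Renew only when fewer than 30 days remain. Otherwise the task
        # reports "ok" and every challenge task below is skipped, which is
        # exactly what the second playbook run in the question showed.
        remaining_days: 30
        # force ignores remaining_days; keep it pointed at staging only.
        force: "{{ force_renewal | bool }}"
        # Drop still-valid authorizations so the http-01 file is really
        # requested again instead of being satisfied from the CA's cache.
        deactivate_authzs: true
      register: le_challenge

    - name: Create .well-known/acme-challenge directory
      ansible.builtin.file:
        path: "{{ webroot }}/.well-known/acme-challenge"
        state: directory
        mode: "0755"
      when: le_challenge is changed

    - name: Implement http-01 challenge files
      ansible.builtin.copy:
        dest: "{{ webroot }}/{{ item.value['http-01']['resource'] }}"
        content: "{{ item.value['http-01']['resource_value'] }}"
        mode: "0644"
      loop: "{{ le_challenge.challenge_data | dict2items }}"
      when: le_challenge is changed

    - name: Complete Let's Encrypt challenges
      community.crypto.acme_certificate:
        acme_directory: "{{ staging_directory }}"
        acme_version: 2
        terms_agreed: true
        account_key_src: "{{ le_dir }}/account.key"
        csr: "{{ le_dir }}/{{ domain }}.csr"
        dest: "{{ le_dir }}/{{ domain }}.crt"
        fullchain_dest: "{{ le_dir }}/{{ domain }}-fullchain.crt"
        challenge: http-01
        remaining_days: 30
        force: "{{ force_renewal | bool }}"
        deactivate_authzs: true
        # Hand back the registered result so the module finalizes the order.
        data: "{{ le_challenge }}"
      when: le_challenge is changed

    - name: Show how many days the current certificate remains valid
      ansible.builtin.debug:
        msg: "{{ domain }}: {{ le_challenge.cert_days }} days of validity left"
```

Running the playbook twice with force_renewal left at false reproduces the "skipped" behaviour from the question and prints the remaining validity; running it once more with -e force_renewal=true exercises the full challenge path the way an actual renewal would, without deleting anything under /etc/letsencrypt. Because the forced run consumes one of the duplicate-certificate slots mentioned in the reply above, keep acme_directory on the staging endpoint for these tests.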

Yes, it should work; the staging and production LE systems are supposed to be very similar.

1 Like
