system-config

System configuration for OpenStack Infrastructure

History

Ian Wienand 733122f0df Use handlers for letsencrypt cert updates This change proposes calling a handler each time a certificate is created/updated. The handler name is based on the name of the certificate given in the letsencrypt_certs variable, as described in the role documentation. Because Ansible considers calling a handler with no listeners an error this means each letsencrypt user will need to provide a handler. One simple option illustrated here is just to produce a stamp file. This can facilitate cross-playbook and even cross-orchestration-tool communication. For example, puppet or other ansible playbooks can detect this stamp file and schedule their reloads, etc. then remove the stamp file. It is conceivable more complex listeners could be setup via other roles, etc. should the need arise. A test is added to make sure the stamp file is created for the letsencrypt test hosts, which are always generating a new certificate in the gate test. Change-Id: I4e0609c4751643d6e0c8d9eaa38f184e0ce5452e		7 months ago
..
defaults	letsencrypt: split staging and self-signed generation	7 months ago
tasks	letsencrypt: split staging and self-signed generation	7 months ago
README.rst	Use handlers for letsencrypt cert updates	6 months ago

Request certificates from letsencrypt

The role requests certificates (or renews expiring certificates, which is fundamentally the same thing) from letsencrypt for a host. This requires the acme.sh tool and driver which should have been installed by the letsencrypt-acme-sh-install role.

This role does not create the certificates. It will request the certificates from letsencrypt and populate the authentication data into the acme_txt_required variable. These values need to be installed and activated on the DNS server by the letsencrypt-install-txt-record role; the letsencrypt-create-certs will then finish the certificate provision process.

Role Variables

README.rst