About two years ago I blogged about how to create and renew Let’s Encrypt certificates using Ansible. Back then, the “letsencrypt” module was State of the Art. This changed, and with all the Let’s Encrypt API changes, the Ansible module changed quite a lot, and is now “acme_certificate”. ACME stands for: Automatic Certificate Management Environment, and is the idea that every step along the way of creating and renewing certificates should be automated. No more manual creation of CSR (Certificate Signing Request), sending them per mail or manually uploading them to a CA website, enter your credit card details, and at some point get a mail back with the new signed certificate. All of this (except the credit card - you no longer need one) can be automated, and handled in a matter of seconds.
Time to write an updated blog post for the new module.
Besides the obvious change in the module name, a couple other things changed as well. Let’s Encrypt bumped their API version to v2, and it is no longer possible to create new certificates for websites using the old v1 API. It is however - for the time being - possible to renew certificates. If you are still use the v1 API: now it’s a good time to update to v2. Let’s Encrypt is sending out reminders to the email addresses which still use the v1 API.
So, what changed? For starters, I added a step which verifies beforehand if a certificate must be renewed. That’s documented here. Using this, I don’t need to run through the entire Playbook, and can decide beforehand if a certificate is still OK or needs to be renewed. That saves quite a bit of time.
create challenge step is now using the
acme_certificate module, and a couple different parameters:
The new parameter is:
terms_agreed: yes. The following parameters changed:
create certificate step also changed slightly:
Here as well the
terms_agreed: yes parameter is new, otherwise the same variables are used as in the
create challenge step.
That’s it. All the other Playbook code is still the same as in the previous blog post. After about 90 days, all your certificates are on API v2.