This role obtains HTTPS certificates using the ACME protocol from Let's Encrypt, the utility, and the DNS-01 challenge.
| Name | Required | Example | Description |
|---|---|---|---|
| `acme_batch` | no | `<list>` | Supply the parameters below as a list, see examples. |
| `domain` | yes | | Domain to obtain certificates for. |
| `provider` | yes | `cf` | DNS provider to use. See How to use DNS API for details. E.g. if the command is `--dns dns_cf`, then this argument should be `cf`. |
| `credential` | yes | See in Examples | Dictionary holding all your `export ...` variables, as explained on the above link. |
| `wildcard` | no | `true` | If `true`, obtains not only the base certificate, but the wildcard certificate too, via SAN, i.e. the certificate is also valid for the `*.` wildcard name of the domain. Defaults to `false`. |
| `cronjob` | no | `true` | If `true`, deploys a cronjob to automatically renew the certificate every month. Defaults to `false`. |
| `staging` | no | `true` | If `true`, uses the staging servers instead of production. Use for testing. Defaults to `false`. |
| `sleep` | no | `60` | Wait this many seconds for DNS updates to propagate. Defaults to `20`. |
| `min_days` | no | `45` | If the certificate already exists and expires sooner than this many days, renew it. Defaults to `60`. Since Let's Encrypt certs are valid for 90 days, a value of 60 triggers a renewal if the cert is older than 30 days. This also means that you can effectively disable the renewal by setting this to `0`. Nevertheless, it's useful to leave it on, since it tests whether consecutive renewals in the future will work or not. |
| `reload_cmd` | no | `/sbin/nginx -s reload` | If specified and `cronjob` is `true`, this command is also added to the cronjob, and runs 1 hour after the renewal. Otherwise no reload command is run. |
```yaml
# Minimal usage: one domain, Cloudflare (cf) provider, authenticated with the
# global API key. The domain below is a placeholder; the credential keys are
# the "export ..." variables of the DNS API, supplied as the credential dict.
- include_role:
    name: noobient.acme
  vars:
    acme_batch:
      - domain: example.com   # placeholder domain
        provider: cf
        credential:
          CF_Key: 'asdf1234'
          CF_Email: '[email protected]'

# Full usage: scoped API token instead of the global key, wildcard SAN,
# monthly renewal cronjob with a reload command, and the staging servers
# while testing. All options live inside the acme_batch item.
- include_role:
    name: noobient.acme
  vars:
    acme_batch:
      - domain: example.com   # placeholder domain
        provider: cf
        credential:
          CF_Token: 'asdf1234'
          CF_Account_ID: 'qwer5678'
          CF_Zone_ID: 'zxcv3456'
        staging: true
        wildcard: true
        cronjob: true
        sleep: 60
        min_days: 45
        reload_cmd: /sbin/nginx -s reload
```
| Key | Type | Example | Description |
|---|---|---|---|
| `acme.changed` | boolean | `false` | `true` if `acme.cert_file` has been updated, `false` if not. |
| `acme.san` | list | `[*,]` | List of certificate Subject Alternative Names. |
| `acme.cert_file` | string | `/etc/` | Path to the deployed certificate. |
| `acme.key_file` | string | `/etc/` | Path to the deployed private key. |
| `acme.ca_file` | string | `/etc/` | Path to the deployed CA certificate. |
| `acme.fullchain_file` | string | `/etc/` | Path to the deployed full certificate chain (CA + own). |
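The return values above are what a playbook consumes after the role runs. The following playbook is an added example, not code from the role's README: it issues a certificate through `noobient.acme`, renders a web server config from the returned paths so nothing is hard-coded, and reloads nginx only when the role reports that the certificate actually changed. It assumes `example.com` as a placeholder domain, placeholder Cloudflare values, a `webservers` inventory group, and a hypothetical `templates/site.conf.j2` that reads the `tls_cert`, `tls_key` and `tls_names` variables.

```yaml
# Added example; not part of the noobient.acme README.
# Assumptions: example.com is a placeholder domain, the CF_* values are
# placeholders, and site.conf.j2 is a hypothetical template in the playbook's
# templates/ directory.
- hosts: webservers
  become: true
  tasks:
    - include_role:
        name: noobient.acme
      vars:
        acme_batch:
          - domain: example.com            # placeholder domain
            provider: cf
            credential:
              CF_Token: 'PLACEHOLDER_TOKEN'
              CF_Account_ID: 'PLACEHOLDER_ACCOUNT_ID'
              CF_Zone_ID: 'PLACEHOLDER_ZONE_ID'
            wildcard: true
            staging: true                  # drop this once the run works end to end
            min_days: 60

    # The role returns the deployed file paths and the SAN list, so the
    # server block is rendered from them instead of guessed paths.
    - name: Render the TLS server block from the role's return values
      template:
        src: site.conf.j2                  # hypothetical template
        dest: /etc/nginx/conf.d/site.conf
        mode: '0644'
      vars:
        tls_cert: "{{ acme.fullchain_file }}"
        tls_key: "{{ acme.key_file }}"
        tls_names: "{{ acme.san }}"
      notify: reload nginx

    # acme.changed is true only when acme.cert_file was (re)written, so a
    # no-op task flagged as changed on that condition triggers the reload
    # without reloading on every play.
    - name: Flag a reload when the certificate was renewed
      debug:
        msg: "Certificate {{ acme.cert_file }} was renewed"
      changed_when: acme.changed | bool
      notify: reload nginx

  handlers:
    - name: reload nginx
      service:
        name: nginx
        state: reloaded
```

With `staging: true` the issued certificate comes from the staging CA and is not trusted by browsers; the point of the flag here is to confirm DNS propagation and the `credential` dictionary before switching to production and burning rate limits.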
| Platform | Support Status |
|---|---|
| Linter | ✅ |
| AlmaLinux 8 | ✅ |
| AlmaLinux 9 | ✅ |
| Fedora 40 | ✅ |
| Fedora 41 | ✅ |
| Ubuntu 20.04 | ✅ |
| Ubuntu 22.04 | ✅ |
| Ubuntu 24.04 | ✅ |