@b0bu
Last active May 24, 2021 13:23
test letsencrypt challenges against their staging api before rolling to production

Here's an example of letting Ansible provision certificates and test the DNS challenges against a DNS provider using the Let's Encrypt staging API, then rolling on to the production API once that succeeds. Because Ansible stops at the first failing task, a broken challenge never reaches production: you don't burn the production API rate limits (staging has far more generous ones), and you get confirmation that DNS and the challenge functionality are working before a real certificate is issued. Note that the task file is reused and vars: are passed like a function signature.

The flags variable is consumed by the pull.sh wrapper, while server and quiet are consumed by the cli.ini template. There is also a cron element, not shown here, that runs a renewal script once the initial pull has been issued by Ansible.

# le.yaml
# ansible-playbook -i inventory le.yaml --tags test-letsencrypt-challenge   (staging dry-run only)
# ansible-playbook -i inventory le.yaml --tags issue-certificates           (staging, then production)
---
- hosts: all   # target group assumed; the gist shows only the task list below
  tasks:
    # The same task file is imported twice; the vars block acts like a function
    # signature. If the staging import fails, Ansible stops before production.
    - import_tasks: issue-certificates.yml
      vars:
        environ: staging (dry-run)
        flags: "--dry-run -v --debug-challenges"
        server: https://acme-staging-v02.api.letsencrypt.org/directory
        quiet: False
      tags: ["issue-certificates", "test-letsencrypt-challenge"]
    - import_tasks: issue-certificates.yml
      vars:
        environ: production
        flags: ""
        server: https://acme-v02.api.letsencrypt.org/directory
        quiet: True
      tags: ["issue-certificates"]

# issue-certificates.yml
---
- name: Install letsencrypt "pull" wrapper scripts
  template:
    src: wrappers/dns-01_pull.sh
    dest: "{{ some_path }}/dns-01_pull.sh"
    mode: "0700"   # quoted so YAML does not reinterpret the leading-zero octal

- name: Install letsencrypt cli.ini for {{ environ }}
  template:
    src: cli.ini
    dest: /etc/letsencrypt/
    owner: root
    group: root
    mode: "0644"

- name: Issue newly added certificates from {{ environ }}
  command: sh "{{ some_path }}/dns-01_pull.sh"
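The staging-then-production gate the playbook relies on, written as an added example script (this is not the gist's dns-01_pull.sh, and it folds the server and quiet values that the gist keeps in cli.ini into the certbot command line so the flow can be exercised stand-alone). The dns-cloudflare plugin, the domain and the credentials file path are placeholders I chose, not values from the gist; CERTBOT is overridable so the gate can be checked without network access.

```shell
#!/bin/sh
# Added example, not the gist's dns-01_pull.sh: run the dns-01 issuance against
# the Let's Encrypt staging directory first and only continue to production
# when that dry run succeeds. Plugin name, domain and credentials path below
# are placeholders (assumptions), not taken from the gist.
set -u

STAGING_SERVER="https://acme-staging-v02.api.letsencrypt.org/directory"
PRODUCTION_SERVER="https://acme-v02.api.letsencrypt.org/directory"
CERTBOT="${CERTBOT:-certbot}"                                   # overridable so the gate can be tested offline
DOMAIN="${DOMAIN:-example.com}"                                 # placeholder
DNS_CREDS="${DNS_CREDS:-/etc/letsencrypt/dns-cloudflare.ini}"   # placeholder path; keep it mode 0600

# certbot_args ENVIRON: print the certbot argument list for one environment.
# "staging" mirrors the gist's staging vars (dry run, verbose, challenge
# debugging); "production" mirrors its production vars (quiet, real issuance).
certbot_args() {
  common="certonly --non-interactive --agree-tos --dns-cloudflare --dns-cloudflare-credentials $DNS_CREDS -d $DOMAIN"
  case "$1" in
    staging)    printf '%s' "$common --server $STAGING_SERVER --dry-run -v --debug-challenges" ;;
    production) printf '%s' "$common --server $PRODUCTION_SERVER --quiet" ;;
    *) echo "unknown environment: $1" >&2; return 2 ;;
  esac
}

# pull: staging first; a non-zero exit there returns before production runs,
# so a broken DNS hook cannot consume the production rate limits.
pull() {
  for environ in staging production; do
    # word splitting of the argument string is intended here
    if ! $CERTBOT $(certbot_args "$environ"); then
      echo "certbot failed against $environ, not continuing to production" >&2
      return 1
    fi
  done
  return 0
}

# Only act when invoked as "dns-01_pull.sh run", so sourcing the file is side-effect free.
if [ "${1:-}" = "run" ]; then
  pull
fi
```

Run it as `DOMAIN=your.example sh dns-01_pull.sh run`; the first certbot call that fails ends the script with exit status 1, which is also what makes the Ansible command task fail and halt the play. The gist's own layout instead renders server and quiet into cli.ini (a template along the lines of `server = {{ server }}` and `quiet = {{ quiet | lower }}` is my assumption about it) and passes only flags to the wrapper.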