
Question regarding usage with Ansible

Open thokari opened this issue 8 years ago • 3 comments

This post mentions using Ansible together with JSON mode. But afaik Ansible can't talk to stdin like that, let alone in an asynchronous way. The problem I see is that the DNS TXT record creation (which Ansible has many modules for) needs to happen after the call to certbot, but while certbot is still running. Is it maybe simply possible to execute the certbot command in multiple steps, i.e. first generate the token to stdout, then run the validation in a second step, after the DNS update has been made and waited for?

thokari avatar Feb 25 '17 16:02 thokari

Hi thokari. Great feedback, thanks. We have briefly discussed it and we should be able to introduce separate steps.

Our thinking is that as part of the JSON, we'd return a sessionID. Adding this to the command line parameters, you'd be able to resume once you update DNS. Potentially multiple times, if the DNS verification fails.

dancvrcek avatar Feb 26 '17 11:02 dancvrcek

That sounds nice. I am thinking that using two steps, one could automate it using Ansible like this:

# Step 1: run certbot non-interactively and capture its JSON output.
# (register and set_fact cannot share one task, so set_fact is its own task.)
- shell: certbot -d example.com <more args>
  register: result

- set_fact:
    certbot_out_json: "{{ result.stdout | from_json }}"

# Step 2: publish the token as a TXT record via your provider's DNS module.
- your_cloudprovider:
    dns:
      domain: _certbot-challenge.example.com
      type: txt
      value: "{{ certbot_out_json.token }}"

# Step 3: wait until the record has propagated. "retries" only repeats the task
# when combined with "until"; here we loop until dig returns the exact token.
- shell: dig +short -t txt _certbot-challenge.example.com
  register: dig_result
  until: certbot_out_json.token in dig_result.stdout
  retries: 5
  delay: 60

# Step 4: resume the paused validation using the session id from step 1.
- shell: certbot --resume --session-id {{ certbot_out_json.session_id }} <more args>

thokari avatar Feb 27 '17 10:02 thokari
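The two-step flow sketched in the two posts above (first step prints JSON with a token and session id, DNS gets updated, propagation is awaited, then validation is resumed, retrying if it fails), as an added Python driver that is not part of this thread or the certbot-external-auth project. The JSON field names, the record name and the injected `lookup`/`resume` callables are assumptions; the sample output is constructed.

```python
import json
import time
from typing import Callable, Iterable

# Constructed sample of what the first (non-interactive) certbot step might print.
# The field names "token" and "session_id" follow the thread's sketch; they are
# assumptions, not the plugin's real JSON schema.
SAMPLE_FIRST_STEP = ('{"domain": "example.com", "token": "tok-constructed-001",'
                     ' "session_id": "sess-constructed-42"}')


def parse_first_step(stdout: str) -> dict:
    """Parse the first step's JSON output and insist on the fields step two needs."""
    data = json.loads(stdout)
    missing = {"token", "session_id"} - data.keys()
    if missing:
        raise ValueError("first-step JSON lacks fields: %s" % sorted(missing))
    return data


def wait_for_txt(name: str, expected: str, lookup: Callable[[str], Iterable[str]],
                 retries: int = 5, delay: float = 0.0) -> bool:
    """Poll TXT records for `name` until one equals `expected` exactly.

    Exact match matters: a stale record left by an earlier run must not be
    taken as proof that the current token has propagated. `lookup` is injected
    so the loop runs offline; in production it would wrap dig or dnspython.
    """
    for attempt in range(retries):
        if expected in set(lookup(name)):
            return True
        if attempt < retries - 1:
            time.sleep(delay)
    return False


def two_step_issue(first_stdout: str, lookup: Callable[[str], Iterable[str]],
                   resume: Callable[[str], bool], record_name: str,
                   max_resumes: int = 3) -> int:
    """Drive the whole flow: parse, wait for DNS, then resume (retrying on failure).

    Returns the number of resume attempts used, or 0 if DNS never showed the
    token or every resume attempt failed.
    """
    step1 = parse_first_step(first_stdout)
    if not wait_for_txt(record_name, step1["token"], lookup):
        return 0
    for attempt in range(1, max_resumes + 1):
        if resume(step1["session_id"]):
            return attempt
    return 0
```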

We have now submitted a small pull request to certbot to make it work. https://github.com/certbot/certbot/pull/4322

Fingers crossed it will get to the main branch.

dancvrcek avatar Mar 10 '17 14:03 dancvrcek