ansible-acme-sh
Stay on letsencrypt
acme.sh has switched from LetsEncrypt to ZeroSSL as default CA. But documentation and possibly some options of this role expect letsencrypt. According to my tests and https://github.com/acmesh-official/acme.sh the default is already set to ZeroSSL. But according to this it shouldn't happen until August 1st: https://community.letsencrypt.org/t/the-acme-sh-will-change-default-ca-to-zerossl-on-august-1st-2021/144052
Hi,
Thanks for the PR. I'm guessing there's a side effect of running that command where it might write a config option somewhere? If so we should make that task idempotent by only changing if that config changes.
I'm not so sure about the problem with config option somewhere.
As I initially wrote, the documentation (and code I suspect) about this role expects LetsEncrypt to be the used CA. But if the underlying system (acme.sh in this case) changes its defaults that needs to be addressed here as well I think. Either update the docs and code for the new default or add something like acme_sh_default_ca: letsencrypt to defaults/main.yml.
As far as I understand acme.sh it has always saved what CA was used to issue the cert initially and will continue to use that until explicitly told to change CA. So if letsencrypt was used while issuing the certs initially (as would be the default case up until recently), the --set-default-ca --server letsencrypt would not change anything when renewing. And for issuing new certs there needs to be adjustment to either docs or defaults to reflect the new reality.
Would you go for keeping letsencrypt as the default for this role or do you want it to follow the defaults set by acme.sh?
I'm currently fairly newbie to roles so I can't say I know how to make it idempotent just yet. Will you address this or do you want me to look further into it?
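An idempotent shape for the task discussed above, as an added example (not this role's code and not the change in #16): a role default for the CA plus a check of acme.sh's account.conf before running --set-default-ca. The variable names, the install path, the CA-to-URL mapping and the assumption that acme.sh records the default CA as DEFAULT_ACME_SERVER in account.conf are assumptions, not taken from the page.

```yaml
# defaults/main.yml (variable name proposed in this thread; an assumption)
acme_sh_default_ca: letsencrypt
acme_sh_home: /root/.acme.sh   # assumed install location of acme.sh

# vars/main.yml (assumed mapping of acme.sh short CA names to directory URLs)
acme_sh_ca_servers:
  letsencrypt: "https://acme-v02.api.letsencrypt.org/directory"
  zerossl: "https://acme.zerossl.com/v2/DV90"

# tasks/default-ca.yml
- name: Check whether acme.sh already records the desired default CA
  # Assumption: --set-default-ca stores the directory URL as
  # DEFAULT_ACME_SERVER in account.conf. grep rc 0 = already set,
  # 1 = different CA recorded, 2 = account.conf missing (fresh install);
  # anything else is a real error.
  ansible.builtin.shell: >
    grep -E "^DEFAULT_ACME_SERVER=['\"]?{{ acme_sh_ca_servers[acme_sh_default_ca] }}"
    {{ acme_sh_home }}/account.conf
  register: acme_sh_default_ca_check
  changed_when: false
  failed_when: acme_sh_default_ca_check.rc not in [0, 1, 2]

- name: Set acme.sh default CA only when it differs from acme_sh_default_ca
  # Only runs (and only reports "changed") when the check above did not
  # find the desired CA, so repeated plays stay idempotent.
  ansible.builtin.command: >
    {{ acme_sh_home }}/acme.sh --set-default-ca --server {{ acme_sh_default_ca }}
  when: acme_sh_default_ca_check.rc != 0
```

Certificates already issued keep the CA recorded in their own config on renewal, so this only affects newly issued certs.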
I'd prefer to stick with Let's Encrypt because it's tried and true. I've never heard of ZeroSSL today.
Ideally we'd want a solution that would renew the cert with whatever CA you used when issuing it. I guess this will depend on figuring out more information from acme.sh to see how it all works before merging anything.
@nickjj I went ahead and made a more robust version allowing users to choose the CA they wish to use, defaulting to letsencrypt, but allowing users to choose in #16.
Also documented it as well.