Allow for easily setting the default CA: default to Letsencrypt.org

[robbyoconnor]

A more robust version of #15 -- allows you to choose the CA you wish to use but defaults to LetsEncrypt.org.

[robbyoconnor]

CI failure isn't my fault.

[nickjj]

Thanks, I'll check through this in the morning.

Yep CI needs to be converted over to GitHub Actions at some point in the future.

[robbyoconnor]

I did actually go through and merge in most of the existing PRs -- if you want to manually merge them, they're all in the my-branch branch on my fork. I just didn't merge in #10 because it's not needed by me.

[nickjj]

Thanks. Going by the documentation at https://github.com/acmesh-official/acme.sh/wiki/Server are you 100% sure it works? It mentions using --set-default-ca only when you're not issuing or installing a cert.

Also I think we might run into trouble with using the staging server because the server type is letsencrypt_test instead of potentially using the --staging flag like before?

[robbyoconnor]

Fixed.

[nickjj]

Have you run it with this set of flags successfully?

Edit: What if we used the default flag to avoid having to call it on every issue?

[robbyoconnor]

Will run it shortly -- Don't merge yet.

[robbyoconnor]

(I have to migrate my playbook from another role I was using)

[nickjj]

Thanks, if you can run it on both the staging and live servers for a new certificate and a renew that would be amazing and useful to have as output pasted here.

[robbyoconnor]

Will do

[robbyoconnor]

So I just looked at the actual script for acme.sh and setting the ACME server to letsencrypt_test is the same as passing --staging.

Still going to test this but just wanted to post this comment.

[robbyoconnor]

It did set the CA correctly but didn't run correctly. I wound up not using this role. I'll leave this PR open.

[nickjj]

What ended up happening if you don't mind me asking.

[robbyoconnor]

I was under a time crunch (my LE cert was expiring July 5) and didn't feel like debugging it but the role was failing weirdly. I wound up installing the certbot snap and renewing that way.

[nickjj]

Fair enough, to be honest I haven't used this role in almost 3 years. Happy to hear you resolved it in some way.

[dchimeno]

Should we merge this then? :)

[nickjj]

Based on this:

It did set the CA correctly but didn't run correctly. I wound up not using this role. I'll leave this PR open.

I'm thinking merging it wouldn't be a good idea, although it's quite possible the role didn't work for other reasons.

[robbyoconnor]

I don't have the time to debug it myself...so not quite.

[dchimeno]

no worries, thanks anyway :)

[robbyoconnor]

@dchimeno if you wanna get it working, by all means

[robbyoconnor]

Just make a PR against my fork on this branch

[dchimeno]

@dchimeno if you wanna get it working, by all means

I finally made it with another role, so no special interest here anymore. Thanks anyway.

[robbyoconnor]

I finally made it with another role, so no special interest here anymore. Thanks anyway.

No issue @dchimeno - all is good.

[TonyBostonTB]

I managed to get it working only with adding "--server letsencrypt"

[lionslair]

@dchimeno if you wanna get it working, by all means

I finally made it with another role, so no special interest here anymore. Thanks anyway.

what did you use?

[dchimeno]

@dchimeno if you wanna get it working, by all means

I finally made it with another role, so no special interest here anymore. Thanks anyway.

what did you use?

https://github.com/thermistor/acme_sh

[lionslair]

@dchimeno if you wanna get it working, by all means

I finally made it with another role, so no special interest here anymore. Thanks anyway.

what did you use?

https://github.com/thermistor/acme_sh

Yeah I forked it and made a couple mods for it too. https://github.com/lionslair/ansible-acme-sh