93bb1d549e
Per [1] ansible_date_time is NOT actually the date/time -- it is the time cached from the facts. It seems this can not be changed because, of course, things have started depending on this behaviour.

This is particularly incorrect if you're using this as a serial number for DNS and it is not incrementing across runs, and thus bind is refusing to load the new entries in the acme.opendev.org zone during letsencrypt runs, and the TXT authentication fails.

Use the suggested work-around in the issue which is an external call to date.

[1] https://github.com/ansible/ansible/issues/22561

Change-Id: Ic3f12f52e8fbb87a7cd673c37c6c4280c56c2b0f

tasks
templates
README.rst

Install authentication records for letsencrypt

Install TXT records to the acme.opendev.org domain. This role runs only on the adns server, and assumes ownership of the /var/lib/bind/zones/acme.opendev.org/zone.db file. After installation the nameserver is refreshed.

After this, letsencrypt-create-certs can run on each host to provision the certificates.

Role Variables

A global dictionary of TXT records to be installed. This is generated in a prior step on each host by the letsencrypt-request-certs role.
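
The commit message above describes a zone serial that did not change between runs. As an added example (not part of this role's code), the following check reads the SOA serial from the old and new zone text and rejects an update whose serial does not advance, using RFC 1982 wrap-around comparison. The sample zone, the function names and the epoch-seconds serial format are assumptions made for illustration.

```python
import re
import time

SERIAL_MOD = 2 ** 32  # SOA serials are 32-bit and wrap around (RFC 1982)

# Constructed sample zone text; names and values are illustrative only.
SAMPLE_ZONE = """\
$TTL 60
@ IN SOA ns1.example.org. hostmaster.example.org. (
        1561420800 ; serial
        3600       ; refresh
        600        ; retry
        86400      ; expire
        60 )       ; minimum
@ IN NS ns1.example.org.
_acme-challenge.www IN TXT "constructed-token"
"""


def soa_serial(zone_text):
    """Return the SOA serial: the first integer after the two SOA names."""
    # Drop ';' comments so a multi-line, parenthesised SOA reads as one record.
    text = "\n".join(line.split(";", 1)[0] for line in zone_text.splitlines())
    m = re.search(r"\bSOA\s+\S+\s+\S+\s*\(?\s*(\d+)", text)
    if m is None:
        raise ValueError("no SOA record found")
    return int(m.group(1))


def serial_gt(new, old):
    """RFC 1982 comparison: True if `new` is ahead of `old` modulo 2**32."""
    diff = (new - old) % SERIAL_MOD
    return 0 < diff < SERIAL_MOD // 2


def check_update(old_zone, new_zone):
    """Raise if the new zone's serial does not advance past the old one."""
    old, new = soa_serial(old_zone), soa_serial(new_zone)
    if not serial_gt(new, old):
        raise ValueError(f"serial {new} does not advance past {old}")
    return new


def fresh_serial():
    """Serial read from the clock at call time, not from cached facts."""
    return int(time.time()) % SERIAL_MOD
```

Running `check_update` on the rendered zone file before the nameserver is refreshed surfaces a stale serial at deploy time instead of as a failed TXT authentication later.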