trfore.smallstep.step_cert role – Request x509 certificates from the step CA server and automatically renew them

Note

This role is part of the trfore.smallstep collection (version 1.1.2).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it use: ansible-galaxy collection install trfore.smallstep.

To use it in a playbook, specify: trfore.smallstep.step_cert.

Entry point certs – Request x509 certificates from the step CA server

Synopsis

  • Request x509 certificates from the step CA server.

Parameters

Parameter

Comments

step_cert_list

list / elements=dictionary

List of dictionaries, certificates to request from the Step CA server.

Default: [{"name": "{{ ansible_fqdn }}", "path": "/etc/step/certs/", "provisioner": "acme", "subject": "{{ ansible_fqdn }}"}]

name

string

Name for the local files - certificate, key, and systemd renewal timer. When renewal is enabled, the timer restarts the service of the same name, so name the certificate after the service that consumes it.

Default: "ansible_fqdn"

not_after

string

Certificate expiry, given as an RFC 3339 timestamp or as a duration, e.g. `24h`. Note: this value cannot exceed the provisioner's configured maximum duration.

path

path

Folder to store x509 certificate.

Default: "/etc/step/certs/"

provisioner

string

Name of provisioner to use.

Default: "acme"

san_0

string

Subject Alternative Name (SAN) for the x509 certificate; useful for adding the host IP address to the certificate so clients that connect by address can validate it.

Default: "ansible_fqdn"

san_1

string

Additional SAN for the x509 certificate.

subject

string

Common name, DNS name, or IP address that will be set as the subject for the certificate, e.g. `client01.example.com`.

Default: "ansible_fqdn"

token

string

One-time token used to authenticate the request with the CA. The token is a credential: keep it in Ansible Vault or another secret store rather than in plaintext inventory or playbooks.

Entry point main – Request x509 certificates from the step CA server and automatically renew them

Synopsis

  • Request x509 certificates from the step CA server and automatically renew them.

  • The systemd renewal timers will attempt to restart the service that matches `step_cert_list.name`, so name each certificate after the service that consumes it, e.g. set `step_cert_list.name = docker` for `docker.service`.

Parameters

Parameter

Comments

step_ca_path

path

Step CA folder containing the CA configuration and root certificate.

Default: "/etc/step-ca/"

step_cert_renewal

boolean

Enable automatic renewal of the certificate. Creates the systemd service and timer templates and enables `cert-renewer@[step_cert_list.name].timer` for each certificate in `step_cert_list`.

Choices:

  • false

  • true ← (default)
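A playbook that requests two certificates through the role's main entry point, added here as an example and not code from the trfore.smallstep collection. The `nginx` certificate carries the host FQDN and IPv4 address as SANs and is issued by the default ACME provisioner; the `docker` certificate authenticates with a one-time token supplied from Ansible Vault. The inventory group `web`, the provisioner name `jwk-ops`, and the vaulted variable `vault_step_docker_token` are assumptions, and the clients are assumed to already hold the CA configuration and root certificate under `step_ca_path`.

```yaml
# Added example (not from the trfore.smallstep collection).
# Assumed: inventory group "web", a JWK provisioner named "jwk-ops" on the CA,
# and a vaulted variable vault_step_docker_token holding a one-time token.
- name: Issue and auto-renew service certificates from the step CA
  hosts: web
  become: true
  vars:
    step_ca_path: /etc/step-ca/          # CA config and root cert already present on the client
    step_cert_renewal: true              # create cert-renewer@<name>.timer for each entry
    step_cert_renewal_restart_svc: true  # the timer restarts <name>.service after renewal
    step_cert_list:
      # name must match the consuming unit: nginx -> nginx.service
      - name: nginx
        subject: "{{ ansible_fqdn }}"
        san_0: "{{ ansible_fqdn }}"
        san_1: "{{ ansible_default_ipv4.address }}"   # IP SAN for clients that dial by address
        path: /etc/step/certs/
        provisioner: acme
        not_after: 24h                   # must not exceed the provisioner's maximum duration
      # docker -> docker.service; token-based provisioner, secret stays in Vault
      - name: docker
        subject: "{{ ansible_fqdn }}"
        provisioner: jwk-ops
        token: "{{ vault_step_docker_token }}"
        not_after: 24h
  roles:
    - role: trfore.smallstep.step_cert
```

Run it with `ansible-playbook --ask-vault-pass` (or a vault password file) so the token is decrypted only at run time. Because the token is single-use, a replayed or leaked value cannot mint a second certificate, but it still identifies the host to the CA and belongs in Vault, not in plaintext vars.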

Entry point renewal – Create systemd timers to renew x509 certificates

Synopsis

  • This creates two systemd templates, `cert-renewer@.service` and `cert-renewer@.timer`.

  • For each certificate, a timer `cert-renewer@[step_cert_list.name].timer` is created. On the client host, list all renewal timers with `$ systemctl list-timers | grep cert-renewer`.

Parameters

Parameter

Comments

step_cert_renewal_restart_svc

boolean

After a renewal, attempt to restart the service whose unit name matches the certificate name, `step_cert_list.name` (e.g. `docker.service` for a certificate named `docker`).

Choices:

  • false

  • true ← (default)
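A verification playbook for the renewal timers and the services they restart, added here as an example and not part of the collection. It checks that each `cert-renewer@<name>.timer` is enabled and running, that a `<name>.service` actually exists for the restart to act on, and that every certificate is still valid two hours from now, which surfaces a stalled renewal before the consuming service starts failing TLS handshakes. The certificate file name `<name>.crt` under `/etc/step/certs/`, the names `nginx` and `docker`, and the inventory group `web` are assumptions; the certificate inspection uses `community.crypto.x509_certificate_info`.

```yaml
# Added example (not from the trfore.smallstep collection).
# Assumed: certificates named "nginx" and "docker" were issued to
# /etc/step/certs/<name>.crt on the hosts in group "web".
- name: Verify cert-renewer timers, restart targets, and certificate validity
  hosts: web
  become: true
  vars:
    step_cert_names: [nginx, docker]     # must match step_cert_list[*].name
    step_cert_dir: /etc/step/certs/
  tasks:
    - name: Ensure each renewal timer is enabled and running
      ansible.builtin.systemd:
        name: "cert-renewer@{{ item }}.timer"
        enabled: true
        state: started
      loop: "{{ step_cert_names }}"

    - name: Collect systemd service facts
      ansible.builtin.service_facts:

    - name: Fail if a certificate name has no matching service to restart
      ansible.builtin.assert:
        that:
          - ansible_facts.services[item ~ '.service'] is defined
        fail_msg: "No {{ item }}.service: cert-renewer@{{ item }} would renew the cert but never reload its consumer"
      loop: "{{ step_cert_names }}"

    - name: Inspect each certificate and test validity two hours from now
      community.crypto.x509_certificate_info:
        path: "{{ step_cert_dir }}{{ item }}.crt"   # assumed file naming
        valid_at:
          soon: "+2h"
      loop: "{{ step_cert_names }}"
      register: cert_info

    - name: Fail if any certificate expires within two hours (renewal has stalled)
      ansible.builtin.assert:
        that:
          - item.valid_at.soon
        fail_msg: "{{ item.item }}: not_after={{ item.not_after }} SANs={{ item.subject_alt_name }}"
      loop: "{{ cert_info.results }}"
      loop_control:
        label: "{{ item.item }}"
```

The two-hour window is a threshold to tune against `not_after`: with a 24h certificate lifetime, a certificate that is still due to expire within two hours means the timer has missed several renewal attempts and the CA, the network, or the renewal unit needs attention before the service is affected.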