Add ECC key creation support (#95)

* Trigger tests

* Trigger more tests

* Add ecc key support and set as default

* Linting: var-naming[no-role-prefix]

- Prefix variable names with role_name

- Make registered variables naming more clear with the result suffix

* Adjust challenge variable naming for every challenge provider

* Add key curve variable to documentation

* Apply suggestions from code review

Set 4096bit default keysize in case RSA is used

Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
Co-authored-by: schurzi <Martin.Schurz@t-systems.com>

* Fix "intendation" for pipes

* Remove unused variable registration

* Fix variable naming

---------

Co-authored-by: Andreas Hering <andreas.hering@t-systems.com>
Co-authored-by: Andreas Hering <andreas.hering@telekom.de>
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
Co-authored-by: schurzi <Martin.Schurz@t-systems.com>

Author: 5 people

docs/role-acme.md

@@ -71,11 +71,17 @@ If you are running this role in a temporary environment such as a CI runner and
 | acme_staging_directory            | no       | acme-staging-v02.api.letsencrypt.org | Acme directory which will be used for certificate challenge
 | acme_live_directory               | no       | acme-v02.api.letsencrypt.org         | Acme directory which will be used for certificate challenge
 | acme_account_key_path             | no       | $acme_conf_dir                       | Path for account key
+| acme_account_key_size             | no       | 4096                                 | Account key size
+| acme_account_key_type             | no       | ECC                                  | Account key type
+| acme_account_key_curve            | no       | secp384r1                            | Account key curve used
 | acme_csr_path                     | no       | $acme_conf_dir/certs                 | Path for csr which is created for challenge
 | acme_cert_path                    | no       | $acme_conf_dir/certs                 | Path for issued certificate
 | acme_intermediate_path            | no       | $acme_conf_dir/certs                 | Path for intermediate chain
 | acme_fullchain_path               | no       | $acme_conf_dir/certs                 | Path for full chain file (certificate + intermediate)
 | acme_private_key_path             | no       | $acme_conf_dir/certs                 | Path for private key
+| acme_private_key_size             | no       | 4096                                 | Private key size
+| acme_private_key_type             | no       | ECC                                  | Private key type
+| acme_private_key_curve            | no       | secp384r1                            | Private key curve used
 | acme_remaining_days               | no       | 30                                   | Min days remaining before certificate will be renewed
 | acme_convert_cert_to              | no       |                                      | Format to convert the certificate to: `pfx`
 | acme_validate_certs               | no       |                                      | Only used in integration tests with pebble server

roles/acme/defaults/main.yml

@@ -9,12 +9,18 @@ acme_staging_directory: https://acme-staging-v02.api.letsencrypt.org/directory
 acme_live_directory: https://acme-v02.api.letsencrypt.org/directory
 acme_use_live_directory: false
 acme_account_key_path: "{{ acme_conf_dir }}/letsencrypt_account.pem"
+acme_account_key_size: "4096"
+acme_account_key_type: "ECC"
+acme_account_key_curve: "secp384r1"
 acme_csr_path: "{{ acme_cert_dir }}/{{ acme_domain.certificate_name }}.csr"
 acme_cert_path: "{{ acme_cert_dir }}/{{ acme_domain.certificate_name }}.pem"
 acme_pfx_cert_path: "{{ acme_cert_dir }}/{{ acme_domain.certificate_name }}.pfx"
 acme_intermediate_path: "{{ acme_cert_dir }}/{{ acme_domain.certificate_name }}_intermediate.pem"
 acme_fullchain_path: "{{ acme_cert_dir }}/{{ acme_domain.certificate_name }}_fullchain.pem"
 acme_private_key_path: "{{ acme_cert_dir }}/{{ acme_domain.certificate_name }}.key"
+acme_private_key_size: "4096"
+acme_private_key_type: "ECC"
+acme_private_key_curve: "secp384r1"
 acme_remaining_days: "30"
 
 ### provider specific config

roles/acme/tasks/challenge/dns-01/autodns.yml

@@ -9,7 +9,7 @@
         method: POST
         body_format: json
         body: { context: "4", user: "{{ acme_dns_user }}", password: "{{ acme_dns_password }}" }
-      register: login
+      register: acme_login
 
     - name: Add a new TXT record to the SAN domains
       ansible.builtin.uri:
@@ -33,7 +33,7 @@
             ]
           }
         headers:
-          Cookie: "{{ login.set_cookie }}"
+          Cookie: "{{ acme_login.set_cookie }}"
       loop: "{{ acme_domain.subject_alt_name }}"
       when:
         - acme_domain.subject_alt_name is defined
@@ -75,7 +75,7 @@
             ]
           }
         headers:
-          Cookie: "{{ login.set_cookie }}"
+          Cookie: "{{ acme_login.set_cookie }}"
       loop: "{{ acme_domain.subject_alt_name }}"
       when:
         - acme_domain.subject_alt_name is defined

roles/acme/tasks/challenge/dns-01/hetzner.yml

@@ -8,7 +8,7 @@
         url: https://dns.hetzner.com/api/v1/zones?name={{ acme_domain.zone }}
         headers:
           Auth-API-Token: "{{ acme_hetzner_auth_token }}"
-      register: lookup_zone_id
+      register: acme_lookup_zone_id
 
     - name: Add a new TXT record to the SAN domains
       ansible.builtin.uri:
@@ -22,12 +22,12 @@
             "ttl": 60,
             "type": "TXT",
             "value": "{{ acme_challenge['challenge_data'][item]['dns-01']['resource_value'] }}",
-            "zone_id": "{{ lookup_zone_id.json.zones[0].id }}",
+            "zone_id": "{{ acme_lookup_zone_id.json.zones[0].id }}",
           }
         headers:
           Auth-API-Token: "{{ acme_hetzner_auth_token }}"
       loop: "{{ acme_domain.subject_alt_name }}"
-      register: records
+      register: acme_records
       when:
         - acme_domain.subject_alt_name is defined
         # only runs if the challenge is run the first time, because then there is challenge_data
@@ -59,7 +59,7 @@
         method: DELETE
         headers:
           Auth-API-Token: "{{ acme_hetzner_auth_token }}"
-      loop: "{{ records | json_query('results[*].json.record.id') }}"
+      loop: "{{ acme_records | json_query('results[*].json.record.id') }}"
       when:
         - acme_domain.subject_alt_name is defined
         # only runs if the challenge is run the first time, because then there is challenge_data

roles/acme/tasks/challenge/dns-01/openstack.yml

@@ -14,7 +14,6 @@
     name: _acme-challenge.{{ item | replace('*.', '') }}.
     zone: "{{ acme_domain.zone }}."
   loop: "{{ acme_domain.subject_alt_name }}"
-  register: records
   when:
     - acme_domain.subject_alt_name is defined
     - acme_challenge['challenge_data'][item] is defined

roles/acme/tasks/create-keys.yml

@@ -1,9 +1,10 @@
 ---
-- name: Create RSA key to be used for acme account
+- name: Create key to be used for acme account
   community.crypto.openssl_privatekey:
     path: "{{ acme_account_key_path }}"
-    size: 4096
-    type: RSA
+    size: "{{ acme_account_key_size }}"
+    type: "{{ acme_account_key_type }}"
+    curve: "{{ acme_account_key_curve }}"
   when:
     - acme_account_key_content is not defined
   no_log: true
@@ -17,9 +18,12 @@
     - acme_account_key_content is defined
   no_log: true
 
-- name: Create RSA key to be used for certificate
+- name: Create key to be used for certificate
   community.crypto.openssl_privatekey:
     path: "{{ acme_private_key_path }}"
+    size: "{{ acme_private_key_size }}"
+    type: "{{ acme_private_key_type }}"
+    curve: "{{ acme_private_key_curve }}"
   when:
     - acme_private_key_content is not defined
   no_log: true