This role automates placing the account files for Sectigo on your host, so that certbot can request Sectigo/Incommon certs instead of LetsEncrypt.
You'll need to get setup with Sectigo before you can use this role. Email sslcerts@umn.edu to get started. They'll provide you with credentials - an EAB KID and EAD HMAC.
In your playbook, include this role before including geerlingguy.certbot
. Below is an example of the full configuration which uses the shared Apache role, certbot, and Sectigo.
sectigo_eab_kid: YOUR-KID
sectigo_eab_hmac: YOUR-HMAC
apache_vhost_ssl_certs_dir: "/etc/letsencrypt/live/{{ hostname }}"
apache_vhost_ssl_keys_dir: "/etc/letsencrypt/live/{{ hostname }}"
apache_deploy_ssl_certs: false
certbot_auto_renew_user: root
certbot_auto_renew: true
certbot_auto_renew_options: "--agree-tos --email=latistecharch@umn.edu --quiet --no-self-upgrade --pre-hook 'service httpd24-httpd stop' --post-hook 'service httpd24-httpd start'"
certbot_admin_email: your-email
certbot_install_from_source: false
certbot_create_if_missing: true
certbot_create_standalone_stop_services: [httpd24-httpd]
certbot_certs:
- domains:
- "{{ hostname }}"
apache_vhosts:
- server_name: "{{ hostname }}"
use_ssl: true
document_root: "/swadm/var/www/html/current/public"
ssl_certificate_cer_file: "cert.pem"
ssl_certificate_interm_cer_file: "chain.pem"
ssl_certificate_key_file: "privkey.pem"
sectigo_eab_kid:
provided by sslcerts@umn.edu
sectigo_eab_hmac
provided by sslcerts@umn.edu
geerlingguy.cerbot
BSD