What are some reasons for using an Ansible role for Certbot vs. Ansible's native `acme_certificate` module?
Problem
To get Let's Encrypt HTTPS certificates for their Web sites, I'm aware of quite a few folks using a particular role, which wraps Certbot, a standalone application not native to Ansible.
There is, however, a native Ansible module called acme_certificate, and at least one accompanying role that wraps it.
It seems to me that it would make sense to use native Ansible modules whenever possible, but are there reasons for not doing so in this particular case?
Solution
Thanks for linking your question. Here's the github thread for reference: https://github.com/geerlingguy/ansible-role-certbot/issues/87
There are many different ways to get certs from a CA. certbot (what this repo uses) is just one of the ways which uses letsencrypt as a certificate authority. acme_certificate is more generic and if you can't use letsencrypt then it might be a good tool to check out for http-01, dns-01 and tls-alpn-01 challenges.
Certbot is a great way to manage certs from letsencrypt, so if your needs are fairly standard this is a good choice. It's a higher level package and will also handle auto renewal (assuming you enable it).
It is possible to do renewals with acme_certificate. You could do something similar with letsencrypt https://docs.ansible.com/ansible/2.5/modules/letsencrypt_module.html . certbot just handles a lot of this for you, specifically for letsencrypt.
Personally I think using certbot to help manage certificates is simpler, but that's up to you. certbot is an application that handles the verification process with the certificate authority, which is very handy. With acme_certificate you'll essentially be doing that yourself. It can also set up automatic renewals, which is very nice.
Context
StackExchange DevOps Q#8722, answer score: 6
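The answer's point that with `acme_certificate` "you'll essentially be doing that yourself" is concrete in the two-step http-01 flow below. This is an added illustration, not code from the question, the answer or the certbot role; it assumes the account key, CSR and web root already exist at the placeholder paths, that the web server serves `/.well-known/acme-challenge/` from that web root, and it points at the Let's Encrypt staging directory so mistakes never hit production rate limits.

```yaml
# Added example: the challenge handling that certbot does for you, spelled out
# as Ansible tasks with community.crypto.acme_certificate. Paths are placeholders.
- name: Issue a certificate with acme_certificate (http-01, two-step)
  hosts: web
  vars:
    acme_dir: https://acme-staging-v02.api.letsencrypt.org/directory
    account_key: /etc/ssl/private/acme-account.key   # placeholder path
    csr_path: /etc/ssl/private/example.csr           # placeholder path
    cert_path: /etc/ssl/certs/example.fullchain.pem  # placeholder path
    webroot: /var/www/html                           # placeholder path
  tasks:
    - name: Step 1 - ask the CA for challenges (nothing is issued yet)
      community.crypto.acme_certificate:
        acme_directory: "{{ acme_dir }}"
        acme_version: 2
        terms_agreed: true
        account_key_src: "{{ account_key }}"
        csr: "{{ csr_path }}"
        fullchain_dest: "{{ cert_path }}"
        challenge: http-01
        remaining_days: 30   # renewal policy: only re-issue when < 30 days remain
      register: acme_challenge

    # The CA expects each token at http://<domain>/.well-known/acme-challenge/<token>;
    # 'resource' already contains that relative path, 'resource_value' the body.
    - name: Step 2 - publish the http-01 tokens under the web root
      ansible.builtin.copy:
        dest: "{{ webroot }}/{{ item.value['http-01']['resource'] }}"
        content: "{{ item.value['http-01']['resource_value'] }}"
        mode: "0644"
      loop: "{{ acme_challenge.challenge_data | dict2items }}"
      when: acme_challenge is changed

    # Passing the registered result back as 'data' tells the module to ask the
    # CA to validate, then download and write the signed full chain.
    - name: Step 3 - let the CA validate and fetch the signed chain
      community.crypto.acme_certificate:
        acme_directory: "{{ acme_dir }}"
        acme_version: 2
        terms_agreed: true
        account_key_src: "{{ account_key }}"
        csr: "{{ csr_path }}"
        fullchain_dest: "{{ cert_path }}"
        challenge: http-01
        remaining_days: 30
        data: "{{ acme_challenge }}"
      when: acme_challenge is changed
```

Running this playbook on a schedule is the renewal: when `remaining_days` is not yet reached the first task reports no change and the other two are skipped, which is the behaviour certbot's timer gives you out of the box.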