
What are some reasons for using an Ansible role for Certbot vs. Ansible's native `acme_certificate` module?

Submitted by: @import:stackexchange-devops

Problem

To get Let's Encrypt HTTPS certificates for their Web sites, I'm aware of quite a few folks using a particular role, which wraps Certbot, a standalone application not native to Ansible.

There is, however, a native Ansible module called acme_certificate, and at least one accompanying role that wraps it.

It seems to me that it would make sense to use native Ansible modules whenever possible, but are there reasons for not doing so in this particular case?

Solution

Thanks for linking your question. Here's the GitHub thread for reference: https://github.com/geerlingguy/ansible-role-certbot/issues/87

There are many different ways to get certs from a CA. certbot (what this repo uses) is just one of the ways which uses letsencrypt as a certificate authority. acme_certificate is more generic and if you can't use letsencrypt then it might be a good tool to check out for http-01, dns-01 and tls-alpn-01 challenges.

Certbot is a great way to manage certs from letsencrypt, so if your needs are fairly standard this is a good choice. It's a higher level package and will also handle auto renewal (assuming you enable it).

It is possible to do renewals with acme_certificate. You could do something similar with letsencrypt https://docs.ansible.com/ansible/2.5/modules/letsencrypt_module.html . certbot just handles a lot of this for you, specifically for letsencrypt.

Personally I think using certbot to help manage certificates is simpler, but that's up to you. certbot is an application that handles the verification process with the certificate authority, which is very handy. With acme_certificate you'll essentially be doing that yourself. It can also set up automatic renewals, which is very nice.
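To make the "doing that yourself" part concrete, here is an added example playbook (not from the question, the answer, or the geerlingguy role) showing the two-pass flow that `community.crypto.acme_certificate` requires for an http-01 challenge: the first call asks the CA for a challenge, a task publishes the token on the web server, and the second call hands the challenge data back so the CA validates and issues. The domain, e-mail address, webroot and key paths are placeholders, the ACME directory points at the Let's Encrypt staging endpoint for testing, and `remaining_days: 30` is an assumed renewal threshold; re-running the play is what gives you renewals, and it only changes anything when the existing certificate has fewer days left than that.

```yaml
# Added example: two-pass acme_certificate flow with the http-01 challenge.
# Domain, e-mail, paths and the renewal threshold are placeholders/assumptions.
- name: Obtain a certificate via ACME without Certbot
  hosts: webservers
  become: true
  vars:
    acme_dir: https://acme-staging-v02.api.letsencrypt.org/directory  # staging CA for testing
    domain: example.com            # placeholder
    acme_email: ops@example.com    # placeholder
    webroot: /var/www/html         # assumed document root served on port 80
    tls_dir: /etc/ssl/acme         # assumed key/cert location
  tasks:
    - name: Ensure key directory exists with restrictive permissions
      ansible.builtin.file:
        path: "{{ tls_dir }}"
        state: directory
        mode: "0700"

    - name: Generate the ACME account key (kept separate from the server key)
      community.crypto.openssl_privatekey:
        path: "{{ tls_dir }}/account.key"
        mode: "0600"

    - name: Generate the server private key
      community.crypto.openssl_privatekey:
        path: "{{ tls_dir }}/{{ domain }}.key"
        mode: "0600"

    - name: Generate a CSR for the domain
      community.crypto.openssl_csr:
        path: "{{ tls_dir }}/{{ domain }}.csr"
        privatekey_path: "{{ tls_dir }}/{{ domain }}.key"
        common_name: "{{ domain }}"
        subject_alt_name: "DNS:{{ domain }}"

    # Pass 1: ask the CA for a challenge. Nothing is issued yet; the module is
    # "changed" only when no cert exists or it has < remaining_days left.
    - name: Request http-01 challenge
      community.crypto.acme_certificate:
        acme_directory: "{{ acme_dir }}"
        acme_version: 2
        terms_agreed: true
        account_key_src: "{{ tls_dir }}/account.key"
        account_email: "{{ acme_email }}"
        csr: "{{ tls_dir }}/{{ domain }}.csr"
        dest: "{{ tls_dir }}/{{ domain }}.crt"
        fullchain_dest: "{{ tls_dir }}/{{ domain }}-fullchain.crt"
        challenge: http-01
        remaining_days: 30
      register: acme_challenge

    # Fulfil the challenge ourselves: this is the step Certbot does for you.
    - name: Ensure the ACME challenge directory exists
      ansible.builtin.file:
        path: "{{ webroot }}/.well-known/acme-challenge"
        state: directory
        mode: "0755"
      when: acme_challenge is changed

    - name: Publish the challenge token under /.well-known/acme-challenge/
      ansible.builtin.copy:
        dest: "{{ webroot }}/{{ acme_challenge.challenge_data[domain]['http-01']['resource'] }}"
        content: "{{ acme_challenge.challenge_data[domain]['http-01']['resource_value'] }}"
        mode: "0644"
      when: acme_challenge is changed

    # Pass 2: same call plus `data`; the CA fetches the token, validates, and
    # the module writes the certificate and full chain to dest/fullchain_dest.
    - name: Validate challenge and fetch the certificate
      community.crypto.acme_certificate:
        acme_directory: "{{ acme_dir }}"
        acme_version: 2
        terms_agreed: true
        account_key_src: "{{ tls_dir }}/account.key"
        account_email: "{{ acme_email }}"
        csr: "{{ tls_dir }}/{{ domain }}.csr"
        dest: "{{ tls_dir }}/{{ domain }}.crt"
        fullchain_dest: "{{ tls_dir }}/{{ domain }}-fullchain.crt"
        challenge: http-01
        remaining_days: 30
        data: "{{ acme_challenge }}"
      when: acme_challenge is changed
```

Two points worth noticing against the Certbot approach: the account key and the server key are separate files with `0600` permissions because compromise of the account key lets someone request certificates for your validated domains, and scheduling (cron or a systemd timer running this play) is yours to set up, which is the "auto renewal" piece the answer credits Certbot with handling. For dns-01 you would swap the `copy` task for a DNS record task that publishes `resource_value` as a TXT record at `resource`, and for production you would switch `acme_dir` to the non-staging directory.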

Context

StackExchange DevOps Q#8722, answer score: 6
