Feature release.
- Support Hetzner's new DNS API (#109).
- Avoid deprecated import (in ansible-core 2.20) in private filter plugin used by the acme_certificate role (https://github.com/felixfontein/ansible-acme/pull/104).
Bugfix release.
- Avoid deprecation message with ansible-core 2.19 when creating or removing DNS entries (#100).
- acme_certificate role - if acme_certificate_dns_provider=cloudflare, DNS entries were created on all targets instead of only on localhost (#97).
Feature release.
- The collection now depends on community.crypto 2.24.0 or newer (#86).
- acme_certificate role - add support for Hetzner's DNS (#87).
- acme_certificate role - now uses the new community.crypto.acme_account_order_* modules added in community.crypto 2.24.0 (#86).
- acme_certificate role - support ACME profile selection with the acme_certificate_profile parameter (#86).
- acme_certificate role - support determining whether to renew by remaining percentage of the validity period (acme_certificate_renewal_on_remaining_percentage option) or ARI information (acme_certificate_use_ari option) (#86).
- acme_certificate role - the role no longer supports acme_certificate_acme_version == 1. ACME v2 must always be used (#86).
- acme_certificate role - properly apply no_log: true to the task that reads the private key file for backup. When not using SOPS-encrypted private keys, the private key was visible in plain text in verbose mode or in the logs (#86).
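The leak fixed above is worth seeing concretely. The following is an added illustrative play, not a task from the felixfontein.acme collection: every file path is a placeholder, and the task names are made up. It shows the unsafe pattern (a slurp of key material registered without no_log) next to the hardened one, and extends the point to the task that later writes the backup copy, since that task's arguments contain the decoded key as well.

```yaml
# Added illustrative example; not code from the felixfontein.acme collection.
# All paths below are placeholders.
- name: Back up a certificate private key (illustrative play)
  hosts: localhost
  gather_facts: false
  tasks:
    # UNSAFE: slurp returns the file content (base64) in its task result.
    # With -v or result logging, that result, and thus the private key,
    # ends up on the console or in the log file.
    - name: Read private key for backup (leaks key in verbose output)
      ansible.builtin.slurp:
        src: /path/to/placeholder/domain.key   # placeholder path
      register: key_backup_unsafe

    # HARDENED: no_log suppresses the task's arguments and result from the
    # console, log file and callback plugins. The registered variable still
    # carries the content for later tasks in the same play.
    - name: Read private key for backup
      ansible.builtin.slurp:
        src: /path/to/placeholder/domain.key   # placeholder path
      register: key_backup
      no_log: true

    # The key now travels in this task's arguments too, so it also needs
    # no_log; otherwise verbose or diff output would print it here instead.
    - name: Write backup copy with restrictive permissions
      ansible.builtin.copy:
        content: "{{ key_backup.content | b64decode }}"
        dest: /path/to/placeholder/domain.key.bak   # placeholder path
        mode: "0600"
      no_log: true
```

Two caveats when checking a playbook for this class of leak: no_log applies per task, so every task whose arguments or result include the secret needs it, and it does not protect a value that a later debug task or a failed-task message prints on its own. Running the play with -vvv and grepping the output for a known substring of the key is a quick way to confirm nothing slipped through.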
Feature release.
- The dependency on community.dns has been bumped to >= 2.9.0 to be able to use the community.dns.quote_txt filter when using the Route53 module (#76).
- acme_certificate role - allow configuring the timeout and the DNS servers used for validating DNS entry propagation for dns-01 challenges (#79, #80).
Maintenance release with slightly updated documentation and no functional changes.
Feature release with improved creation of DNS records for Route53 and Hosttech.
- The collection now depends on community.aws >= 6.3.0 and amazon.aws >= 6.3.0 to improve stability of the acme_certificate role with Amazon's Route 53 DNS (#62).
- acme_certificate role - increase maximum wait for Hosttech DNS records from 2 to 5 minutes (#64).
- acme_certificate role - use community.aws.route53_wait instead of community.dns.wait_for_txt when using Amazon's Route 53 DNS to improve stability (#57, #62).
New major release dropping compatibility with old Ansible versions, namely Ansible 2.9 and ansible-base 2.10.
- acme_certificate role - add Cloudflare DNS support (#55).
- Drop compatibility for Ansible 2.9 and ansible-base 2.10. These versions of Ansible/ansible-base have been End of Life for some time now. If you are still using them, either stick to an older version of this collection, or upgrade to a newer version of ansible-core/Ansible (#54).
Collection dependency update with bugfixes and new features.
- acme_certificate role - add new option acme_certificate_dns_substitution to allow substituting DNS names during DNS record creation for use with CNAMEs (#41).
- acme_certificate role - added new option acme_certificate_verify_auth which allows turning off the validation that credentials for DNS modules are passed as role arguments. When disabled, you are responsible for passing credentials via module defaults or in other ways supported by the specific modules (#40, #42).
- The collection no longer depends on community.aws >= 1.0.0, but on amazon.aws >= 5.0.0. The community.aws.route53 module was migrated to amazon.aws, which allows us to depend on one collection less. Note that if you use this collection with Ansible, you need Ansible 7.0.0 or newer; also note that Ansible 6.x.0 and before are End of Life by now (#39).
- Avoid double failure of acme_certificate rescue task when first task in block fails (#38).
- felixfontein.acme._substitute_dns - [INTERNAL] Adjust DNS name according to a CNAME substitution map
Maintenance release.
Bugfix release.
- When cleaning up after failures in the acme_certificate role, make sure that an undefined ansible_failed_task does not cause another error (#32).
Feature release dropping support for some specific old Ansible/ansible-base versions.
- In case an error happens before a certificate is issued, restore the private key, and remove certificate and key backups if these were made (acme_certificate_keys_old_store option) (#30).
- The collection repository conforms to the REUSE specification (#30).
- Use FQCN for builtin actions and lookup plugins (#23).
- acme_certificate role - add acme_certificate_renewal_on_remaining_days option which allows only renewing certificates that expire within a certain number of days (#28).
- Officially drop support for Ansible 2.9.10 to 2.9.16, and ansible-base 2.10.0 to 2.10.3. These versions have not worked with the felixfontein.acme.acme_certificate role for some time now, so this should not really affect any regular user of this collection (#23).
This release bumps some requirements and adds some features.
- The collection now requires community.dns >= 2.0.0 for Hosttech DNS support.
- The collection now requires community.general >= 4.0.0.
- acme_certificate role - an alternative root certificate URL can be specified in acme_certificate_root_certificate_for_verification that is only used for validating the retrieved chain (#22).
- acme_certificate role - the role can now handle the DNS provider INWX (#19).
Update dependencies.
- Hosttech DNS support: restrict required version of community.dns to < 2.0.0. A later version will bump the requirement to >= 2.0.0 and switch to the new API.
Major revamp of the collection with new dependencies, better documentation, and several features and bugfixes.
- Add documentation for the roles to the collection's docsite (#9).
- Adding support for ansible-core's new role argument spec feature. This makes ansible-core 2.11.1 or newer validate the parameters passed to the roles in this collection (#13).
- Use community.dns.wait_for_txt to speed up waiting for DNS challenges to propagate.
- acme_certificate - add acme_certificate_hosttech_token option to use HostTech's new JSON API instead of the old WSDL API (#12).
- acme_certificate - check whether credentials for the DNS provider are set before starting certificate retrieval (#12).
- Replace the felixfontein.hosttech_dns and felixfontein.tools collection dependencies by community.dns >= 1.0.0 and community.general >= 2.5.0.
- acme_certificate role - remove usage of the tags issue-tls-certs, issue-tls-certs-newkey and verify-tls-certs. By default, new private keys are generated. This can be disabled by setting acme_certificate_regenerate_private_keys to false (#15).
- account_key_rollover role - when using sops-encrypted keys, community.sops.sops_encrypt was run on the remote node and not the controller node (#7).
Feature and repository maintenance release.
- revoke_old_certificates role - allow revoking by ACME account key instead of certificate private key by setting acme_certificate_revoke_with_acme_account to true. This allows revoking certificates with BuyPass, which does not support revocation by certificate private key.
Initial release of my acme_certificate role converted to a collection, with two new roles revoke_old_certificates and account_key_rollover.
- felixfontein.acme.account_key_rollover - Rollover for the ACME account key
- felixfontein.acme.acme_certificate - Retrieve a certificate for a set of domains and/or IP addresses
- felixfontein.acme.revoke_old_certificates - Revoke old certificates copied aside by acme_certificate