Re: owncloud and letsencrypt

On sie 25, Damiano Venturin wrote: > I just spent a couple of hours on the owncloud role. My understanding > is that this role does not support acme to automatically produce > letsencrypt certificates. Is this correct? That's correct. An application role does not need to concern itself with X.509 certificates that are used by the frontend webserver. If you haven't noticed, DebOps roles are designed a bit differently than "normal" Ansible roles on Ansible Galaxy. Various roles in the project expose a "public API" in the form of dependent variables and custom Ansible local facts. Other roles can then use these mechanisms to interface with DebOps roles. In this specific case, the 'owncloud' role uses the 'nginx' role to configure the frontend nginx webserver (this is readily apparent in the 'service/owncloud.yml' playbook). In turn, the 'nginx' role configures the nginx server to support ACME authentication challenges issued by Let's Encrypt. Then the 'pki' role, which maintains the X.509 certificate infrastructure in DebOps, can use the configured nginx instance to request Let's Encrypt certificates, which then can be picked up by the 'nginx' role which configures the nginx webserver to use them. You can find more details about this process in the pki[1] and nginx[2] role documentation. As you can see, the whole process does not involve the 'owncloud' role at all.

This also means, that other application roles like 'netbox', 'phpipam', 'librenms', 'gitlab', etc. can also benefit from the same underlying mechanism, and do not require custom repeated solutions to handle Let's Encrypt certificates themselves. Let me know if you have any more questions. Maciej [1]:https://docs.debops.org/en/master/ansible/roles/pki/acme-integration.html [2]:https://docs.debops.org/en/master/ansible/roles/nginx/acme-support.html