Add certbot_staging option

hi-liang · Jun 5, 2020 · 796e6bb · 796e6bb
1 parent ab5cab6
commit 796e6bb
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 1 deletion.
diff --git a/ansible/certbot/tasks/request_certificates.yml b/ansible/certbot/tasks/request_certificates.yml
@@ -7,6 +7,7 @@
     --agree-tos 
     -m {{certbot_email}}
     -d {{certbot_domain}}
+    {% if certbot_staging %} --staging {% endif %}
   register: certonly
   args:
     creates: "/etc/letsencrypt/live/{{certbot_domain}}/fullchain.pem"
diff --git a/ansible/pico-web/defaults/main.yml b/ansible/pico-web/defaults/main.yml
@@ -77,7 +77,8 @@ enable_basic_auth: false
 htpasswd_accounts: []
 
 # SSL with Let's Encrypt
-enable_certbot: False
+enable_certbot  : False
+certbot_staging : False
 
 # SSL with out-of-band cert and vault-encrypted key
 enable_web_ssl : False

diff --git a/env_prod/inventory.yml b/env_prod/inventory.yml
@@ -65,6 +65,13 @@ all:
       # `ansible_host` for both `web` and `shell` should be domain names.
       enable_certbot : True
 
+      # NOTE: if you plan on creating/destroying your infrastructure many times
+      # you might want to consider running in staging mode to prevent hitting a
+      # rate limit. Switching from live/staging requires some manual administration.
+      #  https://letsencrypt.org/docs/rate-limits/
+      # https://letsencrypt.org/docs/staging-environment/
+      certbot_staging: True
+
       # Set whether `ansible_host` is an IP address or a domain name (DNS) In a
       # production environment we recommend DNS so that you can easily use SSL/TLS
       host_type : "DNS"  # valid options 'IP' or 'DNS'