added support to override backend values on a per certificate basis

README.md

@@ -56,6 +56,12 @@ san: []
 
 # services to restart if this certificate changes
 depending_services: []
+
+# which backend to use, can be 'selfsigned' or 'letsencrypt'
+backend: 'selfsigned'
+
+# overwrite a backend setting for this certificate
+backend_override: {}
 ```
 
 ### Backends

defaults/main.yml

@@ -15,4 +15,5 @@ certificates:
     cn: ~
     san: []
     depending_services: []
+    backend: 'letsencrypt'
   certs: {}

tasks/common_cert.yml

@@ -8,11 +8,16 @@
       chainpath: "{{ basepath + '/' + certname + '.chain.crt' }}"
       fullpath: "{{ basepath + '/private/' + certname + '.complete.pem' }}"
 - set_fact:
-    cert: "{{ {}|combine(certificates.defaults, cert_paths, certificates.certs[certname]|d({}), {'name': certname} ) }}"
+    cert: "{{ {}|combine(certificates.defaults, cert_paths, certificates.certs[certname]|d({}), {'name': certname}, recursive=True ) }}"
+- set_fact:
+    cert_backend: "{{ {}|combine(certificates.backends[cert.backend], cert.backend_override|d({}), recursive=True) }}"
 
 - debug:
     verbosity: 1
     var: cert
+- debug:
+    verbosity: 1
+    var: cert_backend
 
 - name: "generate key for {{ certname }}"
   openssl_privatekey:

tasks/letsencrypt_cert.yml

@@ -1,7 +1,7 @@
 - include_tasks: common_cert.yml
 
 - set_fact:
-    external_challange_type: "{{ map_challange_type_letsencrypt[certificates.backends.letsencrypt.challange]|d(certificates.backends.letsencrypt.challange) }}"
+    external_challange_type: "{{ map_challange_type_letsencrypt[cert_backend.challange]|d(cert_backend.challange) }}"
 
 - name: "get challange for {{ certname }}"
   acme_certificate: &acmetask
@@ -13,7 +13,7 @@
     csr: "{{ cert.csrpath }}"
     dest: "{{ cert.certpath }}"
     fullchain_dest: "{{ cert.chainpath }}"
-    remaining_days: "{{ certificates.backends.letsencrypt.remainingdays }}"
+    remaining_days: "{{ cert_backend.remainingdays }}"
     challenge: "{{ external_challange_type }}"
     deactivate_authzs: yes
   register: challenge
@@ -21,9 +21,9 @@
 - name: "setup challenge server for {{ certname }} (dns challange)"
   when:
   - challenge is changed
-  - certificates.backends.letsencrypt.challange == "dns-01"
+  - cert_backend.challange == "dns-01"
   delegate_to: "{{ item.0 }}"
-  loop: "{{ certificates.backends.letsencrypt.challangeserver|product(challenge.challenge_data.keys()|list)|list }}"
+  loop: "{{ cert_backend.challangeserver|product(challenge.challenge_data.keys()|list)|list }}"
   command:
     argv:
     - "/usr/local/bin/pdns.py"
@@ -33,24 +33,24 @@
 - name: "setup challenge server for {{ certname }} (manual dns challange)"
   when:
   - challenge is changed
-  - certificates.backends.letsencrypt.challange == "dns-01-manual"
+  - cert_backend.challange == "dns-01-manual"
   loop: "{{ challenge.challenge_data_dns|d({})|dict2items }}"
   debug:
-    msg: "add the following dns record: '{{ item.key }}.': { TXT: '{{ item.value[0] }}' }"
+    msg: "add the following dns record: '{{ item.key }}.': { TXT: {{ item.value }} }"
 
 - name: wait for challenges in dns (manual dns challange)
   pause:
     prompt: "When the relevant lines were added to dns and synced, press enter"
   when:
   - challenge is changed
-  - certificates.backends.letsencrypt.challange == "dns-01-manual"
+  - cert_backend.challange == "dns-01-manual"
 
 - name: "setup challenge server for {{ certname }} (http challange)"
   when:
   - challenge is changed
-  - certificates.backends.letsencrypt.challange == "http-01"
+  - cert_backend.challange == "http-01"
   delegate_to: "{{ item.0 }}"
-  loop: "{{ certificates.backends.letsencrypt.challangeserver|product(challenge.challenge_data.keys()|list)|list }}"
+  loop: "{{ cert_backend.challangeserver|product(challenge.challenge_data.keys()|list)|list }}"
   copy:
     dest: "/var/www/letsencrypt/{{ challenge.challenge_data[item.1]['http-01'].resource | basename }}"
     content: "{{ challenge.challenge_data[item.1]['http-01'].resource_value }}"