add variable for MDCAChallenges

fdd0e5a0 · Chris Croome · 4a6b37c0 · fdd0e5a0 · fdd0e5a0 · fdd0e5a0
Verified Commit fdd0e5a0 authored 1 month ago by Chris Croome
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -242,6 +242,12 @@ apache_md_private_keys:
 # Use latest for the latest release or default for the packaged version
 apache_md_version: latest
 apache_md_renew_window: 33%
+# MDCAChallenges, note that tls-alpn-01 (and Protocols acme-tls/1) don't appear
+# to work when Cloudflare is in use but if tls-alpn-01 fails mod_md should fall
+# back to http-01
+apache_md_ca_challenges:
+  - tls-alpn-01
+  - http-01
 apache_mpm_max_connections_per_child: 10000
 apache_mpm_max_request_workers: 128
 apache_verify: true

--- a/meta/argument_specs.yml
+++ b/meta/argument_specs.yml
@@ -105,6 +105,11 @@ argument_specs:
        type: str
        required: false
        description: An optional Matomo domain name for the webarch.conf template.
+      apache_md_ca_challenges:
+        type: list
+        elements: str
+        required: true
+        description: A list of MDCAChallenges for mod_md.
      apache_md_cert_copy:
        type: list
        elements: dict

--- a/templates/md.conf.j2
+++ b/templates/md.conf.j2
 # {{ ansible_managed }}

 <IfModule md_module>
-  # Note that tls-alpn-01 and acme-tls/1 won't work with Cloudflare but mod_md should fall back to http-01 and http
-  MDCAChallenges tls-alpn-01 http-01
+  MDCAChallenges {{ apache_md_ca_challenges | join(' ') }}
  MDCertificateAgreement accepted
  MDContactEmail "{{ apache_server_admin }}"
  MDRenewMode always