From a38aac4cd336791a2104a74ab8abbef82aabc1c5 Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Jan 14 2021 19:21:32 +0000
Subject: certbot: add a cli.ini file with (commented out) ecdsa certs

Once this becomes useful we should switch the letsencrypt certs we get. Right now it's not, as the intermediate is the letsencrypt R3, which is a rsa 2048 bit, so it doesn't help the FUTURE case. Someday they will switch this to use the X1 cert which will be ECC and it will be useful to switch.

Signed-off-by: Kevin Fenzi
---
diff --git a/roles/letsencrypt/files/cli.ini b/roles/letsencrypt/files/cli.ini
new file mode 100644
index 0000000..104092b
--- /dev/null
+++ b/roles/letsencrypt/files/cli.ini
@@ -0,0 +1,2 @@
+#key-type = ecdsa
+#elliptic-curve = secp384r1
diff --git a/roles/letsencrypt/tasks/main.yml b/roles/letsencrypt/tasks/main.yml
index a25597a..14da3ae 100644
--- a/roles/letsencrypt/tasks/main.yml
+++ b/roles/letsencrypt/tasks/main.yml
@@ -1,3 +1,13 @@
+- name: setup defaults file
+ copy: >
+ dest=/etc/letsencrypt/cli.ini
+ src=cli.ini
+ owner=root
+ group=root
+ mode=0644
+ tags:
+ - letsencrypt
+
 - name: Generate (or renew) the certificate
 delegate_to: "certgetter01.iad2.fedoraproject.org"
 command: certbot certonly --expand --keep -n --webroot --webroot-path /var/www/html/ -d {{','.join([site_name] + server_aliases)}}
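Review bot: The new cli.ini carries only the two disabled settings and no explanation, so the reason they are commented out (given only in the commit message: the current Let's Encrypt intermediate is RSA-2048, so an ECDSA leaf key brings no benefit yet) is lost to the next person who opens the file and may be uncommented prematurely or deleted as dead config. A short header comment above `#key-type = ecdsa` would keep the rationale with the file, e.g. `# Intentionally disabled: an ECDSA leaf gives no benefit until Let's Encrypt chains to an ECC intermediate; see commit a38aac4.` It would also help to state that both lines are meant to be enabled together, since `elliptic-curve` only has effect once `key-type` is ecdsa.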
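Review bot: The new `setup defaults file` task runs on the play's target host, while the `Generate (or renew) the certificate` task right below it is delegated to `certgetter01.iad2.fedoraproject.org`, so the cli.ini this task installs will not be read by that certbot invocation unless this role is separately applied to the certgetter host. If the file is meant to govern the delegated certbot run, the copy task needs the same delegation, `delegate_to: "certgetter01.iad2.fedoraproject.org"`, and `run_once: true` would avoid re-copying it once per host. Note also that the `copy` module does not create `/etc/letsencrypt/` if it is absent; presumably the certbot package install guarantees that directory, but that step is not visible in this hunk. The `Generate (or renew)` task continues past the end of the hunk.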