update Readme with instructions for uib-ssl

README.md

@@ -43,10 +43,38 @@ The content can be added to hjelp.uib.no to receive a certificate from cert-mana
 
 Two of the urls from one of the emails should be added to (vaulted) variables.
 
-* as Certificate only, PEM encoded
-* as Root/Intermediate(s) only, PEM encoded
+* `certificate_only_url` as Certificate only, PEM encoded (url ends-with &format=x509CO)
+* `certificate_interm_only_url` as Root/Intermediate(s) only, PEM encoded (url ends-with &format=x509IOR)
 
-Ad dto vhost, see the example below.
+To renew an existing certificate which has been sent by UiB ITA:
+
+CSR and private key will not be updated, ITA will reuse old CSR to generate a new certificate, which we receive by mail.
+
+* Replace/update `certificate_interm_only_url` (usually vaulted) and certificate_interm_only_url (may not have changed) with the values from the updated 
+* Run the playbook with the apache role with the the parameter `apache_digicert_renew` with a truthy value added
+
+```
+ ansible-playbook monitor.yml --vault-id ~/secrets/secret -e deploy_env=prod -i inventory/hostfile  -e apache_digicert_renew=true
+```
+
+**Example vhosts section with multiple ssl set using one certificate** 
+```
+      apache_vhosts:
+        - servername: "example.com"
+          ssl: true
+          ssl_type: "uib" # default letsencrypt if empty
+          altname: "DNS:example2.com,DNS:example3.com" #adding altnames also for additional vhosts
+          certificate_interm_only_url: "{{ eksempel_no_interm_only_url }} " # url ends with &format=x509IOR
+          certificate_only_url: "{{ eksempel_no_cert_only_url }}" #  url ends with &format=x509CO
+          ...
+        - servername: "example2.com" # when additional hosts have ssl set, they will use the same ssl key from the first entry in apache_vhosts
+          ssl: true
+          ssl_type: "uib"
+          ...
+        - servername: "example3.com"
+          ssl: true
+          ssl_type: "uib"
+```
 
 ## Example playbook
 
@@ -77,23 +105,8 @@ Ad dto vhost, see the example below.
       - httpd
 ```
 
-If uib is set, an email is sent to serveradmin containing a template for creating a ssl-request in hjelp.uib.no.
-You get another email from the certificate provider containing various urls.
-
-Continue by adding to the vhost section after ssl_type:
-
-```
-...
-ssl_type: "uib"
-certificate_interm_only_url: "# url from link to intermediate certificate only"
-certificate_only_url: "# url from email to certificate only"
-```
-The role will fail (var not set) until these are set. When rerunning the playbook, a certificate should be set.
-
-@todo Renewing a certificate.
-
-* End of local changes * 
 
+## Begin original docs
 Available variables are listed below, along with default values (see `defaults/main.yml`):
 
     apache_enablerepo: ""