Merge fbe6399b007666e641a9c23c11f744c9067b3ddc into 574c0843c8620f299ff67acbf35c9a6aa45121d0
29
README.md
29
README.md
@ -20,6 +20,27 @@ The variable `certbot_install_from_source` controls whether to install Certbot f
|
||||
|
||||
By default, this role configures a cron job to run under the provided user account at the given hour and minute, every day. The defaults run `certbot renew` (or `certbot-auto renew`) via cron every day at 03:30:00 by the user you use in your Ansible playbook. It's preferred that you set a custom user/hour/minute so the renewal is during a low-traffic period and done by a non-root user account.
|
||||
|
||||
### Certificate generation
|
||||
`certbot_handle_certs: true`
|
||||
Set to true to have this role register and generate certificates for your
|
||||
domains.
|
||||
|
||||
`certbot_register_email: ''``
|
||||
The email to register with. This is required (if you set `certbot_handle_certs` to true) or else the role will fail.
|
||||
|
||||
certbot_domains: []
|
||||
The domains to generate certs for. This is required (if you set `certbot_handle_certs` to true) or else the role will fail. If you are also using the [geerlingguy/ansible-role-apache](https://github.com/geerlingguy/ansible-role-apache) role, you can use something like this to get a list of your domains:
|
||||
```yaml
|
||||
certbot_domains: "{{ [0,1,2] | map('extract', apache_vhosts, 'servername') | list }}"
|
||||
```
|
||||
where `[0,1,2,]` means the first, second and third virtual host specification respectively.
|
||||
|
||||
`certbot_register_command: "{{ certbot_script }} register --non-interactive --agree-tos --email {{ certbot_register_email }}"`
|
||||
The command to run to register with Let's Encrypt.
|
||||
|
||||
`certbot_cert_command: "{{ certbot_script }} certonly --noninteractive --standalone"`
|
||||
The command to run to generate the certificates.
|
||||
|
||||
### Source Installation from Git
|
||||
|
||||
You can install Certbot from it's Git source repository if desired. This might be useful in several cases, but especially when older distributions don't have Certbot packages available (e.g. CentOS < 7, Ubuntu < 16.10 and Debian < 8).
|
||||
@ -42,16 +63,18 @@ None.
|
||||
## Example Playbook
|
||||
|
||||
- hosts: servers
|
||||
|
||||
|
||||
vars:
|
||||
certbot_auto_renew_user: your_username_here
|
||||
certbot_auto_renew_minute: 20
|
||||
certbot_auto_renew_hour: 5
|
||||
|
||||
|
||||
roles:
|
||||
- geerlingguy.certbot
|
||||
|
||||
### Creating certificates with certbot
|
||||
### Manually creating certificates with certbot
|
||||
|
||||
If you do not enable certificate generation via this role (`certbot_handle_certs: true`), you can follow the steps below to generate your certificates.
|
||||
|
||||
After installation, you can create certificates using the `certbot` (or `certbot-auto`) script (use `letsencrypt` on Ubuntu 16.04, or use `/opt/certbot/certbot-auto` if installing from source/Git. Here are some example commands to configure certificates with Certbot:
|
||||
|
||||
|
@ -1,7 +1,10 @@
|
||||
---
|
||||
# Global options for configuration file
|
||||
certbot_config_file_options: {}
|
||||
|
||||
# Certbot auto-renew cron job configuration (for certificate renewals).
|
||||
certbot_auto_renew: true
|
||||
certbot_auto_renew_user: "{{ ansible_user }}"
|
||||
certbot_auto_renew_user: "{{ lookup('env', 'USER') }}"
|
||||
certbot_auto_renew_hour: 3
|
||||
certbot_auto_renew_minute: 30
|
||||
certbot_auto_renew_options: "--quiet --no-self-upgrade"
|
||||
@ -15,3 +18,19 @@ certbot_keep_updated: yes
|
||||
|
||||
# Where to put Certbot when installing from source.
|
||||
certbot_dir: /opt/certbot
|
||||
|
||||
# Set to true to have this role register and generate certificates for your
|
||||
# domains.
|
||||
certbot_handle_certs: true
|
||||
|
||||
# The email to register with (required).
|
||||
certbot_register_email: ''
|
||||
|
||||
# The command to run to register with Let's Encrypt
|
||||
certbot_register_command: "{{ certbot_script }} register --non-interactive --agree-tos --email {{ certbot_register_email }}"
|
||||
|
||||
# The domains to generate certs for
|
||||
certbot_domains: []
|
||||
|
||||
# The command to run to generate the certificates
|
||||
certbot_cert_command: "{{ certbot_script }} certonly --noninteractive --standalone --expand"
|
||||
|
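Review bot: `certbot_handle_certs` defaults to `true` in the second hunk while `certbot_register_email` defaults to `''` and `certbot_domains` to `[]`, so every existing playbook that does not set both variables now trips the assertions in the included generate-certs tasks; the README's wording ("Set to true to have this role register…") reads as opt-in, so the safer default is `certbot_handle_certs: false`. The default `certbot_register_command` also bakes in `--agree-tos`, which accepts the Let's Encrypt subscriber agreement on the operator's behalf, and the comment above it should say so, e.g. `# The command to run to register with Let's Encrypt (--agree-tos accepts the subscriber agreement for you).`. In the first hunk the two `certbot_auto_renew_user` lines are printed without a +/- marker; if the `lookup('env', 'USER')` form is the one kept, note that the lookup evaluates on the controller, so the cron job may be created for a user that does not exist on the target. The file name is not shown on this page; from its content it appears to be the role's defaults file.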
23
tasks/generate-certs.yml
Normal file
23
tasks/generate-certs.yml
Normal file
@ -0,0 +1,23 @@
|
||||
---
|
||||
|
||||
- name: Make sure we have an email
|
||||
assert:
|
||||
that:
|
||||
- "certbot_register_email != ''"
|
||||
msg: "You need to provide an email address you own to register with Let's Encrypt."
|
||||
|
||||
- name: Make sure we have domains
|
||||
assert:
|
||||
that:
|
||||
- "certbot_domains != []"
|
||||
msg: "You need to provide at least one domain to generate certificates for."
|
||||
|
||||
- name: Register with Let's Encrypt
|
||||
command: "{{ certbot_register_command }}"
|
||||
args:
|
||||
creates: /etc/letsencrypt/accounts
|
||||
|
||||
- name: Generate certificates
|
||||
command: "{{ certbot_cert_command }} -d {{ certbot_domains | join(' -d ') }}"
|
||||
register: result
|
||||
changed_when: result.stdout.find("Certificate not yet due for renewal") == -1
|
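Review bot: The `Generate certificates` task at the end of the hunk runs `certonly --standalone` on every play with no `creates:` guard, and the standalone authenticator has to bind the HTTP/HTTPS port itself, so the task fails as soon as a web server (such as the apache role the README points at) is already listening on the host; the cron `certbot renew` this role sets up presumably reuses the same authenticator and hits the same conflict. Its `changed_when` also keys on the exact phrase `Certificate not yet due for renewal`, so any other certbot wording is reported as a change. A comment above the task should state both constraints, e.g. `# Runs certonly on every play; idempotence relies on certbot's own "not yet due" check. --standalone needs port 80/443 free: override certbot_cert_command (e.g. --webroot) when a web server is running.`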
@ -7,5 +7,8 @@
|
||||
- include: install-from-source.yml
|
||||
when: certbot_install_from_source
|
||||
|
||||
- include: generate-certs.yml
|
||||
when: certbot_handle_certs
|
||||
|
||||
- include: renew-cron.yml
|
||||
when: certbot_auto_renew
|
||||
|