gregandev/ansible-role-certbot
gregandev/ansible-role-certbot
1
0
Fork 0
mirror of https://github.com/geerlingguy/ansible-role-certbot.git synced 2026-05-08 04:01:20 +02:00
Code Issues Projects Releases Wiki Activity
ansible-role-certbot/README.md
Stefan Grosser 84e0193e31 Add pip-in-venv install method, deprecate source install 
certbot-auto was removed from the certbot repo by EFF in 2021 (see issue
#204), which leaves certbot_install_method: source broken — the existing
install-from-source.yml still references {{ certbot_dir }}/certbot-auto,
a path that no longer exists after the git clone.

This adds a new install method `pip` that follows EFF's recommended
install path (https://certbot.eff.org/instructions?os=pip): create a
Python venv at {{ certbot_dir }}, pip install certbot, symlink the
binary onto PATH at /usr/local/bin/certbot.

Plugins (e.g. certbot-dns-rfc2136, certbot-dns-cloudflare) can be
opted into per-host via a new certbot_pip_extra_packages list, which
installs additional pip packages into the same venv after certbot.

The legacy `source` method is left in place for backwards compatibility
but is now documented as deprecated in the README and defaults file.

Tested on Debian 12 and Debian 13.
2026-05-04 13:37:39 +02:00

186 lines
10 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Ansible Role: Certbot (for Let's Encrypt)
[![CI](https://github.com/geerlingguy/ansible-role-certbot/actions/workflows/ci.yml/badge.svg)](https://github.com/geerlingguy/ansible-role-certbot/actions/workflows/ci.yml)
Installs and configures Certbot (for Let's Encrypt).
## Requirements
If installing from source (deprecated), Git is required. You can install Git using the `geerlingguy.git` role.
For the `pip` install method, only Debian-family targets are supported (apt is used for the `python3-venv` / `libaugeas-dev` / `gcc` prerequisites).
If you want an always-latest Certbot install on modern distros, prefer `pip` (see `Pip Installation` below) over `source` — the legacy source method relies on `certbot-auto`, which EFF removed from the Certbot repo in 2021.
## Role Variables
certbot_install_method: package
Controls how Certbot is installed. Available options are 'package', 'snap', 'pip', and 'source' (deprecated).
certbot_auto_renew: true
certbot_auto_renew_user: "{{ ansible_user | default(lookup('env', 'USER')) }}"
certbot_auto_renew_hour: "3"
certbot_auto_renew_minute: "30"
certbot_auto_renew_options: "--quiet"
By default, this role configures a cron job to run under the provided user account at the given hour and minute, every day. The defaults run `certbot renew` (or `certbot-auto renew`) via cron every day at 03:30:00 by the user you use in your Ansible playbook. It's preferred that you set a custom user/hour/minute so the renewal is during a low-traffic period and done by a non-root user account.
### Automatic Certificate Generation
Currently the `standalone` and `webroot` method are supported for generating new certificates using this role.
**For a complete example**: see the fully functional test playbook in [molecule/default/playbook-standalone-nginx-aws.yml](molecule/default/playbook-standalone-nginx-aws.yml).
certbot_create_if_missing: false
Set `certbot_create_if_missing` to `yes` or `True` to let this role generate certs.
certbot_create_method: standalone
Set the method used for generating certs with the `certbot_create_method` variable — current allowed values are: `standalone` or `webroot`.
certbot_testmode: false
Enable test mode to only run a test request without actually creating certificates.
certbot_hsts: false
Enable (HTTP Strict Transport Security) for the certificate generation.
certbot_admin_email: email@example.com
The email address used to agree to Let's Encrypt's TOS and subscribe to cert-related notifications. This should be customized and set to an email address that you or your organization regularly monitors.
certbot_certs: []
# - email: janedoe@example.com
# webroot: "/var/www/html"
# domains:
# - example1.com
# - example2.com
# - domains:
# - example3.com
A list of domains (and other data) for which certs should be generated. You can add an `email` key to any list item to override the `certbot_admin_email`. When using the `webroot` creation method, a `webroot` item has to be provided, specifying which directory to use for the authentication. Make sure your webserver correctly delivers contents from this directory.
certbot_create_command: "{{ certbot_script }} certonly --standalone --noninteractive --agree-tos --email {{ cert_item.email | default(certbot_admin_email) }} -d {{ cert_item.domains | join(',') }}"
The `certbot_create_command` defines the command used to generate the cert. See the full default command inside `defaults/main.yml` for a full example—and you can easily add in extra arguments that are not in the default command with the `certbot_create_extra_args` variable.
#### Standalone Certificate Generation
certbot_create_standalone_stop_services:
- nginx
Services that should be stopped while `certbot` runs it's own standalone server on ports 80 and 443. If you're running Apache, set this to `apache2` (Ubuntu), or `httpd` (RHEL), or if you have Nginx on port 443 and something else on port 80 (e.g. Varnish, a Java app, or something else), add it to the list so it is stopped when the certificate is generated.
These services will only be stopped the first time a new cert is generated.
### Snap Installation
Beginning in December 2020, the Certbot maintainers decided to recommend installing Certbot from Snap rather than maintain scripts like `certbot-auto`.
Setting `certbot_install_method: snap` configures this role to install Certbot via Snap.
This install method is currently experimental and may or may not work across all Linux distributions.
#### Webroot Certificate Generation
When using the `webroot` creation method, a `webroot` item has to be provided for every `certbot_certs` item, specifying which directory to use for the authentication. Also, make sure your webserver correctly delivers contents from this directory.
### Pip Installation
Setting `certbot_install_method: pip` installs Certbot into a Python virtual environment at `{{ certbot_dir }}` (default `/opt/certbot`) using EFF's recommended pip install path: <https://certbot.eff.org/instructions?os=pip>. The `certbot` binary is symlinked into `/usr/local/bin` so it is on `PATH`.
This is the modern equivalent of the legacy `source` install — use it when you want an always-latest Certbot on a distro whose packaged version is too old. Only Debian-family targets are supported by the included tasks; the necessary apt prerequisites (`python3-venv`, `libaugeas-dev`, `gcc`, etc.) are installed automatically.
If `certbot_keep_updated: true` (the default), each role run will upgrade Certbot to the latest version on PyPI.
certbot_dir: /opt/certbot
The directory used as the venv root for the `pip` install (and the clone target for the legacy `source` install).
certbot_pip_extra_packages: []
Extra pip packages installed alongside Certbot in the same venv when using the `pip` install method. Use this for plugins, e.g.:
certbot_pip_extra_packages:
- certbot-dns-rfc2136
- certbot-dns-cloudflare
### Source Installation from Git (deprecated)
> **Deprecated.** EFF removed the `certbot-auto` shim from the Certbot repo in 2021, so this install path no longer produces a working `certbot` binary. Use `certbot_install_method: pip` for the modern equivalent.
You can install Certbot from it's Git source repository if desired with `certbot_install_method: source`. This might be useful in several cases, but especially when older distributions don't have Certbot packages available (e.g. CentOS < 7, Ubuntu < 16.10 and Debian < 8).
certbot_repo: https://github.com/certbot/certbot.git
certbot_version: master
certbot_keep_updated: true
Certbot Git repository options. If installing from source, the configured `certbot_repo` is cloned, respecting the `certbot_version` setting. If `certbot_keep_updated` is set to `yes`, the repository is updated every time this role runs.
### Wildcard Certificates
Let's Encrypt supports [generating wildcard certificates](https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579), but the process for generating and using them is slightly more involved. See comments in [this pull request](https://github.com/geerlingguy/ansible-role-certbot/pull/60#issuecomment-423919284) for an example of how to use this role to maintain wildcard certs.
Michael Porter also has a walkthrough of [Creating A Lets Encrypt Wildcard Cert With Ansible](https://www.michaelpporter.com/2018/09/creating-a-wildcard-cert-with-ansible/), specifically with Cloudflare.
## Dependencies
None.
## Example Playbook
- hosts: servers
vars:
certbot_auto_renew_user: your_username_here
certbot_auto_renew_minute: "20"
certbot_auto_renew_hour: "5"
roles:
- geerlingguy.certbot
See other examples in the `tests/` directory.
### Manually creating certificates with certbot
_Note: You can have this role automatically generate certificates; see the "Automatic Certificate Generation" documentation above._
You can manually create certificates using the `certbot` (or `certbot-auto`) script (use `letsencrypt` on Ubuntu 16.04, or use `/opt/certbot/certbot-auto` if installing from source/Git. Here are some example commands to configure certificates with Certbot:
# Automatically add certs for all Apache virtualhosts (use with caution!).
certbot --apache
# Generate certs, but don't modify Apache configuration (safer).
certbot --apache certonly
If you want to fully automate the process of adding a new certificate, but don't want to use this role's built in functionality, you can do so using the command line options to register, accept the terms of service, and then generate a cert using the standalone server:
1. Make sure any services listening on ports 80 and 443 (Apache, Nginx, Varnish, etc.) are stopped.
2. Register with something like `certbot register --agree-tos --email [your-email@example.com]`
- Note: You won't need to do this step in the future, when generating additional certs on the same server.
3. Generate a cert for a domain whose DNS points to this server: `certbot certonly --noninteractive --standalone -d example.com -d www.example.com`
4. Re-start whatever was listening on ports 80 and 443 before.
5. Update your webserver's virtualhost TLS configuration to point at the new certificate (`fullchain.pem`) and private key (`privkey.pem`) Certbot just generated for the domain you passed in the `certbot` command.
6. Reload or restart your webserver so it uses the new HTTPS virtualhost configuration.
### Certbot certificate auto-renewal
By default, this role adds a cron job that will renew all installed certificates once per day at the hour and minute of your choosing.
You can test the auto-renewal (without actually renewing the cert) with the command:
/opt/certbot/certbot-auto renew --dry-run
See full documentation and options on the [Certbot website](https://certbot.eff.org/).
## License
MIT / BSD
## Author Information
This role was created in 2016 by [Jeff Geerling](https://www.jeffgeerling.com/), author of [Ansible for DevOps](https://www.ansiblefordevops.com/).
Reference in New Issue View Git Blame Copy Permalink