gregandev/ansible-role-certbot
gregandev/ansible-role-certbot
1
0
Fork 0
mirror of https://github.com/geerlingguy/ansible-role-certbot.git synced 2025-09-13 09:31:11 +02:00
Code Issues Projects Releases Wiki Activity
194 Commits 3 Branches 26 Tags 541 KiB
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE

README.md

Ansible Role: Certbot (for Let's Encrypt)

CI

Installs and configures Certbot (for Let's Encrypt).

Requirements

Role Variables

certbot_install_method: package

Controls how Certbot is installed. Available options are 'package' and 'snap'.

certbot_auto_renew: true
certbot_auto_renew_user: "{{ ansible_user | default(lookup('env', 'USER')) }}"
certbot_auto_renew_hour: "3"
certbot_auto_renew_minute: "30"
certbot_auto_renew_options: "--quiet"

By default, this role configures a cron job to run under the provided user account at the given hour and minute, every day. The defaults run certbot renew (or certbot-auto renew) via cron every day at 03:30:00 by the user you use in your Ansible playbook. It's preferred that you set a custom user/hour/minute so the renewal is during a low-traffic period and done by a non-root user account.

Automatic Certificate Generation

This role supports generating new certificates using the dns-cloudflare method with Cloudflare DNS-01 challenge.

certbot_create_if_missing: false

Set certbot_create_if_missing to yes or True to let this role generate certs.

certbot_testmode: false

Enable test mode to only run a test request without actually creating certificates.

certbot_hsts: false

Enable (HTTP Strict Transport Security) for the certificate generation.

certbot_admin_email: email@example.com

The email address used to agree to Let's Encrypt's TOS and subscribe to cert-related notifications. This should be customized and set to an email address that you or your organization regularly monitors.

certbot_certs: []
  # - email: janedoe@example.com
  #   domains:
  #     - example1.com
  #     - example2.com
  # - domains:
  #     - example3.com

A list of domains (and other data) for which certs should be generated using Cloudflare DNS-01 challenge. You can add an email key to any list item to override the certbot_admin_email.

The certbot_create_command defines the command used to generate certificates using Cloudflare DNS-01 challenge. See the full default command inside defaults/main.yml for a full example—and you can easily add in extra arguments that are not in the default command with the certbot_create_extra_args variable.

Snap Installation

Beginning in December 2020, the Certbot maintainers decided to recommend installing Certbot from Snap rather than maintain scripts like certbot-auto.

Setting certbot_install_method: snap configures this role to install Certbot via Snap.

This install method is currently experimental and may or may not work across all Linux distributions.

DNS-01 Challenge with Cloudflare

You need to configure Cloudflare DNS credentials:

certbot_cloudflare_email: "your-email@example.com"
certbot_cloudflare_api_key: "your-global-api-key"
# OR use API token instead (recommended):
certbot_cloudflare_api_token: "your-api-token"
certbot_cloudflare_propagation_seconds: 10

You can use either the email + Global API Key combination OR an API token. The API token method is recommended as it's more secure and allows for more granular permissions.

For API token setup:

  1. Go to Cloudflare Dashboard → My Profile → API Tokens
  2. Create a token with Zone:DNS:Edit permissions for the zones you want certificates for
  3. Set the certbot_cloudflare_api_token variable with this token

This method supports wildcard certificates and doesn't require your server to be publicly accessible on ports 80/443.

Service Management During Certificate Generation

certbot_create_stop_services:
  - nginx

Services that can be stopped during certificate generation if needed. While DNS-01 challenge doesn't require stopping services (since it doesn't use ports 80/443), you may want to restart services after certificate deployment using deploy hooks.

Wildcard Certificates

Let's Encrypt supports generating wildcard certificates, but the process for generating and using them is slightly more involved. See comments in this pull request for an example of how to use this role to maintain wildcard certs.

Michael Porter also has a walkthrough of Creating A Lets Encrypt Wildcard Cert With Ansible, specifically with Cloudflare.

Dependencies

None.

Example Playbook

- hosts: servers

  vars:
    certbot_auto_renew_user: your_username_here
    certbot_auto_renew_minute: "20"
    certbot_auto_renew_hour: "5"

  roles:
    - simoncaron.certbot

See other examples in the tests/ directory.

Manually creating certificates with certbot

Note: You can have this role automatically generate certificates; see the "Automatic Certificate Generation" documentation above.

You can manually create certificates using the certbot (or certbot-auto) script (use letsencrypt on Ubuntu 16.04). Here are some example commands to configure certificates with Certbot:

# Automatically add certs for all Apache virtualhosts (use with caution!).
certbot --apache

# Generate certs, but don't modify Apache configuration (safer).
certbot --apache certonly

If you want to fully automate the process of adding a new certificate, but don't want to use this role's built in functionality, you can do so using the command line options to register, accept the terms of service, and then generate a cert using the standalone server:

  1. Make sure any services listening on ports 80 and 443 (Apache, Nginx, Varnish, etc.) are stopped.
  2. Register with something like certbot register --agree-tos --email [your-email@example.com] - Note: You won't need to do this step in the future, when generating additional certs on the same server.
  3. Generate a cert for a domain whose DNS points to this server: certbot certonly --noninteractive --standalone -d example.com -d www.example.com
  4. Re-start whatever was listening on ports 80 and 443 before.
  5. Update your webserver's virtualhost TLS configuration to point at the new certificate (fullchain.pem) and private key (privkey.pem) Certbot just generated for the domain you passed in the certbot command.
  6. Reload or restart your webserver so it uses the new HTTPS virtualhost configuration.

Certbot certificate auto-renewal

By default, this role adds a cron job that will renew all installed certificates once per day at the hour and minute of your choosing.

You can test the auto-renewal (without actually renewing the cert) with the command:

certbot renew --dry-run

See full documentation and options on the Certbot website.

License

MIT / BSD

Author Information

This role was created in 2016 by Jeff Geerling, author of Ansible for DevOps.

Description
Ansible Role - Certbot (for Let's Encrypt)
ansiblecertbotcertificatehttpsletsencryptrolessl
Readme MIT
Languages
Jinja 100%