
ansible-letsencrypt

What is ansible-letsencrypt?

It is an Ansible role to generate and automate renewal for Let's Encrypt SSL certificates. It uses acme-tiny.

Supported platforms:
  • Ubuntu 16.04 LTS (Xenial)
  • Debian 8 (Jessie)

What problem does it solve and why is it useful?

Let's Encrypt allows you to create free SSL certificates. They are short-lived and must be renewed every 90 days or they will expire.

Keeping track of renewals by hand is an easy way to forget one, so this role automates the whole process for you.

Feel free to use it with any web server configuration you want. If you want a near zero configuration nginx role to go along with this role then check out my https://github.com/nickjj/ansible-nginx role.

Role variables

Below is a list of default values along with a description of what they do.

---

# A list of domain names to register certificates for. This has a limit of 100.
# The first item in the list will end up being the file name, for example:
#   letsencrypt_domains: ['example.com', 'www.example.com']
# The above will create example.com.pem and example.com.key files that work for
# both the root domain and the www sub-domain.
letsencrypt_domains: []

# Which web server service name needs to get restarted at the end of the run?
letsencrypt_restart_service_name: 'nginx'

# Installation paths.
letsencrypt_install_path: '/usr/local/acme-tiny'
letsencrypt_challenge_path: '/usr/share/nginx/challenges/.well-known/acme-challenge'
letsencrypt_certificate_path: '/etc/nginx/ssl'
letsencrypt_log_path: '/var/log/acme-tiny'

# Generated private keys and certificates.
letsencrypt_account_key_path: '{{ letsencrypt_install_path }}/account.key'
letsencrypt_domain_csr_path: '{{ letsencrypt_install_path }}/{{ letsencrypt_domains[0] }}.csr'
letsencrypt_valid_certificate_path: '{{ letsencrypt_install_path }}/{{ letsencrypt_domains[0] }}.crt'

# Final generated private key and certificate.
letsencrypt_domain_key_path: '{{ letsencrypt_certificate_path }}/{{ letsencrypt_domains[0] }}.key'
letsencrypt_chained_pem_path: '{{ letsencrypt_certificate_path }}/{{ letsencrypt_domains[0] }}.pem'

# Location of the intermediate certificate used in the chain.
letsencrypt_intermediate_url: 'https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem'

# By default we'll use the staging server endpoint so that you're forced to
# explicitly set this when you're ready for production.
#
# For production, set this to:
#   letsencrypt_default_ca: 'https://acme-v01.api.letsencrypt.org'
letsencrypt_default_ca: 'https://acme-staging.api.letsencrypt.org'

# How often should we try to renew certificates? Default is once per month.
letsencrypt_cron_renew: ['0', '0', '1', '*', '*']

# When set to True this will delete all private keys, CSRs and certificates.
# You would use this when you want to force create new certificates, such as
# adding a new sub-domain to your certificate file.
#
# Don't always keep this enabled or you'll likely run into rate limits.
letsencrypt_force_reset_all: False
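The renewal schedule above only works if cron fires often enough within the 90-day lifetime to absorb a failed run. The following script is an added example, not code from the ansible-letsencrypt role: it takes a letsencrypt_cron_renew list in the role's own layout (minute, hour, day-of-month, month, day-of-week) and counts how many renewal attempts fall between issuance and expiry, plus how many days of slack remain after the last attempt. It assumes a 90-day certificate lifetime and supports only plain numbers and '*' in cron fields (ranges, lists and steps are not parsed); the issuance date is a constructed value.

```python
"""Renewal-margin check for a cron-driven Let's Encrypt renewal.

Added example, not part of the ansible-letsencrypt role. Assumes the role's
letsencrypt_cron_renew field order (minute, hour, day-of-month, month,
day-of-week) and a 90-day certificate lifetime. Only plain numbers and '*'
are supported in cron fields; ranges, lists and steps are not parsed.
"""
from datetime import datetime, timedelta

CERT_LIFETIME_DAYS = 90  # Let's Encrypt certificates expire after 90 days

# Allowed range per field: minute, hour, day-of-month, month, day-of-week
FIELD_LIMITS = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]

# Constructed issuance date used by the demonstration below.
DEMO_ISSUED = datetime(2017, 1, 15, 0, 0)


def parse_cron(spec):
    """Turn the role's five-string list into ints, with None meaning '*'."""
    if len(spec) != 5:
        raise ValueError("cron spec must have exactly 5 fields")
    parsed = []
    for field, (low, high) in zip(spec, FIELD_LIMITS):
        if field == "*":
            parsed.append(None)
            continue
        value = int(field)
        if not low <= value <= high:
            raise ValueError(f"cron field {field!r} outside {low}-{high}")
        parsed.append(value)
    if parsed[4] == 7:  # cron accepts 7 as an alias for Sunday (0)
        parsed[4] = 0
    return parsed


def fires_at(parsed, when):
    """True if the spec fires at this minute. Mirrors cron's rule that
    day-of-month and day-of-week are OR-ed when both are restricted."""
    minute, hour, dom, month, dow = parsed
    if minute is not None and when.minute != minute:
        return False
    if hour is not None and when.hour != hour:
        return False
    if month is not None and when.month != month:
        return False
    weekday = when.isoweekday() % 7  # cron numbering: 0 = Sunday
    if dom is not None and dow is not None:
        return when.day == dom or weekday == dow
    return (dom is None or when.day == dom) and (dow is None or weekday == dow)


def renewal_attempts(spec, issued_at, lifetime_days=CERT_LIFETIME_DAYS):
    """All cron firings after issuance and before the certificate expires."""
    parsed = parse_cron(spec)
    expires_at = issued_at + timedelta(days=lifetime_days)
    step = timedelta(minutes=1)
    when = issued_at + step
    attempts = []
    while when < expires_at:
        if fires_at(parsed, when):
            attempts.append(when)
        when += step
    return attempts


def renewal_margin(spec, issued_at, lifetime_days=CERT_LIFETIME_DAYS):
    """Return (number_of_attempts, whole_days_left_after_last_attempt).

    Fewer than two attempts means one failed cron run lets the cert expire;
    days_left is None when the schedule never fires during the lifetime.
    """
    attempts = renewal_attempts(spec, issued_at, lifetime_days)
    if not attempts:
        return 0, None
    expires_at = issued_at + timedelta(days=lifetime_days)
    return len(attempts), (expires_at - attempts[-1]).days


if __name__ == "__main__":
    schedules = [
        ("role default, monthly on the 1st", ["0", "0", "1", "*", "*"]),
        ("weekly, Sunday 03:00", ["0", "3", "*", "*", "0"]),
        ("yearly, far too rare", ["0", "0", "1", "1", "*"]),
    ]
    for label, spec in schedules:
        count, slack = renewal_margin(spec, DEMO_ISSUED)
        print(f"{label}: {count} attempts, {slack} days of slack")
```

With the role's default schedule a certificate issued mid-January gets three attempts (1 February, 1 March, 1 April) and two weeks of slack after the last one, so one failed run is survivable; a schedule that fires less than twice inside the lifetime is the failure mode to reject.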

Example playbook

For the sake of this example let's assume you have a group called app and you have a typical site.yml file.

To use this role edit your site.yml file to look something like this:

---

- name: Configure app server(s)
  hosts: app
  become: True

  roles:
    - { role: nickjj.letsencrypt, tags: letsencrypt }

Let's say you want to generate certs for blog.example.com in production. You can do this by opening or creating group_vars/app.yml which is located relative to your inventory directory and then making it look like this:

---

letsencrypt_domains: ['blog.example.com']
letsencrypt_default_ca: 'https://acme-v01.api.letsencrypt.org'
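Once the playbook has run, the two files that matter are the chained PEM and the private key. The script below is an added example, not code from the ansible-letsencrypt role: it assumes the role's output layout (letsencrypt_chained_pem_path holding the leaf certificate followed by the intermediate fetched from letsencrypt_intermediate_url, and letsencrypt_domain_key_path holding the private key) and checks the structure a web server relies on: leaf first, intermediate last, no key leaked into the chain, and a key file that is not group- or world-readable. The PEM bodies are constructed placeholders, not real certificates or keys, and the checks are structural rather than cryptographic.

```python
"""Post-run checks on the files the role leaves behind.

Added example, not part of the ansible-letsencrypt role. Assumes the role's
output layout (chained PEM = leaf then intermediate; key in its own file).
PEM bodies below are constructed placeholders; the checks look at block
order, block count and file mode, not at signatures.
"""
import os
import re
import stat
import tempfile

CERT_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\n.*?\n-----END CERTIFICATE-----", re.S)
KEY_BLOCK = re.compile(
    r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----\n.*?\n"
    r"-----END (?:RSA |EC )?PRIVATE KEY-----", re.S)


def build_chained_pem(leaf_pem, intermediate_pem):
    """Assemble the chain the way web servers expect: leaf first, then intermediate."""
    return leaf_pem.strip() + "\n" + intermediate_pem.strip() + "\n"


def check_chained_pem(chained_text, intermediate_pem):
    """Return a list of problems with a chained PEM (empty list means OK)."""
    problems = []
    blocks = [b.strip() for b in CERT_BLOCK.findall(chained_text)]
    if len(blocks) < 2:
        problems.append("chain holds fewer than two certificates; intermediate missing")
        return problems
    if blocks[0] == intermediate_pem.strip():
        problems.append("intermediate is first; the leaf certificate must come first")
    if blocks[-1] != intermediate_pem.strip():
        problems.append("last certificate is not the configured intermediate")
    if KEY_BLOCK.search(chained_text):
        problems.append("private key found inside the chained PEM")
    return problems


def check_key_file(path):
    """Return problems with a private key file: content and permissions."""
    problems = []
    with open(path) as fh:
        text = fh.read()
    if len(KEY_BLOCK.findall(text)) != 1:
        problems.append("key file must contain exactly one private key block")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # any group/other bit set
        problems.append(f"key file is group/world accessible (mode {mode:04o})")
    return problems


# Constructed placeholder PEM bodies (not real keys or certificates).
LEAF = "-----BEGIN CERTIFICATE-----\nLEAFLEAFLEAF\n-----END CERTIFICATE-----\n"
INTERMEDIATE = "-----BEGIN CERTIFICATE-----\nINTERINTER\n-----END CERTIFICATE-----\n"
KEY = "-----BEGIN RSA PRIVATE KEY-----\nKEYKEYKEY\n-----END RSA PRIVATE KEY-----\n"


def write_key_file(mode):
    """Write the constructed key to a temp file with the given mode; return its path."""
    fd, path = tempfile.mkstemp(suffix=".key")
    with os.fdopen(fd, "w") as fh:
        fh.write(KEY)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    good = build_chained_pem(LEAF, INTERMEDIATE)
    print("good chain:", check_chained_pem(good, INTERMEDIATE) or "OK")
    print("leaf only:", check_chained_pem(LEAF, INTERMEDIATE))
    print("reversed:", check_chained_pem(build_chained_pem(INTERMEDIATE, LEAF), INTERMEDIATE))
    for mode in (0o600, 0o644):
        path = write_key_file(mode)
        print(f"key mode {mode:04o}:", check_key_file(path) or "OK")
        os.unlink(path)
```

Point check_chained_pem at the contents of your letsencrypt_chained_pem_path and the intermediate you downloaded, and check_key_file at letsencrypt_domain_key_path; a missing intermediate is the classic cause of a chain that works in a browser but fails for stricter clients, and a readable key file undoes everything else the role did.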

Revoking certificates

Certificates expire after 90 days and you can issue new ones at will, so this role has no built-in way to revoke them.

If you really need to revoke them then I recommend checking out this project because it includes a way to revoke certificates and is made by the same author as acme-tiny.

Installation

$ ansible-galaxy install nickjj.letsencrypt

Ansible Galaxy

You can find it on the official Ansible Galaxy if you want to rate it.

License

MIT

Special thanks

Thanks to Maciej Delmanowski for helping me debug a few tricky issues with this role. He is the creator of DebOps.

Contributors

nickjj, scuttlese
