Skip to content
This repository has been archived by the owner on Jun 23, 2018. It is now read-only.
/ ansible-role-simp_le Public archive

Ansible role to install simp_le and generate certificates on Ubuntu/Debian.

License

MIT license
14 stars 5 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

L-P/ansible-role-simp_le

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

47 Commits
defaults
defaults
 
 
files
files
 
 
meta
meta
 
 
tasks
tasks
 
 
templates
templates
 
 
.gitignore
.gitignore
 
 
.vimrc
.vimrc
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

ansible-role-simp_le

Install simp_le, generate certificates and renew them automatically on Debian/Ubuntu servers.

Renewal will be attempted daily via a cron job run by the Ansible remote user.

See the role on Ansible Galaxy: L-P.simp_le

Note: I started using acmetool and recommand you do the same for any new server running Ubuntu ≥ 16.04.

Required variables

A list of virtual hosts for which we'll generate certificates:

simp_le_vhosts:
  - domains: ["www.example.com", "example.com"]
    root: "/path/to/challenges" # accessible via HTTP
    output: "/path/to/output/dir" # where to write the certificates

An email address LetsEncrypt will use to identify you and send renewal notices:

simp_le_email: "your.email@example.com"

There are three optional keys you can set on hosts:

  • user and group to specifiy who will own the keys, challenges and their parent directory The owner defaults to www-data:www-data.
  • extra_args to pass extra arguments to simp_le, this can be used to use the LetsEncrypt staging server or to tell simp_le to reuse the key pair when renewing the certificate. This is useful if you are using TLSA records, you can then use Selector type 1 (SubjectPublicKeyInfo) and your TLSA record will not need changing when the certificate is renewed.
  • update_action a command to be run when a certificate is renewed, e.g. systemctl restart apache2

Example:

simp_le_vhosts:
  - domains: ["smtp.example.com", "mail.example.com"]
    root: "/path/to/challenges"
    output: "/path/to/output/dir"
    user: "Debian-exim"
    group: "Debian-exim"
    extra_args: "--reuse_key --server https://acme-staging.api.letsencrypt.org/directory"
    update_action: "/bin/systemctl restart exim4"

See defaults/main.yml for more configuration.

Server configuration

Your server needs to serve the challenge files over HTTP, here is an example configuration you can use for nginx that will redirect every HTTP request to HTTPS except for the challenges:

location /.well-known/acme-challenge/ {
    alias /var/www/challenges/.well-known/acme-challenge/;
    try_files $uri @forward_https;
}
location @forward_https {
    return 301 https://example.com$request_uri;
}
location / {
    return 301 https://example.com$request_uri;
}

Example playbook

- hosts: all
  roles:
    - {role: "L-P.simp_le", become: no}

While most of the operations are done without sudo, it is still used to create the various directories with the proper permissions and owners.

About

Ansible role to install simp_le and generate certificates on Ubuntu/Debian.

Topics

letsencrypt tls ansible ansible-roles

Resources

Readme

License

MIT license
Activity

Stars

14 stars

Watchers

6 watching

Forks

5 forks
Report repository

Releases 9

v1.4.3 Latest
Jan 15, 2017
+ 8 releases

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •  

Languages