This repository has been archived by the owner. It is now read-only.
Ansible role to install simp_le and generate certificates on Ubuntu/Debian.
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
defaults
files
meta
tasks
templates
.gitignore
.vimrc
LICENSE
README.md

README.md

ansible-role-simp_le

Install simp_le, generate certificates and renew them automatically on Debian/Ubuntu servers.

Renewal will be attempted daily via a cron job run by the Ansible remote user.

See the role on Ansible Galaxy: L-P.simp_le

Note: I started using acmetool and recommand you do the same for any new server running Ubuntu ≥ 16.04.

Required variables

A list of virtual hosts for which we'll generate certificates:

simp_le_vhosts:
  - domains: ["www.example.com", "example.com"]
    root: "/path/to/challenges" # accessible via HTTP
    output: "/path/to/output/dir" # where to write the certificates

An email address LetsEncrypt will use to identify you and send renewal notices:

simp_le_email: "your.email@example.com"

There are three optional keys you can set on hosts:

  • user and group to specifiy who will own the keys, challenges and their parent directory The owner defaults to www-data:www-data.
  • extra_args to pass extra arguments to simp_le, this can be used to use the LetsEncrypt staging server or to tell simp_le to reuse the key pair when renewing the certificate. This is useful if you are using TLSA records, you can then use Selector type 1 (SubjectPublicKeyInfo) and your TLSA record will not need changing when the certificate is renewed.
  • update_action a command to be run when a certificate is renewed, e.g. systemctl restart apache2

Example:

simp_le_vhosts:
  - domains: ["smtp.example.com", "mail.example.com"]
    root: "/path/to/challenges"
    output: "/path/to/output/dir"
    user: "Debian-exim"
    group: "Debian-exim"
    extra_args: "--reuse_key --server https://acme-staging.api.letsencrypt.org/directory"
    update_action: "/bin/systemctl restart exim4"

See defaults/main.yml for more configuration.

Server configuration

Your server needs to serve the challenge files over HTTP, here is an example configuration you can use for nginx that will redirect every HTTP request to HTTPS except for the challenges:

location /.well-known/acme-challenge/ {
    alias /var/www/challenges/.well-known/acme-challenge/;
    try_files $uri @forward_https;
}
location @forward_https {
    return 301 https://example.com$request_uri;
}
location / {
    return 301 https://example.com$request_uri;
}

Example playbook

- hosts: all
  roles:
    - {role: "L-P.simp_le", become: no}

While most of the operations are done without sudo, it is still used to create the various directories with the proper permissions and owners.