Skip to content
This repository has been archived by the owner on Jun 23, 2018. It is now read-only.


Folders and files

Last commit message
Last commit date

Latest commit



47 Commits

Repository files navigation


Install simp_le, generate certificates and renew them automatically on Debian/Ubuntu servers.

Renewal will be attempted daily via a cron job run by the Ansible remote user.

See the role on Ansible Galaxy: L-P.simp_le

Note: I started using acmetool and recommand you do the same for any new server running Ubuntu ≥ 16.04.

Required variables

A list of virtual hosts for which we'll generate certificates:

  - domains: ["", ""]
    root: "/path/to/challenges" # accessible via HTTP
    output: "/path/to/output/dir" # where to write the certificates

An email address LetsEncrypt will use to identify you and send renewal notices:

simp_le_email: ""

There are three optional keys you can set on hosts:

  • user and group to specifiy who will own the keys, challenges and their parent directory The owner defaults to www-data:www-data.
  • extra_args to pass extra arguments to simp_le, this can be used to use the LetsEncrypt staging server or to tell simp_le to reuse the key pair when renewing the certificate. This is useful if you are using TLSA records, you can then use Selector type 1 (SubjectPublicKeyInfo) and your TLSA record will not need changing when the certificate is renewed.
  • update_action a command to be run when a certificate is renewed, e.g. systemctl restart apache2


  - domains: ["", ""]
    root: "/path/to/challenges"
    output: "/path/to/output/dir"
    user: "Debian-exim"
    group: "Debian-exim"
    extra_args: "--reuse_key --server"
    update_action: "/bin/systemctl restart exim4"

See defaults/main.yml for more configuration.

Server configuration

Your server needs to serve the challenge files over HTTP, here is an example configuration you can use for nginx that will redirect every HTTP request to HTTPS except for the challenges:

location /.well-known/acme-challenge/ {
    alias /var/www/challenges/.well-known/acme-challenge/;
    try_files $uri @forward_https;
location @forward_https {
    return 301$request_uri;
location / {
    return 301$request_uri;

Example playbook

- hosts: all
    - {role: "L-P.simp_le", become: no}

While most of the operations are done without sudo, it is still used to create the various directories with the proper permissions and owners.