In lieu of complete automation, provide better documentation #6

Closed
geerlingguy opened this issue Jul 11, 2016 · 6 comments

Comments

@geerlingguy
Owner

I'm leery of letting automated software that's out of my control manage my own config files, especially when it comes to crypto. While many people are better off letting LE/Certbot do everything for them (many of these people hand-edit config files on their servers—gasp!), I'd rather let Certbot work on cert redemption/renewal, and then I'll work on the actual Apache config.

I'd like to document my process, at least, so I can see where it's more automatable... and so others can see how simple/better the process is for further automation if we use Ansible to the greatest extent possible.

@geerlingguy
Owner Author

geerlingguy commented Jul 11, 2016

Right now my process is:

  1. Provision new server using this role (geerlingguy.certbot), and set up Apache/Nginx config to direct traffic to port 80 for each virtualhost.
  2. Log in, run (not as root): /path/to/certbot-auto --apache certonly -d [domain] -d [domain] (with -d [domain] for all the domains on the server you want to have certs).
  3. Run through the certbot UI answering questions, setting up the account, etc.
  4. Once the certs are generated, edit my Apache/Nginx config to redirect 80 to 443 with the following configuration per virtualhost (example is on Ubuntu):

/etc/apache2/ssl.conf:

SSLEngine on
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
SSLHonorCipherOrder On
SSLCompression off

/etc/apache2/sites-enabled/[site].conf:

<VirtualHost *:80>
  ServerName www.example.com
  Redirect permanent / https://www.example.com/
</VirtualHost>
<VirtualHost *:443>
  ServerName www.example.com
  ServerAlias example.com
  ServerAdmin webmaster@example.com
  DocumentRoot /path/to/example_com

  Include /etc/apache2/ssl.conf
  SSLCertificateFile /etc/letsencrypt/live/www.example.com/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com/privkey.pem
  SSLCertificateChainFile /etc/letsencrypt/live/www.example.com/chain.pem

  <Directory "/path/to/example_com">
    AllowOverride All
    Options -Indexes +SymLinksIfOwnerMatch
    Order deny,allow
    Require all granted
  </Directory>
</VirtualHost>
  5. Let Ansible do its thing, Apache restarts once the vhosts are updated (via handler), and everything works splendidly. I just (finally) switched Ansible for DevOps' site to Let's Encrypt using this method: https://www.ansiblefordevops.com/
  6. Test the automated renewal script (dry run) on the server: /opt/certbot/certbot-auto renew --dry-run
  7. Add cron job via Ansible like: 37 3 * * * /opt/certbot/certbot-auto renew --quiet --no-self-upgrade
  8. Add the /etc/letsencrypt directory to a set of backup_directories that are backed up securely.

This example is Ubuntu / Apache; Nginx is similar but with a different configuration layout.

@llbbl

llbbl commented Sep 7, 2016

So the "privkey.pem" is updated every time renew is run with the current one? The directory with all the keys (/etc/letsencrypt/keys) just keeps adding more. This was a non-obvious realization that I thought was super important to not breaking the site every time 'renew' is run.
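Certbot keeps each issued certificate and key as numbered files under /etc/letsencrypt/archive/<lineage>/ (privkey1.pem, privkey2.pem, ...) and maintains /etc/letsencrypt/live/<lineage>/ as symlinks to the newest of them, which is why the paths in the vhost config above keep working across renewals while the archive grows; /etc/letsencrypt/keys/ holds the keys generated during issuance. The script below is an added example, not part of this issue or of the geerlingguy.certbot role. It checks one lineage after a renewal (or after the dry run in step 6) for the state a renewal is supposed to leave behind: every live/ link resolves into archive/, and cert, chain, fullchain and privkey all point at the same, newest archive version. The base directory and lineage name are arguments; the layout it is exercised against in testing is a constructed fixture, not a real /etc/letsencrypt.

```shell
#!/bin/sh
# Added example, not part of the original issue or of the geerlingguy.certbot role.
# Checks that a Let's Encrypt lineage is internally consistent after a renewal:
# all four symlinks in live/<name>/ resolve into archive/<name>/ and point at the
# same version number, and that number is the newest one archived.
#
# Usage: check_lineage /etc/letsencrypt www.example.com
# Exit status 0 when consistent, 1 otherwise; findings are printed.

check_lineage() {
  base="$1"
  name="$2"
  live="$base/live/$name"
  archive="$base/archive/$name"
  [ -d "$live" ] || { echo "no live dir: $live"; return 1; }
  [ -d "$archive" ] || { echo "no archive dir: $archive"; return 1; }

  # Newest archive version = highest N among privkeyN.pem files.
  newest=0
  for f in "$archive"/privkey*.pem; do
    [ -e "$f" ] || continue
    n=${f##*/privkey}
    n=${n%.pem}
    [ "$n" -gt "$newest" ] && newest=$n
  done
  [ "$newest" -gt 0 ] || { echo "no archived keys in $archive"; return 1; }

  status=0
  for item in cert chain fullchain privkey; do
    link="$live/$item.pem"
    if [ ! -L "$link" ]; then
      echo "$link is not a symlink"
      status=1
      continue
    fi
    target=$(readlink "$link")
    # Certbot writes relative links (../../archive/<name>/certN.pem); resolve
    # them from the live/ directory, but accept absolute targets too.
    case "$target" in
      /*) resolved="$target" ;;
      *)  resolved="$live/$target" ;;
    esac
    if [ ! -f "$resolved" ]; then
      echo "$link -> $target is dangling"
      status=1
      continue
    fi
    v=${resolved##*/$item}
    v=${v%.pem}
    if [ "$v" != "$newest" ]; then
      echo "$item.pem points at version $v, newest archived version is $newest"
      status=1
    fi
  done
  [ "$status" -eq 0 ] && echo "$name: live/ points at archive version $newest"
  return "$status"
}
```

Run it as root after the renewal job from step 7 (cron) and alert on a non-zero exit; newer Certbot releases can also run it from a `--deploy-hook`. A stale or dangling link is exactly the state in which Apache keeps serving the previous certificate until it expires, or fails a reload because a file listed in the vhost is missing.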

@geerlingguy
Owner Author

geerlingguy commented Jan 21, 2017

For Nginx:

  • Before step 2, make sure your Nginx server directive(s) are set to listen 443 ssl (at a minimum), and if on Ubuntu, you can use /etc/ssl/private/ssl-cert-snakeoil.key (key) and /etc/ssl/certs/ssl-cert-snakeoil.pem for starters. Restart Nginx so Certbot will be able to verify the servers on port 443.
  • In step 2, use --nginx instead of --apache.
  • TODO: For Drupal sites in particular, I have quite a bit of Nginx template magic going on to work correctly with Drupal 7 or 8, with proxy or no proxy (for super fast Nginx cache even with https), etc.

@geerlingguy
Owner Author

Added some more docs in the README based on work I'm doing for a separate project.

@geerlingguy
Owner Author

See also, #12 — I'm doing a little testing with this for at least Nginx (and probably will work on Apache as well).

@geerlingguy
Owner Author

tl;dr: #12 (comment)

Closing this ticket in favor of follow-up to automate generation using --webroot (PR #38 already adds --standalone automated cert generation support.)
