GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → geerlingguy → Ansible Role Certbot

geerlingguy / Ansible Role Certbot

Licence: mit
Ansible Role - Certbot (for Let's Encrypt)

Labels

ansiblehttpssslletsencryptcertificaterolecertbot

Projects that are alternatives of or similar to Ansible Role Certbot

django-yadpt-starter
Yet Another Django Project Template skeleton for Django projects
Stars: ✭ 28 (-94.13%)
Mutual labels:  letsencrypt, certificate, https, certbot
letsencrypt-www
Probably the easiest way to create | renew | deploy certificate
Stars: ✭ 27 (-94.34%)
Mutual labels:  letsencrypt, ssl, certificate, https
docker-nginx-certbot
Automatically create and renew website certificates for free using the Let's Encrypt certificate authority.
Stars: ✭ 367 (-23.06%)
Mutual labels:  letsencrypt, ssl, https, certbot
Docker Letsencrypt Certgen
Docker image to generate, renew, revoke RSA and/or ECDSA SSL certificates from LetsEncrypt CA using certbot and acme.sh clients in automated fashion
Stars: ✭ 64 (-86.58%)
Mutual labels:  https, ssl, letsencrypt, certbot
Acme client
Java ACME Client application
Stars: ✭ 77 (-83.86%)
Mutual labels:  https, ssl, letsencrypt, certificate
Serverpilot Letsencrypt
Automate the installation of Let's Encrypt SSL on the free plan of ServerPilot
Stars: ✭ 129 (-72.96%)
Mutual labels:  https, ssl, letsencrypt, certbot
Certificaat
General-purpose ACME client
Stars: ✭ 88 (-81.55%)
Mutual labels:  https, ssl, letsencrypt, certificate
Ansible Letsencrypt
Ansible role for LetsEncrypt
Stars: ✭ 66 (-86.16%)
Mutual labels:  ansible, letsencrypt, certificate, certbot
Bubbly
Better SSL in Nginx in 10 minutes. Configuration files and setup scripts for Certbot.
Stars: ✭ 217 (-54.51%)
Mutual labels:  ssl, certificate, certbot
website-checks
check your website for issues with multiple tools and get PDF reports of the results
Stars: ✭ 69 (-85.53%)
Mutual labels:  ssl, certificate, https
Certes
A client implementation for the Automated Certificate Management Environment (ACME) protocol
Stars: ✭ 357 (-25.16%)
Mutual labels:  https, ssl, letsencrypt
sslcontext-kickstart
🔐 A lightweight high level library for configuring a http client or server based on SSLContext or other properties such as TrustManager, KeyManager or Trusted Certificates to communicate over SSL TLS for one way authentication or two way authentication provided by the SSLFactory. Support for Java, Scala and Kotlin based clients with examples. Av…
Stars: ✭ 295 (-38.16%)
Mutual labels:  ssl, certificate, https
acme2
Another PHP client for acme protocal (version 2) implementation, used for generating letsencrypt's free ssl certificates.
Stars: ✭ 45 (-90.57%)
Mutual labels:  letsencrypt, ssl, certificate
freshcerts
ACME certificate protocol (Let's Encrypt) proxy client with a dashboard and monitoring
Stars: ✭ 59 (-87.63%)
Mutual labels:  letsencrypt, ssl, certificate
Echo
High performance, minimalist Go web framework
Stars: ✭ 21,297 (+4364.78%)
Mutual labels:  https, ssl, letsencrypt
letsencrypt-inwx
A small cli utility for automating the letsencrypt dns-01 challenge for domains hosted by inwx.
Stars: ✭ 43 (-90.99%)
Mutual labels:  letsencrypt, certificate, certbot
wat
WAT - Windows ACME Tool
Stars: ✭ 28 (-94.13%)
Mutual labels:  letsencrypt, certificate, certbot
Ssl Proxy
🔒 Simple zero-config SSL reverse proxy with real autogenerated certificates (LetsEncrypt, self-signed, provided)
Stars: ✭ 427 (-10.48%)
Mutual labels:  ssl, letsencrypt, certificate
docker-haproxy-certbot
Dockerized HAProxy with Let's Encrypt certificates automatic renewal
Stars: ✭ 28 (-94.13%)
Mutual labels:  letsencrypt, ssl, certbot
Dnsrobocert
Orchestrate Certbot and Lexicon together to provide Let's Encrypt TLS certificates validated by DNS challenges
Stars: ✭ 420 (-11.95%)
Mutual labels:  ssl, letsencrypt, certbot
View All Similar Projects ➔

Ansible Role: Certbot (for Let's Encrypt)

CI

Installs and configures Certbot (for Let's Encrypt).

Requirements

If installing from source, Git is required. You can install Git using the geerlingguy.git role.

Generally, installing from source (see section Source Installation from Git) leads to a better experience using Certbot and Let's Encrypt, especially if you're using an older OS release.

Role Variables

The variable certbot_install_from_source controls whether to install Certbot from Git or package management. The latter is the default, so the variable defaults to no.

certbot_auto_renew: true
certbot_auto_renew_user: "{{ ansible_user | default(lookup('env', 'USER')) }}"
certbot_auto_renew_hour: "3"
certbot_auto_renew_minute: "30"
certbot_auto_renew_options: "--quiet --no-self-upgrade"

By default, this role configures a cron job to run under the provided user account at the given hour and minute, every day. The defaults run certbot renew (or certbot-auto renew) via cron every day at 03:30:00 by the user you use in your Ansible playbook. It's preferred that you set a custom user/hour/minute so the renewal is during a low-traffic period and done by a non-root user account.

Automatic Certificate Generation

Currently there is one built-in method for generating new certificates using this role: standalone. Other methods (e.g. using nginx or apache and a webroot) may be added in the future.

For a complete example: see the fully functional test playbook in molecule/default/playbook-standalone-nginx-aws.yml.

certbot_create_if_missing: false
certbot_create_method: standalone

Set certbot_create_if_missing to yes or True to let this role generate certs. Set the method used for generating certs with the certbot_create_method variable—current allowed values include: standalone.

certbot_admin_email: [email protected]

The email address used to agree to Let's Encrypt's TOS and subscribe to cert-related notifications. This should be customized and set to an email address that you or your organization regularly monitors.

certbot_certs: []
  # - email: [email protected]
  #   domains:
  #     - example1.com
  #     - example2.com
  # - domains:
  #     - example3.com

A list of domains (and other data) for which certs should be generated. You can add an email key to any list item to override the certbot_admin_email.

certbot_create_command: "{{ certbot_script }} certonly --standalone --noninteractive --agree-tos --email {{ cert_item.email | default(certbot_admin_email) }} -d {{ cert_item.domains | join(',') }}"

The certbot_create_command defines the command used to generate the cert.

Standalone Certificate Generation

certbot_create_standalone_stop_services:
  - nginx

Services that should be stopped while certbot runs it's own standalone server on ports 80 and 443. If you're running Apache, set this to apache2 (Ubuntu), or httpd (RHEL), or if you have Nginx on port 443 and something else on port 80 (e.g. Varnish, a Java app, or something else), add it to the list so it is stopped when the certificate is generated.

These services will only be stopped the first time a new cert is generated.

Source Installation from Git

You can install Certbot from it's Git source repository if desired. This might be useful in several cases, but especially when older distributions don't have Certbot packages available (e.g. CentOS < 7, Ubuntu < 16.10 and Debian < 8).

certbot_install_from_source: false
certbot_repo: https://github.com/certbot/certbot.git
certbot_version: master
certbot_keep_updated: true

Certbot Git repository options. To install from source, set certbot_install_from_source to yes. This clones the configured certbot_repo, respecting the certbot_version setting. If certbot_keep_updated is set to yes, the repository is updated every time this role runs.

certbot_dir: /opt/certbot

The directory inside which Certbot will be cloned.

Wildcard Certificates

Let's Encrypt supports generating wildcard certificates, but the process for generating and using them is slightly more involved. See comments in this pull request for an example of how to use this role to maintain wildcard certs.

Michael Porter also has a walkthrough of Creating A Let’s Encrypt Wildcard Cert With Ansible, specifically with Cloudflare.

Dependencies

None.

Example Playbook

- hosts: servers

  vars:
    certbot_auto_renew_user: your_username_here
    certbot_auto_renew_minute: "20"
    certbot_auto_renew_hour: "5"

  roles:
    - geerlingguy.certbot

See other examples in the tests/ directory.

Manually creating certificates with certbot

Note: You can have this role automatically generate certificates; see the "Automatic Certificate Generation" documentation above.

You can manually create certificates using the certbot (or certbot-auto) script (use letsencrypt on Ubuntu 16.04, or use /opt/certbot/certbot-auto if installing from source/Git. Here are some example commands to configure certificates with Certbot:

# Automatically add certs for all Apache virtualhosts (use with caution!).
certbot --apache

# Generate certs, but don't modify Apache configuration (safer).
certbot --apache certonly

If you want to fully automate the process of adding a new certificate, but don't want to use this role's built in functionality, you can do so using the command line options to register, accept the terms of service, and then generate a cert using the standalone server:

  1. Make sure any services listening on ports 80 and 443 (Apache, Nginx, Varnish, etc.) are stopped.
  2. Register with something like certbot register --agree-tos --email [[email protected]] - Note: You won't need to do this step in the future, when generating additional certs on the same server.
  3. Generate a cert for a domain whose DNS points to this server: certbot certonly --noninteractive --standalone -d example.com -d www.example.com
  4. Re-start whatever was listening on ports 80 and 443 before.
  5. Update your webserver's virtualhost TLS configuration to point at the new certificate (fullchain.pem) and private key (privkey.pem) Certbot just generated for the domain you passed in the certbot command.
  6. Reload or restart your webserver so it uses the new HTTPS virtualhost configuration.

Certbot certificate auto-renewal

By default, this role adds a cron job that will renew all installed certificates once per day at the hour and minute of your choosing.

You can test the auto-renewal (without actually renewing the cert) with the command:

/opt/certbot/certbot-auto renew --dry-run

See full documentation and options on the Certbot website.

License

MIT / BSD

Author Information

This role was created in 2016 by Jeff Geerling, author of Ansible for DevOps.

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].