
ansible-role-simp_le

Install simp_le, generate certificates and renew them automatically on Debian/Ubuntu servers.

Renewal will be attempted daily via a cron job run by the Ansible remote user.

See the role on Ansible Galaxy: L-P.simp_le

Note: I started using acmetool and recommend you do the same for any new server running Ubuntu ≥ 16.04.

Required variables

A list of virtual hosts for which we'll generate certificates:

simp_le_vhosts:
  - domains: ["www.example.com", "example.com"]
    root: "/path/to/challenges" # accessible via HTTP
    output: "/path/to/output/dir" # where to write the certificates

An email address LetsEncrypt will use to identify you and send renewal notices:

simp_le_email: "[email protected]"

There are three optional keys you can set on hosts:

  • user and group to specify who will own the keys, challenges and their parent directory. The owner defaults to www-data:www-data.
  • extra_args to pass extra arguments to simp_le. This can be used to point simp_le at the LetsEncrypt staging server, or to tell it to reuse the key pair when renewing the certificate. Reusing the key pair is useful if you publish TLSA records: with Selector type 1 (SubjectPublicKeyInfo) the TLSA record does not need to change when the certificate is renewed.
  • update_action, a command to be run when a certificate is renewed, e.g. systemctl restart apache2

Example:

simp_le_vhosts:
  - domains: ["smtp.example.com", "mail.example.com"]
    root: "/path/to/challenges"
    output: "/path/to/output/dir"
    user: "Debian-exim"
    group: "Debian-exim"
    extra_args: "--reuse_key --server https://acme-staging.api.letsencrypt.org/directory"
    update_action: "/bin/systemctl restart exim4"

See defaults/main.yml for more configuration.

Server configuration

Your server needs to serve the challenge files over HTTP. Here is an example nginx configuration that redirects every HTTP request to HTTPS except for the challenges:

location /.well-known/acme-challenge/ {
    alias /var/www/challenges/.well-known/acme-challenge/;
    try_files $uri @forward_https;
}
location @forward_https {
    return 301 https://example.com$request_uri;
}
location / {
    return 301 https://example.com$request_uri;
}

Example playbook

- hosts: all
  roles:
    - {role: "L-P.simp_le", become: no}

While most of the operations are done without sudo, it is still used to create the various directories with the proper permissions and owners.

ansible-role-simp_le's Issues

Problem with my system?

First, thanks a lot for the role. I'm trying to use it, but I experienced an error at the Create certificates step:

fatal: [37.205.11.220]: FAILED! => {"changed": true, "cmd": ["/home/root/.cache/ansible-simp_le/generate-certs", "/home/root/.cache/ansible-simp_le/conf.json"], "delta": "0:00:00.027201", "end": "2016-03-13 14:27:54.053156", "failed": true, "rc": 1, "start": "2016-03-13 14:27:54.025955", "stderr": "Traceback (most recent call last):\n File \"/home/root/.cache/ansible-simp_le/generate-certs\", line 77, in <module>\n main(sys.argv)\n File \"/home/root/.cache/ansible-simp_le/generate-certs\", line 68, in main\n ret = subprocess.call(cmd, cwd=vhost[\"output\"])\n File \"/usr/lib/python2.7/subprocess.py\", line 522, in call\n return Popen(*popenargs, **kwargs).wait()\n File \"/usr/lib/python2.7/subprocess.py\", line 710, in __init__\n errread, errwrite)\n File \"/usr/lib/python2.7/subprocess.py\", line 1327, in _execute_child\n raise child_exception\nOSError: [Errno 2] No such file or directory", "stdout": "", "stdout_lines": [], "warnings": []}

I'm using Ubuntu 14.04 and don't know what file or directory could be missing.
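The traceback above ends in OSError [Errno 2] from subprocess.call(cmd, cwd=vhost["output"]), and Python reports that same errno whether the simp_le executable cannot be found or the output directory used as cwd does not exist. The following pre-flight check is an added example, not part of the role; it reads the same vhost entries the role's simp_le_vhosts variable uses (the executable name "simp_le" and the temporary directories are assumptions) and reports which of the two causes applies before generate-certs is run.

```python
import os
import shutil
import sys
import tempfile


def diagnose_enoent(executable, cwd):
    """Explain an OSError [Errno 2] from subprocess.call([executable, ...], cwd=cwd).

    Python raises the same ENOENT whether the executable cannot be found or the
    cwd= directory is missing, so the traceback alone cannot tell them apart.
    """
    reasons = []
    if not os.path.isdir(cwd):
        reasons.append("cwd %r does not exist" % cwd)
    if os.sep in executable:  # explicit path: must exist and be executable
        if not os.access(executable, os.X_OK):
            reasons.append("executable %r missing or not executable" % executable)
    elif shutil.which(executable) is None:  # bare name: looked up on PATH
        reasons.append("%r not found on PATH" % executable)
    return reasons


def preflight(vhosts, executable="simp_le"):
    """Check simp_le_vhosts entries: `root` must exist so challenges can be served
    over HTTP, `output` must exist because it is the working directory for simp_le."""
    problems = []
    for vhost in vhosts:
        name = vhost["domains"][0]
        for key in ("root", "output"):
            if not os.path.isdir(vhost[key]):
                problems.append("%s: %s %r is not a directory" % (name, key, vhost[key]))
        for reason in diagnose_enoent(executable, vhost["output"]):
            if not reason.startswith("cwd"):  # missing output dir already reported above
                problems.append("%s: %s" % (name, reason))
    return problems


def demo():
    """Constructed case: challenge root present, output dir never created, simp_le absent."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "challenges")
    os.makedirs(root)
    vhosts = [{"domains": ["www.example.com", "example.com"], "root": root,
               "output": os.path.join(base, "certs")}]  # never created: the ENOENT cause
    healthy = diagnose_enoent(sys.executable, root)  # a real binary and an existing cwd
    return healthy, preflight(vhosts, executable="simp_le-not-installed")
```

Running preflight against the real conf.json contents on the affected host tells you whether to create the output directory (or fix its owner) or to install simp_le on the PATH of the Ansible remote user.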

Deprecation warning: sudo vs become

When running the playbook, we get this error message:

[DEPRECATION WARNING]: Instead of sudo/sudo_user, use become/become_user and make sure become_method is 'sudo' (default).
This feature will be removed in a future release. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.

Maybe it's not the time yet to upgrade to become if you want to support older ansible versions, but it's something to be aware of.
http://docs.ansible.com/ansible/become.html
