Install and manage certbot
Ansible >= 2.10
ansible-galaxy install claranet.certbot
Variable | Default value | Description |
---|---|---|
certbot_packages | ['certbot', 'python3-pip'] | Packages to install |
certbot_webroot | /var/www/letsencrypt | Directory for http challenges |
certbot_auto_renew | true | Enable automatic certificate renewal |
certbot_auto_renew_user | root | User under which the renewal cron job is configured |
certbot_auto_renew_hour | 3 | Hour of the renewal cron job |
certbot_auto_renew_minute | 30 | Minute of the renewal cron job |
certbot_auto_renew_option | --quiet --no-self-upgrade | Options passed to the renew command |
certbot_certs | [] | See defaults/main.yml for details |
certbot_staging_enabled | true | Use the Let's Encrypt staging environment |
certbot_create_command | certbot certonly --webroot ... | See defaults/main.yml for details |
certbot_plugins | [] | List of plugins to install using pip |
certbot_plugins_pip_executable | pip3 | pip executable to use to install certbot plugins |
certbot_reload_services_before_enabled | true | Reload certbot_reload_services before configuring certbot |
certbot_reload_services_after_enabled | true | Reload certbot_reload_services after configuring certbot |
certbot_reload_services | [] | List of services to reload |
N/A
Before using this challenge type, your server must have a public IP address and a DNS record pointing to it.
Before configuring certbot to issue a certificate, you must set up your web server to serve certbot's HTTP challenges.
# Serve the HTTP-01 challenge files from the role's webroot (certbot_webroot).
Alias /.well-known/acme-challenge/ "/var/www/letsencrypt/.well-known/acme-challenge/"
<Directory "/var/www/letsencrypt">
AllowOverride None
# NOTE(review): "Indexes" turns on directory listing for the challenge webroot;
# validation only needs the files to be readable ("Require all granted"), so
# the listing option is not required here.
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
Require all granted
</Directory>
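---
# Example: one certificate for two Apache vhosts, validated with the HTTP-01
# webroot challenge. certbot_webroot must match the Alias/Directory configured
# in the Apache vhost.
certbot_certs:
  - email: "test@clara.net"
    certbot_webroot: "/var/www/letsencrypt"
    domains:
      - "lamp-01.clara.net"
      - "lamp-02.clara.net"

# Services reloaded before/after certbot is configured
# (see certbot_reload_services_before_enabled / _after_enabled).
certbot_reload_services:
  - apache2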
# Map /.well-known/acme-challenge/ requests to the challenge files written
# under the role's webroot (certbot_webroot).
location /.well-known/acme-challenge/ {
alias /var/www/letsencrypt/.well-known/acme-challenge/;
}
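---
# Example: one certificate for two nginx server names, validated with the
# HTTP-01 webroot challenge. certbot_webroot must match the alias path in the
# nginx location block.
certbot_certs:
  - email: "test@clara.net"
    certbot_webroot: "/var/www/letsencrypt"
    domains:
      - "lamp-01.clara.net"
      - "lamp-02.clara.net"

# Services reloaded before/after certbot is configured
# (see certbot_reload_services_before_enabled / _after_enabled).
certbot_reload_services:
  - nginx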
Use the `--cert-name` option like this to avoid creating a new certificate on each Ansible run:
`--cert-name "{{ _certbot_cert_item.domains | first | regex_replace('^\*\.(.*)$', 'wildcard.\1') }}"`
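---
# Example: DNS-01 challenge through the certbot-dns-route53 plugin, including
# a wildcard certificate. Wildcard names must stay quoted: an unquoted leading
# "*" is parsed by YAML as an alias, not a string.
certbot_certs:
  - email: "test@clara.net"
    domains:
      - "*.molecule.clara.net"
  - email: "test@clara.net"
    domains:
      - "lamp-01.clara.net"
      - "lamp-02.clara.net"

# Services reloaded before/after certbot is configured
# (see certbot_reload_services_before_enabled / _after_enabled).
certbot_reload_services:
  - nginx

# Override of the create command for the dns-route53 plugin. The folded block
# scalar (>-) joins the lines into a single command line.
# NOTE: certbot_staging_enabled defaults to true, so this requests
# certificates from the Let's Encrypt staging CA (not trusted by browsers), and
# --break-my-certs allows them to replace existing trusted certificates. Set
# certbot_staging_enabled: false for production.
# --cert-name derives a stable lineage name from the first domain
# ("*.example" -> "wildcard.example") so repeated runs renew/expand the same
# certificate instead of creating a new one each time.
certbot_create_command: >-
  certbot certonly --dns-route53
  {{ '--staging --break-my-certs' if certbot_staging_enabled else '' }}
  --noninteractive --agree-tos
  --email {{ _certbot_cert_item.email | default(certbot_admin_email) }}
  --cert-name "{{ _certbot_cert_item.domains | first | regex_replace('^\*\.(.*)$', 'wildcard.\1') }}"
  --expand
  -d {{ _certbot_cert_item.domains | join(',') }}

# Plugin installed with certbot_plugins_pip_executable; pinned to an exact
# version so every run installs the same release.
certbot_plugins:
  - certbot-dns-route53==1.22.0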
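---
# Minimal playbook applying the role to every host in the inventory.
- hosts: all
  roles:
    - claranet.certbot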