
claranet/ansible-role-certbot


Ansible role - certbot


⭐ Star us on GitHub — it motivates us a lot!

Install and manage certbot

⚠️ Requirements

Ansible >= 2.10

⚡ Installation

ansible-galaxy install claranet.certbot

⚙️ Role variables

| Variable | Default value | Description |
|---|---|---|
| certbot_packages | ['certbot', 'python3-pip'] | Package names to install |
| certbot_webroot | /var/www/letsencrypt | Directory for HTTP-01 challenges |
| certbot_auto_renew | true | Enable certificate renewal |
| certbot_auto_renew_user | root | User whose crontab holds the renewal job |
| certbot_auto_renew_hour | 3 | Cron job hour for renewal |
| certbot_auto_renew_minute | 30 | Cron job minute for renewal |
| certbot_auto_renew_option | --quiet --no-self-upgrade | Options for the renew command |
| certbot_certs | [] | See defaults/main.yml for details |
| certbot_staging_enabled | true | Use the Let's Encrypt staging environment |
| certbot_create_command | certbot certonly --webroot ... | See defaults/main.yml for details |
| certbot_plugins | [] | List of plugins to install using pip |
| certbot_plugins_pip_executable | pip3 | pip executable used to install certbot plugins |
| certbot_reload_services_before_enabled | true | Reload certbot_reload_services before configuring certbot |
| certbot_reload_services_after_enabled | true | Reload certbot_reload_services after configuring certbot |
| certbot_reload_services | [] | List of services to reload |

🔄 Dependencies

N/A

HTTP-01 Challenge

⚠️ To use the HTTP-01 challenge, you must use the webroot plugin (the default behaviour).

Before using this challenge type, your server must have a public IP address and a DNS record pointing to it.

Webserver Setup

Before configuring certbot to issue a certificate, you must set up your web server so that it serves certbot's HTTP-01 challenge files from the webroot.

Apache2

Alias /.well-known/acme-challenge/ "/var/www/letsencrypt/.well-known/acme-challenge/"
<Directory "/var/www/letsencrypt">
    AllowOverride None
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require all granted
</Directory>

certbot_certs:
  - email: "test@clara.net"
    certbot_webroot: "/var/www/letsencrypt"
    domains:
      - "lamp-01.clara.net"
      - "lamp-02.clara.net"
certbot_reload_services:
  - apache2

Nginx

location /.well-known/acme-challenge/ {
    alias /var/www/letsencrypt/.well-known/acme-challenge/;
}

certbot_certs:
  - email: "test@clara.net"
    certbot_webroot: "/var/www/letsencrypt"
    domains:
      - "lamp-01.clara.net"
      - "lamp-02.clara.net"
certbot_reload_services:
  - nginx
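Before the role requests a certificate, it is worth confirming that the web server really serves files from the webroot at the ACME path, because every failed authorization counts against Let's Encrypt's rate limits. The following pre-flight probe is an added example and is not part of the role: it drops a throwaway token into the challenge directory, checks that the directory chain and the file are readable by a non-root web server user, and, when a domain is given, fetches the token over plain HTTP through the Apache Alias or Nginx location shown above. The function name, the probe token format and the sample paths are assumptions of this example.

```python
import os
import secrets
import stat
import urllib.request

# Relative path the ACME HTTP-01 challenge is served from (fixed by the protocol).
CHALLENGE_PATH = ".well-known/acme-challenge"


def probe_acme_webroot(webroot: str, domain: str = "", timeout: float = 5.0) -> list:
    """Hypothetical pre-flight check for the role's certbot_webroot.

    Returns a list of problems; an empty list means the webroot is ready.
    certbot (running as root) writes the challenge files, while apache2/nginx
    run as a different user, so every directory on the path needs o+rx and the
    file itself needs o+r. If `domain` is set, the token is also fetched over
    http://<domain>/.well-known/acme-challenge/<token>.
    """
    problems = []
    challenge_dir = os.path.join(webroot, CHALLENGE_PATH)
    os.makedirs(challenge_dir, exist_ok=True)

    # Constructed probe token; it is removed again before returning.
    token = "probe-" + secrets.token_urlsafe(16)
    token_file = os.path.join(challenge_dir, token)
    with open(token_file, "w", encoding="ascii") as fh:
        fh.write("ok\n")

    try:
        need_dir = stat.S_IROTH | stat.S_IXOTH
        for d in (webroot, os.path.join(webroot, ".well-known"), challenge_dir):
            mode = os.stat(d).st_mode
            if mode & need_dir != need_dir:
                problems.append(
                    f"{d}: not world-readable/searchable (mode {oct(mode & 0o777)})")

        fmode = os.stat(token_file).st_mode
        if not fmode & stat.S_IROTH:
            problems.append(
                f"{token_file}: not world-readable (mode {oct(fmode & 0o777)})")

        if domain:
            url = f"http://{domain}/{CHALLENGE_PATH}/{token}"
            try:
                with urllib.request.urlopen(url, timeout=timeout) as resp:
                    if resp.read() != b"ok\n":
                        problems.append(f"{url}: served, but with an unexpected body")
            except OSError as exc:  # URLError is a subclass of OSError
                problems.append(f"{url}: not reachable ({exc})")
    finally:
        os.unlink(token_file)

    return problems


if __name__ == "__main__":
    import sys
    webroot = sys.argv[1] if len(sys.argv) > 1 else "/var/www/letsencrypt"
    domain = sys.argv[2] if len(sys.argv) > 2 else ""
    for problem in probe_acme_webroot(webroot, domain):
        print(problem)
```

Run it on the host as root with the same webroot value you give the role, for example `python3 probe.py /var/www/letsencrypt lamp-01.clara.net`; an empty output means the permissions are right and the challenge path is reachable from the outside.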

DNS-01 Challenge

⚠️ For a wildcard certificate, you must pass the --cert-name option as shown below; otherwise each Ansible run creates a new certificate:

--cert-name "{{ _certbot_cert_item.domains | first | regex_replace('^\*\.(.*)$', 'wildcard.\1') }}"

Route53 example

certbot_certs:
- email: "test@clara.net"
  domains:
    - "*.molecule.clara.net"
- email: "test@clara.net"
  domains:
    - "lamp-01.clara.net"
    - "lamp-02.clara.net"

certbot_reload_services:
  - nginx

certbot_create_command: >-
  certbot certonly --dns-route53
  {{ '--staging --break-my-certs' if certbot_staging_enabled else '' }}
  --noninteractive --agree-tos
  --email {{ _certbot_cert_item.email | default(certbot_admin_email) }}
  --cert-name "{{ _certbot_cert_item.domains | first | regex_replace('^\*\.(.*)$', 'wildcard.\1') }}"
  --expand
  -d {{ _certbot_cert_item.domains | join(',') }}

certbot_plugins:
  - certbot-dns-route53==1.22.0
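Two settings in this section are easy to get wrong on a production host: the role's default `certbot_staging_enabled: true` makes the create command run with `--staging --break-my-certs`, which issues certificates clients do not trust and allows valid ones to be replaced by them, and a wildcard name needs both a DNS-01 plugin (the webroot plugin cannot issue wildcards) and the stable `--cert-name` derived above. The following lint is an added example, not part of the role: it reproduces the `regex_replace` mapping from the first domain to the lineage name with Python's `re.sub`, and checks a set of role variables for those pitfalls before a playbook run. The function names, the `production` flag and the sample variable sets are assumptions of this example.

```python
import re

# The mapping the role's example applies with Ansible's regex_replace filter:
# "*.molecule.clara.net" -> "wildcard.molecule.clara.net"; plain names pass through.
WILDCARD_RE = re.compile(r"^\*\.(.*)$")


def lineage_name(first_domain: str) -> str:
    """Lineage name certbot gets via --cert-name for a certbot_certs entry."""
    return WILDCARD_RE.sub(r"wildcard.\1", first_domain)


def lint_certbot_vars(cfg: dict, production: bool) -> list:
    """Hypothetical pre-run lint over the role's variables.

    `cfg` holds role variables as a playbook would set them; `production`
    marks hosts that must end up with publicly trusted certificates.
    Returns a list of findings (empty means nothing to fix).
    """
    findings = []
    # The role's default create command begins with "certbot certonly --webroot".
    command = cfg.get("certbot_create_command", "certbot certonly --webroot")

    if production and cfg.get("certbot_staging_enabled", True):
        findings.append(
            "certbot_staging_enabled is true (the role default): the staging CA "
            "issues certificates clients do not trust, and --break-my-certs lets "
            "certbot replace valid certificates with them")

    for item in cfg.get("certbot_certs", []):
        domains = item.get("domains") or []
        if not domains:
            findings.append("certbot_certs entry without domains")
            continue
        if not (item.get("email") or cfg.get("certbot_admin_email")):
            findings.append(f"{domains[0]}: no email and no certbot_admin_email fallback")
        wildcards = [d for d in domains if d.startswith("*.")]
        if wildcards and "--webroot" in command:
            findings.append(
                f"{wildcards[0]}: wildcard names need a DNS-01 plugin; the webroot "
                "(HTTP-01) plugin cannot issue them")
        if wildcards and "--cert-name" not in command:
            findings.append(
                f"{wildcards[0]}: no --cert-name in certbot_create_command, so each "
                f"run creates a new lineage (expected --cert-name {lineage_name(wildcards[0])})")
    return findings


# Constructed sample: the Route53 example above, with the role's staging default.
ROUTE53_VARS = {
    "certbot_staging_enabled": True,
    "certbot_certs": [
        {"email": "test@clara.net", "domains": ["*.molecule.clara.net"]},
        {"email": "test@clara.net", "domains": ["lamp-01.clara.net", "lamp-02.clara.net"]},
    ],
    "certbot_create_command": (
        "certbot certonly --dns-route53 --noninteractive --agree-tos "
        "--cert-name wildcard.molecule.clara.net --expand -d *.molecule.clara.net"),
}

# Constructed sample: a wildcard name left on the role's default webroot command.
WEBROOT_WILDCARD_VARS = {
    "certbot_staging_enabled": False,
    "certbot_certs": [{"email": "test@clara.net", "domains": ["*.molecule.clara.net"]}],
}


if __name__ == "__main__":
    for name, cfg in (("route53", ROUTE53_VARS), ("webroot-wildcard", WEBROOT_WILDCARD_VARS)):
        for finding in lint_certbot_vars(cfg, production=True):
            print(f"[{name}] {finding}")
```

Run with `production=False` on a staging or test host the lint stays quiet for the Route53 example; with `production=True` it reports only the staging default, which is the one variable to flip to `false` before the role issues the real certificates.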

✏️ Example Playbook

---
- hosts: all
  roles:
    - claranet.certbot

©️ License

Mozilla Public License Version 2.0