{"id":16781636,"url":"https://github.com/danvaida/ansible-roles-letsencrypt","last_synced_at":"2025-04-10T21:22:09.667Z","repository":{"id":87587190,"uuid":"84253708","full_name":"danvaida/ansible-roles-letsencrypt","owner":"danvaida","description":"Handles the interaction with the ACME Server of Let's Encrypt.","archived":false,"fork":false,"pushed_at":"2018-03-22T13:37:26.000Z","size":16,"stargazers_count":7,"open_issues_count":0,"forks_count":2,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-03-24T18:52:26.105Z","etag":null,"topics":["ansible","ansible-roles","certificates","letsencrypt","letsencrypt-certificates","tls"],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"lgpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/danvaida.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-03-07T22:44:25.000Z","updated_at":"2018-08-31T16:20:01.000Z","dependencies_parsed_at":"2023-03-11T02:30:34.776Z","dependency_job_id":null,"html_url":"https://github.com/danvaida/ansible-roles-letsencrypt","commit_stats":null,"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/danvaida%2Fansible-roles-letsencrypt","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/danvaida%2Fansible-roles-letsencrypt/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/danvaida%2Fansible-roles-letsencrypt/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/reposit
ories/danvaida%2Fansible-roles-letsencrypt/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/danvaida","download_url":"https://codeload.github.com/danvaida/ansible-roles-letsencrypt/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248299024,"owners_count":21080449,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ansible","ansible-roles","certificates","letsencrypt","letsencrypt-certificates","tls"],"created_at":"2024-10-13T07:43:27.770Z","updated_at":"2025-04-10T21:22:09.654Z","avatar_url":"https://github.com/danvaida.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![Build Status](https://travis-ci.org/danvaida/ansible-roles-letsencrypt.svg?branch=master)](https://travis-ci.org/danvaida/ansible-roles-letsencrypt)\n[![Galaxy](https://img.shields.io/ansible/role/16126.svg)](https://galaxy.ansible.com/danvaida/letsencrypt/)\n\n# Ansible Let's Encrypt role\n\nObtains TLS certificates through [ACME][1] from [Let's Encrypt][2].\n\nOnce you complete the challenge(s) and obtain the Certificate(s), you are responsible for setting it/them up in your web server(s) of choice.\n\n# Requirements\n\n* `openssl`\n* Python \u003e= 2.7.9\n\n# Role Variables\n\n* __letsencrypt_certs_dir:__\n  Path to work-dir, where all CSRs, Keys and Certs will be stored.\n\n* __letsencrypt_account_key_name:__\n  Name of the Let's Encrypt account's RSA key.\n\n* __letsencrypt_account_key_size:__\n  Size of the Let's Encrypt account's RSA key.\n\n* 
__letsencrypt_certs_to_generate:__\n  List of certs to generate.\n\n  * __account_email:__\n    E-mail address that's going to be exchanged with the ACME server. You'll get cert expiration warnings.\n\n  * __account_key:__\n    Path to the RSA key file.\n\n  * __acme_directory:__\n    ACME API endpoint. Uses Let's Encrypt's Staging by default.\n\n  * __agreement:__\n    URI to TOS doc you agree with.\n\n  * __challenge:__\n    The accepted challenge type.\n\n  * __csr:__\n    Path to the CSR file.\n\n  * __dest:__\n    Path to the resulting Certificate file (where you want to store it).\n\n  * __remaining_days:__\n    Number of days for the cert to be valid.\n\n# Dependencies\n\nN/A\n\n# Example Playbook\n\nIn this example, we are requesting a certificate from Let's Encrypt,\nalthough in theory, this Ansible module should be compatible with any\nACME server.\n\nWe have three plays:\n\n1. create CSR, Key and issue request for certificate release\n2. complete the challenge (DNS record in Route53 in this case)\n3. 
ask to validate the challenge and grant the certificate.\n\n```\n    - name: ACME Step 1\n      hosts: localhost\n      connection: local\n      roles:\n        - role: letsencrypt\n          letsencrypt_certs_dir:         './files/production/certs'\n          letsencrypt_account_key_name:  'letsencrypt_account'\n          letsencrypt_account_key_size:  2048\n          letsencrypt_certs_to_generate:\n            - domain: 'your-domain.com'\n              key_size: 2048\n              account_email: 'info@your-domain.com'\n              account_key: \"{{ letsencrypt_certs_dir }}/{{ letsencrypt_account_key_name }}.key\"\n              challenge: 'dns-01'\n              agreement: 'https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'\n              csr: \"{{ letsencrypt_certs_dir }}/your-domain.com/your.csr\"\n              dest: \"{{ letsencrypt_certs_dir }}/your-domain.com/domain.crt\"\n              acme_directory: 'https://acme-v01.api.letsencrypt.org/directory'\n          tags: letsencrypt\n\n      tasks:\n        - name: List of Route53 records to create should be set as fact\n          set_fact:\n            route53_records_to_add: \"{{\n              route53_records_to_add | default([]) +\n              [{'zone': item.1.domain,\n              'record': item.0.challenge_data[item.1.domain]['dns-01']['resource'] + '.' 
+ item.1.domain + '.',\n              'ttl': 300,\n              'type': 'TXT',\n              'value': '\\\"' + item.0.challenge_data[item.1.domain]['dns-01']['resource_value'] + '\\\"' }]\n              }}\"\n          with_together:\n            - \"{{ letsencrypt_acme_step_one }}\"\n            - \"{{ letsencrypt_certs_to_obtain | default([]) }}\"\n          when: item.1.domain == item.0.item.domain\n          tags: route53\n\n    - name: ACME challenge solving (DNS record in Route53)\n      hosts: localhost\n      connection: local\n      roles:\n        - role: route53\n          tags: route53\n\n    - name: ACME Step 2\n      hosts: localhost\n      connection: local\n      pre_tasks:\n        - name: We should wait for the DNS changes to propagate\n          pause: minutes=1\n\n      roles:\n        - role: letsencrypt\n          letsencrypt_acme_step: two\n          tags: letsencrypt\n```\n\nCompleting other challenge types should be all the same and opaque to this role.\n\n# Testing\n\nThe tests are relying on the DNS challenge type and are solving it via\n[AWS Route53][3].\n\nIf you want to run the tests on the provided docker environment, run the\nfollowing commands:\n\n    $ cd /path/to/ansible-roles/letsencrypt\n    $ ansible-galaxy install \\\n        --force \\\n        --role-file=./tests/requirements.yml \\\n        --roles-path=./tests/dependencies\n    $ docker build \\\n        --no-cache \\\n        --pull \\\n        --tag ansible-roles-test \\\n        tests/support\n    $ docker run \\\n        --rm \\\n        --interactive \\\n        --tty \\\n        --volume $PWD:/etc/ansible/roles/letsencrypt \\\n        --volume $PWD/tests/dependencies:/etc/ansible/roles/letsencrypt/tests/roles:ro \\\n        --env AWS_ACCESS_KEY=$AWS_ACCESS_KEY \\\n        --env AWS_SECRET_KEY=$AWS_SECRET_KEY \\\n        --workdir /etc/ansible/roles/letsencrypt/tests \\\n        ansible-roles-test\n\n# To-do\n\n* Support other challenge types\n* Support other DNS 
service APIs (e.g. [Cloud DNS][4])\n* Integration with some web server roles (e.g. NGINX, Apache)\n* Support renewal\n* Support multiple Ansible versions and distros\n* Update Ansible in the test Docker image so that the\n[agreement for the DNS challenge][5] no longer has to be specified.\n\n# License\n\nThis project is licensed under the terms of the GNU GPL v3.0 license.\n\n# Author Information\n\nRole created by [Dan Vaida](https://github.com/danvaida).\n\n# Contributions\n\nSee the [ToDo](#to-do) list. Contributions are welcome.\n\n[1]: https://ietf-wg-acme.github.io/acme/\n[2]: https://letsencrypt.org\n[3]: https://aws.amazon.com/route53/\n[4]: https://cloud.google.com/dns/\n[5]: https://github.com/ansible/ansible/pull/33046\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdanvaida%2Fansible-roles-letsencrypt","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdanvaida%2Fansible-roles-letsencrypt","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdanvaida%2Fansible-roles-letsencrypt/lists"}