https://github.com/claranet/ansible-role-certbot
Install and manage certbot
- Host: GitHub
- URL: https://github.com/claranet/ansible-role-certbot
- Owner: claranet
- License: mpl-2.0
- Created: 2021-12-10T10:46:50.000Z (over 4 years ago)
- Default Branch: main
- Last Pushed: 2024-07-05T07:29:52.000Z (almost 2 years ago)
- Last Synced: 2025-03-28T00:34:31.141Z (over 1 year ago)
- Topics: ansible, certbot, claranet, role
- Language: Jinja
- Size: 54.7 KB
- Stars: 5
- Watchers: 12
- Forks: 3
- Open Issues: 0
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
# Ansible role - certbot
> :star: Star us on GitHub — it motivates us a lot!
Install and manage certbot
## :warning: Requirements
Ansible >= 2.10
## :zap: Installation
```bash
ansible-galaxy install claranet.certbot
```
## :gear: Role variables
Variable | Default value | Description
---------|---------------|------------
certbot_packages | **['certbot', 'python3-pip']** | Packages to install
certbot_webroot | **/var/www/letsencrypt** | Directory for HTTP challenges
certbot_auto_renew | **true** | Enable automatic certificate renewal
certbot_auto_renew_user | **root** | User the renewal cron job is configured for
certbot_auto_renew_hour | **3** | Cron job hour for renewal
certbot_auto_renew_minute | **30** | Cron job minute for renewal
certbot_auto_renew_option | **--quiet --no-self-upgrade** | Options for the renew command
certbot_certs | **[]** | See defaults/main.yml for details
certbot_staging_enabled | **true** | Use the Let's Encrypt staging environment
certbot_create_command | **certbot certonly --webroot ...** | See defaults/main.yml for details
certbot_plugins | **[]** | List of plugins to install using pip
certbot_plugins_pip_executable | **pip3** | pip executable to use to install certbot plugins
certbot_reload_services_before_enabled | **true** | Reload `certbot_reload_services` before configuring certbot
certbot_reload_services_after_enabled | **true** | Reload `certbot_reload_services` after configuring certbot
certbot_reload_services | **[]** | List of services to reload
## :arrows_counterclockwise: Dependencies
N/A
## HTTP-01 Challenge
:warning: To use the HTTP-01 challenge, you must use the webroot plugin (the default behaviour).
Before using this challenge type, your server must have a public IP address and a DNS record pointing to it.
### Webserver Setup
Before configuring certbot to issue a certificate, you must set up your web server to serve certbot's HTTP challenges from the webroot directory.
#### Apache2
```apache
Alias /.well-known/acme-challenge/ "/var/www/letsencrypt/.well-known/acme-challenge/"
# AllowOverride, Options and Require are only valid inside a <Directory> block
<Directory "/var/www/letsencrypt/.well-known/acme-challenge/">
    AllowOverride None
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require all granted
</Directory>
```
```yaml
certbot_certs:
  - email: "test@clara.net"
    certbot_webroot: "/var/www/letsencrypt"
    domains:
      - "lamp-01.clara.net"
      - "lamp-02.clara.net"
certbot_reload_services:
  - apache2
```
#### Nginx
```nginx
location /.well-known/acme-challenge/ {
    alias /var/www/letsencrypt/.well-known/acme-challenge/;
}
```
```yaml
certbot_certs:
  - email: "test@clara.net"
    certbot_webroot: "/var/www/letsencrypt"
    domains:
      - "lamp-01.clara.net"
      - "lamp-02.clara.net"
certbot_reload_services:
  - nginx
```
## DNS-01 Challenge
:warning: For a wildcard certificate, you have to pass the `--cert-name` option like this, so that each Ansible run reuses the same certificate instead of creating a new one:
```
--cert-name "{{ _certbot_cert_item.domains | first | regex_replace('^\*\.(.*)$', 'wildcard.\1') }}"
```
### Route53 example
```yaml
certbot_certs:
  - email: "test@clara.net"
    domains:
      - "*.molecule.clara.net"
  - email: "test@clara.net"
    domains:
      - "lamp-01.clara.net"
      - "lamp-02.clara.net"
certbot_reload_services:
  - nginx
certbot_create_command: >-
  certbot certonly --dns-route53
  {{ '--staging --break-my-certs' if certbot_staging_enabled else '' }}
  --noninteractive --agree-tos
  --email {{ _certbot_cert_item.email | default(certbot_admin_email) }}
  --cert-name "{{ _certbot_cert_item.domains | first | regex_replace('^\*\.(.*)$', 'wildcard.\1') }}"
  --expand
  -d {{ _certbot_cert_item.domains | join(',') }}
certbot_plugins:
  - certbot-dns-route53==1.22.0
```
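Both the webroot wiring in the HTTP-01 section and the wildcard `--cert-name` rule above fail silently when they are wrong (a 404 on the challenge path, or a fresh certificate lineage on every run). The following Python is an added example and not part of the claranet.certbot role: it reproduces the README's `--cert-name` expression and verifies that the challenge directory is actually served from the webroot; the hostnames, URLs and paths it uses are assumptions.

```python
"""Pre-flight checks for certbot_certs items. Added example, not part of the
claranet.certbot role; it mirrors the README's webroot layout and --cert-name
regex, and every hostname, URL and path passed in is an assumption."""
import os
import re
import secrets
import tempfile
import urllib.request

CHALLENGE_PATH = ".well-known/acme-challenge"
# Same pattern as the README's regex_replace('^\*\.(.*)$', 'wildcard.\1').
WILDCARD_RE = re.compile(r"^\*\.(.*)$")


def cert_name_for(domains):
    """Lineage name the README's --cert-name expression yields: the first
    domain, a leading '*.' rewritten to 'wildcard.', so a wildcard request
    maps to one stable name on every Ansible run instead of a new lineage."""
    return WILDCARD_RE.sub(r"wildcard.\1", domains[0])


def check_webroot_challenge(base_url, webroot):
    """Verify <base_url>/.well-known/acme-challenge/ serves files from
    <webroot>/.well-known/acme-challenge/ (the job of the Alias / location
    blocks above): write a throwaway token, fetch it back, remove it.
    Returns True only when the served body equals the token."""
    challenge_dir = os.path.join(webroot, CHALLENGE_PATH)
    os.makedirs(challenge_dir, exist_ok=True)
    token = secrets.token_urlsafe(16)
    path = os.path.join(challenge_dir, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(token)
    try:
        url = f"{base_url.rstrip('/')}/{CHALLENGE_PATH}/{token}"
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.read().decode("ascii", "replace") == token
    except (OSError, ValueError):
        return False  # unreachable host, wrong alias, 404 or altered body
    finally:
        os.remove(path)


def offline_selfcheck():
    """Run both checks with no web server: a constructed temporary webroot is
    read back through file:// in place of http://lamp-01.clara.net."""
    root = tempfile.mkdtemp(prefix="acme-webroot-")
    return (
        cert_name_for(["*.molecule.clara.net"]),  # wildcard.molecule.clara.net
        cert_name_for(["lamp-01.clara.net", "lamp-02.clara.net"]),
        check_webroot_challenge("file://" + root, root),  # True
        check_webroot_challenge("file://" + root + "/wrong-alias", root),  # False
    )
```

Against a real host, call `check_webroot_challenge("http://lamp-01.clara.net", "/var/www/letsencrypt")` on the server itself before adding the domain to `certbot_certs`.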
## :pencil2: Example Playbook
```yaml
---
- hosts: all
  roles:
    - claranet.certbot
```
## :closed_lock_with_key: [Hardening](HARDENING.md)
## :heart_eyes_cat: [Contributing](CONTRIBUTING.md)
## :copyright: [License](LICENSE)
[Mozilla Public License Version 2.0](https://www.mozilla.org/en-US/MPL/2.0/)