Let's Encrypt Nginx setup with Ansible
source link: https://gist.github.com/mattiaslundberg/ba214a35060d3c8603e9b1ec8627d349

Great! Thanks
SashaDesigN commented Mar 2, 2019 •
GREAT work, thanks a lot)
Just note for whom it failed:
On Ubuntu you need to use certbot instead of the letsencrypt CLI.
And there is no need to use 2 websites to generate a certificate; it always worked for me with one, even when it's a proxy and doesn't have a working directory to pass ACME validation.
Also: Let's Encrypt made one of the domain verification methods legacy, so make sure you're using certbot v0.28 and above.
Happy coding)
:-) sweet
Thank you so much !! You saved me so much time !!
Can you share the command I need to run in the playbook for certbot? (I'm using Ubuntu.)
This is amazing. Worked without any major modifications on ubuntu 19.10 on a raspberry pi.
I made the following changes:
- Changed hosts to localhost
- Removed inventory file
- Renamed the template files to fix their names after the download
- Modified the SSL config to be a reverse proxy
- Moved variables from inventory file into vars in the playbook
- ran the playbook with ansible-playbook playbook.yml
My playbook:
---
- hosts: localhost
  become: true
  gather_facts: no
  vars:
    domain_name: www.example.com
    letsencrypt_email: [email protected]
  tasks:
    - name: Install nginx
      apt:
        name: nginx
        state: latest
    - name: install letsencrypt
      apt:
        name: letsencrypt
        state: latest
    - name: create letsencrypt directory
      file:
        name: /var/www/letsencrypt
        state: directory
    - name: Remove default nginx config
      file:
        name: /etc/nginx/sites-enabled/default
        state: absent
    - name: Install system nginx config
      template:
        src: nginx.conf.j2
        dest: /etc/nginx/nginx.conf
    - name: Install nginx site for letsencrypt requests
      template:
        src: nginx-http.j2
        dest: /etc/nginx/sites-enabled/http
    - name: Reload nginx to activate letsencrypt site
      service:
        name: nginx
        state: restarted
    - name: Create letsencrypt certificate
      shell: letsencrypt certonly -n --webroot -w /var/www/letsencrypt -m {{ letsencrypt_email }} --agree-tos -d {{ domain_name }}
      args:
        creates: /etc/letsencrypt/live/{{ domain_name }}
    - name: Generate dhparams
      shell: openssl dhparam -out /etc/nginx/dhparams.pem 2048
      args:
        creates: /etc/nginx/dhparams.pem
    - name: Install nginx site for specified site
      template:
        src: nginx-le.j2
        dest: /etc/nginx/sites-enabled/le
    - name: Reload nginx to activate specified site
      service:
        name: nginx
        state: restarted
    - name: Add letsencrypt cronjob for cert renewal
      cron:
        name: letsencrypt_renewal
        special_time: weekly
        job: letsencrypt --renew certonly -n --webroot -w /var/www/letsencrypt -m {{ letsencrypt_email }} --agree-tos -d {{ domain_name }} && service nginx reload
@diablozzq this is great. What if I need to handle 2 subdomains?
Example: domain_name: aaa.example.com
and domain_name_2: bbbb.example.com
googya commented Jun 5, 2020
You can do it like this: -d www.aname.com -d api.aname.com -d api2.aname.com
You can also use the wildcard way.
Thanks for this!
FYI, on my Ubuntu 16.04.6 server with certbot 0.27.0, I had to change the cronjob from
job: letsencrypt --renew certonly -n --webroot -w /var/www/letsencrypt -m {{ letsencrypt_email }} --agree-tos -d {{ domain_name }} && service nginx reload
to
job: letsencrypt --renew-by-default certonly -n --webroot -w /var/www/letsencrypt -m {{ letsencrypt_email }} --agree-tos -d {{ domain_name }} && service nginx reload
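The following is an added example, not the gist's playbook and not any commenter's code. It is a certbot-based variant of diablozzq's playbook above that covers the points raised in the thread: certbot instead of the letsencrypt CLI on Ubuntu/Debian, one certificate covering several names (one -d per entry of a domains list), the TLS site written as a reverse proxy, and a renewal job that runs certbot renew (which only re-issues certificates within 30 days of expiry) instead of forcing re-issuance every week. The email address, the webroot path, the www-data owner, the nginx site paths and the upstream address 127.0.0.1:8080 are assumed placeholders; adapt them to your host.

```yaml
---
# Added example (not from the gist): certbot-based nginx + Let's Encrypt playbook.
# Assumes an Ubuntu/Debian host with certbot >= 0.28 available from apt.
- hosts: localhost
  become: true
  vars:
    domains:                      # first entry becomes the certificate's lineage name
      - aaa.example.com
      - bbbb.example.com
    letsencrypt_email: admin@example.com   # assumed placeholder
    webroot: /var/www/letsencrypt          # assumed ACME challenge directory
    upstream: http://127.0.0.1:8080        # assumed backend behind the proxy
  tasks:
    - name: Install nginx and certbot
      apt:
        name: [nginx, certbot]
        state: present
        update_cache: true

    - name: Create the ACME webroot (nginx must be able to read it)
      file:
        path: "{{ webroot }}"
        state: directory
        owner: www-data
        group: www-data
        mode: "0755"

    - name: Remove the default nginx site
      file:
        path: /etc/nginx/sites-enabled/default
        state: absent

    - name: Port-80 site that serves ACME challenges and redirects everything else to HTTPS
      copy:
        dest: /etc/nginx/sites-enabled/http
        content: |
          server {
              listen 80 default_server;
              server_name {{ domains | join(' ') }};
              location /.well-known/acme-challenge/ {
                  root {{ webroot }};
              }
              location / {
                  return 301 https://$host$request_uri;
              }
          }
      notify: reload nginx

    # Run the handler now: certbot needs the port-80 site live before validation.
    - meta: flush_handlers

    - name: Obtain one certificate covering every name in "domains"
      command: >
        certbot certonly --non-interactive --agree-tos
        --webroot -w {{ webroot }} -m {{ letsencrypt_email }}
        -d {{ domains | join(' -d ') }}
      args:
        creates: /etc/letsencrypt/live/{{ domains[0] }}/fullchain.pem

    - name: Generate DH parameters (slow the first time, skipped afterwards)
      command: openssl dhparam -out /etc/nginx/dhparams.pem 2048
      args:
        creates: /etc/nginx/dhparams.pem

    - name: TLS site acting as a reverse proxy
      copy:
        dest: /etc/nginx/sites-enabled/le
        content: |
          server {
              listen 443 ssl http2;
              server_name {{ domains | join(' ') }};
              ssl_certificate     /etc/letsencrypt/live/{{ domains[0] }}/fullchain.pem;
              ssl_certificate_key /etc/letsencrypt/live/{{ domains[0] }}/privkey.pem;
              ssl_dhparam         /etc/nginx/dhparams.pem;
              ssl_protocols       TLSv1.2 TLSv1.3;
              add_header Strict-Transport-Security "max-age=31536000" always;
              location / {
                  proxy_pass {{ upstream }};
                  proxy_set_header Host $host;
                  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                  proxy_set_header X-Forwarded-Proto https;
              }
          }
      notify: reload nginx

    # "certbot renew" is a no-op until a certificate is within 30 days of expiry,
    # so running it daily is cheap and never forces re-issuance.
    - name: Renewal cron job that reloads nginx only when a certificate was renewed
      cron:
        name: certbot_renewal
        special_time: daily
        job: certbot renew --quiet --deploy-hook "systemctl reload nginx"

  handlers:
    - name: reload nginx
      service:
        name: nginx
        state: reloaded
```

Two things to check before relying on the cron entry: the certbot package from the Ubuntu/Debian repositories already installs a systemd timer (certbot.timer) that runs certbot renew on its own, so on those hosts the cron job is redundant and can be dropped; and because the --deploy-hook runs only when a certificate was actually renewed, a stale certificate still being served after a renewal usually means the hook did not run, which certbot renew --dry-run will show.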
SzudemJ commented Apr 2, 2021
Thank you man! This saved me hours!
necrose99 commented Apr 3, 2021 •
pre_tasks:
  - raw: apt-get install -y python-simplejson
For Gentoo replace it with:
pre_tasks:
  - raw: emerge -v dev-python/simplejson
thanks man! amazing work.
mjovanc commented May 8, 2022
Great stuff man, thanks a lot!
Why are you not using proxy nginx with a buffer?
nuxion commented Aug 13, 2022
Thanks for this! Nowadays python-simplejson is python3-simplejson (tested on Debian 11).
--renew-by-default: thanks for the tip.