
Let's Encrypt Nginx setup with Ansible

 1 year ago
source link: https://gist.github.com/mattiaslundberg/ba214a35060d3c8603e9b1ec8627d349

great ! thanks

SashaDesigN commented Mar 2, 2019

edited

GREAT work, thanks a lot)
Just a note for whom it failed:
On Ubuntu you need to use certbot instead of the letsencrypt CLI.
And there's no need to use 2 websites to generate a certificate; it always worked for me with one, even when it's a proxy and doesn't have a working directory to pass ACME validation.

Also: Let's Encrypt made one of the domain verification methods legacy, so make sure you're using certbot v0.28 and above.

Happy coding)

:-) sweet

Thank you so much !! You saved me so much time !!


Can you share the command I need to run in the playbook for certbot? (I'm using Ubuntu.)

This is amazing. Worked without any major modifications on Ubuntu 19.10 on a Raspberry Pi.
I made the following changes:

  • Changed hosts to localhost
  • Removed the inventory file
  • Renamed the template files to fix their names after the download
  • Modified the SSL config to be a reverse proxy
  • Moved variables from the inventory file into vars in the playbook
  • Ran the playbook with ansible-playbook playbook.yml

My playbook:

---
- hosts: localhost
  become: true
  gather_facts: no
  vars:
    domain_name: www.example.com
    letsencrypt_email: [email protected]
  tasks:
    - name: Install nginx
      apt:
        name: nginx
        state: latest
    - name: Install letsencrypt
      apt:
        name: letsencrypt
        state: latest
    # Webroot that nginx serves for the ACME HTTP-01 challenge files
    - name: Create letsencrypt directory
      file:
        name: /var/www/letsencrypt
        state: directory
    - name: Remove default nginx config
      file:
        name: /etc/nginx/sites-enabled/default
        state: absent
    - name: Install system nginx config
      template:
        src: nginx.conf.j2
        dest: /etc/nginx/nginx.conf
    # Plain-HTTP site: only needed so the challenge can be answered before a cert exists
    - name: Install nginx site for letsencrypt requests
      template:
        src: nginx-http.j2
        dest: /etc/nginx/sites-enabled/http
    - name: Reload nginx to activate letsencrypt site
      service:
        name: nginx
        state: restarted
    # "creates" makes the task idempotent: skipped once the live directory exists
    - name: Create letsencrypt certificate
      shell: letsencrypt certonly -n --webroot -w /var/www/letsencrypt -m {{ letsencrypt_email }} --agree-tos -d {{ domain_name }}
      args:
        creates: /etc/letsencrypt/live/{{ domain_name }}
    - name: Generate dhparams
      shell: openssl dhparam -out /etc/nginx/dhparams.pem 2048
      args:
        creates: /etc/nginx/dhparams.pem
    - name: Install nginx site for specified site
      template:
        src: nginx-le.j2
        dest: /etc/nginx/sites-enabled/le
    - name: Reload nginx to activate specified site
      service:
        name: nginx
        state: restarted
    - name: Add letsencrypt cronjob for cert renewal
      cron:
        name: letsencrypt_renewal
        special_time: weekly
        job: letsencrypt --renew certonly -n --webroot -w /var/www/letsencrypt -m {{ letsencrypt_email }} --agree-tos -d {{ domain_name }} && service nginx reload

@diablozzq this is great. What if I need to handle 2 subdomains?

Example: domain_name: aaa.example.com and domain_name_2: bbbb.example.com

googya commented Jun 5, 2020


You can do it like this: -d www.aname.com -d api.aname.com -d api2.aname.com

You can also use the wildcard way.
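Putting the two answers above together (certbot instead of the letsencrypt CLI on Ubuntu, and one -d flag per hostname), here is an added Ansible fragment that is not part of the gist or of any comment in this thread. The domain_names list, the webroot variable and the constructed example hostnames are assumptions; --cert-name and --deploy-hook are standard certbot options not mentioned in the thread.

```yaml
---
- hosts: localhost
  become: true
  vars:
    # Constructed example values. The first name is used as the certificate
    # name, so the files land in /etc/letsencrypt/live/www.example.com.
    domain_names:
      - www.example.com
      - api.example.com
    letsencrypt_email: admin@example.com
    webroot: /var/www/letsencrypt
    # Renders "-d www.example.com -d api.example.com" from the list above.
    cert_domains: "{{ domain_names | map('regex_replace', '^', '-d ') | join(' ') }}"
  tasks:
    - name: Install certbot (the Ubuntu package name, per the comments above)
      apt:
        name: certbot
        state: present
        update_cache: yes

    - name: Create the webroot nginx serves for the HTTP-01 challenge
      file:
        path: "{{ webroot }}"
        state: directory
        mode: "0755"

    - name: Request one certificate covering every name in domain_names
      command: >
        certbot certonly -n --webroot -w {{ webroot }}
        -m {{ letsencrypt_email }} --agree-tos
        --cert-name {{ domain_names[0] }} {{ cert_domains }}
      args:
        # Idempotent: skipped once the live directory for the cert exists
        creates: "/etc/letsencrypt/live/{{ domain_names[0] }}"

    - name: Weekly renewal; nginx is reloaded only when a cert was actually renewed
      cron:
        name: certbot_renewal
        special_time: weekly
        job: "certbot renew -n --deploy-hook 'systemctl reload nginx'"
```

Adding a hostname later means appending it to domain_names and removing the live directory (or dropping the creates guard), since certbot is not re-run while that directory exists.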

Thanks for this!

FYI, on my Ubuntu 16.04.6 server with certbot 0.27.0, I had to change the cronjob from:

job: letsencrypt --renew certonly -n --webroot -w /var/www/letsencrypt -m {{ letsencrypt_email }} --agree-tos -d {{ domain_name }} && service nginx reload

to:

job: letsencrypt --renew-by-default certonly -n --webroot -w /var/www/letsencrypt -m {{ letsencrypt_email }} --agree-tos -d {{ domain_name }} && service nginx reload

SzudemJ commented Apr 2, 2021

Thank you man! This saved me hours!

necrose99 commented Apr 3, 2021

edited

pre_tasks:
- raw: apt-get install -y python-simplejson

for Gentoo replace

pre_tasks:
- raw: emerge -v dev-python/simplejson

thanks man! amazing work.

mjovanc commented May 8, 2022

Great stuff man, thanks a lot!

Why are you not using proxy nginx with a buffer?

nuxion commented Aug 13, 2022

Thanks for this! Nowadays python-simplejson is python3-simplejson (tested on Debian 11).

--renew-by-default

thanks for the tip
