An ansible role to obtain and renew SSL/TLS certificates from Let's Encrypt, using the `webroot` authenticator.
*see also: nginx*
The role currently attempts to use the `webroot` authenticator first; if that fails to create certificates,
it falls back to the `standalone` authenticator. This is handy for generating certs on a fresh machine before
the web server has been configured or even installed.
Dependencies
------------
The *nginx* role, with the *letsencrypt-check* feature enabled on the domains you want
to get a Let's Encrypt cert for.
Process to obtain and set up certs:
1. Set the vars correctly for the nginx role (mind *letsencrypt-check*) and the letsencrypt role.
2. Run the nginx role.
3. Run the letsencrypt role.
4. Run the nginx role again (so that it detects the new certs, uses them, and restarts).
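As an added pre-flight check (example code written for this README, not part of the role), the script below verifies the precondition that step 2 is meant to establish: each domain in `letsencrypt_cert_domains` must serve files placed under `letsencrypt_webroot_path` at `/.well-known/acme-challenge/` over plain HTTP, which is what the `webroot` authenticator relies on. The webroot and domain command-line arguments and the injectable `fetch` parameter are my assumptions.

```python
import os
import secrets
import sys
import urllib.request

# Constructed helper: the webroot authenticator only works if each domain
# serves files written under <webroot>/.well-known/acme-challenge/ over
# plain HTTP (what the nginx "letsencrypt-check" vhost feature provides).
CHALLENGE_DIR = ".well-known/acme-challenge"


def write_probe(webroot):
    """Drop a random probe file where the ACME client would put its token."""
    challenge_dir = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(challenge_dir, exist_ok=True)
    token = secrets.token_urlsafe(16)
    with open(os.path.join(challenge_dir, token), "w") as fh:
        fh.write(token)
    return token


def http_fetch(url, timeout=5):
    """Fetch url over plain HTTP; return the body, or None on any error."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except (OSError, ValueError):
        return None


def check_domains(webroot, domains, fetch=http_fetch):
    """Map each domain to True when the probe is served back unchanged.

    `fetch` is injectable so the logic can be exercised without a network.
    """
    token = write_probe(webroot)
    try:
        results = {}
        for domain in domains:
            body = fetch("http://%s/%s/%s" % (domain, CHALLENGE_DIR, token))
            results[domain] = body is not None and body.strip() == token
    finally:
        os.remove(os.path.join(webroot, CHALLENGE_DIR, token))
    return results


if __name__ == "__main__":
    # usage: preflight.py /var/www/html www.example.net example.net
    for domain, ok in check_domains(sys.argv[1], sys.argv[2:]).items():
        print("%s: %s" % (domain, "OK" if ok else "NOT SERVED"))
```

Run it before step 3 on the host that will request the certificate; a domain reported as NOT SERVED will fail the webroot authenticator for the same reason.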
I've tested this on a couple of Debian Jessie boxes with nginx; if you test it on other things, please let me know
the results (positive or otherwise) so I can document them here / fix the issue.
Renewal is automatic. **nginx** is restarted after renewal so that it picks up the renewed certs.
# Usage
First, read Let's Encrypt's TOS and EULA. Only proceed if you agree to them.
Vars
----
The following variables are available:

### Required
None! If you set nothing, letsencrypt will make a cert for the server FQDN.

### Optional
- `letsencrypt_cert_domains` is a list of domains you want a Let's Encrypt cert for. It defaults to a single item with the value of `{{ ansible_fqdn }}`. Each listed domain needs an nginx vhost configured with *letsencrypt-check* enabled on plain HTTP.
- `letsencrypt_webroot_path` is the root path that gets served by your web server. Defaults to `/var/www`.
- `letsencrypt_email` needs to be set to your email address. Let's Encrypt wants it. Defaults to `webmaster@{{ ansible_fqdn }}`.
- `letsencrypt_rsa_key_size` allows you to specify a size for the generated key.
- `letsencrypt_install_directory` should probably be left alone, but if you set it, it will change where the letsencrypt program is installed.
- `letsencrypt_server` sets the auth server. Set to `https://acme-staging.api.letsencrypt.org/directory` to use the staging server (far higher rate limits, but certs are not trusted; intended for testing).
- `letsencrypt_renewal_frequency` has 3 properties: `day`, `hour` and `minute`, which are cron time selectors (defaults to

Example:

```yaml
letsencrypt_webroot_path: /var/www/html
letsencrypt_email: user@example.net
letsencrypt_cert_domains:
- www.example.net
- example.net
```

The [Let's Encrypt client](https://github.com/letsencrypt/letsencrypt) will put the certificate and accessories in `/etc/letsencrypt/live/<first listed domain>/`. For more info, see the [Let's Encrypt documentation](https://letsencrypt.readthedocs.org/en/latest/using.html#where-are-my-certificates).