
Comments (6)

geerlingguy avatar geerlingguy commented on August 12, 2024

Right now my process is:

  1. Provision new server using this role (geerlingguy.certbot), and set up Apache/Nginx config to direct traffic to port 80 for each virtualhost.
  2. Log in, run (not as root): /path/to/certbot-auto --apache certonly -d [domain] -d [domain] (with -d [domain] for all the domains on the server you want to have certs).
  3. Run through the certbot UI answering questions, setting up the account, etc.
  4. Once the certs are generated, edit my Apache/Nginx config to redirect 80 to 443 with the following configuration per virtualhost (example is on Ubuntu):

/etc/apache2/ssl.conf:

SSLEngine on
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
SSLHonorCipherOrder On
SSLCompression off

/etc/apache2/sites-enabled/[site].conf:

<VirtualHost *:80>
  ServerName www.example.com
  Redirect permanent / https://www.example.com/
</VirtualHost>
<VirtualHost *:443>
  ServerName www.example.com
  ServerAlias example.com
  ServerAdmin [email protected]
  DocumentRoot /path/to/example_com

  Include /etc/apache2/ssl.conf
  SSLCertificateFile /etc/letsencrypt/live/www.example.com/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com/privkey.pem
  SSLCertificateChainFile /etc/letsencrypt/live/www.example.com/chain.pem

  <Directory "/path/to/example_com">
    AllowOverride All
    Options -Indexes +SymLinksIfOwnerMatch
    Order deny,allow
    Require all granted
  </Directory>
</VirtualHost>
  5. Let Ansible do its thing, Apache restarts once the vhosts are updated (via handler), and everything works splendidly. I just (finally) switched Ansible for DevOps' site to Let's Encrypt using this method: https://www.ansiblefordevops.com/
  6. Test the automated renewal script (dry run) on the server: /opt/certbot/certbot-auto renew --dry-run
  7. Add cron job via Ansible like: 37 3 * * * /opt/certbot/certbot-auto renew --quiet --no-self-upgrade
  8. Add the /etc/letsencrypt directory to a set of backup_directories that are backed up securely.

This example is Ubuntu / Apache; Nginx is similar but with a different configuration layout.

from ansible-role-certbot.

llbbl avatar llbbl commented on August 12, 2024

So the "privkey.pem" is updated every time renew is run with the current one? The directory with all the keys (/etc/letsencrypt/keys) just keeps adding more. This was a non-obvious realization that I thought was super important to not breaking the site every time 'renew' is run.

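The question above and the Apache vhost in the first comment touch the same mechanism: certbot writes each issued set as numbered files in archive/<lineage>/ (cert1.pem, privkey1.pem, then cert2.pem, privkey2.pem on renewal, and so on, with a fresh private key each time unless key reuse is requested) and re-points the live/<lineage>/*.pem symlinks at the newest set. A web server configured against live/, as in the vhost above, picks up the new key and certificate on reload without any config edit; pointing it at an archive/ file or copying the key elsewhere is what breaks a site after renewal. The check below is an added example, not code from this thread or from the geerlingguy.certbot role. It is POSIX sh, takes the letsencrypt directory as a parameter, and assumes certbot's standard live/ and archive/ layout; the fixture it builds uses constructed placeholder files, not real keys or certificates.

```shell
# Added example (not from the issue thread or the geerlingguy.certbot role).
# Verifies that, for every lineage under live/, the four symlinks
# (cert, chain, fullchain, privkey) resolve into archive/ and all carry the
# same, newest version number N. A lineage whose privkey.pem points at an
# older N than its cert.pem is exactly the post-renewal breakage discussed.

# Print the version number N from a symlink target such as .../privkey3.pem.
link_version() {
    target=$(readlink "$1") || return 1
    echo "$target" | sed -n 's/.*[a-z]\([0-9][0-9]*\)\.pem$/\1/p'
}

# newest_version <archive_dir> <kind>: highest N present for one file type,
# e.g. newest_version /etc/letsencrypt/archive/www.example.com privkey
newest_version() {
    ls "$1"/"$2"[0-9]*.pem 2>/dev/null \
      | sed 's/.*[a-z]\([0-9][0-9]*\)\.pem$/\1/' | sort -n | tail -1
}

# check_lineages <letsencrypt_dir>: returns 0 when every lineage is
# consistent, 1 otherwise, printing one line per problem found.
check_lineages() {
    le="$1"; rc=0
    for livedir in "$le"/live/*/; do
        name=$(basename "$livedir")
        archive="$le/archive/$name"
        want=$(newest_version "$archive" privkey)
        for kind in cert chain fullchain privkey; do
            link="$livedir$kind.pem"
            if [ ! -L "$link" ]; then
                echo "$name: $kind.pem is not a symlink into archive/"; rc=1; continue
            fi
            have=$(link_version "$link")
            if [ "$have" != "$want" ]; then
                echo "$name: $kind.pem -> version ${have:-?}, newest is $want"; rc=1
            fi
        done
    done
    return $rc
}

# make_fixture <dir> <name> <versions> <stale_kind>: constructed fixture that
# mimics certbot's layout with placeholder file contents (no real key material).
# When <stale_kind> names one of cert/chain/fullchain/privkey, that live/ link
# is left on version 1 to simulate a link that was not re-pointed on renewal.
make_fixture() {
    dir="$1"; name="$2"; n="$3"; stale="$4"
    mkdir -p "$dir/archive/$name" "$dir/live/$name"
    i=1
    while [ "$i" -le "$n" ]; do
        for kind in cert chain fullchain privkey; do
            echo "placeholder $kind $i" > "$dir/archive/$name/$kind$i.pem"
        done
        i=$((i + 1))
    done
    for kind in cert chain fullchain privkey; do
        v=$n; [ "$kind" = "$stale" ] && v=1
        ln -sf "../../archive/$name/$kind$v.pem" "$dir/live/$name/$kind.pem"
    done
}

# Stand-alone demonstration on a constructed fixture (hypothetical lineage name).
demo=$(mktemp -d)
make_fixture "$demo" www.example.com 3 ""
check_lineages "$demo" && echo "fixture lineage consistent at version 3"
rm -rf "$demo"
```

Against a real host, run check_lineages /etc/letsencrypt after a renew (dry run or real) and before the web server reload; a non-zero exit is the signal to investigate before restarting, which is cheaper than discovering a key/certificate mismatch from a failed TLS handshake.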
geerlingguy avatar geerlingguy commented on August 12, 2024

For Nginx:

  • Before step 2, make sure your Nginx server directive(s) are set to listen 443 ssl (at a minimum), and if on Ubuntu, you can use /etc/ssl/private/ssl-cert-snakeoil.key (key) and /etc/ssl/certs/ssl-cert-snakeoil.pem for starters. Restart Nginx so Certbot will be able to verify the servers on port 443.
  • In step 2, use --nginx instead of --apache.
  • TODO: For Drupal sites in particular, I have quite a bit of Nginx template magic going on to work correctly with Drupal 7 or 8, with proxy or no proxy (for super fast Nginx cache even with https), etc.

geerlingguy avatar geerlingguy commented on August 12, 2024

Added some more docs in the README based on work I'm doing for a separate project.

geerlingguy avatar geerlingguy commented on August 12, 2024

See also, #12 — I'm doing a little testing with this for at least Nginx (and probably will work on Apache as well).

geerlingguy avatar geerlingguy commented on August 12, 2024

tl;dr: #12 (comment)

Closing this ticket in favor of follow-up to automate generation using --webroot (PR #38 already adds --standalone automated cert generation support.)
