Comments (6)
Right now my process is:

- Provision new server using this role (`geerlingguy.certbot`), and set up Apache/Nginx config to direct traffic to port 80 for each virtualhost.
- Log in, run (not as root): `/path/to/certbot-auto --apache certonly -d [domain] -d [domain]` (with `-d [domain]` for all the domains on the server you want to have certs).
- Run through the certbot UI answering questions, setting up the account, etc.
- Once the certs are generated, edit my Apache/Nginx config to redirect 80 to 443 with the following configuration per virtualhost (example is on Ubuntu):

`/etc/apache2/ssl.conf`:

```apache
SSLEngine on
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
SSLHonorCipherOrder On
SSLCompression off
```

`/etc/apache2/sites-enabled/[site].conf`:

```apache
<VirtualHost *:80>
  ServerName www.example.com
  Redirect permanent / https://www.example.com/
</VirtualHost>

<VirtualHost *:443>
  ServerName www.example.com
  ServerAlias example.com
  ServerAdmin [email protected]
  DocumentRoot /path/to/example_com
  Include /etc/apache2/ssl.conf
  SSLCertificateFile /etc/letsencrypt/live/www.example.com/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com/privkey.pem
  SSLCertificateChainFile /etc/letsencrypt/live/www.example.com/chain.pem
  <Directory "/path/to/example_com">
    AllowOverride All
    Options -Indexes +SymLinksIfOwnerMatch
    Order deny,allow
    Require all granted
  </Directory>
</VirtualHost>
```

- Let Ansible do its thing, Apache restarts once the vhosts are updated (via handler), and everything works splendidly. I just (finally) switched Ansible for DevOps' site to Let's Encrypt using this method: https://www.ansiblefordevops.com/
- Test the automated renewal script (dry run) on the server: `/opt/certbot/certbot-auto renew --dry-run`
- Add cron job via Ansible like: `37 3 * * * /opt/certbot/certbot-auto renew --quiet --no-self-upgrade`
- Add the `/etc/letsencrypt` directory to a set of `backup_directories` that are backed up securely.

This example is Ubuntu / Apache; Nginx is similar but with a different configuration layout.
from ansible-role-certbot.
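An added example (not code from the role or from the comment above) showing how the dry run, cron and redirect steps of that process can be expressed as Ansible tasks for Ubuntu/Apache. It assumes the `/opt/certbot/certbot-auto` path and `/etc/apache2/ssl.conf` from the comment, an assumed `webservers` inventory group, and an assumed example hostname; the `--post-hook` reload is added because a running Apache keeps serving the certificate it loaded at startup, so the renewed files under `live/` are not used until the service is reloaded.

```yaml
# Added example, not the role's own code. Assumptions: certbot-auto lives at
# /opt/certbot/certbot-auto (as in the thread), mod_ssl is enabled, and
# /etc/apache2/ssl.conf already holds the TLS settings shown in the comment.
- hosts: webservers
  become: true
  vars:
    certbot_auto: /opt/certbot/certbot-auto
    le_domain: www.example.com   # assumed example hostname

  tasks:
    - name: Prove renewal works before trusting cron with it (the dry-run step).
      command: "{{ certbot_auto }} renew --dry-run"
      changed_when: false

    # Apache only reads the cert files at (re)load, so renew alone is not
    # enough: reload after a renewal attempt or clients keep getting the old cert.
    - name: Schedule automatic renewal with an Apache reload.
      cron:
        name: certbot automatic renewal
        minute: "37"
        hour: "3"
        job: >-
          {{ certbot_auto }} renew --quiet --no-self-upgrade
          --post-hook "systemctl reload apache2"

    # Point at the live/ symlinks so renewals never require a config change.
    - name: Redirect plain HTTP to HTTPS and serve the Let's Encrypt cert.
      copy:
        dest: "/etc/apache2/sites-available/{{ le_domain }}.conf"
        content: |
          <VirtualHost *:80>
            ServerName {{ le_domain }}
            Redirect permanent / https://{{ le_domain }}/
          </VirtualHost>
          <VirtualHost *:443>
            ServerName {{ le_domain }}
            DocumentRoot /var/www/{{ le_domain }}
            Include /etc/apache2/ssl.conf
            SSLCertificateFile /etc/letsencrypt/live/{{ le_domain }}/fullchain.pem
            SSLCertificateKeyFile /etc/letsencrypt/live/{{ le_domain }}/privkey.pem
          </VirtualHost>
      notify: reload apache

    - name: Enable the site.
      command: "a2ensite {{ le_domain }}"
      args:
        creates: "/etc/apache2/sites-enabled/{{ le_domain }}.conf"
      notify: reload apache

  handlers:
    - name: reload apache
      service:
        name: apache2
        state: reloaded
```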
So the "privkey.pem" is updated every time renew is run with the current one? The directory with all the keys (/etc/letsencrypt/keys) just keeps adding more. This was a non-obvious realization that I thought was super important to not breaking the site every time 'renew' is run.
For Nginx:

- Before step 2, make sure your Nginx `server` directive(s) are set to `listen 443 ssl` (at a minimum), and if on Ubuntu, you can use `/etc/ssl/private/ssl-cert-snakeoil.key` (key) and `/etc/ssl/certs/ssl-cert-snakeoil.pem` for starters. Restart Nginx so Certbot will be able to verify the servers on port 443.
- In step 2, use `--nginx` instead of `--apache`.
- TODO: For Drupal sites in particular, I have quite a bit of Nginx template magic going on to work correctly with Drupal 7 or 8, with proxy or no proxy (for super fast Nginx cache even with https), etc.
Added some more docs in the README based on work I'm doing for a separate project.
See also, #12 — I'm doing a little testing with this for at least Nginx (and probably will work on Apache as well).
tl;dr: #12 (comment)
Closing this ticket in favor of follow-up to automate generation using --webroot (PR #38 already adds --standalone automated cert generation support.)