L-P.simp_le

ansible-role-simp_le

This role installs simp_le, creates SSL certificates, and automatically renews them on Debian/Ubuntu servers.

The certificates will be renewed daily by a cron job managed by the Ansible user.

You can find the role on Ansible Galaxy: L-P.simp_le

Note: I recommend using acmetool for any new Ubuntu servers (version 16.04 or later).

Required Variables

You need to provide a list of virtual hosts for which certificates will be generated:

simp_le_vhosts:
  - domains: ["www.example.com", "example.com"]
    root: "/path/to/challenges" # This path must be accessible via HTTP
    output: "/path/to/output/dir" # Directory where certificates will be saved

You also need to provide an email address for Let's Encrypt, which will use it to identify you and send renewal notifications:

simp_le_email: "[email protected]"

Optional Keys

You can set these optional keys for your hosts:

  • user and group: Define who owns the keys, challenges, and their directories. Default owner is www-data:www-data.
  • extra_args: Use this to pass additional arguments to simp_le, for example to connect to the Let's Encrypt staging server or to reuse the key pair when renewing certificates. Reusing the key pair is particularly useful with TLSA records, because the TLSA record doesn't have to change when the certificate is renewed.
  • update_action: Command to run when a certificate is renewed (e.g., systemctl restart apache2).

Example:

simp_le_vhosts:
  - domains: ["smtp.example.com", "mail.example.com"]
    root: "/path/to/challenges"
    output: "/path/to/output/dir"
    user: "Debian-exim"
    group: "Debian-exim"
    extra_args: "--reuse_key --server https://acme-staging.api.letsencrypt.org/directory"
    update_action: "/bin/systemctl restart exim4"

Check defaults/main.yml for more configurations.

Server Configuration

Your server must serve challenge files over HTTP. Here's an example configuration for nginx that redirects all HTTP requests to HTTPS except for the challenges:

location /.well-known/acme-challenge/ {
    alias /var/www/challenges/.well-known/acme-challenge/;
    try_files $uri @forward_https;
}
location @forward_https {
    return 301 https://example.com$request_uri;
}
location / {
    return 301 https://example.com$request_uri;
}
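
A preflight check for the requirement above, written for this page as an added example (it is not part of the role or of simp_le): it drops a random probe file into a vhost's challenge root and fetches it over plain HTTP without following redirects. The function name is hypothetical, and it assumes the .well-known/acme-challenge directory already exists under root and that the check runs on the web server as a user allowed to write there.

```python
import http.client
import os
import secrets

CHALLENGE_DIR = ".well-known/acme-challenge"


def check_challenge_root(root, host, port=80, timeout=5):
    """Drop a probe file under `root` and fetch it over plain HTTP.

    Returns (ok, detail). Redirects are not followed, so a challenge path
    that is redirected to HTTPS is reported instead of being masked.
    """
    directory = os.path.join(root, CHALLENGE_DIR)
    if not os.path.isdir(directory):
        return False, "missing directory: %s" % directory
    # Random name and body: a stale file or a catch-all page cannot pass.
    token = "preflight-" + secrets.token_urlsafe(16)
    body = secrets.token_urlsafe(32)
    path = os.path.join(directory, token)
    try:
        with open(path, "w") as fh:
            fh.write(body)
    except OSError as exc:
        return False, "cannot write probe file: %s" % exc
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/%s/%s" % (CHALLENGE_DIR, token))
        resp = conn.getresponse()
        served = resp.read().decode("utf-8", "replace")
    except (OSError, http.client.HTTPException) as exc:
        return False, "request failed: %s" % exc
    finally:
        conn.close()
        os.remove(path)  # never leave probe files in the web root
    if resp.status in (301, 302, 303, 307, 308):
        return False, "redirected to %s" % resp.getheader("Location")
    if resp.status != 200:
        return False, "HTTP %d" % resp.status
    if served != body:
        return False, "served content differs from the probe file"
    return True, "challenge root is reachable over HTTP"


if __name__ == "__main__":
    # Constructed values: use one vhost's `root` and a name from its `domains`.
    print(check_challenge_root("/path/to/challenges", "example.com"))
```

A "redirected" or "HTTP 404" result usually means the nginx alias and the vhost's root point at different directories, or the challenge location is missing from the port 80 server block.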

Example Playbook

- hosts: all
  roles:
    - {role: "L-P.simp_le", become: no}

Most operations can be done without sudo, but it is needed to create directories with the correct permissions and ownership.

Project information

simp_le installation and certificate generation for Ubuntu/Debian.

Install
ansible-galaxy install L-P.simp_le
License
MIT