Ansible: Elan Certbot Role

This Ansible role helps to set up automatic renewal of TLS certificates using certbot. It is the same as the one found at https://github.com/elan-ev/opencast_certbot, but it does not depend on the opencast_nginx (see https://github.com/elan-ev/opencast_certbot/pull/3). This role can be used with both the opencast_nginx and the simple_nginx_reverse_proxy, but may not work with a standard nginx or other setups.

Role Variables

• elan_certbot_letsencrypt_email: The email address for your Let's Encrypt account (this is required). Let's Encrypt uses this email to notify you if your certificate is about to expire.
• elan_certbot_domains: A list of the domains where the certificate will be valid. By default, it is set to ["{{ inventory_hostname }}"].
• elan_certbot_expand_existing: A boolean option you can use when running a playbook to force certbot to expand already existing certificates. It is not recommended to set this to true by default; use it only when necessary.
• elan_certbot_ca: You can choose to use letsencrypt (the default option) or sectigo with eab for DFN ACME. If you choose sectigo, you must also define elan_certbot_eab_kid and elan_certbot_eab_hmac.

Example Playbook

Here is how to configure and use the role:

- hosts: servers
  become: true
  roles:
    - role: elan.elan_certbot
      elan_certbot_letsencrypt_email: [email protected]