usegalaxy_eu.certbot

Ansible Role: Certbot (for Let's Encrypt)


This role installs and sets up Certbot, which is used for Let's Encrypt.

Requirements

If you're installing Certbot from source, you'll need Git. You can install Git using the geerlingguy.git role.

Role Variables

The variable certbot_install_from_source determines if Certbot will be installed from Git or through a package manager. By default, it installs from a package manager, so it is set to no.

certbot_auto_renew: true
certbot_auto_renew_user: "{{ ansible_user }}"
certbot_auto_renew_hour: 3
certbot_auto_renew_minute: 30

By default, this role sets up a cron job that runs every day at 3:30 AM under the user specified in your Ansible playbook. It is better to set a custom user and time, so that certificates are renewed during a low-traffic period and the job does not run as root.

Installation from Git Source

You can choose to install Certbot from its Git repository if needed. This can be useful for older systems that may not have Certbot packages (like CentOS < 7, Ubuntu < 16.10, and Debian < 8).

certbot_install_from_source: no
certbot_repo: https://github.com/certbot/certbot.git
certbot_version: master
certbot_keep_updated: yes

To install from source, change certbot_install_from_source to yes. The role then clones the configured certbot_repo at the version given in certbot_version. If certbot_keep_updated is set to yes, the repository will be updated each time the role runs.

certbot_dir: /opt/certbot

This is the directory where Certbot will be installed.

DNS Providers

If you use a DNS service like Cloudflare, you can set these variables:

certbot_dns_provider: cloudflare
certbot_dns_credentials:
    api_token: your_dns_provider_api_token
certbot_dns_provider_propagation_seconds: 60

The options for certbot_dns_credentials depend on your DNS provider. Check certbot --help all for details.

Dependencies

None.

Example Playbook

- hosts: servers

  vars:
    certbot_auto_renew_user: your_username_here
    certbot_auto_renew_minute: 20
    certbot_auto_renew_hour: 5
    # certbot_agree_tos: "--agree-tos" # Uncomment this line to agree to the terms
  roles:
    - usegalaxy_eu.certbot
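
A playbook that combines the renewal, DNS and source-install settings documented above while keeping the API token out of the playbook and the renewal job off root, as an added example that is not part of the role's own documentation. The certbot-renew account, the vault_cloudflare_api_token variable, the group_vars/servers/vault.yml path and the <release-tag> placeholder are assumptions; the role variables are the ones listed on this page.

```yaml
# Added example, not from the role's README.
# Assumptions (not defined by this page):
#   - a non-root account "certbot-renew" already exists on the hosts and can
#     write to Certbot's configuration, work and log directories
#   - the Cloudflare token is stored as vault_cloudflare_api_token in a file
#     encrypted with `ansible-vault encrypt`, e.g. group_vars/servers/vault.yml
- hosts: servers

  vars:
    # Renew as a dedicated non-root account, away from the default 03:30 slot.
    certbot_auto_renew: true
    certbot_auto_renew_user: certbot-renew
    certbot_auto_renew_hour: 5
    certbot_auto_renew_minute: 20

    # DNS challenge: reference the vaulted variable instead of writing the
    # token into the playbook, where it would end up in version control.
    certbot_dns_provider: cloudflare
    certbot_dns_credentials:
      api_token: "{{ vault_cloudflare_api_token }}"
    certbot_dns_provider_propagation_seconds: 60

    # Package-manager install (the role default).
    certbot_install_from_source: no

    # If a source install is required instead: the defaults
    # (certbot_version: master, certbot_keep_updated: yes) pull whatever is on
    # the branch at every run. Pinning a reviewed release and disabling the
    # automatic update keeps the installed code fixed between reviews.
    # certbot_install_from_source: yes
    # certbot_version: "<release-tag>"   # placeholder, fill in a reviewed tag
    # certbot_keep_updated: no

  roles:
    - usegalaxy_eu.certbot
```

Run it with `ansible-playbook --ask-vault-pass` (or a vault password file) so the encrypted variable can be decrypted at run time.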

After installation, you can create certificates using the certbot script, which is installed in the directory you specified earlier. Here are some example commands to set up certificates:

# Automatically add certificates for all Apache virtual hosts (use carefully).
/opt/certbot/certbot-auto --apache

# Create certificates without changing Apache configuration (safer).
/opt/certbot/certbot-auto --apache certonly

By default, this role creates a cron job that will renew all certificates once a day at the specified time.

You can test the auto-renewal without actually renewing the certificates using:

/opt/certbot/certbot-auto renew --dry-run

You can find more documentation and options on the Certbot website.

License

MIT / BSD

Author Information

Install
ansible-galaxy install usegalaxy_eu.certbot