Let's Encrypt certificates for HTTPS
Introduction
Let's Encrypt is a non-profit certificate authority providing free TLS (HTTPS) certificates with an automated issuance process. This chapter shows how to integrate Let's Encrypt certificates with the websauna.ansible playbook and Nginx.
These instructions set up a cron job that automatically renews the Let's Encrypt certificates before their 90-day (3 month) lifetime is up.
Installation
You need the ansible-letsencrypt role, which is known to be compatible with the Websauna playbook. In the folder that contains your playbook.yml file, create (or append to) requirements.yml with the following contents:
- src: git+https://github.com/websauna/ansible-letsencrypt.git
  name: ansible-letsencrypt
Then install the requirement:
ansible-galaxy install -r requirements.yml
Setting up a playbook
Here are the main settings you need to change; see the fully functional playbook example for a complete file. The role uses the webroot method of the ACME HTTP-01 challenge, so letsencrypt_webroot_path must be a directory Nginx serves over plain HTTP on port 80, and port 80 of server_name must be reachable from the internet both at first issuance and at every renewal.
Important variables:
- letsencrypt: on
- ssl: on
# Let's Encrypt parameters
- server_name: letsencrypt.websauna.org  # Your server's fully qualified domain name
- letsencrypt_webroot_path: /var/www/html  # Must be served by Nginx on port 80 for the ACME challenge
- letsencrypt_email: [email protected]  # Your email (expiry and account notices go here)
- letsencrypt_cert_domains:
    - "{{ server_name }}"
- letsencrypt_renewal_command_args: '--renew-hook "service nginx restart"'  # Ubuntu 14.04: restart Nginx so it picks up the renewed certificate
# Point Nginx at fullchain.pem, not cert.pem: cert.pem is the leaf certificate only, and
# without the intermediate in the chain many clients fail to validate the connection.
- nginx_ssl_certificate_path: "/etc/letsencrypt/live/{{ server_name }}/fullchain.pem"
- nginx_ssl_certificate_path_key: "/etc/letsencrypt/live/{{ server_name }}/privkey.pem"
Add the new ansible-letsencrypt role to the roles list, before websauna.site, so the certificate exists when the site's Nginx configuration is written:
roles:
  # ...
  - { role: Stouts.python, become: yes, become_user: root }
  - { role: ansible-letsencrypt, tags: ['letsencrypt'] }
  - { role: websauna.site, tags: ['site'] }  # Core site update logic
  # ...
Rerun the full playbook to apply the changes.
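Once the playbook has run, verify what Nginx actually serves instead of trusting the cron job: a renewal that silently fails, a --renew-hook that never restarts Nginx, or a certificate that does not cover every name in letsencrypt_cert_domains all show up only at the TLS endpoint. The script below is an added example written for this page; it is not part of Websauna or the ansible-letsencrypt role. It uses only the Python standard library. The host name and domain list you pass it are assumed to mirror server_name and letsencrypt_cert_domains from the playbook, and the function names and the 30-day warning threshold are this example's own choices (a working renewal cron leaves far more than 30 days on a 90-day certificate).

```python
"""Post-deployment checks for a Let's Encrypt + Nginx host.

Added example for this page, not Websauna or ansible-letsencrypt code.
Standard library only.  Host name and domains are assumed to mirror the
playbook variables server_name and letsencrypt_cert_domains.
"""
import socket
import ssl
import time

# Assumption: the cron renewal runs well inside the 90-day lifetime, so
# anything closer than this to expiry means renewal is broken.
RENEWAL_WARNING_DAYS = 30


def days_until_expiry(not_after, now=None):
    """Days left on a certificate, given the 'notAfter' string returned by
    ssl.SSLSocket.getpeercert(), e.g. 'Jun 15 12:00:00 2024 GMT'."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400.0


def renewal_overdue(not_after, now=None, threshold_days=RENEWAL_WARNING_DAYS):
    """True when the certificate expires within threshold_days: the cron job
    did not renew, or its --renew-hook failed to restart Nginx."""
    return days_until_expiry(not_after, now) < threshold_days


def cert_dns_names(cert):
    """subjectAltName DNS entries of a getpeercert() dict, lower-cased."""
    return {value.lower() for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"}


def missing_domains(cert, configured_domains):
    """Names listed in letsencrypt_cert_domains that the served certificate
    does not cover.  Non-empty means playbook and live certificate disagree."""
    return sorted({d.lower() for d in configured_domains} - cert_dns_names(cert))


def fetch_peer_cert(host, port=443, timeout=10):
    """Connect the way a browser does (SNI, chain and host name verified) and
    return the leaf certificate as a dict.  If Nginx serves cert.pem instead
    of fullchain.pem the missing intermediate makes this raise
    ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def check_host(host, configured_domains, now=None):
    """Run every check against a live host; returns a list of problem strings
    (empty when all checks pass)."""
    try:
        cert = fetch_peer_cert(host)
    except ssl.SSLCertVerificationError as exc:  # subclass of OSError, so catch it first
        return ["chain verification failed (missing intermediate?): %s" % exc]
    except OSError as exc:
        return ["cannot connect to %s:443: %s" % (host, exc)]
    problems = []
    days = days_until_expiry(cert["notAfter"], now)
    if renewal_overdue(cert["notAfter"], now):
        problems.append("certificate expires in %.1f days; renewal is not working" % days)
    for dom in missing_domains(cert, configured_domains):
        problems.append("certificate does not cover configured domain %s" % dom)
    return problems


if __name__ == "__main__":
    import sys
    # Assumed values mirroring the playbook's server_name / letsencrypt_cert_domains.
    server_name = sys.argv[1] if len(sys.argv) > 1 else "letsencrypt.websauna.org"
    for line in check_host(server_name, [server_name]) or ["all checks passed"]:
        print(line)
```

Run it as `python check_tls.py your.server.name` from a machine outside the host, since the point is to see the chain Nginx presents to real clients; running it from cron a day after each scheduled renewal turns a silent renewal failure into an alert.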