AUTOMATED LET’S ENCRYPT SSL INSTALLATION USING ANSIBLE PLAYBOOK

Need a simple SSL which will work in all browsers?

You can get one for free from Let’s Encrypt, and you won’t even need the slow, multi-step domain-ownership validation that involves waiting for e-mails and waiting for the Certificate Authority (CA) to react to your requests.

Why and when would one need a certificate in the first place? If you have a WordPress site (substitute your favorite CMS or framework) with any kind of login form, you need SSL, because you probably don’t want usernames and passwords travelling over the Internet in plain text.
We should note that for applications such as online shops, or pretty much any application handling confidential information, you might need a paid certificate. There are a number of reasons for that; the main ones are that those certificates are displayed as more secure in clients’ browsers and that they come with much better warranty payments for the (very unlikely) case of a certificate compromise.

The ones who probably benefit most from Let’s Encrypt’s fast validation are system administrators of all levels.
Let’s Encrypt lets you use command-line clients, such as the officially recommended certbot at https://certbot.eff.org/, to obtain and even install certificates on some web servers. With that, it is hard to resist the temptation to automate the process and make it easily repeatable for any number of sites. In this demonstration we will use Ansible.

REQUIREMENTS TO BEGIN THE WORK

– DNS records pointing to the IP of the server for the domains that SSL will be installed and configured for
– Correct version of Ansible – it should be 2.3.2.0. To check it, execute the following command in your CLI:

ansible --version

– OS: Ubuntu 16.04 installed on the target server
– SSH key uploaded to the target server
– python-minimal installed on the target server
– Nginx web server, working from the www-data folder
– Directory structure on the target server (in /etc/nginx) should be as follows:

├── conf.d
├── fastcgi.conf
├── fastcgi_params
├── koi-utf
├── koi-win
├── mime.types
├── nginx.conf
├── proxy_params
├── scgi_params
├── sites-available
│   └── default
└── sites-enabled
    └── default -> /etc/nginx/sites-available/default

IMPORTANT FILES

– conf.d – temporary configuration files for Let’s Encrypt are kept here
– sites-available – configs of available websites
– sites-enabled – symlinks to the enabled websites

Also, make sure these lines are enabled in nginx.conf:

    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;

CONFIGURATION

Inventory (hosts) file and host variables:

cat hosts
[all]
letsencrypt-test ansible_ssh_host=174.138.95.167 ansible_ssh_user=root

cat host_vars/letsencrypt-test

ssl_domains:
  - ssl-demo3.itsyndicate.org
  - ssl-demo4.itsyndicate.org

le_email: [email protected]

– ssl_domains – list of domains you want SSL to be installed and configured for
– le_email – e-mail address for Let’s Encrypt notifications

PLAYBOOK LAUNCH

ansible-playbook -i hosts example_le_ssl_playbook.yml

You can download the role here: https://gitlab.itsyndicate.org/public-area/ansible-letsencrypt
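As an added illustration (not the ITsyndicate role’s own code), here is a minimal play that follows the same layout the role relies on: a temporary challenge vhost in conf.d, one certificate covering every domain in ssl_domains, and a renewal cron that reloads nginx only when certbot changed something. It assumes the le_webroot path, the certbot package name and the /etc/letsencrypt/live/<first domain>/ layout; the HTTPS server block for the site itself in sites-available is left to you.

```yaml
# example_le_ssl_playbook.yml: added illustration, not the ITsyndicate role's code
- hosts: all
  become: true
  vars:
    le_webroot: /var/www/letsencrypt   # assumed directory for HTTP-01 challenge files
  tasks:
    - name: Install certbot (package name assumed; distro repo or certbot PPA)
      apt:
        name: certbot
        state: present
        update_cache: true
    - name: Create the challenge directory nginx will serve
      file:
        path: "{{ le_webroot }}/.well-known/acme-challenge"
        state: directory
        owner: www-data
        group: www-data
        mode: "0755"
    - name: Temporary conf.d vhost answering HTTP-01 challenges for all ssl_domains
      copy:
        dest: /etc/nginx/conf.d/letsencrypt.conf
        content: |
          server {
              listen 80;
              server_name {{ ssl_domains | join(' ') }};
              location /.well-known/acme-challenge/ { root {{ le_webroot }}; }
          }
      notify: reload nginx
    - meta: flush_handlers   # nginx must serve the challenge before certbot runs
    - name: Obtain one certificate covering all ssl_domains (skipped if already issued)
      command: >
        certbot certonly --webroot -w {{ le_webroot }} --non-interactive --agree-tos
        -m {{ le_email }} {% for d in ssl_domains %}-d {{ d }} {% endfor %}
      args:
        creates: "/etc/letsencrypt/live/{{ ssl_domains[0] }}/fullchain.pem"
    - name: Renew twice a day and reload nginx only when certbot changed something
      cron:
        name: certbot renew
        minute: "17"
        hour: "3,15"
        job: certbot renew --quiet --post-hook "systemctl reload nginx"
  handlers:
    - name: reload nginx
      service:
        name: nginx
        state: reloaded
```

The creates argument makes a second run a no-op, so the play can be re-applied to add domains to host_vars without hitting Let’s Encrypt rate limits for certificates that already exist.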

Contact us if you have any questions!