AUTOMATED LET’S ENCRYPT SSL INSTALLATION USING ANSIBLE PLAYBOOK

Need a simple SSL which will work in all browsers?

You can get one for free from Let’s Encrypt, without the slow, multi-step domain-ownership validation that involves waiting for emails and waiting for the Certificate Authority (CA) to react to your request: Let’s Encrypt checks control of the domain automatically over the ACME protocol, usually within seconds.

Why and when would one need a certificate in the first place? If you run a WordPress site (replace this with your favorite CMS/framework) with any kind of login form, you need a TLS certificate (still commonly called an SSL certificate), because you do not want usernames and passwords crossing the Internet in plain text.
One caveat: for online shops and other applications handling confidential data you may still want a paid certificate. Let’s Encrypt issues domain-validated (DV) certificates only; commercial CAs also sell organization-validated (OV) and extended-validation (EV) certificates, which bind the certificate to a verified legal entity and come with a CA warranty covering the (very unlikely) case of mis-issuance. Keep in mind that all three types provide the same TLS encryption, and that most browsers have dropped the distinctive address-bar indicator they once showed for EV certificates, so what you are paying for is organizational assurance, not stronger cryptography.

Those who benefit most from Let’s Encrypt’s fast validation are system administrators of all levels.
Let’s Encrypt supports ACME command-line clients such as the officially recommended Certbot (https://certbot.eff.org/)
for obtaining, and on some web servers even installing, certificates. With that, it is hard to resist automating the process so that it is repeatable for any number of sites. In this demonstration we will use Ansible.

Before we get to action, let’s discuss the intended application of this role. You can use it with an Nginx web server serving sites/domains not yet covered by SSL. It works best if Nginx is configured the Debian/Ubuntu way, where each site has its own configuration file in $NGINX_HOME/sites-available/ (i.e. /etc/nginx/sites-available/). Even though this piece of automation tries not to alter the configuration of domains that are not being equipped with SSL, you must review the code and estimate its impact on your server before running it, and even more so if you already have SSL configured for some of the sites or have a highly customized Nginx config. Ideally, try everything out in a sandbox environment first, and point the first runs at the Let’s Encrypt staging environment (Certbot’s --staging flag) so that a broken loop does not exhaust the production rate limits.

You might need to alter the code to fit your specific needs; Ansible is a configuration language rather than a general-purpose programming language, and it would be silly to attempt to write a role that fits everyone.
For an in-depth reference on the variables and tasks used in this Ansible role, see the README file and the code comments. Below is a basic how-to to get you going.

For most setups, host_vars is the most convenient place to keep the SSL parameters. Why? You get an easily readable YAML file per managed host, so you can always see which certificates are configured on which hosts.
The file names in the host_vars directory must correspond to the host names defined in the inventory file.

Example host_vars file for one host, holding the vhosts list:

vhosts:
  - domain_name: 'ssl-demo3.itsyndicate.org'
    le_ssl: True
    CSR:
      country: US
      state: Texas
      city: Houston
      street_address: 'Test street 25'
      postal_code: 555444
      organization: ITS
      unit: IT
      email: [email protected]
    key_storage: '/etc/ssl/private'
    cert_storage: '/etc/ssl/ssl-demo3.itsyndicate.org'
    le_email: '[email protected]'
  - domain_name: 'ssl-demo4.itsyndicate.org'
    le_ssl: True
    CSR:
    key_storage: '/etc/ssl/private'
    cert_storage: '/etc/ssl/ssl-demo4.itsyndicate.org'
    le_email: '[email protected]'

In general, to have a certificate issued for a domain, follow the pattern of the ‘ssl-demo4.itsyndicate.org‘ entry:
– add the domain to the ‘vhosts‘ list of dictionaries
– set ‘le_ssl‘ to True
– leave ‘CSR‘ blank (more on this later)
– set ‘key_storage‘, the directory in which the private key is stored (keep it readable by root only)
– set ‘cert_storage‘, the directory in which the certificate and the CSR are stored
– set ‘le_email‘, the contact address registered with the Let’s Encrypt account, used for account recovery and notices from the CA

You may also fill in the CSR fields (undefined ones default to ‘NA’) as in the ‘ssl-demo3.itsyndicate.org‘ entry, but those values only end up in the CSR kept in ‘cert_storage‘, not in the certificate: Let’s Encrypt certificates are domain validated, the CA has no way of verifying organization details, and the issued certificate carries nothing but the domain name. Treat the CSR feature as a bonus; the patterns used for it may still be useful in your own code.

To run the role, use our straightforward playbook or add the role to a playbook you already have:

ansible-playbook -i sandbox_hosts example_le_ssl_playbook.yml

You can download role here: https://gitlab.itsyndicate.org/public-area/ansible-letsencrypt
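As an added example (not the ITsyndicate role itself and not code from its repository), the playbook below consumes the same vhosts host_vars layout shown above, but obtains the certificates with Certbot’s Nginx plugin and leaves them in Certbot’s own /etc/letsencrypt/live/<domain>/ directory. It deliberately uses only domain_name, le_ssl and le_email: a certificate issued from your own CSR (certbot certonly --csr) is not recorded under /etc/letsencrypt/renewal and is therefore never picked up by certbot renew, so the CSR, key_storage and cert_storage keys are ignored here. Everything else is an assumption: a Debian/Ubuntu host, Nginx already serving each domain on port 80, site roots under /var/www/<domain>, and a hypothetical le_staging variable for testing against the staging CA.

```yaml
# Added example, not the ITsyndicate role. Assumes Debian/Ubuntu, Nginx already
# serving each vhost on port 80, and site roots under /var/www/<domain>.
- hosts: all
  become: true
  vars:
    # Hypothetical switch: true issues test certificates from the staging CA
    # (no production rate limits). Delete the lineage afterwards with
    # "certbot delete --cert-name <domain>" before switching back to false,
    # otherwise the "creates" guard below skips the real issuance.
    le_staging: false
    # Only entries that have le_ssl defined and truthy get a certificate.
    le_vhosts: "{{ vhosts | selectattr('le_ssl', 'defined') | selectattr('le_ssl') | list }}"

  tasks:
    - name: Install Certbot and its Nginx plugin
      apt:
        name:
          - certbot
          - python3-certbot-nginx
        state: present
        update_cache: true

    - name: Obtain a certificate per vhost (skipped once fullchain.pem exists)
      # certonly --nginx only uses the plugin to answer the ACME challenge; it
      # does not rewrite the site config. The deploy hook is stored in the
      # renewal config, so the distribution's scheduled "certbot renew" reloads
      # Nginx after every renewal without any further playbook runs.
      command: >
        certbot certonly --nginx --non-interactive --agree-tos
        --email {{ item.le_email | quote }}
        -d {{ item.domain_name | quote }}
        --deploy-hook 'systemctl reload nginx'
        {{ '--staging' if le_staging | bool else '' }}
      args:
        creates: "/etc/letsencrypt/live/{{ item.domain_name }}/fullchain.pem"
      loop: "{{ le_vhosts }}"
      loop_control:
        label: "{{ item.domain_name }}"

    - name: Write a separate HTTPS server block, leaving the existing :80 site file untouched
      copy:
        dest: "/etc/nginx/sites-available/{{ item.domain_name }}-ssl"
        owner: root
        group: root
        mode: "0644"
        content: |
          server {
              listen 443 ssl;
              server_name {{ item.domain_name }};
              ssl_certificate     /etc/letsencrypt/live/{{ item.domain_name }}/fullchain.pem;
              ssl_certificate_key /etc/letsencrypt/live/{{ item.domain_name }}/privkey.pem;
              ssl_protocols TLSv1.2 TLSv1.3;
              ssl_prefer_server_ciphers off;
              root /var/www/{{ item.domain_name }};   # assumption: adjust to the site's real root
          }
      loop: "{{ le_vhosts }}"
      loop_control:
        label: "{{ item.domain_name }}"
      notify: reload nginx

    - name: Enable the HTTPS server block
      file:
        src: "/etc/nginx/sites-available/{{ item.domain_name }}-ssl"
        dest: "/etc/nginx/sites-enabled/{{ item.domain_name }}-ssl"
        state: link
      loop: "{{ le_vhosts }}"
      loop_control:
        label: "{{ item.domain_name }}"
      notify: reload nginx

    - name: Refuse to reload on a broken configuration (fails the play before handlers run)
      command: nginx -t
      changed_when: false

    - name: Post-issuance check, subject, issuer and expiry of each certificate
      command: >
        openssl x509 -noout -subject -issuer -enddate
        -in /etc/letsencrypt/live/{{ item.domain_name }}/cert.pem
      changed_when: false
      register: cert_info
      loop: "{{ le_vhosts }}"
      loop_control:
        label: "{{ item.domain_name }}"

    - name: Show the check results
      debug:
        msg: "{{ cert_info.results | map(attribute='stdout_lines') | list }}"

  handlers:
    - name: reload nginx
      service:
        name: nginx
        state: reloaded
```

Run it against the sandbox inventory first with le_staging set to true (for example with -e le_staging=true); the final check should print an issuer from the staging CA and a notAfter date roughly 90 days out. Certbot is invoked before the HTTPS server block is written, so Nginx never loads a server block whose certificate files do not exist yet, and nginx -t guards the reload.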
