Automated LetsEncrypt SSL installation with Ansible

Alex Kondratiev


Learn how to set up the LetsEncrypt SSL certificate with Ansible in several steps.


Need a simple SSL which will work in all browsers?

LetsEncrypt SSL is your choice! Even better, you won't need to go through the slow, multi-step domain ownership validation that involves waiting for emails and waiting for the Certificate Authority (CA) to react to your requests.

Why and when would one need an SSL certificate in the first place? Well, if you have a WordPress site (replace this with your favorite CMS/framework) that has any kind of authorization form, then you need an SSL certificate, because you probably don't want usernames and passwords flying over the Internet in plain text.

Besides, we should also note that for applications like online shops, or pretty much any app that works with confidential information, you might need a non-free SSL certificate.

There are a number of reasons for that. The main ones are the following:

  • those certificates are displayed as more secure in clients' browsers
  • you get much better warranty payments in the (very unlikely) case of an SSL compromise

The ones who probably benefit most from LetsEncrypt's fast validation are system administrators of all levels. Above all, Let's Encrypt allows using CLI clients, like the officially recommended Certbot at certbot.eff.org, for obtaining and even installing certificates on some web servers.

As a result, it's hard to resist the temptation to automate the process, making it easily repeatable for any number of sites you need.

Automated setup of LetsEncrypt SSL on your website

In this demonstration, we will use Ansible as a configuration management tool. Likewise, for automation purposes, you can use many other similar tools like Chef, Puppet, and maybe even Bash :D We prefer Ansible, as it's very flexible within the scope of this task and doesn't require much additional configuration compared to the alternatives.

Requirements to begin

  • DNS records pointing to the IP of the server for the domains you will install and configure SSL for
  • Correct version of Ansible - it should be 2.9. To check it, execute the following command in your CLI:

```shell
ansible --version
```

  • OS: Ubuntu 22.04 installed on the target server
  • SSH key uploaded to the target server
  • python-minimal installed on the target server
  • Nginx web server, working from the www-data folder

The directory structure on the target server (/etc/nginx) should be as follows:

```
├── conf.d
├── fastcgi.conf
├── fastcgi_params
├── koi-utf
├── koi-win
├── mime.types
├── nginx.conf
├── proxy_params
├── scgi_params
├── sites-available
│   └── default
├── sites-enabled
│   └── default -> /etc/nginx/sites-available/default
```

Important files

  • conf.d - temporary configuration files for LetsEncrypt SSL are kept here
  • sites-available - configs of available websites
  • sites-enabled - enabled (connected) websites

Also, you should enable these lines in nginx.conf:

```nginx
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
```

Configuration

  • Hosts file (`hosts`):

```ini
[all]
letsencrypt-test ansible_ssh_host=174.138.95.167 ansible_ssh_user=root
```

  • Host variables (`cat host_vars/letsencrypt-test`):

```yaml
ssl_domains:
  - ssl-demo3.itsyndicate.org
  - ssl-demo4.itsyndicate.org
le_email: notify@itsyndicate.org
```

  • ssl_domains - list of domains you want SSL to be installed and configured for
  • le_email - e-mail address for LetsEncrypt SSL notifications

Playbook launch

```shell
ansible-playbook -i hosts example_le_ssl_playbook.yml
```

You can download the role here: https://gitlab.itsyndicate.org/public-area/ansible-letsencrypt
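To show what such a playbook has to do end to end, here is an added example playbook written for this article; it is not the ITsyndicate role linked above and does not reproduce its code. It assumes the `hosts`/`host_vars` layout shown earlier (`ssl_domains`, `le_email`), Ubuntu 22.04 with nginx and the `conf.d` / `sites-enabled` includes in `nginx.conf`. The `le_webroot` path, the `cert_name` variable, the vhost contents and the `/var/www/<domain>` document roots are this example's own choices, and it assumes certbot's default of naming the certificate lineage after the first `-d` domain.

```yaml
# Added example, not the ITsyndicate role. Assumes ssl_domains and le_email
# come from host_vars as in the article; le_webroot and cert_name are ours.
- hosts: all
  become: true
  vars:
    le_webroot: /var/www/letsencrypt        # where certbot writes HTTP-01 tokens
    cert_name: "{{ ssl_domains[0] }}"       # certbot names the lineage after the first -d
  tasks:
    - name: Install nginx and certbot from the Ubuntu repositories
      apt:
        name: [nginx, certbot]
        state: present
        update_cache: true

    - name: Create the ACME challenge directory owned by www-data
      file:
        path: "{{ le_webroot }}/.well-known/acme-challenge"
        state: directory
        owner: www-data
        group: www-data
        mode: "0755"

    - name: Temporary plain-HTTP vhost in conf.d that only serves the challenge
      copy:
        dest: /etc/nginx/conf.d/letsencrypt.conf
        content: |
          server {
              listen 80;
              server_name {{ ssl_domains | join(' ') }};
              location /.well-known/acme-challenge/ { root {{ le_webroot }}; }
              location / { return 301 https://$host$request_uri; }
          }
      notify: reload nginx

    - name: Reload nginx now, so the challenge path is live before certbot runs
      meta: flush_handlers

    - name: Request one certificate covering every domain (webroot validation)
      command: >
        certbot certonly --webroot -w {{ le_webroot }}
        --non-interactive --agree-tos --email {{ le_email }}
        -d {{ ssl_domains | join(' -d ') }}
      args:
        creates: "/etc/letsencrypt/live/{{ cert_name }}/fullchain.pem"

    - name: Per-domain HTTPS vhost in sites-available
      copy:
        dest: "/etc/nginx/sites-available/{{ item }}"
        content: |
          server {
              listen 443 ssl http2;
              server_name {{ item }};
              ssl_certificate     /etc/letsencrypt/live/{{ cert_name }}/fullchain.pem;
              ssl_certificate_key /etc/letsencrypt/live/{{ cert_name }}/privkey.pem;
              ssl_protocols TLSv1.2 TLSv1.3;
              add_header Strict-Transport-Security "max-age=31536000" always;
              root /var/www/{{ item }};
              index index.html;
          }
      loop: "{{ ssl_domains }}"
      notify: reload nginx

    - name: Enable each vhost via a symlink in sites-enabled
      file:
        src: "/etc/nginx/sites-available/{{ item }}"
        dest: "/etc/nginx/sites-enabled/{{ item }}"
        state: link
      loop: "{{ ssl_domains }}"
      notify: reload nginx

    - name: Fail the play on a broken nginx config instead of reloading it
      command: nginx -t
      changed_when: false

    - name: Apply the pending reload before checking the result
      meta: flush_handlers

    - name: Keep certificates renewing (the Ubuntu certbot package ships this timer)
      systemd:
        name: certbot.timer
        enabled: true
        state: started

    - name: Post-check that every domain answers over HTTPS with a trusted chain
      uri:
        url: "https://{{ item }}/"
        validate_certs: true
        status_code: [200, 301, 302, 403, 404]
      loop: "{{ ssl_domains }}"

  handlers:
    - name: reload nginx
      service:
        name: nginx
        state: reloaded
```

Two design choices matter for security: the challenge vhost stays in `conf.d` permanently, because `certbot.timer` renews the certificate through the same `.well-known/acme-challenge/` path, and the final `uri` task runs with `validate_certs: true`, so the play fails if the served chain is incomplete or the certificate does not match the domain. The `creates:` guard keeps the play idempotent and avoids re-requesting certificates on every run, which would otherwise hit Let's Encrypt rate limits.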

Note that an SSL certificate alone won't fully protect your website from various attacks and possible hacks. There are numerous other security approaches and standards that you should review in order to be sure that your website and server are protected.

We're talking about this topic in one of our articles.

Alex Kondratiev


Founder of ITsyndicate. DevOps Enthusiast with 15+ years of experience in cloud, Infrastructure as Code, Kubernetes, and automation. Specialized in architecting secure, scalable, and resilient systems.
