ansible role certbot
0.3.0
Star us on GitHub — it motivates us a lot!
Install and manage certbot
Ansible >= 2.10
ansible-galaxy install claranet.certbot
| Variable | Default value | Description |
|---|---|---|
| certbot_packages | ['certbot', 'python3-pip'] | Packages to install |
| certbot_webroot | /var/www/letsencrypt | Directory served for HTTP challenges |
| certbot_auto_renew | true | Enable automatic certificate renewal |
| certbot_auto_renew_user | root | User under which the renewal cron job runs |
| certbot_auto_renew_hour | 3 | Cron job hour for renewal |
| certbot_auto_renew_minute | 30 | Cron job minute for renewal |
| certbot_auto_renew_option | --quiet --no-self-upgrade | Options passed to the renew command |
| certbot_certs | [] | List of certificates to issue; see defaults/main.yml for details |
| certbot_staging_enabled | true | Use the Let's Encrypt staging environment (set to false to issue browser-trusted certificates) |
| certbot_create_command | certbot certonly --webroot ... | Command used to issue each certificate; see defaults/main.yml for details |
| certbot_plugins | [] | List of plugins to install using pip |
| certbot_plugins_pip_executable | pip3 | pip executable used to install certbot plugins |
| certbot_reload_services_before_enabled | true | Reload certbot_reload_services before configuring certbot |
| certbot_reload_services_after_enabled | true | Reload certbot_reload_services after configuring certbot |
| certbot_reload_services | [] | List of services to reload |
N/A
Before using this challenge type, your server must have a public IP address and a DNS record pointing to it.
Before configuring certbot to issue a certificate, you must set up your web server so that it serves certbot's HTTP challenges from the webroot directory.
```apache
Alias /.well-known/acme-challenge/ "/var/www/letsencrypt/.well-known/acme-challenge/"
<Directory "/var/www/letsencrypt">
    AllowOverride None
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require all granted
</Directory>
```
```yaml
certbot_certs:
  - email: "[email protected]"
    certbot_webroot: "/var/www/letsencrypt"
    domains:
      - "lamp-01.clara.net"
      - "lamp-02.clara.net"
certbot_reload_services:
  - apache2
```
```nginx
location /.well-known/acme-challenge/ {
    alias /var/www/letsencrypt/.well-known/acme-challenge/;
}
```
```yaml
certbot_certs:
  - email: "[email protected]"
    certbot_webroot: "/var/www/letsencrypt"
    domains:
      - "lamp-01.clara.net"
      - "lamp-02.clara.net"
certbot_reload_services:
  - nginx
```
Pass the `--cert-name` option like this to avoid creating a new certificate on each Ansible run:

```
--cert-name "{{ _certbot_cert_item.domains | first | regex_replace('^\\*\\.(.*)$', 'wildcard.\\1') }}"
```
```yaml
certbot_certs:
  - email: "[email protected]"
    domains:
      - "*.molecule.clara.net"
  - email: "[email protected]"
    domains:
      - "lamp-01.clara.net"
      - "lamp-02.clara.net"
certbot_reload_services:
  - nginx
certbot_create_command: >-
  certbot certonly --dns-route53
  {{ '--staging --break-my-certs' if certbot_staging_enabled else '' }}
  --noninteractive --agree-tos
  --email {{ _certbot_cert_item.email | default(certbot_admin_email) }}
  --cert-name "{{ _certbot_cert_item.domains | first | regex_replace('^\\*\\.(.*)$', 'wildcard.\\1') }}"
  --expand
  -d {{ _certbot_cert_item.domains | join(',') }}
certbot_plugins:
  - certbot-dns-route53==1.22.0
```
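To see what the `certbot_create_command` above expands to for each `certbot_certs` item, and why the `--cert-name` rewrite matters for wildcard domains, here is an added Python rendering of the same logic. It is example code, not the role's own; `SAMPLE_CERTS` is constructed and its e-mail address is a placeholder.

```python
import re

# Constructed sample in the shape of the README's Route53 example; the
# e-mail is a placeholder, not a real address.
SAMPLE_CERTS = [
    {"email": "admin@example.invalid", "domains": ["*.molecule.clara.net"]},
    {"email": "admin@example.invalid",
     "domains": ["lamp-01.clara.net", "lamp-02.clara.net"]},
]

# Same pattern as the README's regex_replace filter: a leading "*." becomes
# "wildcard." so the lineage name is stable across runs and contains no '*'.
WILDCARD_RE = re.compile(r"^\*\.(.*)$")


def cert_name(domains):
    """Lineage name certbot will reuse on every run (first domain, de-starred)."""
    name = WILDCARD_RE.sub(r"wildcard.\1", domains[0])
    if "*" in name or "/" in name:
        raise ValueError(f"unsafe certificate name: {name!r}")
    return name


def build_create_command(item, staging_enabled=True, admin_email=None,
                         authenticator="--dns-route53"):
    """argv equivalent of certbot_create_command for one certbot_certs item."""
    email = item.get("email", admin_email)
    if not email:
        raise ValueError("no email on the item and no certbot_admin_email set")
    argv = ["certbot", "certonly", authenticator]
    if staging_enabled:
        # Staging issues untrusted certificates and --break-my-certs lets them
        # replace valid ones, so this must be false on production hosts.
        argv += ["--staging", "--break-my-certs"]
    argv += ["--noninteractive", "--agree-tos", "--email", email,
             "--cert-name", cert_name(item["domains"]), "--expand",
             "-d", ",".join(item["domains"])]
    return argv


if __name__ == "__main__":
    for item in SAMPLE_CERTS:
        print(" ".join(build_create_command(item, staging_enabled=False)))
```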
```yaml
---
- hosts: all
  roles:
    - claranet.certbot
```
Mozilla Public License Version 2.0