@emsearcy
Last active June 8, 2022 02:50
Ansible role to install certbot in a virtualenv + non-root user

certbot

This role installs certbot in a virtualenv under /opt/certbot, run by a dedicated unprivileged certbot user, and adds a cron job that renews the issued certificates.

Running certbot as a non-root user and in a virtualenv limits what a compromised or misbehaving certbot (or one of the Python dependencies pip pulls in for it) can reach: it can only write its own configuration, keys and the ACME challenge directory, not the web server configuration or the rest of the system, and its dependencies stay separate from the system Python. The 0700 permissions on /opt/certbot do not get in the web server's way, because httpd and NGINX read the certificate and key as root at startup, before dropping privileges.

Web server configuration

httpd:

<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias example.com

    Alias /.well-known/acme-challenge /srv/www/certbot/.well-known/acme-challenge

    # ...
</VirtualHost>

# Uncomment after certificate has been requested
#<VirtualHost *:443>
#    ServerName www.example.com
#    ServerAlias example.com
#
#    SSLEngine On
#    # fullchain.pem carries the leaf certificate plus the intermediate(s);
#    # httpd 2.4.8+ reads the whole chain from SSLCertificateFile. With cert.pem
#    # alone, clients that do not already have the intermediate fail to validate.
#    # On older httpd use cert.pem here and add
#    #   SSLCertificateChainFile /opt/certbot/ssl/live/www.example.com/chain.pem
#    SSLCertificateFile    /opt/certbot/ssl/live/www.example.com/fullchain.pem
#    SSLCertificateKeyFile /opt/certbot/ssl/live/www.example.com/privkey.pem
#
#    # Keep the alias on 443 as well: if port 80 is later redirected to HTTPS,
#    # the CA follows the redirect and the challenge must be served here too.
#    Alias /.well-known/acme-challenge /srv/www/certbot/.well-known/acme-challenge
#
#    # ...
#</VirtualHost>

NGINX:

server {
    server_name www.example.com example.com;

    listen 80;
    # Uncomment after certificate has been requested
    #listen 443 ssl;
    #
    #ssl_certificate     /opt/certbot/ssl/live/www.example.com/fullchain.pem;
    #ssl_certificate_key /opt/certbot/ssl/live/www.example.com/privkey.pem;

    location /.well-known/acme-challenge/ {
        root /srv/www/certbot;
    }

    #...
}

Requesting new certificates

The first certificate is requested interactively as the certbot user, with the ACME HTTP-01 challenge answered from the webroot that the web server configuration above exposes. Once a certificate has been issued, the weekly cron job installed by the role renews it: certbot renew only replaces certificates that are within 30 days of expiry, so a weekly run still leaves several attempts before a certificate lapses. The cron job runs as the unprivileged certbot user and therefore cannot reload httpd or NGINX; the renewed files under /opt/certbot/ssl/live/ only take effect after a reload, which has to be triggered separately as root.

# umask 002
# mkdir -p /srv/www/certbot/.well-known
# chown certbot:certbot /srv/www/certbot/.well-known
$ sudo su - certbot -s /bin/bash
$ cd /opt/certbot; . venv/bin/activate
(venv)$ certbot certonly --config-dir ssl --work-dir ssl --logs-dir ssl --webroot -w /srv/www/certbot -d www.example.com -d example.com
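Because the renewal cron job runs as the unprivileged certbot user, something running as root has to notice that the files under live/ changed and reload the web server. The script below is an added example, not part of the gist: it is meant to run from root's crontab shortly after the certbot user's renewal slot, compares the fullchain.pem files against a stamp file, reloads only when something is newer, and advances the stamp only after a successful reload so that a failed reload is retried on the next run. The stamp path, the script name and the environment-variable overrides are this example's own choices; the live/ directory matches the --config-dir used by the role.

```sh
#!/bin/sh
# certbot-reload.sh (added example, not from the gist). Suggested root crontab
# entry, half an hour after the certbot user's weekly renewal run:
#   30 20 * * 3 root /usr/local/sbin/certbot-reload.sh
# Assumptions: certificates live under /opt/certbot/ssl/live (the role's
# --config-dir); STAMP and RELOAD_CMD are arbitrary choices for this example.
set -eu

LIVE_DIR="${LIVE_DIR:-/opt/certbot/ssl/live}"
STAMP="${STAMP:-/var/lib/certbot-reload.stamp}"
# Validate the configuration first, then reload. For httpd use e.g.
#   RELOAD_CMD="apachectl configtest && systemctl reload httpd"
RELOAD_CMD="${RELOAD_CMD:-nginx -t && systemctl reload nginx}"

# cert_changed LIVE_DIR STAMP
# Returns 0 if any <name>/fullchain.pem under LIVE_DIR is newer than STAMP, or
# if STAMP does not exist yet (first run); returns 1 otherwise. certbot
# recreates the fullchain.pem symlink on every renewal, so its mtime moves.
cert_changed() {
    live="$1"; stamp="$2"
    [ -e "$stamp" ] || return 0
    for f in "$live"/*/fullchain.pem; do
        [ -e "$f" ] || continue        # glob did not match: nothing issued yet
        if [ "$f" -nt "$stamp" ]; then
            return 0
        fi
    done
    return 1
}

# reload_if_renewed LIVE_DIR STAMP RELOAD_CMD
# Runs RELOAD_CMD only when a certificate is newer than the stamp. The stamp
# is touched only after the reload succeeded, so a failed reload (bad config,
# service down) is retried next time instead of being silently forgotten.
reload_if_renewed() {
    live="$1"; stamp="$2"; cmd="$3"
    if ! cert_changed "$live" "$stamp"; then
        return 0                       # nothing renewed since last reload
    fi
    if sh -c "$cmd"; then
        touch "$stamp"
        return 0
    fi
    echo "certbot-reload: reload failed, will retry on next run" >&2
    return 1
}

# Only act when invoked under the installed script name, so the functions can
# be sourced for testing without touching a real web server.
case "${0##*/}" in
    certbot-reload.sh) reload_if_renewed "$LIVE_DIR" "$STAMP" "$RELOAD_CMD" ;;
esac
```

The alternative of letting certbot itself reload the server via a --deploy-hook requires a sudoers rule for the certbot user, which hands the unprivileged account a path back to root-level actions; keeping the reload on the root side preserves the separation the role is built around. Because cron mails failures to root (MAILTO is set by the role for the certbot user's cron file; do the same for this one), a reload that keeps failing is noticed rather than leaving an expired certificate in service.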
Role tasks

debian.yml:

---
# Package names are those of the Python 2 era the role was written in; on
# releases that ship only Python 3 use the python3 equivalents (python3,
# python3-dev, python3-venv).
- name: install dependencies (Debian/Ubuntu)
  apt:
    name: "{{ item }}"
    state: latest
  with_items:
    - python-virtualenv
    - python
    - python-dev
    - gcc
    - dialog
    - libssl-dev
    - libffi-dev
    - ca-certificates
    - libaugeas0
    - augeas-lenses

el.yml:

---
# As above: on Python 3 only releases use python3, python3-devel, python3-pip.
- name: install dependencies (EL)
  yum:
    name: "{{ item }}"
    state: latest
  with_items:
    - gcc
    - dialog
    - augeas-libs
    - openssl
    - openssl-devel
    - libffi-devel
    - redhat-rpm-config
    - ca-certificates
    - python
    - python-devel
    - python-virtualenv
    - python-tools
    - python-pip

main.yml:

---
- include_tasks: debian.yml
  when: ansible_os_family == 'Debian'
- include_tasks: el.yml
  when: ansible_os_family == 'RedHat'

- name: create certbot user
  user:
    name: certbot

# 0700 keeps keys and account credentials private to the certbot user; the web
# server reads them as root at startup. Modes are quoted so YAML does not parse
# them as decimal integers.
- name: create certbot directory
  file:
    path: /opt/certbot
    state: directory
    owner: certbot
    group: certbot
    mode: '0700'

- name: create ssl directory
  file:
    path: /opt/certbot/ssl
    state: directory
    owner: certbot
    group: certbot
    mode: '0700'

# The venv is created by root (Ansible), so the certbot user can run but not
# modify the interpreter and libraries it executes.
- name: create certbot venv
  command: virtualenv /opt/certbot/venv
  args:
    creates: /opt/certbot/venv

- name: update pip and setuptools in venv
  pip:
    name:
      - pip
      - setuptools
    state: latest
    virtualenv: /opt/certbot/venv

# The pip module upgrades certbot on every run. The original shell task paired
# `pip install --upgrade` with `creates=`, which skipped the task once the
# binary existed and so never upgraded an installed certbot.
- name: install or upgrade certbot
  pip:
    name: certbot
    state: latest
    virtualenv: /opt/certbot/venv

- name: add MAILTO cron env
  cron:
    env: yes
    name: MAILTO
    value: root
    cron_file: certbot
    user: certbot

# Weekly renewal attempt; certbot renew only replaces certificates within
# 30 days of expiry, so several attempts remain if one fails.
- name: add certbot cron
  cron:
    name: renew certbot certs
    minute: "0"
    hour: "20"
    weekday: "3"
    user: certbot
    cron_file: certbot
    job: >-
      bash -c 'source /opt/certbot/venv/bin/activate;
      certbot renew --quiet --config-dir /opt/certbot/ssl
      --work-dir /opt/certbot/ssl --logs-dir /opt/certbot/ssl'