This role installs certbot into a virtualenv and sets up automated certificate renewal.
Running certbot as a dedicated non-root user inside a virtualenv limits the privileges a compromised or misbehaving certbot process would have.
httpd:
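<VirtualHost *:80>
    # Plain-HTTP vhost. It stays enabled permanently: the ACME HTTP-01
    # challenge is always validated over port 80, for renewals as well.
    ServerName www.example.com
    ServerAlias example.com
    # Webroot handed to "certbot --webroot -w /srv/www/certbot" below; the
    # directory must be readable by httpd and writable by the certbot user.
    Alias /.well-known/acme-challenge /srv/www/certbot/.well-known/acme-challenge
    # ...
</VirtualHost>
# Uncomment after the certificate has been issued: the files referenced below
# only exist once the certbot command at the end of this page has succeeded,
# and httpd refuses to start while a referenced certificate file is missing.
#<VirtualHost *:443>
#    ServerName www.example.com
#    ServerAlias example.com
#
#    SSLEngine On
#    # fullchain.pem (leaf plus intermediates) rather than cert.pem, so that
#    # clients receive the complete chain; this also matches the NGINX example.
#    # On Apache older than 2.4.8 SSLCertificateFile reads only the first
#    # certificate in the file, so there add SSLCertificateChainFile pointing
#    # at the chain file instead.
#    SSLCertificateFile /opt/certbot/ssl/live/www.example.com/fullchain.pem
#    # privkey.pem is owned by the certbot user; httpd typically reads it
#    # while still running as root during startup, so its permissions should
#    # not be widened for the web server.
#    SSLCertificateKeyFile /opt/certbot/ssl/live/www.example.com/privkey.pem
#
#    # Challenge alias repeated on 443 -- presumably so that issuance keeps
#    # working if an HTTP-to-HTTPS redirect is added to the port-80 vhost.
#    Alias /.well-known/acme-challenge /srv/www/certbot/.well-known/acme-challenge
#
#    # ...
#</VirtualHost>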
NGINX:
server {
# One server block serves plain HTTP permanently (the ACME HTTP-01 challenge
# is validated over port 80, renewals included) and, once the lines below are
# enabled, HTTPS as well.
server_name www.example.com example.com;
listen 80;
# Uncomment after the certificate has been issued. The certificate files below
# are created by the certbot command at the end of this page; nginx fails its
# configuration check while they are missing, so keep these lines commented
# until issuance has succeeded.
#listen 443 ssl;
#
# fullchain.pem carries the leaf certificate plus intermediates; privkey.pem is
# owned by the certbot user and should not be made readable to anyone else.
#ssl_certificate /opt/certbot/ssl/live/www.example.com/fullchain.pem;
#ssl_certificate_key /opt/certbot/ssl/live/www.example.com/privkey.pem;
# Challenge files: "root" appends the request URI, so tokens are served from
# /srv/www/certbot/.well-known/acme-challenge/, the directory certbot writes to
# via "--webroot -w /srv/www/certbot" below.
location /.well-known/acme-challenge/ {
root /srv/www/certbot;
}
#...
}
Once a certificate has been issued successfully, a cron job renews it automatically.
## Lines with a "#" prompt run as root, lines with a "$" prompt as the
## unprivileged certbot user.
## umask 002 makes the new directory group-writable while leaving it readable
## by the web server; chown then hands the challenge directory to the certbot
## user so that certificate issuance itself never needs root.
# umask 002
# mkdir -p /srv/www/certbot/.well-known
# chown certbot:certbot /srv/www/certbot/.well-known
## NOTE(review): with mode 775 and group "certbot", any account in that group
## can write challenge files -- confirm the web server's account is not in it.
$ sudo su - certbot -s /bin/bash
## --config-dir/--work-dir/--logs-dir are relative to /opt/certbot after the
## cd, so certificates and the private key end up under /opt/certbot/ssl, the
## path the httpd and NGINX examples reference.
$ cd /opt/certbot; . venv/bin/activate
## -w must be the same webroot the Alias / location block serves, and the -d
## names must match the vhost's ServerName/ServerAlias (server_name).
(venv)$ certbot certonly --config-dir ssl --work-dir ssl --logs-dir ssl --webroot -w /srv/www/certbot -d www.example.com -d example.com