Role to setup Let's Encrypt certificates
| Variable | Default value | Description |
|---|---|---|
| letsencrypt_domain | {{ ansible_fqdn }} |
Primary domain to get certificate for |
| letsencrypt_domain_extra | [] |
List of extra domains to get certificate for |
| letsencrypt_port | "80" | Port for webserver to listen on (if using standalone mode) |
| letsencrypt_base_dir | /root/.acme.sh |
Directory to install the acme.sh client to |
| letsencrypt_staging | True |
Whether to use the staging CA |
| letsencrypt_issue_mode | webroot |
Whether to use webroot or standalone mode (see below) |
| letsencrypt_install_mode | install |
Whether to install or deploy the certificate |
| letsencrypt_webroot | /var/www/letsencrypt |
The directory to use as webroot (if using webroot mode) |
| letsencrypt_issue | empty | Pre/post/renew commands for certificate issurance |
| letsencrypt_install | see defaults/main.yml | Where to install the certificate to (if installing) |
| letsencrypt_reloadcmd | Empty | Command to execute after installing new certificates (if installing) |
| letsencrypt_deploy | Empty | Hooks to use (if using deploy mode) |
| letsencrypt_force | False |
Force-renew certificate. Useful when switching from staging to production |
For certificate issurance, this role supports a "standalone" mode, where a webserver will be started and a "webroot" mode where the webserver is already expected to be running. An example webroot configuration for NGINX might look like this:
server {
listen [::]:80 ipv6only=off default_server;
server_name {{ ansible_fqdn }};
location ^~ /.well-known/acme-challenge {
default_type text/plain;
alias {{ letsencrypt_webroot }}/.well-known/acme-challenge;
}
...
}
Certificates can either be "installed", that is, copied to some location and
optionally executing a "reload" command or "deployed". Deployment means that
special care is required, this repository includes deploy scripts for
ejabberd, freeipa and our mailserver role. Have a look at the respective shell
file in files for pointers.
GPLv3, except for the Let's Encrypt CA roots in files, which are, as far as
we understand, in the public domain.