baseline_letsencrypt

The cake function baseline_letsencrypt executes the role role-letsencrypt-remote, which manages Letsencrypt certificates on servers using the DNS challenge.

This role:

  • Gathers information about certificates already existing on the servers
  • Asks the user for confirmation to proceed if no certificate exists yet, or if the domain names in the existing certificate differ from those configured in Ansible
  • Aborts automatically if the existing certificate is not yet due for renewal (see letsencrypt_renew_days_max)
  • Installs a Python virtualenv with the required pip packages on the server
  • Acquires a Letsencrypt certificate using the DNS challenge, placing temporary TXT records with your DNS provider
  • Installs the certificate below /etc/letsencrypt/live/{{ letsencrypt_domain_names[0] }}/
  • Generates 4096-bit Diffie-Hellman parameters at /etc/letsencrypt/live/{{ letsencrypt_domain_names[0] }}/dh4096.pem (as an Ansible background task)
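The first three steps above are the pre-flight checks that decide whether the role asks, aborts or renews. The following is an added example, not code from role-letsencrypt-remote: it reproduces those checks as a dry run over the text that `openssl x509 -noout -dates -ext subjectAltName -in cert.pem` prints, so it can be run against a live certificate on a server or, as here, against a constructed sample. It assumes that letsencrypt_renew_days_max means the maximum certificate age in days before renewal; the role's actual semantics are defined in its defaults/main.yml.

```python
"""Dry run of the role's pre-flight checks (added example, not role code).

Parses `openssl x509 -noout -dates -ext subjectAltName` output and applies,
in order: no certificate -> confirm; SAN mismatch -> confirm; not due -> abort;
otherwise proceed. ASSUMPTION: renew_days_max is treated as the maximum
certificate age in days; check defaults/main.yml for the real semantics.
"""
import os
import re
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class ExistingCert:
    not_before: datetime
    not_after: datetime
    sans: frozenset  # lower-cased DNS names from subjectAltName


def utc(year, month, day, hour=0):
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def _parse_openssl_date(value: str) -> datetime:
    # openssl prints e.g. "Jun  1 00:00:00 2025 GMT"; the day may be space-padded
    value = " ".join(value.split())
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def parse_openssl_output(text: str) -> ExistingCert:
    """Parse the output of `openssl x509 -noout -dates -ext subjectAltName`."""
    dates = dict(re.findall(r"^(notBefore|notAfter)=(.+)$", text, re.M))
    sans = frozenset(n.strip().lower() for n in re.findall(r"DNS:([^,\s]+)", text))
    return ExistingCert(_parse_openssl_date(dates["notBefore"]),
                        _parse_openssl_date(dates["notAfter"]), sans)


def read_cert(path: str):
    """Run openssl on a real file; None when the certificate is absent.
    Errors from openssl itself are raised, not mistaken for 'absent'."""
    if not os.path.exists(path):
        return None
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-dates", "-ext", "subjectAltName", "-in", path],
        capture_output=True, text=True, check=True).stdout
    return parse_openssl_output(out)


def decide(existing, wanted_domains, now, renew_days_max):
    """Returns (action, reason); action is 'confirm', 'abort' or 'proceed'."""
    wanted = frozenset(d.lower() for d in wanted_domains)
    if existing is None:
        return ("confirm", "no certificate found")
    if existing.sans != wanted:  # order-insensitive, case-insensitive comparison
        missing, extra = sorted(wanted - existing.sans), sorted(existing.sans - wanted)
        return ("confirm", f"SAN mismatch: missing={missing} extra={extra}")
    if now >= existing.not_after:  # edge case: clock skew or a long-dead cert
        return ("proceed", "certificate already expired")
    age_days = (now - existing.not_before).days
    if age_days < renew_days_max:
        return ("abort", f"not due: age {age_days}d < {renew_days_max}d")
    return ("proceed", f"due: age {age_days}d >= {renew_days_max}d")


# Constructed sample of openssl output for a 90-day certificate (not a real cert).
SAMPLE_OPENSSL_OUTPUT = """\
notBefore=Mar  1 10:00:00 2025 GMT
notAfter=May 30 10:00:00 2025 GMT
X509v3 Subject Alternative Name: 
    DNS:git.cus.pub, DNS:www.git.cus.pub
"""

if __name__ == "__main__":
    cert = parse_openssl_output(SAMPLE_OPENSSL_OUTPUT)
    for when in (utc(2025, 4, 1), utc(2025, 5, 21)):
        print(when.date(), decide(cert, ["git.cus.pub", "www.git.cus.pub"], when, 80))
    print(decide(cert, ["git.cus.pub"], utc(2025, 4, 1), 80))
```

To use it on a server, replace the sample with `read_cert("/etc/letsencrypt/live/<first domain>/cert.pem")` and pass the same domain list the play uses; a "confirm" result is exactly the situation where the role stops and waits for the operator.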

Information

Key            Value
Playbook path  plays/baseline/letsencrypt.yml
Role           https://git.blunix.com/ansible-roles/role-letsencrypt-remote
Tags           https://git.blunix.com/ansible-roles/role-letsencrypt-remote/-/tags
Defaults       https://git.blunix.com/ansible-roles/role-letsencrypt-remote/-/blob/master/defaults/main.yml

Config file                                                  Description
/etc/letsencrypt/live/{{ letsencrypt_domain_names[0] }}/    Contains the certificates and the Diffie-Hellman parameter file

Example

It is the Blunix Stack default that every server gets a Letsencrypt certificate for its own hostname. This certificate encrypts the traffic of the monitoring clients (Prometheus exporters), which is served by the lighttpd web server. It is usually the first play in plays/baseline/letsencrypt.yml and should not be modified.

# Generate Letsencrypt certificates that come by default with every server
- name: manage default letsencrypt certificates
  hosts: all
  roles:
    - role: blunix_role-letsencrypt-remote_11.0.0
  vars:
    letsencrypt_domain_names:
      - "{{ inventory_hostname }}.{{ internal_private_domain }}"
    letsencrypt_plugin: route53
    letsencrypt_post_hook: "systemctl restart lighttpd.service"

To generate custom certificates for groups or individual servers, define the relevant variables in inventory/:

inventory/group_vars/util_git.yml:

letsencrypt_domain_names:
  - "git.{{ internal_public_domain }}"
letsencrypt_post_hook: "gitlab-ctl reconfigure && gitlab-ctl restart"

inventory/group_vars/util_monitoring.yml:

letsencrypt_domain_names:
  - "monitoring.{{ internal_private_domain }}"
letsencrypt_post_hook: "systemctl restart nginx.service"

Generate Letsencrypt certificates for git.cus.pub and monitoring.cus.int (in this example internal_public_domain is cus.pub and internal_private_domain is cus.int):

- name: manage custom letsencrypt certificates
  hosts: all
  roles:
    - role: blunix_role-letsencrypt-remote_11.0.0
  vars:
    letsencrypt_plugin: route53
    letsencrypt_renew_days_max: 80
    # The following variables are taken from inventory/
    #letsencrypt_domain_names:
    #letsencrypt_post_hook:

If more than one custom certificate is required, simply add another play for the respective group of servers. Note that you cannot request a certificate for the same domain on multiple servers simultaneously, as the DNS challenge TXT records placed for that domain would collide. To process the hosts one after another, use serial: 1:

- name: manage vhosts.cus.pub letsencrypt certificates for staging
  hosts: "cus-www-stag-web-1,cus-www-stag-lb-1"
  serial: 1
  roles:
    - role: blunix_role-letsencrypt-remote_11.0.0
  vars:
    letsencrypt_domain_names:
      - kibana.cus.pub
    letsencrypt_plugin: route53
    letsencrypt_post_hook: systemctl restart nginx.service