Let’s Encrypt certificates for HTTPS

Introduction

Let’s Encrypt is a non-profit service providing free TLS (HTTPS) certificates through an automated issuance process. This chapter shows how to integrate Let’s Encrypt certificates with the websauna.ansible playbook and Nginx.

These instructions also set up a cron job that renews the Let’s Encrypt certificates automatically before they expire (Let’s Encrypt certificates are valid for 90 days, so renewal is not optional; a forgotten renewal takes the site down with a browser certificate error).

Installation

You need the ansible-letsencrypt role, which is known to be compatible with the Websauna playbook. In the folder containing your playbook.yml, create or append requirements.yml with the following contents:

- src: git+https://github.com/websauna/ansible-letsencrypt.git
  name: ansible-letsencrypt

Then install the requirement:

ansible-galaxy install -r requirements.yml

Setting up a playbook

Here are the main settings you need to change; see the fully functional playbook example for the rest.

Important variables (set them among the playbook variables, as a mapping, not a list):

letsencrypt: on
ssl: on

# Let's Encrypt parameters
server_name: letsencrypt.websauna.org  # Your server's fully qualified domain name
letsencrypt_webroot_path: /var/www/html  # Nginx must serve this directory on port 80 for the ACME challenge
letsencrypt_email: [email protected]  # Your email; Let's Encrypt sends expiry warnings here
letsencrypt_cert_domains:
  - "{{ server_name }}"
letsencrypt_renewal_command_args: '--renew-hook "service nginx restart"'  # Makes Nginx pick up the renewed certificate (Ubuntu 14.04)
nginx_ssl_certificate_path: "/etc/letsencrypt/live/{{ server_name }}/cert.pem"
nginx_ssl_certificate_path_key: "/etc/letsencrypt/live/{{ server_name }}/privkey.pem"

Two points worth checking before you rely on this. First, the webroot method proves control of the domain by fetching a file under /.well-known/acme-challenge/ from letsencrypt_webroot_path over plain HTTP, so the domain must already resolve to the host and Nginx must serve that path on port 80 before the role runs. Second, cert.pem holds only the leaf certificate; fullchain.pem in the same directory also contains the Let's Encrypt intermediate. Nginx sends clients exactly the file named in ssl_certificate, so if the Nginx template uses nginx_ssl_certificate_path for that directive, point it at fullchain.pem: clients that do not fetch missing intermediates themselves (many command-line and mobile clients) will otherwise fail validation even though desktop browsers look fine. A "service nginx reload" is also sufficient for Nginx to reread the certificate files and avoids dropping open connections; restart is only needed where reload is unavailable.

Add the ansible-letsencrypt role to the roles list, keeping it before websauna.site so the certificate files exist when the site's Nginx configuration references them:

roles:
  # ...
  - { role: Stouts.python, become: yes, become_user: root }
  - { role: ansible-letsencrypt, tags: ['letsencrypt'] }
  - { role: websauna.site, tags: ['site'] }  # Core site update logic
  # ...

Rerun the full playbook for the changes to take effect.
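Once the playbook has run, it is worth checking on the host that the certificate actually deployed is the one you expect, how long it has left, and whether Nginx sends the full chain. The script below is an added example written for this chapter; it is not part of websauna.ansible or the ansible-letsencrypt role. It assumes openssl(1) is installed, that certificates live under the /etc/letsencrypt/live/ paths used by the playbook variables above, and it uses certbot's default renewal threshold of 30 days as the point at which the cron job should already have renewed. The file name check-cert.sh is only a suggestion.

```shell
#!/bin/sh
# Post-deployment checks for the certificate installed by the playbook above.
# Added example, not code from websauna.ansible or ansible-letsencrypt.
# Assumes openssl(1) on the host and certbot's /etc/letsencrypt/live layout.
# Usage: sh check-cert.sh letsencrypt.websauna.org

LE_LIVE=/etc/letsencrypt/live   # directory the nginx_ssl_certificate_path variables point at
RENEW_DAYS=30                   # certbot renews when fewer than 30 days remain (its default)

# Succeed if the PEM certificate in $1 is still valid for at least $2 days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Days until the certificate in $1 expires. Needs GNU date for -d; prints
# "unknown" and fails on other date implementations.
cert_days_left() {
    notafter=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    end=$(date -u -d "$notafter" +%s 2>/dev/null) || { echo unknown; return 1; }
    echo $(( (end - $(date -u +%s)) / 86400 ))
}

# Number of certificates in a PEM file: 1 for cert.pem, 2 or more for fullchain.pem.
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Number of certificates the live server actually sends for $1 (leaf plus intermediates).
served_chain_count() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | grep -c -- '-----BEGIN CERTIFICATE-----'
}

check_deployment() {
    domain=$1
    cert=$LE_LIVE/$domain/cert.pem
    full=$LE_LIVE/$domain/fullchain.pem
    echo "leaf certificate: $cert, $(cert_days_left "$cert") days left"
    if cert_valid_for_days "$cert" "$RENEW_DAYS"; then
        echo "OK: more than $RENEW_DAYS days left, renewal not yet due"
    else
        echo "WARN: fewer than $RENEW_DAYS days left, the renewal cron should already have run"
    fi
    echo "certificates in fullchain.pem: $(cert_count "$full")"
    served=$(served_chain_count "$domain") || served=0
    if [ "$served" -ge 2 ]; then
        echo "OK: server sends $served certificates (leaf plus intermediate)"
    else
        echo "WARN: server sends $served certificate(s); point Nginx at fullchain.pem"
    fi
}

if [ -n "${1:-}" ]; then
    check_deployment "$1"
fi
```

Run it right after the playbook and again a few days after the first scheduled renewal: a WARN on the expiry check at that point means the cron job or its renew hook did not do its work, which is the failure mode that otherwise only shows up as an outage.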