---
myst:
html_meta:
"description": ""
"property=og:description": ""
"property=og:title": ""
"keywords": ""
---
(letsencrypt-certbot)=
# Let's Encrypt Certificates and certbot
All websites should use TLS.
We use an Ansible role that will automatically install [certbot](https://certbot.eff.org/), a free secure certificate from [Let's Encrypt](https://letsencrypt.org), and create a cron job that will automatically renew the certificate.
## Installation
You need to install the role.
```shell
cd ansible-playbook
git clone https://github.com/geerlingguy/ansible-role-certbot.git geerlingguy.certbot
```
## Configuration
To use the role, you need to add the following variables to your `local-configure.yml`, and substitute your values as needed.
```yaml
# https://github.com/geerlingguy/ansible-role-certbot#role-variables
# override roles/geerlingguy.certbot/defaults/main.yml
certbot_create_if_missing: true
certbot_admin_email: email@example.com
certbot_auto_renew_options: '--quiet --no-self-upgrade
--pre-hook "service nginx stop" --post-hook "service nginx start"'
certbot_certs:
- domains:
- "{{ inventory_hostname }}"
webserver_virtualhosts:
- hostname: "{{ inventory_hostname }}"
port: 80
protocol: http
extra: return 301 https://$server_name$request_uri;
- hostname: "{{ inventory_hostname }}"
default_server: yes
zodb_path: /Plone
address: 1.1.1.1
port: 443
protocol: https
certificate:
key: /etc/letsencrypt/live/{{ inventory_hostname }}/privkey.pem
crt: /etc/letsencrypt/live/{{ inventory_hostname }}/fullchain.pem
```
The above configuration redirects all traffic from `http` to `https`, using the `extra` key mentioned in {ref}`web-hosting-options`.
```{seealso}
[Read documentation of the role geerlingguy.certbot](https://github.com/geerlingguy/ansible-role-certbot).
```