Let's Encrypt Certificates and certbot#

All websites should use TLS. We use an Ansible role that will automatically install certbot, a free secure certificate from Let's Encrypt, and create a cron job that will automatically renew the certificate.

Installation#

You need to install the role.

cd ansible-playbook
git clone https://github.com/geerlingguy/ansible-role-certbot.git geerlingguy.certbot

Configuration#

To use the role, you need to add the following variables to your local-configure.yml, and substitute your values as needed.

# https://github.com/geerlingguy/ansible-role-certbot#role-variables
# override roles/geerlingguy.certbot/defaults/main.yml
certbot_create_if_missing: true
certbot_admin_email: email@example.com
certbot_auto_renew_options: '--quiet --no-self-upgrade
--pre-hook "service nginx stop" --post-hook "service nginx start"'

certbot_certs:
  - domains:
    - "{{ inventory_hostname }}"

webserver_virtualhosts:
  - hostname: "{{ inventory_hostname }}"
    port: 80
    protocol: http
    extra: return 301 https://$server_name$request_uri;
  - hostname: "{{ inventory_hostname }}"
    default_server: yes
    zodb_path: /Plone
    address: 1.1.1.1
    port: 443
    protocol: https
    certificate:
      key: /etc/letsencrypt/live/{{ inventory_hostname }}/privkey.pem
      crt: /etc/letsencrypt/live/{{ inventory_hostname }}/fullchain.pem

The above configuration redirects all traffic from http to https, using the extra key mentioned in Web Hosting Options.