Write a post

Automating SSL Encryption for Your Servers with LetsEncrypt and Ansible

Published Jan 24, 2017
Automating SSL Encryption for Your Servers with LetsEncrypt and Ansible

This tutorial was originally posted by the author on another website. This version has been edited for clarity and may appear different from the original post.


Let's Encrypt is probably one of the most well-known authority supplying free green seal certificates. In this article, I will share how I make use of letsencrypt as part of a server's provisioning process.

I have tried out a wide range of clients for Let's Encrypt: certbot-auto, letsencrypt-cli, simple_le, and few other from Let's Encrypt's client list.

However, my number one choice, at least for now, is:
https://github.com/lukas2511/letsencrypt.sh. If I were to describe tge client in a few words, it'd simply be: “it just works.”

I use Ansible for my automation scenarios and have wrapped letsencrypt.sh into a role play at https://github.com/softasap/sa-lets-encrypt

Here's an example of using existing installations, assuming you have existing website — you specify what domain names you plan to use and the path to the nginx config:

    - hosts: dev

      vars:
        - root_dir: "{{playbook_dir}}"
        - my_domains:
          - {
            names: "voronenko.net www.voronenko.net",
            nginx_config: "/etc/nginx/sites-available/voronenko_net"
            }

      pre_tasks:
        - debug: msg="Pre tasks section"

      roles:

        - {
            role: "sa-lets-encrypt",
            le_domains: "{{my_domains}}",
            option_run_once: true,
            option_setup_cron: true
          }

      tasks:
        - debug: msg="Tasks section"

This is longer example of a new installation — you install nginx, configure your website, and apply letsencrypt play.

    ---
    - hosts: www
      vars:
        - root_dir: "{{playbook_dir}}"
        - my_domains:
          - {
            names: "voronenko.net www.voronenko.net",
            nginx_config: "/etc/nginx/sites-available/voronenko_net"
            }

      pre_tasks:
        - debug: msg="Pre tasks section"

      roles:

        - {
            role: "sa-nginx"
          }
        - {
            role: "sa-include",
            include_file: "{{root_dir}}/demosite.yml"
          }
        - {
            role: "sa-lets-encrypt",
            le_domains: "{{my_domains}}",
    #        le_ca: "https://acme-staging.api.letsencrypt.org/directory",
            option_run_once: true,
            option_setup_cron: true
          }

      tasks:
        - debug: msg="Tasks section"

Refer to the standalone example in the box-example folder.

Digital Ocean

Here's what the result will look like for an example in DigitalOcean — you get the clean OS:

SSL encryption

Once the droplet is ready, configure the DNS for it.

SSL encryption

GoDaddy

See the example below for GoDaddy:

SSL encryption

Ping the host to ensure that the DNS was successfully propagated.

SSL encryption

Adjust play to specify box address.

Wait for provisioning to complete.

SSL encryption

How letsencrypt.sh works

Take a look at how letsencrypt.sh works.

It creates links to the current certificates so you can safely refer them from the nginx config. Role installs cron job to ensure that the certificate is updated before it expires. However, you would need to reload your webserver in case the underlying certificate has been updated.

SSL encryption

Now you can safely refer to the SSL certificates in your web config.

ssl encryption

Check the Seal

Last step — check for the green sealed certificate in the browser.

SSL encryption

That's it!

If you're using other web servers, your PRs and comments are always welcomed.

Discover and read more posts from Vyacheslav
get started
Enjoy this post?

Leave a like and comment for Vyacheslav

Automating Network Mastering Scenarios for Amazon VPC with Ansible
Deploying a Ruby Application with Ansible
Ansible Automation: A Comprehensive Guidebook