| [14706] | 1 | --- |
|---|
| 2 | # tasks to enable letsencrypt on Ubuntu |
|---|
| 3 | # |
|---|
| 4 | # This role expects that you run `nginx` as webserver. |
|---|
| 5 | # This role works on Ubuntu machines. |
|---|
| 6 | # This role expects the following vars to be set: |
|---|
| 7 | # - `letsencrypt_email` Email address of cert manager |
|---|
| 8 | # - `letsencrypt_domains` List of domains to maintain |
|---|
| 9 | # comma-separated, no blanks |
|---|
| 10 | # - `letsencrypt_expand_domains` - true or false |
|---|
| 11 | # if true, new domains are added |
|---|
| 12 | # to the already existing list of |
|---|
| 13 | # certs |
|---|
| 14 | # |
|---|
| 15 | - name: "enable letsencrypt PPA" |
|---|
| 16 | become: yes |
|---|
| 17 | apt_repository: |
|---|
| 18 | repo: 'ppa:certbot/certbot' |
|---|
| 19 | state: present |
|---|
| 20 | notify: update package cache |
|---|
| 21 | |
|---|
| 22 | - name: "install certbot" |
|---|
| 23 | become: yes |
|---|
| 24 | apt: |
|---|
| 25 | name: certbot |
|---|
| 26 | state: present |
|---|
| 27 | |
|---|
| 28 | - name: "register account" |
|---|
| 29 | become: yes |
|---|
| 30 | command: certbot register -m "{{ letsencrypt_email }}" --non-interactive --agree-tos -vv |
|---|
| 31 | args: |
|---|
| [16581] | 32 | creates: '/etc/letsencrypt/accounts/acme-v??.api.letsencrypt.org/directory/*/private_key.json' |
|---|
| [14706] | 33 | |
|---|
| [15568] | 34 | - name: "stop webserver" |
|---|
| 35 | become: yes |
|---|
| 36 | service: |
|---|
| 37 | name: nginx |
|---|
| 38 | state: stopped |
|---|
| 39 | |
|---|
| [14706] | 40 | # For first time creation of certs. Later on use the below task or renewal |
|---|
| 41 | - name: "create initial certs" |
|---|
| 42 | become: yes |
|---|
| 43 | command: certbot certonly --standalone --non-interactive -d "{{ letsencrypt_domains }}" --pre-hook "sudo service nginx stop" --post-hook "sudo service nginx start" -m "{{ letsencrypt_email }}" --agree-tos --rsa-key-size 4096 |
|---|
| 44 | args: |
|---|
| 45 | creates: '/etc/letsencrypt/live/*/cert.pem' |
|---|
| 46 | |
|---|
| 47 | # in case additional domains must be added to the already existing ones |
|---|
| 48 | - name: "create certs (expand list of domains)" |
|---|
| 49 | become: yes |
|---|
| 50 | command: certbot certonly --standalone --non-interactive -d "{{ letsencrypt_domains }}" --pre-hook "sudo service nginx stop" --post-hook "sudo service nginx start" -m "{{ letsencrypt_email }}" --agree-tos --expand --rsa-key-size 4096 |
|---|
| 51 | when: letsencrypt_expand_domains |
|---|
| 52 | |
|---|
| [15568] | 53 | - name: "start webserver" |
|---|
| 54 | become: yes |
|---|
| 55 | service: |
|---|
| 56 | name: nginx |
|---|
| 57 | state: restarted |
|---|
| 58 | |
|---|
| [14706] | 59 | # Cron task for renewal is installed automatically by the Ubuntu package |
|---|
