Sets up SSL certificate signed by Let's Encrypt using acme-tiny
- Uses acme-tiny for better code auditability.
- Doesn't run acme-tiny as root.
- Provides an nginx snippet that is easily included in your configs for challenges.
- Automatically renew certificates every 30 days.
- Ansible 2.0+
- A working nginx installation. Recommended role: ansible-nginx.
First of all, look at comments in vars/main.yml
for details on how each variable works. This
is how your role invocation will look like:
- hosts: webserver
roles:
- role: ansible-acme-nginx
acme_ssl_base_folder: /opt/mysslstuff
acme_challenges_folder_path: "{{ ssl_base_folder }}/challenges"
acme_domains:
- example.com
- www.example.com
This role should be ran before you provision your website, otherwise, you won't have your SSL certs available.
Preferably, before you run this role, you have a fully configured-and-running
nginx that is configured with a "catchall" configuration that answers to ACME
challenges locations (make sure that it points to our
acme_challenges_folder_path
, where we'll actually meet the challenges!).
The ansible-nginx role does that with minimal configuration.
However, catchall configs have lower priority than your more specific server
blocks, that is why you'll need to change your nginx config for every site to
include the acme_well_known.conf
snippet that is also create by this role and
placed in /etc/nginx/snippets
. You can see an example in my
ansible-wordpress role. This snippet adds a
location pointing to acme_challenges_folder_path
. With this snippet in place,
you won't ever need to shutdown your webserver in order to answer your ACME
challenge.
The principle is: if your website has never been provisioned before, our catch all nginx conf is there to answer ACME challenges. Otherwise, in case of regular cert updates, it your website's nginx conf's responsibility to answer ACME challenge, which is done easily by including the provided snippet.