
WIP: Add Let's Encrypt via certbot-nginx plugin #2

Open
wants to merge 2 commits into base: master

Conversation

matt17r

@matt17r matt17r commented Dec 12, 2020

This PR is completely independent of the proposed changes in #1.

Implementation actually turned out to be fairly simple, mainly following the instructions in https://linuxbuz.com/linuxhowto/install-letsencrypt-ssl-ansible (with a few tweaks to simplify it and combine it with the existing playbook).

  1. The user can specify one or more domains in vars/vars.yml along with an email address to register with
  2. Certbot gets installed via apt
  3. The domains from step 1 get merged into the Nginx config template (templates/nginx_app.conf.j2)
  4. The domains and email address get used in one task to configure certbot and create the certificate
  5. Another Ansible task adds a cron task to renew the certificates as required

@cupnoodle
Owner

woah, thanks for this PR! Is it possible to add an if statement to check if the user has domain variables set? So that it won't call letsencrypt if there is no domain set, as I sometimes will spin up a server quickly to test some stuff out without needing a domain.

@matt17r
Author

matt17r commented Dec 13, 2020 via email

Default boolean to false. If you change this to true you are responsible for setting up DNS and listing the domains.

You also need to be aware of the [Rate Limit](https://letsencrypt.org/docs/rate-limits/) if you're testing this repeatedly on the same parent domain

@matt17r matt17r changed the title Add Let's Encrypt via certbot-nginx plugin WIP: Add Let's Encrypt via certbot-nginx plugin Dec 14, 2020
@matt17r
Author

matt17r commented Dec 14, 2020

I was trying to figure out a fancy way to detect if the domain list was defined and if so to do different things in the playbook and the template.

While writing out a StackOverflow question it dawned on me there was a much simpler (and clearer) way...

Add a boolean that tells it whether to do those steps or not.

If we set the default to false in the source and people don't change the default, the existing playbook runs identically to before the change (almost, in this version python3-certbot-nginx always gets installed, even if you aren't using it).

We'd just need to document that if you change that value to true, you are responsible for:

  • registering DNS entries for the domains
  • adding the domains and a valid email to var/vars.yml
  • not running afoul of the Let's Encrypt rate limits (which can happen if you run this playbook repeatedly in testing... or if you have too many different servers all registering certificates for the same parent domain)

This also doesn't work if you have an existing wildcard certificate and want to reuse that... perhaps that can be a future enhancement 😉
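The following playbook is an added example, not code from this PR or its repository. It carries out the five steps listed in the PR description and gates every Let's Encrypt step behind the boolean proposed in this comment, so that with the default of `false` the play behaves as it did before. It also adds two checks a practitioner would want: an early assertion that the domain list and email are actually set when the boolean is true, and a staging switch that points certbot at Let's Encrypt's staging CA so repeated test runs do not consume production rate limits. The variable names (`use_letsencrypt`, `letsencrypt_domains`, `letsencrypt_email`, `letsencrypt_staging`), the nginx config path and the sample values are assumptions; the PR's own names may differ.

```yaml
# Added example (not the PR's own code). Assumed contents of vars/vars.yml,
# with constructed sample values:
#   use_letsencrypt: false              # default: every certbot task is skipped
#   letsencrypt_domains:
#     - example.com
#     - www.example.com
#   letsencrypt_email: admin@example.com
#   letsencrypt_staging: true           # staging CA: certs are untrusted, but
#                                       # test runs don't hit production limits
- hosts: web
  become: true
  vars_files:
    - vars/vars.yml

  tasks:
    - name: Fail early if Let's Encrypt is enabled but not configured (step 1)
      ansible.builtin.assert:
        that:
          - letsencrypt_domains | default([]) | length > 0
          - letsencrypt_email | default('') | length > 0
        fail_msg: "use_letsencrypt is true, so letsencrypt_domains and letsencrypt_email must be set in vars/vars.yml (and DNS must already point at this host)"
      when: use_letsencrypt | default(false) | bool

    - name: Install certbot and the nginx plugin (step 2)
      ansible.builtin.apt:
        name:
          - certbot
          - python3-certbot-nginx
        state: present
        update_cache: true
      when: use_letsencrypt | default(false) | bool

    - name: Render the nginx site config (step 3)
      # templates/nginx_app.conf.j2 is assumed to contain a line such as
      #   server_name {{ letsencrypt_domains | default(['_']) | join(' ') }};
      # so the template still renders when no domains are defined.
      ansible.builtin.template:
        src: templates/nginx_app.conf.j2
        dest: /etc/nginx/sites-available/app.conf
        mode: "0644"
      notify: reload nginx

    - name: Reload nginx now so certbot sees the rendered server block
      ansible.builtin.meta: flush_handlers

    - name: Obtain the certificate with the certbot nginx plugin (step 4)
      ansible.builtin.command:
        cmd: >-
          certbot --nginx --non-interactive --agree-tos
          --email {{ letsencrypt_email }}
          -d {{ letsencrypt_domains | join(',') }}
          {{ '--staging' if letsencrypt_staging | default(false) | bool else '' }}
        # certbot names the lineage after the first domain; this guard keeps the
        # task idempotent, so re-running the playbook does not re-register
        creates: "/etc/letsencrypt/live/{{ letsencrypt_domains[0] }}/fullchain.pem"
      when: use_letsencrypt | default(false) | bool

    - name: Schedule certificate renewal (step 5)
      ansible.builtin.cron:
        name: certbot renew
        minute: "0"
        hour: "3,15"
        job: "certbot renew --quiet"
      when: use_letsencrypt | default(false) | bool

  handlers:
    - name: reload nginx
      ansible.builtin.service:
        name: nginx
        state: reloaded
```

Two things to keep in mind when using this shape: staging certificates are not browser-trusted, and because the `creates` guard skips the certbot task once a lineage exists, switching from staging to production requires removing the staging lineage first (`certbot delete --cert-name example.com`) or the task will be skipped. `certbot renew --dry-run` run by hand is a cheap way to confirm the cron job will succeed before the first real renewal.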

@matt17r
Author

matt17r commented Dec 14, 2020

P.S. I haven't tested the changes I made at all yet... there may be face-palmingly obvious syntax errors... but I think the approach makes sense. What do you think of the general approach?
