commit b131d264fd64abdab7dd2a5169d36e2106ca5154 Author: vincent Date: Thu Apr 9 13:30:30 2020 +0200 fix submodule issue diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..4275cf3 --- /dev/null +++ b/LICENSE @@ -0,0 +1,20 @@ +The MIT License (MIT) + +Copyright (c) 2017 Jeff Geerling + +Permission is hereby granted, free of charge, to any person obtaining a copy of +this software and associated documentation files (the "Software"), to deal in +the Software without restriction, including without limitation the rights to +use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +the Software, and to permit persons to whom the Software is furnished to do so, +subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/README.md b/README.md new file mode 100644 index 0000000..a720e0d --- /dev/null +++ b/README.md @@ -0,0 +1,140 @@ +# Ansible Role: Certbot (for Let's Encrypt) + +[![Build Status](https://travis-ci.org/geerlingguy/ansible-role-certbot.svg?branch=master)](https://travis-ci.org/geerlingguy/ansible-role-certbot) + +Installs and configures Certbot (for Let's Encrypt). + +## Requirements + +If installing from source, Git is required. You can install Git using the `geerlingguy.git` role. + +Generally, installing from source (see section `Source Installation from Git`) leads to a better experience using Certbot and Let's Encrypt, especially if you're using an older OS release. + +## Role Variables + +The variable `certbot_install_from_source` controls whether to install Certbot from Git or package management. The latter is the default, so the variable defaults to `no`. + + certbot_auto_renew: true + certbot_auto_renew_user: "{{ ansible_user | default(lookup('env', 'USER')) }}" + certbot_auto_renew_hour: "3" + certbot_auto_renew_minute: "30" + certbot_auto_renew_options: "--quiet --no-self-upgrade" + +By default, this role configures a cron job to run under the provided user account at the given hour and minute, every day. The defaults run `certbot renew` (or `certbot-auto renew`) via cron every day at 03:30:00 by the user you use in your Ansible playbook. It's preferred that you set a custom user/hour/minute so the renewal is during a low-traffic period and done by a non-root user account. + +### Automatic Certificate Generation + +Currently there is one built-in method for generating new certificates using this role: `standalone`. Other methods (e.g. using nginx or apache and a webroot) may be added in the future. + +**For a complete example**: see the fully functional test playbook in [molecule/default/playbook-standalone-nginx-aws.yml](molecule/default/playbook-standalone-nginx-aws.yml). + + certbot_create_if_missing: false + certbot_create_method: standalone + +Set `certbot_create_if_missing` to `yes` or `True` to let this role generate certs. Set the method used for generating certs with the `certbot_create_method` variable—current allowed values include: `standalone`. + + certbot_admin_email: email@example.com + +The email address used to agree to Let's Encrypt's TOS and subscribe to cert-related notifications. This should be customized and set to an email address that you or your organization regularly monitors. + + certbot_certs: [] + # - email: janedoe@example.com + # domains: + # - example1.com + # - example2.com + # - domains: + # - example3.com + +A list of domains (and other data) for which certs should be generated. You can add an `email` key to any list item to override the `certbot_admin_email`. + + certbot_create_command: "{{ certbot_script }} certonly --standalone --noninteractive --agree-tos --email {{ cert_item.email | default(certbot_admin_email) }} -d {{ cert_item.domains | join(',') }}" + +The `certbot_create_command` defines the command used to generate the cert. + +#### Standalone Certificate Generation + + certbot_create_standalone_stop_services: + - nginx + +Services that should be stopped while `certbot` runs it's own standalone server on ports 80 and 443. If you're running Apache, set this to `apache2` (Ubuntu), or `httpd` (RHEL), or if you have Nginx on port 443 and something else on port 80 (e.g. Varnish, a Java app, or something else), add it to the list so it is stopped when the certificate is generated. + +These services will only be stopped the first time a new cert is generated. + +### Source Installation from Git + +You can install Certbot from it's Git source repository if desired. This might be useful in several cases, but especially when older distributions don't have Certbot packages available (e.g. CentOS < 7, Ubuntu < 16.10 and Debian < 8). + + certbot_install_from_source: false + certbot_repo: https://github.com/certbot/certbot.git + certbot_version: master + certbot_keep_updated: true + +Certbot Git repository options. To install from source, set `certbot_install_from_source` to `yes`. This clones the configured `certbot_repo`, respecting the `certbot_version` setting. If `certbot_keep_updated` is set to `yes`, the repository is updated every time this role runs. + + certbot_dir: /opt/certbot + +The directory inside which Certbot will be cloned. + +### Wildcard Certificates + +Let's Encrypt supports [generating wildcard certificates](https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579), but the process for generating and using them is slightly more involved. See comments in [this pull request](https://github.com/geerlingguy/ansible-role-certbot/pull/60#issuecomment-423919284) for an example of how to use this role to maintain wildcard certs. + +Michael Porter also has a walkthrough of [Creating A Let’s Encrypt Wildcard Cert With Ansible](https://www.michaelpporter.com/2018/09/creating-a-wildcard-cert-with-ansible/), specifically with Cloudflare. + +## Dependencies + +None. + +## Example Playbook + + - hosts: servers + + vars: + certbot_auto_renew_user: your_username_here + certbot_auto_renew_minute: "20" + certbot_auto_renew_hour: "5" + + roles: + - geerlingguy.certbot + +See other examples in the `tests/` directory. + +### Manually creating certificates with certbot + +_Note: You can have this role automatically generate certificates; see the "Automatic Certificate Generation" documentation above._ + +You can manually create certificates using the `certbot` (or `certbot-auto`) script (use `letsencrypt` on Ubuntu 16.04, or use `/opt/certbot/certbot-auto` if installing from source/Git. Here are some example commands to configure certificates with Certbot: + + # Automatically add certs for all Apache virtualhosts (use with caution!). + certbot --apache + + # Generate certs, but don't modify Apache configuration (safer). + certbot --apache certonly + +If you want to fully automate the process of adding a new certificate, but don't want to use this role's built in functionality, you can do so using the command line options to register, accept the terms of service, and then generate a cert using the standalone server: + + 1. Make sure any services listening on ports 80 and 443 (Apache, Nginx, Varnish, etc.) are stopped. + 2. Register with something like `certbot register --agree-tos --email [your-email@example.com]` + - Note: You won't need to do this step in the future, when generating additional certs on the same server. + 3. Generate a cert for a domain whose DNS points to this server: `certbot certonly --noninteractive --standalone -d example.com -d www.example.com` + 4. Re-start whatever was listening on ports 80 and 443 before. + 5. Update your webserver's virtualhost TLS configuration to point at the new certificate (`fullchain.pem`) and private key (`privkey.pem`) Certbot just generated for the domain you passed in the `certbot` command. + 6. Reload or restart your webserver so it uses the new HTTPS virtualhost configuration. + +### Certbot certificate auto-renewal + +By default, this role adds a cron job that will renew all installed certificates once per day at the hour and minute of your choosing. + +You can test the auto-renewal (without actually renewing the cert) with the command: + + /opt/certbot/certbot-auto renew --dry-run + +See full documentation and options on the [Certbot website](https://certbot.eff.org/). + +## License + +MIT / BSD + +## Author Information + +This role was created in 2016 by [Jeff Geerling](https://www.jeffgeerling.com/), author of [Ansible for DevOps](https://www.ansiblefordevops.com/). diff --git a/defaults/main.yml b/defaults/main.yml new file mode 100644 index 0000000..fe1c98f --- /dev/null +++ b/defaults/main.yml @@ -0,0 +1,40 @@ +--- +# Certbot auto-renew cron job configuration (for certificate renewals). +certbot_auto_renew: true +certbot_auto_renew_user: "{{ ansible_user | default(lookup('env', 'USER')) }}" +certbot_auto_renew_hour: "3" +certbot_auto_renew_minute: "30" +certbot_auto_renew_options: "--quiet --no-self-upgrade" +certbot_nginx_conf_path: /etc/nginx/conf.d/ +# Parameters used when creating new Certbot certs. +certbot_force: false +certbot_create_if_missing: false +certbot_create_method: standalone +certbot_admin_email: email@example.com +certbot_cert_name: "" +certbot_certs: [] +# - email: janedoe@example.com +# domains: +# - example1.com +# - example2.com +# - domains: +# - example3.com +certbot_create_command: >- + {{ certbot_script }} certonly --standalone --noninteractive --agree-tos + {% if certbot_cert_name %} --cert-name {{certbot_cert_name}} {%endif%} --email {{ cert_item.email | default(certbot_admin_email) }} + -d {{ cert_item.domains | join(',') }} + +certbot_create_standalone_stop_services: + - nginx + # - apache + # - varnish + +# To install from source (on older OSes or if you need a specific or newer +# version of Certbot), set this variable to `yes` and configure other options. +certbot_install_from_source: false +certbot_repo: https://github.com/certbot/certbot.git +certbot_version: master +certbot_keep_updated: true + +# Where to put Certbot when installing from source. +certbot_dir: /opt/certbot diff --git a/meta/main.yml b/meta/main.yml new file mode 100644 index 0000000..e9b4a60 --- /dev/null +++ b/meta/main.yml @@ -0,0 +1,33 @@ +--- +dependencies: [] + +galaxy_info: + author: geerlingguy + description: "Installs and configures Certbot (for Let's Encrypt)." + company: "Midwestern Mac, LLC" + license: "license (BSD, MIT)" + min_ansible_version: 2.4 + platforms: + - name: EL + versions: + - 6 + - 7 + - name: Fedora + versions: + - all + - name: Ubuntu + versions: + - all + - name: Debian + versions: + - all + galaxy_tags: + - networking + - system + - web + - certbot + - letsencrypt + - encryption + - certificates + - ssl + - https diff --git a/tasks/create-cert-standalone.yml b/tasks/create-cert-standalone.yml new file mode 100644 index 0000000..6bf8188 --- /dev/null +++ b/tasks/create-cert-standalone.yml @@ -0,0 +1,41 @@ +--- +- name: Check if certificate already exists. + stat: + path: /etc/letsencrypt/live/{% if certbot_cert_name %}{{certbot_cert_name}}{% else %}{{ cert_item.domains | first | replace('*.', '') }}{% endif %}/cert.pem + register: letsencrypt_cert + + +- name: Stop services to allow certbot to generate a cert. + service: + name: "{{ item }}" + state: stopped + when: not letsencrypt_cert.stat.exists or (certbot_force) + ignore_errors: yes + with_items: "{{ certbot_create_standalone_stop_services }}" + +- name: Generate new certificate if one doesn't exist. + command: "{{ certbot_create_command }}" + when: not letsencrypt_cert.stat.exists or certbot_force + +- name: Generate Diffie-Hellman parameters + openssl_dhparam: + path: /etc/letsencrypt/ssl-dhparams.pem + size: 2048 + +- name: ensure conf.d exist + file: + path: "{{ certbot_nginx_conf_path }}" + state: directory + +- name: create nginx config ssl file + template: + dest: "{{ certbot_nginx_conf_path }}/{% if certbot_cert_name %}{{certbot_cert_name}}{% else %}{{ cert_item.domains | first | replace('*.', '') }}{% endif %}.ssl" # required. Location to render the template to on the remote machine. + src: nginx_ssl_config.j2 # required. Path of a Jinja2 formatted template on the Ansible controller. This can be a relative or absolute path. + +- name: Start services after cert has been generated. + service: + name: "{{ item }}" + state: started + when: not letsencrypt_cert.stat.exists or (certbot_force) + ignore_errors: yes + with_items: "{{ certbot_create_standalone_stop_services }}" diff --git a/tasks/include-vars.yml b/tasks/include-vars.yml new file mode 100644 index 0000000..0a70e50 --- /dev/null +++ b/tasks/include-vars.yml @@ -0,0 +1,8 @@ +--- +- name: Load a variable file based on the OS type, or a default if not found. + include_vars: "{{ item }}" + with_first_found: + - "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yml" + - "{{ ansible_distribution }}.yml" + - "{{ ansible_os_family }}.yml" + - "default.yml" diff --git a/tasks/install-from-source.yml b/tasks/install-from-source.yml new file mode 100644 index 0000000..daee685 --- /dev/null +++ b/tasks/install-from-source.yml @@ -0,0 +1,17 @@ +--- +- name: Clone Certbot into configured directory. + git: + repo: "{{ certbot_repo }}" + dest: "{{ certbot_dir }}" + version: "{{ certbot_version }}" + update: "{{ certbot_keep_updated }}" + force: true + +- name: Set Certbot script variable. + set_fact: + certbot_script: "{{ certbot_dir }}/certbot-auto" + +- name: Ensure certbot-auto is executable. + file: + path: "{{ certbot_script }}" + mode: 0755 diff --git a/tasks/install-with-package.yml b/tasks/install-with-package.yml new file mode 100644 index 0000000..10490ff --- /dev/null +++ b/tasks/install-with-package.yml @@ -0,0 +1,7 @@ +--- +- name: Install Certbot. + package: "name={{ certbot_package }} state=present" + +- name: Set Certbot script variable. + set_fact: + certbot_script: "{{ certbot_package }}" diff --git a/tasks/main.yml b/tasks/main.yml new file mode 100644 index 0000000..0b9a5ac --- /dev/null +++ b/tasks/main.yml @@ -0,0 +1,20 @@ +--- +- import_tasks: include-vars.yml + +- import_tasks: install-with-package.yml + when: not certbot_install_from_source + +- import_tasks: install-from-source.yml + when: certbot_install_from_source + +- include_tasks: create-cert-standalone.yml + with_items: "{{ certbot_certs }}" + when: + - certbot_create_if_missing + - certbot_create_method == 'standalone' + loop_control: + loop_var: cert_item + +- import_tasks: renew-cron.yml + when: certbot_auto_renew + diff --git a/tasks/renew-cron.yml b/tasks/renew-cron.yml new file mode 100644 index 0000000..394a30e --- /dev/null +++ b/tasks/renew-cron.yml @@ -0,0 +1,8 @@ +--- +- name: Add cron job for certbot renewal (if configured). + cron: + name: Certbot automatic renewal. + job: "{{ certbot_script }} renew {{ certbot_auto_renew_options }}" + minute: "{{ certbot_auto_renew_minute }}" + hour: "{{ certbot_auto_renew_hour }}" + user: "{{ certbot_auto_renew_user }}" diff --git a/templates/nginx_ssl_config.j2 b/templates/nginx_ssl_config.j2 new file mode 100644 index 0000000..5bd4299 --- /dev/null +++ b/templates/nginx_ssl_config.j2 @@ -0,0 +1,10 @@ +ssl_certificate /etc/letsencrypt/live/{% if certbot_cert_name %}{{certbot_cert_name}}{% else %}{{ cert_item.domains | first | replace('*.', '') }}{% endif %}/fullchain.pem; +ssl_certificate_key /etc/letsencrypt/live/{% if certbot_cert_name %}{{certbot_cert_name}}{% else %}{{ cert_item.domains | first | replace('*.', '') }}{% endif %}/privkey.pem; +ssl_session_cache shared:le_nginx_SSL:10m; +ssl_session_timeout 1440m; +ssl_session_tickets off; +ssl_protocols TLSv1.2 TLSv1.3; +ssl_prefer_server_ciphers off; +ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"; +ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; +add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; \ No newline at end of file diff --git a/vars/Ubuntu-16.04.yml b/vars/Ubuntu-16.04.yml new file mode 100644 index 0000000..83cf124 --- /dev/null +++ b/vars/Ubuntu-16.04.yml @@ -0,0 +1,2 @@ +--- +certbot_package: letsencrypt diff --git a/vars/default.yml b/vars/default.yml new file mode 100644 index 0000000..d88f2dc --- /dev/null +++ b/vars/default.yml @@ -0,0 +1,2 @@ +--- +certbot_package: certbot