Ansible role for Certbot (for Let's Encrypt)
Jakub Sokołowski 17986a8090
create: ignore stop/start errors
Service might not yet exist.

Signed-off-by: Jakub Sokołowski <jakub@status.im>
2024-03-18 18:37:10 +01:00

Description

Installs and configures Certbot (for Let's Encrypt).

Requirements

If installing from source, Git is required. You can install Git using the geerlingguy.git role.

Generally, installing from source (see section Source Installation from Git) leads to a better experience using Certbot and Let's Encrypt, especially if you're using an older OS release.

Configuration

The install-method variable in the role defaults controls how Certbot is installed. Available options are 'package', 'snap', and 'source'. The remaining defaults are:

```yaml
certbot_admin_email: 'admin@example.org'
certbot_auto_renew: true
certbot_auto_renew_user: 'www-data'
certbot_auto_renew_frequency: 'daily'
certbot_auto_renew_options: "--quiet --no-self-upgrade"
certbot_certs:
  - domains: 'something.example.org'
```

The email address used to agree to Let's Encrypt's TOS and subscribe to cert-related notifications. This should be customized and set to an email address that you or your organization regularly monitors.

By default, this role configures a systemd timer that runs `certbot renew` (or `certbot-auto renew` for a source install) once a day under the user given in `certbot_auto_renew_user`. The account used should be a non-root account. Two things follow from that: Certbot must be able to write to its config, work and log directories (by default `/etc/letsencrypt`, `/var/lib/letsencrypt` and `/var/log/letsencrypt`, which are root-owned when the initial certificate was issued as root), so either make those directories owned by the renewal user or point it at its own with `--config-dir`, `--work-dir` and `--logs-dir` in `certbot_auto_renew_options`; and any hooks that stop, start or reload services must be runnable by that user. Note also that `--no-self-upgrade` in the default options is a `certbot-auto` option; drop it when Certbot is installed as a package or snap.

Standalone Certificate Generation

Services that should be stopped while Certbot runs its own standalone server on ports 80 and 443 during the initial certificate request. The default is `nginx`; other valid values are `apache2` or any other service that binds those ports.

```yaml
certbot_create_standalone_stop_services:
  - nginx
```

These services are only stopped the first time a new cert is generated (errors from stopping or starting them are ignored at that point, since the service may not exist yet). Scheduled renewals do not stop them, and a renewal with the standalone authenticator still needs port 80 free, so if a web server stays bound to that port, add hooks such as `--pre-hook 'systemctl stop nginx' --post-hook 'systemctl start nginx'` to `certbot_auto_renew_options`.
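A complete playbook pulling the settings from the Configuration and Standalone Certificate Generation sections together (an added example, not from the role's README; the `web` host group, the second certificate, the `ops@example.org` address and the renewal hooks are assumptions for illustration, and the role name must match the name the role is installed under):

```yaml
---
# Added example playbook; not part of the role. Assumes an Ubuntu host in
# the "web" group that is reachable from the internet on port 80 for the
# initial standalone challenge.
- hosts: web
  become: true

  vars:
    # Monitored mailbox for Let's Encrypt notifications (assumed address).
    certbot_admin_email: 'ops@example.org'

    certbot_auto_renew: true
    certbot_auto_renew_user: 'www-data'
    certbot_auto_renew_frequency: 'daily'
    # Renewals reuse the standalone authenticator, which needs port 80 free,
    # so free it around each run. The hooks are an assumption about this
    # deployment, not a role default; they must be runnable by www-data.
    certbot_auto_renew_options: "--quiet --pre-hook 'systemctl stop nginx' --post-hook 'systemctl start nginx'"

    # One entry per certificate; the second entry is illustrative.
    certbot_certs:
      - domains: 'www.example.org'
      - domains: 'api.example.org'

    # Stopped only for the first issuance, so the standalone server can bind.
    certbot_create_standalone_stop_services:
      - nginx

  roles:
    - role: certbot   # adjust to the name the role is installed under
```

Run it once to issue the certificates; afterwards the systemd timer created by the role handles renewal without further playbook runs.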

Certbot certificate auto-renewal

You can test the auto-renewal (without actually renewing the cert) with the command:

```sh
/opt/certbot/certbot renew --dry-run
```

`/opt/certbot/certbot` is the path for a source install; for a package or snap install run `certbot renew --dry-run`. The dry run performs the full challenge against Let's Encrypt's staging environment, so it also surfaces a port 80 conflict with a running web server before a real renewal fails.
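The dry run shows that a renewal could succeed; it does not show whether the certificate a host is actually serving was renewed. The following script is an added example (not part of the role) that uses the openssl CLI to report how close a certificate is to expiry, either from a local `fullchain.pem` under `/etc/letsencrypt/live/<cert-name>/` or from whatever a live host presents; the 30-day threshold and the hostnames in the usage lines are assumptions.

```sh
#!/bin/sh
# Added example (not part of the role): flag a Let's Encrypt certificate
# that is close to expiry, so a silently failing renewal timer is noticed
# before the certificate lapses. Requires the openssl CLI.

# cert_expires_within DAYS CERT_PEM
# Return 0 if the certificate in CERT_PEM expires within DAYS (or cannot be
# read, which is treated as needing attention), 1 if it stays valid longer.
cert_expires_within() {
    days="$1"; cert="$2"
    # `openssl x509 -checkend N` exits 0 when the certificate is still valid
    # N seconds from now, and 1 when it will have expired by then.
    if openssl x509 -noout -in "$cert" -checkend "$((days * 86400))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# served_cert HOST [PORT]
# Print, as PEM, the leaf certificate HOST currently serves (SNI set to HOST).
# The empty stdin makes s_client exit after the handshake.
served_cert() {
    host="$1"; port="${2:-443}"
    printf '' | openssl s_client -servername "$host" -connect "$host:$port" 2>/dev/null \
        | openssl x509 -outform PEM
}

# check_cert DAYS CERT_PEM
# Print subject and expiry, then return 0 if renewal is needed, 1 otherwise.
check_cert() {
    days="$1"; cert="$2"
    openssl x509 -noout -subject -enddate -in "$cert"
    if cert_expires_within "$days" "$cert"; then
        echo "RENEW: expires within $days days"
        return 0
    fi
    echo "OK: valid for more than $days days"
    return 1
}

# Usage on a host managed by this role (assumed paths and names):
# check_cert 30 /etc/letsencrypt/live/something.example.org/fullchain.pem
# served_cert something.example.org > /tmp/served.pem && check_cert 30 /tmp/served.pem
```

Comparing the local `fullchain.pem` with the served certificate catches the other common failure: Certbot renewed the files on disk, but the web server was never reloaded and keeps serving the old chain.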

See full documentation and options on the Certbot website.

License

MIT / BSD

Author Information

This role was created in 2016 by Jeff Geerling, author of Ansible for DevOps.