Install, configure and run acmetool to generate Let's Encrypt TLS certificates.
acmetool will be configured to use its redirector mode. It will listen on
port 80 and redirect (HTTP 308) anything
that is not a challenge request.
See acme on GitHub for details.
-
become: trueis required as most actions need to be run as root, the rest is run underacmewhich will be created by the role. -
You need to open port 80/TCP for
acmetoolto serve challenges. -
As the
redirectormode is used by default, no HTTP server is required to run. You can install whatever server you want to run after running this role so it can use the generated certificates. -
Chose your provider and set its API endpoint in
acmetool_server, see below. -
The
cronpackage is required for automatic renewal.
# Address used to register domains with LetsEncrypt.
acmetool_email: "contact@example.com"
# space-separated list of domains to register.
acmetool_domains: "www.example.com example.com"# CA server. This defaults to the acme-staging server for testing purposes.
# You will need to change this to the production server :
# https://acme-v01.api.letsencrypt.org/directory
acmetool_server: "https://acme.example.com/directory"
# Change this to RSA if your server does not support EC keys (eg. murmur).
acmetool_key_type: "ecdsa"
# If you don't trust acmetool to run hooks as root (sudo), set this to false.
acmetool_enable_hooks: falseSee the defaults for the complete list.
- hosts: all
roles:
- { role: "L-P.acmetool", become: true }Because on Debian services are automatically enabled and started with their
default configuration when installed, nginx will fail to install and leave
dpkg in a semi-broken state.
To avoid this you can run the following play between the installation of
acmetool and nginx. It will only run if nginx is not yet configured.
- hosts: all
become: true
tasks:
- name: Stop acmetool
tags: "nginx"
command: "service acmetool stop"
args:
creates: "/etc/nginx/nginx.conf"You can adapt this for any other service that fails the same way.
MIT