Using Letsencrypt in your LA node - AtlasOfLivingAustralia/documentation GitHub Wiki
We explain here how to use Let's Encrypt certificates with ALA.
You can create a playbook to automatically request your Let's Encrypt certs via the coopdevs.certbot_nginx role. Here is some sample configuration for a server on which you want to deploy collectory, biocache, bie and their web services:
```yaml
- hosts: yourserver
  tasks:
    - include_role:
        name: coopdevs.certbot_nginx
      vars:
        domain_name: "{{ item }}"
        letsencrypt_email: [email protected]
        certbot_nginx_cert_name: "{{ item }}"
      with_items:
        - bie.example.org
        - bie-ws.example.org
        - biocache.example.org
        - biocache-ws.example.org
        - collectory.example.org
      tags: letsencrypt
```
This will request a certificate for each subdomain. Later you can configure the certs in your ansible inventories and rerun ansible.
Recommendation: group your LA domains per server, according to where each service will be deployed.
If you prefer to do this manually, you have to install certbot, request your certificates, configure the certificates in your inventories, and rerun ansible.
Follow the certbot installation instructions for Ubuntu to install the certbot Ubuntu package.
You can request your certificates with something like:
```bash
certbot --nginx --cert-name example.org -d core.example.org -d bie.example.org -d biocache-ws.example.org -d biocache.example.org -d collectory.example.org -d images.example.org
```
If you want to add a new subdomain to an existing certificate:
```bash
certbot --nginx --expand --cert-name example.org -d core.example.org -d bie.example.org -d biocache-ws.example.org -d biocache.example.org -d collectory.example.org -d images.example.org -d lists.example.org -d logger.example.org
```
In some cases it is better to use certonly, like:
```bash
certbot certonly --webroot -w /srv/snib.conap.gob.gt/www/ -d snib.conap.gob.gt --cert-name snib
```
To see your current certificates:
```bash
certbot certificates
```
Here is a sample of how to configure your certs in your ALA inventories:
```ini
[all:vars]
ssl=true
ssl_cert_file=fullchain.pem
ssl_key_file=privkey.pem
[bie-hub:vars]
ssl_certificate_server_dir=/etc/letsencrypt/live/bie.example.org
[bie-index:vars]
ssl_certificate_server_dir=/etc/letsencrypt/live/bie-ws.example.org
```
In some cases (*), you can simplify your inventories: we recommend requesting one certificate with multiple domains for each server/service of your node. That is, if you have the subdomains bie.example.org and bie-ws.example.org, instead of requesting two certificates, it is easier to request one covering both domains.
So instead of configuring different vars, like:
```ini
[bie-hub:vars]
ssl_certificate_server_dir=/etc/letsencrypt/live/bie.example.org
[bie-index:vars]
ssl_certificate_server_dir=/etc/letsencrypt/live/bie-ws.example.org
[image-service:vars]
ssl_certificate_server_dir=/etc/letsencrypt/live/images.example.org
(...)
```
you only need one ansible var configuration in your inventory:
```ini
[all:vars]
ssl_certificate_server_dir=/etc/letsencrypt/live/example.org
(...)
```
(*) This is useful if you have a small node with few servers, so you can request one cert per server covering multiple domains.
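Before rerunning ansible, it is worth checking that each `ssl_certificate_server_dir` in the inventory really points at a certificate that lists that group's hostname, since a cert that was never expanded (see the `--expand` command above) will make nginx serve a certificate that does not match the name. The following is an added example, not code from the ALA wiki or the ALA project: it parses a minimal ini inventory and the output of `certbot certificates` (both constructed samples; it assumes the inventory keeps group hostnames in `[group]` sections and that certbot prints `Domains:` and `Certificate Path:` lines, which may vary slightly between certbot versions) and reports any SSL host not covered by its certificate.

```python
# Added example (not ALA code): cross-check an ini inventory against `certbot certificates`;
# INVENTORY and CERTBOT_OUTPUT are constructed samples, not real output.
INVENTORY = """
[all:vars]
ssl=true
ssl_certificate_server_dir=/etc/letsencrypt/live/example.org
[bie-hub]
bie.example.org
[lists]
lists.example.org
"""
CERTBOT_OUTPUT = """
  Certificate Name: example.org
    Domains: core.example.org bie.example.org biocache.example.org collectory.example.org
    Certificate Path: /etc/letsencrypt/live/example.org/fullchain.pem
"""
def parse_inventory(text):
    """Minimal ini-inventory parser: hosts per group and vars per group."""
    hosts, gvars, section = {}, {}, "ungrouped"
    for line in filter(None, (raw.split("#", 1)[0].strip() for raw in text.splitlines())):
        if line.startswith("["):
            section = line.strip("[]")
        elif section.endswith(":vars"):
            key, _, val = line.partition("=")
            gvars.setdefault(section[:-5], {})[key.strip()] = val.strip()
        else:  # host line; the first token is the inventory hostname
            hosts.setdefault(section, []).append(line.split()[0])
    return hosts, gvars
def parse_certbot_certificates(text):
    """Map each live/ directory to the set of domains (SANs) its cert covers."""
    certs, domains = {}, set()
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Domains:"):
            domains = set(line.split(":", 1)[1].split())
        elif line.startswith("Certificate Path:"):
            certs[line.split(":", 1)[1].strip().rsplit("/", 1)[0]] = domains
    return certs
def check_ssl_coverage(inventory, certbot_output):
    """Return problems found; an empty list means every SSL host is covered."""
    hosts, gvars = parse_inventory(inventory)
    certs, problems = parse_certbot_certificates(certbot_output), []
    for group, members in hosts.items():
        merged = {**gvars.get("all", {}), **gvars.get(group, {})}  # group vars override all:vars
        live_dir = merged.get("ssl_certificate_server_dir", "")
        covered = certs.get(live_dir)
        if merged.get("ssl", "false").lower() != "true":
            continue
        if covered is None:
            problems.append(f"{group}: no certbot cert found in {live_dir!r}")
        else:
            problems += [f"{group}: {h} is not a SAN of the cert in {live_dir}" for h in members if h not in covered]
    return problems
```

With the sample data the check reports only the `lists` group, whose hostname is missing from the shared certificate; feed it your real inventory file and the actual `certbot certificates` output to check a node.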