Using Letsencrypt in your LA node - AtlasOfLivingAustralia/documentation Wiki

Intro

This page explains how to use Let's Encrypt certificates with your ALA node.

certbot ansible role

You can create a playbook that automatically requests your Let's Encrypt certificates via the coopdevs.certbot_nginx role. Here is some sample configuration for a server where you want to deploy collectory, biocache, bie and their webservices:

- hosts: yourserver
  tasks:
  - include_role:
      name: coopdevs.certbot_nginx
    vars:
      domain_name: "{{ item }}"
      letsencrypt_email: [email protected]
      certbot_nginx_cert_name: "{{ item }}"
    with_items:
      - bie.example.org
      - bie-ws.example.org
      - biocache.example.org
      - biocache-ws.example.org
      - collectory.example.org
  tags: letsencrypt

This will request a certificate for each subdomain. Later you can configure the certs in your ansible inventories, and rerun ansible.

Recommendation: group your LA domains per server, so that each server requests only the certificates for the services deployed on it.

certbot manual installation

If you prefer to do this manually, you have to install certbot, request your certificates, configure them in your inventories, and rerun ansible.

certbot installation

Follow the certbot installation instructions for Ubuntu to install the certbot Ubuntu package.

certbot certificate request

You can request your certificates with something like:

certbot --nginx --cert-name example.org -d core.example.org -d bie.example.org -d biocache-ws.example.org -d biocache.example.org -d collectory.example.org -d images.example.org

If you want to add a new subdomain to an existing certificate:

certbot --nginx --expand --cert-name example.org -d core.example.org -d bie.example.org -d biocache-ws.example.org -d biocache.example.org -d collectory.example.org -d images.example.org -d lists.example.org -d logger.example.org

In some cases it is better to use certonly (which only obtains the certificate and does not touch the nginx configuration), for example:

certbot certonly --webroot -w /srv/snib.conap.gob.gt/www/ -d snib.conap.gob.gt --cert-name snib

To see your current certificates:

certbot certificates

ALA letsencrypt certificates configuration

Here is a sample of how to configure your certs in your ALA inventories:

[all:vars]
ssl=true
ssl_cert_file=fullchain.pem
ssl_key_file=privkey.pem

[bie-hub:vars]
ssl_certificate_server_dir=/etc/letsencrypt/live/bie.example.org

[bie-index:vars]
ssl_certificate_server_dir=/etc/letsencrypt/live/bie-ws.example.org
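A common failure when wiring Let's Encrypt into the inventories is a `ssl_certificate_server_dir` that points at a live directory certbot never created, or at a certificate whose domain list does not cover the service's hostname (nginx then fails to start, or serves a certificate browsers reject). The following check, an added example that is not part of the ALA documentation or its ansible roles, parses a `certbot certificates` listing together with an inventory and reports those mismatches plus certificates close to expiry. It works for both layouts described on this page (one certificate directory per group, or a single shared one in `[all:vars]`). The group-to-hostname mapping `EXPECTED_HOSTNAMES` is an assumption of this script, not an ALA inventory variable, and all sample data below is constructed.

```python
"""Consistency check between a `certbot certificates` listing and the SSL
settings of an ALA ansible inventory.  Added example; constructed sample data."""
import configparser
import os
from datetime import datetime, timezone

# Constructed sample shaped like the `certbot certificates` listing.
CERTBOT_OUTPUT = """\
Found the following certs:
  Certificate Name: bie.example.org
    Domains: bie.example.org
    Expiry Date: 2024-03-01 00:00:00+00:00 (VALID: 10 days)
    Certificate Path: /etc/letsencrypt/live/bie.example.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/bie.example.org/privkey.pem
  Certificate Name: example.org
    Domains: core.example.org biocache.example.org biocache-ws.example.org collectory.example.org
    Expiry Date: 2024-05-01 00:00:00+00:00 (VALID: 71 days)
    Certificate Path: /etc/letsencrypt/live/example.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.org/privkey.pem
"""

# Constructed inventory fragment: a shared cert in [all:vars], two per-group
# overrides, one of which points at a directory certbot has not issued.
INVENTORY = """\
[bie-hub]
bie.example.org

[all:vars]
ssl=true
ssl_cert_file=fullchain.pem
ssl_key_file=privkey.pem
ssl_certificate_server_dir=/etc/letsencrypt/live/example.org

[bie-hub:vars]
ssl_certificate_server_dir=/etc/letsencrypt/live/bie.example.org

[bie-index:vars]
ssl_certificate_server_dir=/etc/letsencrypt/live/bie-ws.example.org
"""

# Assumed mapping (not an ALA variable): which hostname each group serves.
EXPECTED_HOSTNAMES = {
    "bie-hub": "bie.example.org",
    "bie-index": "bie-ws.example.org",
    "collectory": "collectory.example.org",
    "biocache-hub": "biocache.example.org",
}


def parse_certbot_certificates(text):
    """Map each live directory to its cert name, domain set and expiry."""
    certs, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Certificate Name:"):
            current = {"name": line.split(":", 1)[1].strip(), "domains": set()}
        elif current is None:
            continue
        elif line.startswith("Domains:"):
            current["domains"] = set(line.split(":", 1)[1].split())
        elif line.startswith("Expiry Date:"):
            stamp = line.split(":", 1)[1].strip().split(" (")[0]
            current["expiry"] = datetime.fromisoformat(stamp)
        elif line.startswith("Certificate Path:"):
            path = line.split(":", 1)[1].strip()
            certs[os.path.dirname(path)] = current
    return certs


def check_inventory(inventory_text, certbot_text, expected_hostnames, now, min_days=14):
    """Return a list of human-readable problems; an empty list means all good."""
    inv = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    inv.read_string(inventory_text)
    certs = parse_certbot_certificates(certbot_text)
    defaults = dict(inv["all:vars"]) if inv.has_section("all:vars") else {}
    problems = []
    for group, hostname in expected_hostnames.items():
        group_vars = dict(defaults)          # [all:vars] first ...
        section = f"{group}:vars"
        if inv.has_section(section):
            group_vars.update(inv[section])  # ... then group-level overrides
        if group_vars.get("ssl", "false").lower() != "true":
            problems.append(f"{group}: ssl is not enabled")
            continue
        cert_dir = group_vars.get("ssl_certificate_server_dir")
        if not cert_dir:
            problems.append(f"{group}: no ssl_certificate_server_dir set")
            continue
        cert = certs.get(cert_dir.rstrip("/"))
        if cert is None:
            problems.append(f"{group}: {cert_dir} is not a certbot-managed directory")
            continue
        if hostname not in cert["domains"]:
            problems.append(f"{group}: certificate {cert['name']} does not cover {hostname}")
        days_left = (cert["expiry"] - now).days
        if days_left < min_days:
            problems.append(f"{group}: certificate {cert['name']} expires in {days_left} days")
    return problems


if __name__ == "__main__":
    # Fixed "now" so the constructed expiry dates give repeatable results.
    for problem in check_inventory(INVENTORY, CERTBOT_OUTPUT, EXPECTED_HOSTNAMES,
                                   datetime(2024, 2, 20, tzinfo=timezone.utc)):
        print(problem)
```

On a real node you would feed it the output of `certbot certificates` and your inventory file; running it before `ansible-playbook` catches a typo in a live directory name or a forgotten `--expand` before nginx is reconfigured with a certificate that does not match.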

A certificate for each subdomain or a certificate for several subdomains

In some cases (*) you can simplify your inventories: we recommend requesting one certificate with multiple domains for each server/service of your node. That is, if you have the subdomains bie.example.org and bie-ws.example.org, instead of requesting two certificates it is easier to request one that covers both domains.

So instead of configuring different vars per group, like:

[bie-hub:vars]
ssl_certificate_server_dir=/etc/letsencrypt/live/bie.example.org
[bie-index:vars]
ssl_certificate_server_dir=/etc/letsencrypt/live/bie-ws.example.org
[image-service:vars]
ssl_certificate_server_dir=/etc/letsencrypt/live/images.example.org
(...)

you have only one ansible var to configure in your inventory:

[all:vars]
ssl_certificate_server_dir=/etc/letsencrypt/live/example.org
(...)

(*) This is useful if you have a small node with few servers, so you can request one cert per server covering multiple domains.