Using Letsencrypt in your LA node - AtlasOfLivingAustralia/documentation GitHub Wiki

• Intro
• certbot ansible role
• certbot manual installation
  • certbot installation
  • certbot certifications request
• ALA letsencrypt certificates configuration
  • A certificate for each subdomain or a certificate for several subdomains

We explain here how to use letsencrypt certificates with ALA.

You can create an playbook to auto request your letsencrypt certs via the coopdevs.certbot_nginx role. Some sample configuration for some server (where you want to deploy collectory/biocache/bie and webservices):

- hosts: yourserver
  tasks:
  - include_role:
      name: coopdevs.certbot_nginx
    vars:
      domain_name: "{{ item }}"
      letsencrypt_email: [email protected]
      certbot_nginx_cert_name: "{{ item }}"
    with_items:
      - bie.example.org
      - bie-ws.example.org
      - biocache.example.org
      - biocache-ws.example.org
      - collectory.example.org
  tags: letsencrypt

This will request a certificate for each subdomain. Later you can configure the certs in your ansible inventories, and rerun ansible.

Recommendation: Group your LA domains per each server where you will deploy it.

If you prefer to do this manually, you have to install certbot, request your certificates, configure the certificates in your inventories, and rerun ansible.

Follow certbot installation instructions for ubuntu to install the certbot ubuntu package.

You can request your certificates with something like:

certbot --nginx --cert-name example.org -d core.example.org -d bie.example.org -d biocache-ws.example.org -d biocache.example.org -d collectory.example.org -d images.example.org

If you want to add a new subdomain to an existing certificate:

certbot --nginx --expand --cert-name example.org -d core.example.org -d bie.example.org -d biocache-ws.example.org -d biocache.example.org -d collectory.example.org -d images.example.org -d lists.example.org -d logger.example.org

In some case in better to use certonly like:

certbot certonly --webroot -w /srv/snib.conap.gob.gt/www/ -d snib.conap.gob.gt --cert-name snib

To see your current certificates:

certbot certificates

Here some sample of how to configure your certs in your ALA inventories:

[all:vars]
ssl=true
ssl_cert_file=fullchain.pem
ssl_key_file=privkey.pem

[bie-hub:vars]
ssl_certificate_server_dir=/etc/letsencrypt/live/bie.example.org

[bie-index:vars]
ssl_certificate_server_dir=/etc/letsencrypt/live/bie-ws.example.org

In some cases (*), you can try to simplify your inventories: We recommend to request one certificate with multiple domain for each server/service of your node to simplify our inventories. That is, if you have this subdomains bie.example.org and bie-ws.example.org, instead of request two certificates, is more easy to request one with the two domains.

So instead of configure different vars, like:

[bie-hub:vars]
ssl_certificate_server_dir=/etc/letsencrypt/live/bie.example.org
[bie-index:vars]
ssl_certificate_server_dir=/etc/letsencrypt/live/bie-ws.example.org
[image-service:vars]
ssl_certificate_server_dir=/etc/letsencrypt/live/images.example.org
(...)

you have only one ansible var configuration in some inventory:

[all:vars]
ssl_certificate_server_dir=/etc/letsencrypt/live/example.org
(...)

(*) This is useful if you have a small node with few servers so you can request a cert per server with multiple domains.