Automate Let’s Encrypt SSL Installation with Ansible for Multiple Domains


If you are a system administrator responsible for hundreds or thousands of servers, you will often need to install Let’s Encrypt SSL certificates on many websites. Doing that by hand is slow, error-prone, and easy to do inconsistently from host to host. This is where Ansible comes into the picture.

Ansible is an IT automation tool that lets you describe a repetitive task once and apply it to every host in your environment. You can write an Ansible playbook in a few minutes and then simply run it every time you need to install a Let’s Encrypt SSL certificate on a website.

In this tutorial, we will learn how to install Let’s Encrypt SSL on multiple domains using Ansible on Ubuntu 20.04.

Prerequisites

  • One Ansible control node: a server running CentOS 8 with Ansible installed and configured. To set up Ansible, follow my guide on How to Install and Setup Ansible.
  • Two Ansible target hosts: two working websites hosted on a LAMP stack on Ubuntu 20.04 servers.
  • A valid domain name pointing to each server’s public IP address, with port 80 reachable from the internet so Let’s Encrypt can complete the HTTP-01 challenge. In this tutorial we use web1.linuxbuz.com and web2.linuxbuz.com.

Create an Inventory File

You will need to create an inventory file that defines the IP address and SSH login details of both target hosts.

First, create a directory for your project on the Ansible controller node.

mkdir letsencrypt

Next, create an inventory file inside the letsencrypt directory:

nano letsencrypt/inventory.txt

Add the following lines:

host1 ansible_host=192.168.0.10 ansible_user=root ansible_ssh_pass=password
host2 ansible_host=192.168.0.11 ansible_user=root ansible_ssh_pass=password

Save and close the file when you are finished.

Where:

  • ansible_host is the IP address of the target host.
  • ansible_user is the user Ansible logs in as on the target host (root here).
  • ansible_ssh_pass is that user’s SSH password.

Note: this minimal inventory keeps the root password in clear text on the control node, and anyone who can read the file can log in to every target as root. For anything beyond a lab, log in as an unprivileged user with an SSH key and let Ansible escalate with become, and keep any password that must exist in an ansible-vault encrypted file rather than in the inventory.
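The inventory below is an added example, not the inventory from the original article: it is the same two hosts written in Ansible’s YAML inventory format, logging in as a dedicated unprivileged user with a key and escalating with become. The user name deploy, the key path ~/.ssh/letsencrypt_deploy and the vault_become_password variable are assumptions for the example; that variable is expected to live in group_vars/all/vault.yml next to the inventory (Ansible loads group_vars from the inventory directory automatically), created with ansible-vault create group_vars/all/vault.yml and supplied at run time with --ask-vault-pass.

```yaml
# inventory.yml (added example; replace the inventory.txt of the article or pass with -i)
all:
  hosts:
    host1:
      ansible_host: 192.168.0.10
    host2:
      ansible_host: 192.168.0.11
  vars:
    # Assumed: an unprivileged account created on each target for Ansible only.
    ansible_user: deploy
    # Assumed key path on the control node; the public half goes in deploy's authorized_keys.
    ansible_ssh_private_key_file: ~/.ssh/letsencrypt_deploy
    # Escalate per task instead of logging in as root.
    ansible_become: true
    ansible_become_method: sudo
    # Only needed if deploy's sudo rule requires a password; the value comes from the
    # vault-encrypted group_vars/all/vault.yml, never from this file.
    ansible_become_password: "{{ vault_become_password }}"
```

With this layout the only secret on disk is inside the vault file, and the playbook runs as ansible-playbook -i inventory.yml --ask-vault-pass playbook.yml. If deploy has a NOPASSWD sudo rule, drop the ansible_become_password line and the vault file is not needed at all.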

Define a Variable

Next, you will need to define variables that store your domain names, the Certbot plugin to use and a valid email address for Let’s Encrypt expiry notices.

First, create a directory for variables inside your project directory:

mkdir letsencrypt/vars

Next, create a file named default.yml to define variables:

nano letsencrypt/vars/default.yml

Add the following lines:

certbot_site_names:
  host1: "web1.linuxbuz.com"
  host2: "web2.linuxbuz.com"

certbot_package: "python3-certbot-apache"
certbot_plugin: "apache"
certbot_mail_address: "[email protected]"

Save and close the file when you are finished.

Where:

  • certbot_site_names: a map from each inventory hostname (host1, host2) to the FQDN of the website that host serves. The playbook looks up a host’s domain by its inventory name, so the keys must match the names in inventory.txt exactly.
  • certbot_package: package name of the Certbot plugin for your web server.
  • certbot_plugin: name of the Certbot plugin (the --apache or --nginx authenticator/installer).
  • certbot_mail_address: a valid email address; Let’s Encrypt sends expiry warnings to it.

Note: if your websites are hosted on Nginx, set certbot_plugin to nginx and certbot_package to python3-certbot-nginx.

Create a Playbook to Install Let’s Encrypt SSL

Next, you will need to create a playbook inside your project directory that installs a Let’s Encrypt SSL certificate on both websites.

This playbook will perform the following tasks.

  • Install Python dependencies.
  • Install the Certbot package.
  • Obtain a Let’s Encrypt SSL certificate and configure Apache to use it, redirecting HTTP to HTTPS.
  • Set a cron job for certificate auto-renewal.

To create the main playbook, run the following command:

nano letsencrypt/playbook.yml

Add the following lines:

- hosts: all
  vars_files:
    - vars/default.yml

  tasks:
  - name: Install Python Package
    apt: name=python3 update_cache=yes state=latest

  - name: Install Let's Encrypt Package
    apt: name={{ certbot_package }} update_cache=yes state=latest

  - name: Create and Install Cert Using {{ certbot_plugin }} Plugin
    command: "certbot --{{ certbot_plugin }} -d {{ certbot_site_names[inventory_hostname_short] }} -m {{ certbot_mail_address }} --agree-tos --noninteractive --redirect"
    args:
      # Skip once the certificate exists so re-running the playbook does not
      # re-issue it on every run and burn through Let's Encrypt rate limits.
      creates: "/etc/letsencrypt/live/{{ certbot_site_names[inventory_hostname_short] }}/fullchain.pem"

  - name: Set Letsencrypt Cronjob for Certificate Auto Renewal
    cron: name=letsencrypt_renewal special_time=monthly job="/usr/bin/certbot renew"
    when: ansible_facts['os_family'] == "Debian"

Save and close the file when you are finished.

Two things to be aware of in this playbook. First, the command module is not idempotent by itself: without the creates argument, every run would request a brand-new certificate, and Let’s Encrypt limits duplicate certificates for the same set of names to 5 per week, so a few re-runs would start failing. Second, a monthly renewal check is coarse. Certificates are valid for 90 days and certbot renew only acts when 30 days or fewer remain, so a certificate that still has 31 days left at the monthly check is skipped and expires before the next one. On Ubuntu 20.04 the certbot package already installs a systemd timer (certbot.timer) that runs certbot renew twice a day, so the cron job is redundant there; if you keep a cron job on a system without the timer, run it at least daily.
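The playbook below is an added example, not the one from the original article: it keeps the same vars/default.yml and inventory names but is safe to re-run, works when Ansible logs in as an unprivileged user, relies on the certbot.timer unit shipped with the Ubuntu 20.04 certbot package instead of a monthly cron job, removes the cron job if an earlier run of the article’s playbook created it, and finishes with certbot renew --dry-run so a broken renewal path is reported now rather than in 60 days. The assumption that certbot.timer exists holds for the Ubuntu 20.04 package; on a host that installs certbot another way, keep a daily cron job instead.

```yaml
# playbook-hardened.yml (added example, not the article's playbook.yml)
- hosts: all
  become: true            # works whether ansible_user is root or an unprivileged account
  vars_files:
    - vars/default.yml
  vars:
    # One lookup, used by several tasks; keys of certbot_site_names are inventory names.
    site_name: "{{ certbot_site_names[inventory_hostname_short] }}"

  tasks:
    - name: Install Certbot and the {{ certbot_plugin }} plugin
      ansible.builtin.apt:
        name:
          - python3
          - certbot
          - "{{ certbot_package }}"
        update_cache: yes
        state: present      # 'present' rather than 'latest' so a run never upgrades unexpectedly

    - name: Obtain a certificate for {{ site_name }} and configure the web server
      ansible.builtin.command:
        argv:                               # argv avoids shell quoting issues in names
          - certbot
          - "--{{ certbot_plugin }}"
          - -d
          - "{{ site_name }}"
          - -m
          - "{{ certbot_mail_address }}"
          - --agree-tos
          - --non-interactive
          - --redirect
        # Idempotence: once the live certificate exists, skip the issuance entirely.
        creates: "/etc/letsencrypt/live/{{ site_name }}/fullchain.pem"

    - name: Enable the twice-daily renewal timer shipped with the Ubuntu certbot package
      ansible.builtin.systemd:
        name: certbot.timer
        enabled: yes
        state: started
      when: ansible_facts['os_family'] == "Debian"

    - name: Remove the monthly cron job if an earlier playbook run created it
      ansible.builtin.cron:
        name: letsencrypt_renewal
        state: absent

    - name: Verify the renewal path against the Let's Encrypt staging environment
      ansible.builtin.command:
        argv: [certbot, renew, --dry-run]
      changed_when: false   # a check, never a change; a non-zero exit fails the play
```

Run it exactly like the original: ansible-playbook -i inventory.txt playbook-hardened.yml. A second run reports the issuance task as skipped and every other task as ok, which is the behaviour you want from a playbook that will be run from a scheduler or CI.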

Your final directory structure for the Let’s Encrypt project should look like the following:

/root/letsencrypt/
|-- inventory.txt
|-- playbook.yml
`-- vars
    `-- default.yml

Run Ansible Playbook to Install Let’s Encrypt SSL

With all of the above in place, change into your ~/letsencrypt project directory and run the Ansible playbook with the following command:

cd ~/letsencrypt
ansible-playbook playbook.yml -i inventory.txt

This installs a Let’s Encrypt SSL certificate on every website defined in the vars file. Once the playbook has run successfully, you should see output similar to the following:

PLAY [all] ************************************************************************************************************************************
 
TASK [Gathering Facts] ************************************************************************************************************************
ok: [host1]
ok: [host2]
 
TASK [Install Python Package] *****************************************************************************************************************
ok: [host1]
ok: [host2]
 
TASK [Install Let's Encrypt Package] **********************************************************************************************************
ok: [host1]
ok: [host2]
 
TASK [Create and Install Cert Using Apache Plugin] ********************************************************************************************
ok: [host1]
ok: [host2]
 
PLAY RECAP ************************************************************************************************************************************
host1                      : ok=3    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0  
host2                      : ok=5    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0  

You can now access web1.linuxbuz.com and web2.linuxbuz.com securely over HTTPS. To confirm the redirect and the certificate from the control node, run curl -I http://web1.linuxbuz.com and check that Apache answers with a 301 to the https:// URL, then open the site in a browser or run curl -vI https://web1.linuxbuz.com and check that the certificate is issued by Let’s Encrypt and has about 90 days of validity.


About Hitesh Jethva

I am Hitesh Jethva, founder and author at LinuxBuz.com. I fell in love with Linux when I started learning it. I am a fan of open source technology and have more than 15 years of experience in Linux and open source technologies.
