alanorth/ansible-personal
1
0
Fork 0
Code Issues 4 Pull Requests Projects Releases Wiki Activity

roles/nginx: Switch to acme.sh for Let's Encrypt

Browse Source 
The certbot-auto client that I've been using for a long time is now
only supported if you install it using snap. I don't use snap on my
systems so I decided to switch to the acme.sh client, which is imp-
lemented in POSIX shell with no dependencies. One bonus of this is
that I can start using ECC certificates.

This also configures the .well-known directory so we can use webroot
when installing and renewing certificates. I have yet to understand
how the renewal works with regards to webroot, though. I may have to
update the systemd timers to point to /var/lib/letsencrypt/.well-known.
This commit is contained in:
Alan Orth
2021-03-19 23:39:30 +02:00
parent 65fc52c5e5
commit a34cb1e666
7 changed files with 63 additions and 132 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
roles/nginx/defaults/main.yml
View File

@ -25,10 +25,13 @@ nginx_ssl_stapling_resolver: '1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:
use_letsencrypt: True
# Directory root for Let's Encrypt certs
letsencrypt_root: /etc/letsencrypt/live
letsencrypt_root: /etc/ssl
# Location of Let's Encrypt's certbot script
letsencrypt_certbot_dest: /opt/certbot-auto
# Location where to save initial acme.sh script. After installation the script
# will automatically create its home in the /root/.acme.sh directory (including
# a copy of the script itself).
letsencrypt_acme_script: /root/acme.sh
letsencrypt_acme_home: /root/.acme.sh
# stable is 1.18.x
# mainline is 1.19.x