LetsEncrypt wildcard + Ansible

2018-07-09

When LetsEncrypt announced the availability of wildcard certs, I knew I wanted in. In my homelab, in order to get SSL up and running, I’d been running Caddy, since it automagically gets a cert by doing DNS validation. However, that’s an extra step that can complicate things. With a wildcard cert, I can even put SSL places I couldn’t previously - such as my router and my FreeNAS box.

How To Do

Obtaining a wildcard cert

Due to popular demand, I’ll provide some basic steps to get your wildcart cert. I’m assuming you’re running Ubuntu or Debian, but you can probably adapt these directions as needed.

Prerequisites: apt install python-pip python-dev build-essential python-yaml libffi5-dev

Remove any old certbots you may have installed - apt remove certbot.

Finally, install stuff: pip install certbot certbot-dns-$provider. In my case, $provider = cloudflare

Then, create a file /etc/letsencrypt/$provider.ini and chmod 600 it. Inside it looks something like

## Cloudflare API credentials used by Certbot
dns_cloudflare_email = [email protected]
dns_cloudflare_api_key = 0123456789abcdef0123456789abcdef01234567

Then, you can run certbot certonly --dns-$provider --dns-$provider-credentials /etc/letsencrypt/cloudflare.ini *.yourdomain.com and it should be good!

Step 1 is of course to obtain your wildcard cert. I’ll offer a few tips, but I’ll leave this exercise up to the reader. I use the official latest certbot, but it does have to have support for your DNS provider - in my case, Cloudflare. The documentation for certbot should be able to get you up and running. Also, make sure you setup a cronjob to auto-renew the cert.

Next, since I run Ansible as a non-root user, I needed a way to get my user to read the otherwise unreadable certs. So, being slightly lazy, I did a chgrp -R sudo /etc/letsencrypt/archive/$domain && chmod g+rx /etc/letsencrypt/archive/$domain && chmod g+r /etc/letsencrypt/archive/$domain/*. Then, the files remain accessible to any user who’s a member of sudo. Not super elegant, but it works.

Finally, the “hard” part - the Ansible playbook. To help out with this, I created a host group in my inventory - something like this:

[wildcard_hosts]
foo.cmdcentral.xyz      ssl_cert_path=/etc/pki/tls/certs/ca.crt ssl_key_path=/etc/pki/tls/private/ca.key
bar.cmdcentral.xyz      ssl_all_path=/etc/lighttpd/server.pem
baz.cmdcentral.xyz      ssl_cert_path=/etc/certificates/wildcard.crt ssl_key_path=/etc/certificates/wildcard.key
foowho.cmdcentral.xyz   ssl_cert_path=/etc/ssl/fullchain1.pem ssl_key_path=/etc/ssl/privkey1.pem

Then, here’s the playbook. Note that if it fires the “Restart web servers” handler, it’ll “error” on any web server that isn’t running/doesn’t exist. That’s okay, though, as it’ll still try and restart others, until it finds and restarts the one you want. Ansible experts, teach me how to do this better!

---
- hosts: wildcard_hosts
  become: yes
  become_method: sudo

  tasks:
  - name: copy updated cert
    copy:
      backup: yes
      dest: "{{ ssl_cert_path }}"
      src: /etc/letsencrypt/live/$domain/fullchain.pem
    notify: Restart web servers
    when: ssl_cert_path is defined

  - name: copy updated private key
    copy:
      backup: yes
      dest: "{{ ssl_key_path }}"
      src: /etc/letsencrypt/live/$domain/privkey.pem
    notify: Restart web servers
    when: ssl_key_path is defined

  - name: copy concatenated cert + private key
    assemble:
      backup: yes
      dest: "{{ ssl_all_path }}"
      src: /etc/letsencrypt/live/$domain/
      remote_src: no
      regexp: "(fullchain\\.pem|privkey\\.pem)"
    notify: Restart web servers
    when: ssl_all_path is defined

  handlers:
  - name: Restart web servers
    service:
      name: "{{ item }}"
      state: restarted
    with_items:
      - nginx
      - apache2
      - httpd
      - lighttpd
    ignore_errors: yes

Finally, I set up a cronjob in my user’s crontab (crontab -e as user) to run this playbook automatically, so hosts get the updated cert if it exists:

## m h  dom mon dow   command # every monday at 5am
  0 5  *   *   1 /usr/bin/ansible-playbook /home/bschafer/ansible/wildcard.yml > /home/bschafer/log/wildcard.log 2>&1

Enter your instance's address