Others have pointed it out already: Certbot makes it easy to handle certificates, while the acme_certificate module is more flexible and transparent.
Acquire Certificate
To request the SSL certificate with acme_certificate, there are good examples on DigitalOcean or on Reddit. These examples boil down to the following tasks:

1. Ensure you have a private key for your ACME account. (module `openssl_privatekey`)
2. Ensure you have a private key for your certificate. (module `openssl_privatekey`)
3. Ensure you have a certificate signing request. (module `openssl_csr`)
4. Then a challenge is requested from letsencrypt. (module `acme_certificate`)
5. One of the challenges dns-01, http-01 or tls-alpn-01 is implemented.
6. The certificate from letsencrypt is requested. (module `acme_certificate`)
7. (optional) The challenge implementation is removed.
8. The server configuration is updated with the SSL certificates.
With Certbot you can have all these steps in one handy command. They provide instructions for any platform.

```sh
sudo certbot --nginx
```

The acme_certificate module is Ansible native, and a playbook with all these steps is only written once. The tasks in the playbook are transparent, and you have the certificates and keys for your server configuration at hand. With Certbot you have to know the directory `/etc/letsencrypt/live/my.domain.com` in which those artifacts are generated.
Renew Certificate
A crucial point is the responsibility for certificate renewal. The above Certbot command has already created a cron job which checks the validity of the certificate and renews it if required. If the certificate is managed with Ansible, you have to run an Ansible playbook for renewal.

Letsencrypt certificates are valid for 90 days, so the renewal process has to be automated. For the renewal, the above Ansible playbook works; it does the renewal as well. However, during the first 30 days a challenge response is cached at letsencrypt and no new challenge is returned at task (4). So, executed a second time during the first 30 days, the above playbook requires some conditions. Additionally, it is advised to create a new CSR (3) and certificate key (2) when a certificate is renewed. Handling this properly, the playbook will grow quite a bit.

On Ubuntu, the above certbot command has already created a cron job which handles certificate renewal, so nothing else needs to be done.
Conclusion
There are roles in Ansible Galaxy for Certbot and for the acme_certificate module. Personally, I like the acme_certificate module for its transparency and because it's an Ansible native solution. However, I run Ansible from my personal notebook, and I do not want to remember to run a playbook for certificate renewal. Therefore, I have installed Certbot, which runs on the host and does the renewal without an external trigger.
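The playbook outlined in the answer above, written out as an added example (this is not code from the answer, from the DigitalOcean or Reddit examples it mentions, or from the Ansible project). It implements tasks 1 to 8 with the http-01 challenge and handles the two renewal points raised above: domains whose authorization Let's Encrypt still caches are simply missing from `challenge_data`, so the challenge-publishing task loops over whatever is returned and everything after task 4 is skipped when nothing changed; and a renewal is decided up front with `x509_certificate_info` so that the certificate key (2) and CSR (3) are regenerated before a new certificate is requested. The host group, domain names, account e-mail, certificate directory and nginx webroot are assumptions; the nginx virtual host is assumed to already reference the fullchain and key paths used here.

```yaml
# Added example, not part of the original answer. Assumed values: host
# group "webservers", domains example.com/www.example.com, paths under
# /etc/ssl/acme, nginx webroot /var/www/html, account e-mail admin@example.com.
- name: Obtain or renew a Let's Encrypt certificate with acme_certificate
  hosts: webservers
  become: true
  vars:
    domains: ["example.com", "www.example.com"]   # assumed
    acme_email: "admin@example.com"               # assumed
    acme_directory: "https://acme-v02.api.letsencrypt.org/directory"
    cert_dir: /etc/ssl/acme                       # assumed
    webroot: /var/www/html                        # assumed nginx root
    renew_within_days: 30   # renew when fewer than 30 days remain
    name: "{{ domains[0] }}" # file name stem for key/CSR/cert
  tasks:
    - name: Ensure certificate and challenge directories exist
      ansible.builtin.file:
        path: "{{ item }}"
        state: directory
        mode: "0755"
      loop:
        - "{{ cert_dir }}"
        - "{{ webroot }}/.well-known/acme-challenge"

    # (1) account key: created once, never rotated by this play
    - name: Ensure ACME account key exists
      community.crypto.openssl_privatekey:
        path: "{{ cert_dir }}/account.key"
        type: RSA
        size: 4096
        mode: "0600"

    # Decide about renewal BEFORE touching key and CSR, so a renewal
    # always gets a fresh key pair. The info task fails on the very first
    # run (no certificate yet), which counts as "renewal needed".
    - name: Check whether the current certificate is still valid in renew_within_days
      community.crypto.x509_certificate_info:
        path: "{{ cert_dir }}/{{ name }}.crt"
        valid_at:
          renew: "+{{ renew_within_days }}d"
      register: cert_info
      ignore_errors: true

    - name: Decide whether to renew
      ansible.builtin.set_fact:
        renew_needed: "{{ cert_info is failed or not cert_info.valid_at.renew }}"

    # (2) certificate key, regenerated whenever a renewal is due
    - name: Ensure certificate private key exists (fresh one on renewal)
      community.crypto.openssl_privatekey:
        path: "{{ cert_dir }}/{{ name }}.key"
        type: RSA
        size: 2048
        mode: "0600"
        force: "{{ renew_needed }}"

    # (3) CSR; openssl_csr rewrites it when the key no longer matches
    - name: Ensure CSR exists and matches the private key
      community.crypto.openssl_csr:
        path: "{{ cert_dir }}/{{ name }}.csr"
        privatekey_path: "{{ cert_dir }}/{{ name }}.key"
        common_name: "{{ domains[0] }}"
        subject_alt_name: "{{ domains | map('regex_replace', '^', 'DNS:') | list }}"

    # (4) request challenges; unchanged if the cert is still good enough
    - name: Request http-01 challenge
      community.crypto.acme_certificate:
        acme_directory: "{{ acme_directory }}"
        acme_version: 2
        terms_agreed: true
        account_email: "{{ acme_email }}"
        account_key_src: "{{ cert_dir }}/account.key"
        csr: "{{ cert_dir }}/{{ name }}.csr"
        dest: "{{ cert_dir }}/{{ name }}.crt"
        fullchain_dest: "{{ cert_dir }}/{{ name }}-fullchain.crt"
        challenge: http-01
        remaining_days: "{{ renew_within_days }}"
        force: "{{ renew_needed }}"
      register: challenge

    # (5) publish tokens. Domains with a cached authorization (first 30
    # days) are absent from challenge_data, so the loop handles both cases.
    - name: Publish http-01 challenge tokens under the webroot
      ansible.builtin.copy:
        dest: "{{ webroot }}/{{ item.value['http-01']['resource'] }}"
        content: "{{ item.value['http-01']['resource_value'] }}"
        mode: "0644"
      loop: "{{ challenge.challenge_data | default({}) | dict2items }}"
      when: challenge is changed

    # (6) let Let's Encrypt validate and fetch the certificate
    - name: Validate challenge and retrieve certificate
      community.crypto.acme_certificate:
        acme_directory: "{{ acme_directory }}"
        acme_version: 2
        terms_agreed: true
        account_email: "{{ acme_email }}"
        account_key_src: "{{ cert_dir }}/account.key"
        csr: "{{ cert_dir }}/{{ name }}.csr"
        dest: "{{ cert_dir }}/{{ name }}.crt"
        fullchain_dest: "{{ cert_dir }}/{{ name }}-fullchain.crt"
        challenge: http-01
        remaining_days: "{{ renew_within_days }}"
        force: "{{ renew_needed }}"
        data: "{{ challenge }}"
      when: challenge is changed
      notify: reload nginx

    # (7) optional: remove the challenge files again
    - name: Remove published challenge tokens
      ansible.builtin.file:
        path: "{{ webroot }}/{{ item.value['http-01']['resource'] }}"
        state: absent
      loop: "{{ challenge.challenge_data | default({}) | dict2items }}"
      when: challenge is changed

  # (8) the nginx vhost is assumed to point at {{ name }}-fullchain.crt
  # and {{ name }}.key; reloading picks up the renewed files.
  handlers:
    - name: reload nginx
      ansible.builtin.service:
        name: nginx
        state: reloaded
```

Run it as often as you like (for example from cron or a scheduled CI job on the machine that holds the account key): while the certificate is valid for more than `renew_within_days`, tasks 4 to 7 report no change and nothing is requested from Let's Encrypt; once it falls below that, the key and CSR are regenerated and a new certificate is issued. Point `acme_directory` at `https://acme-staging-v02.api.letsencrypt.org/directory` while testing to stay clear of the production rate limits.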