Uses Ansible Role: Let's Encrypt in private networks to:
- Set up the Let's Encrypt ACME client on the local Debian/Ubuntu Linux server `control.example.com` and sign/renew certificates.
- Deploy them to local Linux or Windows proxy/web servers: `utm.example.com`, `nginx.example.com`, `msx.example.com` and `iis.example.com`.
- Automate the certificate cycle on the local Debian/Ubuntu Linux server `control.example.com`, acting as the Ansible Control Machine.
- Ansible >= 2.5 (Docs)
- `letsencrypt` role requirements
- Make sure all Windows servers are pre-configured for remote management with Ansible (Wiki).
- Make sure Sophos UTM is pre-configured for Ansible Role: Let's Encrypt (Wiki).
- Make sure the Windows Server running Spiceworks Network Monitor is pre-configured (Wiki).
```shell
$ sudo su
mkdir /opt/letsencrypt
cd /opt/letsencrypt
mkdir certs
chmod 0700 certs
git clone --recursive https://github.com/rembik/ansible-letsencrypt-example.git provision
cd provision
```
After cloning the repository and creating the local certificate-exchange directory, create a file that contains your Ansible vault password, then create a vault file for every `vars` file that needs one (Docs).

```shell
$ touch .vault
chmod 0600 .vault
# write your vault password into .vault before running the playbook
$ ansible-vault create host_vars/control_example_com/vault
$ ansible-vault create ...
```
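The certificate-exchange directory and the vault password file are the two secrets-bearing paths this setup creates, and the playbook relies on the modes set above (`0700` on `certs`, `0600` on `.vault`). The following check script is an added example, not part of the ansible-letsencrypt-example repository: it verifies those modes and that `.vault` is not still the empty file `touch` left behind. The default base path `/opt/letsencrypt` follows the steps above; any other layout is passed as the `BASE` argument (an assumption of this script).

```shell
#!/bin/sh
# Added example (not from the ansible-letsencrypt-example repo): verify the file
# modes the setup steps rely on before running the playbook.
# Layout assumed: BASE/certs (0700) and BASE/provision/.vault (0600, non-empty).

# mode_of PATH: print the octal permission bits (GNU stat first, BSD stat as fallback)
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_mode PATH WANT: succeed only if PATH exists and has exactly mode WANT (e.g. 0600)
check_mode() {
    path="$1"
    want=$(printf '%o' "0$2")              # normalise "0600" and "600" to the same form
    if [ ! -e "$path" ]; then
        echo "missing: $path" >&2
        return 1
    fi
    have=$(printf '%o' "0$(mode_of "$path")")
    if [ "$have" != "$want" ]; then
        echo "bad mode on $path: have $have, want $want" >&2
        return 1
    fi
    return 0
}

# check_vault_file FILE: the vault password file must be mode 0600 and must not be
# empty ('touch .vault' alone creates an empty file, which is not a usable password).
check_vault_file() {
    check_mode "$1" 0600 || return 1
    if [ ! -s "$1" ]; then
        echo "empty vault password file: $1" >&2
        return 1
    fi
    return 0
}

# check_setup BASE: run every check for the layout described above; BASE defaults
# to /opt/letsencrypt. Reports all problems, then fails if any was found.
check_setup() {
    base="${1:-/opt/letsencrypt}"
    rc=0
    check_mode "$base/certs" 0700 || rc=1
    check_vault_file "$base/provision/.vault" || rc=1
    return $rc
}

# Usage: save as check_setup.sh and run `sh check_setup.sh [BASE]`.
# The guard keeps the checks from running when the file is only sourced.
case "${0##*/}" in
    check_setup.sh) check_setup "$1" && echo "permissions OK" ;;
esac
```

Run it as root (the same shell the setup steps use) right after creating `.vault`; a non-zero exit means the playbook would either expose the exchanged certificates or fail to decrypt the vault.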
Run the playbook to set up the Let's Encrypt ACME clients and sign/renew all certificates:

```shell
$ ansible-playbook letsencrypt.yml --vault-password-file .vault -t setup,certificate
```
Now do the initial import of the certificates that should be deployed to Sophos UTM, and obtain the references `ref` and `ref_ca` needed there (see Wiki).
Finally, when the configuration of all the inventory files is complete, run the certificate deployment process with the playbook:

```shell
$ ansible-playbook letsencrypt.yml --vault-password-file .vault -t deploy
```
After these initial plays, the set-up of the automated certificate cycle for your private network is complete.
See ansible-letsencrypt-example Wiki for troubleshooting.