home tools books contact

Automate Let's Encrypt Certificate Install on NGINX

Ansible Automation NGINX

This tutorial will show you how to use Ansible to generate a Let's Encrypt certificate and deploy it to an NGINX server along with a static website. After running the playbook, NGINX will be configured to have an A+ SSL Labs rating.


Before we begin you will need to have installed Ansible on your local machine and have access to a remote Ubuntu server.

The following steps have been tested with Ansible v2.9.11 running on a MacBook Pro with a clean installation of Ubuntu Server 18.04 running as a VM on VMware Fusion*. The steps will also work on a DigitalOcean* droplet. Click here to read how to deploy a droplet using Ansible.

Once you have installed Ansible and have setup your Ubuntu server, add the IP address and the domain name you will generate the certificate for to your DNS server or local hosts file.

The SSL playbook uses Cloudflare DNS to validate the Let’s Encrypt certificate, so you will either have to setup a Cloudflare account or modify the ssl.yml playbook to use a different authentication method.

Step 1: Clone Repository

In previous tutorials, I’ve wrote how to create the playbooks to generate a Let’s Encrypt SSL certificate with Ansible and how to deploy a static website to an NGINX server.

In this tutorial we will use playbooks I’ve already created and published to GitHub.

To get started clone the repo with the following command:

git clone https://github.com/tonymackay/ansible-letsencrypt-nginx
cd ansible-letsencrypt-nginx

Step 2: Create Cloudflare environment variables

Next we need to create a file in a folder called ~/.secrets to store the cloudflare environment variables.

vim ~/.secrets/cloudflare
export CF_EMAIL=<youremail>
export CF_API_TOKEN=<yourtoken>
export CF_ZONE=<yourdomain>

Step 3: Edit the inventory.yml file

Open the inventory.yml and modify the hostname so that it matches the name of your remote Ubuntu server. You will also need to change the username that Ansible will use to login to the system.

Step 4: Edit the vars.yml file

Open the vars.yml and change the domain variable so that it matches the domain name you are going to generate the SSL certificate for. For example, test.graspingtech.com.

Step 5: Copy your public SSH key to the remote server

Use the ssh-copy-id command to copy your public SSH key onto the remote web server. For example:

ssh-copy-id ubuntu@

Step 6: Run the playbooks

Run the playbooks with the following command:


Once the playbooks have finished running, you should be able to browse to the domain specified in the vars.yml file and you should see the SSL certificate has been applied.

Let’s Encrypt NGINX


That’s it. NGINX is installed and configured and you can see the demo website with a Let’s Encrypt SSL certificate applied. The nginx.conf and virtual host files used by the nginx.yml playbook are configured to obtain an A+ SSL Labs rating.

If you want to upload a different website, copy it to the site directory or modify the site-path variable in vars.yml to point to the path of your static site on your machine.

Written by: Tony Mackay