Generate Let's Encrypt SSL Certificates with Ansible and Cloudflare
This tutorial will show you how to create an Ansible playbook that makes it easy to automate the creation and renewal of Let’s Encrypt SSL certificates.
What is Let’s Encrypt?
Let’s Encrypt is a non-profit certificate authority that provides SSL certificates for free. Let’s Encrypt certificates are valid for 90 days and the validation is done using HTTP or DNS which means you can automate the creation process.
This is better than the old way of email validation and having to manually apply certificates because it saves time and reduces the chances of making mistakes or forgetting to renew the certificate.
For this tutorial, we will use DNS as the method of validation by creating an Ansible task that automatically updates the Cloudflare DNS record. If you don’t use Cloudflare, you can still get an idea of how to generate the SSL from this playbook.
Create Ansible Playbook
Create a file called ssl.yml and add the following:
Assign your domain name to the crt_common_name variable and any extra subdomains you want to include in the certificate to the crt_subject_alt_name variable.
Since the playbook is using Cloudflare DNS to validate the Let’s Encrypt certificate, you will also need to assign your Cloudflare API credentials to the cloudflare_* variables. You can either assign them directly in the playbook or pass them in via environment variables by running the commands below before running the playbook:
Run the Ansible playbook with the following command:
After running the playbook. The playbook will create a new folder called certs and the generated keys and certificates will be stored inside it.
That’s all there is to it. After running the playbook, you should have a certs folder containing your SSL certificate. Now you can use another playbook to deploy and install the certificate to your web or application server.
If you ever need to renew the certificate, you can run this playbook again and the new certificate will replace the existing one.