As discussed by Karen Stevenson in her blog article HTTPS Everywhere: Security is Not Just for Banks, it is a good idea to run every website, even a small one, encrypted with SSL.
Why free SSL
In this article, I am going to talk about the free SSL options available today. I will outline why it is better to run every website encrypted with a free SSL certificate than over unencrypted HTTP. In our previous posts Free Auto SSL by cPanel and Comodo for everyone and How to setup your free Comodo SSL by cPanel we outlined an option for shared hosting customers using our cPanel plans.
Free SSL in cPanel: Comodo and LetsEncrypt
In 2016, cPanel added an option called AutoSSL, offering free domain-validated SSL certificates from Comodo. You can read more in their blog post Securing your site; Comodo, cPanel, & AutoSSL. Since then, cPanel has built an official plugin to integrate the LetsEncrypt CA.
The LetsEncrypt CA (CA stands for “Certificate Authority”) allows anyone to obtain and renew free SSL certificates, whether you use a private server or a shared host powered by cPanel. In this article, I will show you a way to partially automate this process using an Ansible playbook and certbot in a private server environment. Certbot can be installed without an Ansible playbook; however, using Ansible makes the installation and configuration easier when you run a large number of private servers with a variety of operating systems.
For a simple single-server installation, review the certbot installation page. If you use Ansible to manage your servers, or plan to use it, read on.
Prerequisites to get free SSL working on your server
Before you begin the certificate installation and the automation of SSL certificate renewals, make sure the following requirements are met:
- You have root access to your private server via SSH or console.
- You have Git installed in the environment that will be used to execute the Ansible playbook.
- You have Ansible v2.0 or newer installed. Ansible can be run from the private server itself or from any other machine, even your personal computer. Check the Ansible installation instructions for your OS.
- All domain names you plan to generate SSL certificates for must resolve to their servers. LetsEncrypt uses domain validation, which requires a working DNS configuration.
Preparing Ansible playbook to install certbot
To create a playbook, we will be using the Certbot Ansible role by Jeff Geerling. Simply go to https://github.com/geerlingguy/ansible-role-certbot and clone the certbot role code using git, like so:
git clone https://github.com/geerlingguy/ansible-role-certbot.git geerlingguy.certbot
This will clone the certbot Ansible role into a geerlingguy.certbot folder.
Prepare a simple playbook: create a YAML file (for example called certbot.yml) and add the following playbook code to it.
```yaml
- hosts: webservers
  roles:
    - geerlingguy.certbot
```
Prepare the hosts file. This file contains the server groups in which to install certbot. In the example playbook above we called our host group webservers.
vim hosts
Place the following code in it, updating it for your server group:
```ini
[webservers]
192.168.0.10
192.168.0.11
192.168.0.12
192.168.0.13
```
Execute the Ansible playbook to install Certbot on multiple servers
ansible-playbook -i hosts certbot.yml
Once the playbook has run successfully, let’s generate some free SSL certificates.
SSH into your server and execute:
```bash
# Generate certs, but don't modify Apache configuration (safer).
/opt/certbot/certbot-auto --apache certonly
```
If you use Nginx, replace `--apache` with `--nginx`.
Certbot will enter interactive mode, allowing you to select the domain names to generate a free SSL certificate for. If certbot is unable to identify your vhost domains from the working web server configuration, it will prompt you to enter the domain names manually. Alternatively, you may tell certbot to skip interactive mode and pass all required attributes in one command, like so:
```bash
# Non-interactive issuance with the webroot plugin, so the running web server keeps serving and
# certbot drops the challenge files under the -w document root; the e-mail address is a placeholder.
/opt/certbot/certbot-auto certonly --webroot -w /path/to/webroot --non-interactive --agree-tos \
  --email admin@yourdomainname.com -d yourdomainname.com -d www.yourdomainname.com -d moredomainnames.com
```
When generated, the certificate will be stored in the `/etc/letsencrypt/live` directory. You may inspect that directory to explore how your certificate and private key are named and symlinked.
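To take the automation one step further, here is an added example (not from the original post or from the role's own repository) of a playbook that has the geerlingguy.certbot role issue the certificates itself and install a cron job for renewals, so no manual certbot run is needed. The domain names and e-mail addresses are placeholders, and it assumes a version of the role that exposes these variables; confirm them against the README of the copy you cloned.

```yaml
# Added example playbook: issue certificates and schedule renewals through the role.
# Domain names and addresses below are placeholders; variable names follow the role's README.
- hosts: webservers
  become: true
  vars:
    # Issue certificates on the first run instead of only installing certbot.
    certbot_create_if_missing: true
    # Standalone validation binds port 80, so the web server is stopped briefly
    # while the challenge runs; name the service the role should stop and start.
    certbot_create_method: standalone
    certbot_create_standalone_stop_services:
      - apache2
    # Expiry notices from LetsEncrypt go to this address (placeholder).
    certbot_admin_email: admin@yourdomainname.com
    certbot_certs:
      - domains:
          - yourdomainname.com
          - www.yourdomainname.com
      - email: webmaster@moredomainnames.com
        domains:
          - moredomainnames.com
    # LetsEncrypt certificates are valid for 90 days; certbot renews any that have
    # fewer than 30 days left, so a daily cron run keeps them current.
    certbot_auto_renew: true
    certbot_auto_renew_user: root
    certbot_auto_renew_hour: "3"
    certbot_auto_renew_minute: "30"
    # Reload (not restart) the web server only when a certificate was actually
    # renewed, so the new chain is served without a full restart.
    certbot_auto_renew_options: "--quiet --no-self-upgrade --deploy-hook 'systemctl reload apache2'"
  roles:
    - geerlingguy.certbot
```

Run it with the same `ansible-playbook -i hosts certbot.yml` command as above; afterwards `/etc/letsencrypt/live` should hold one directory per certificate lineage and `crontab -l` for root should show the renewal entry.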