As discussed by Karen Stevenson in her blog article HTTPS Everywhere: Security is Not Just for Banks, it is a good idea to run every website, even a small one, over SSL.
In this article I am going to talk about the free SSL options available today. I will outline why it is better to run every website encrypted, even with a free SSL certificate, than to serve it over unencrypted HTTP. In our previous posts Free Auto SSL by cPanel and Comodo for everyone and How to setup your free Comodo SSL by cPanel we outlined an option for shared hosting customers using our cPanel plans.
In 2016, cPanel added an option called AutoSSL, offering free domain-validated SSL certificates issued by Comodo. You can read more in their blog post Securing your site; Comodo, cPanel, & AutoSSL. Since then, cPanel has built an official plugin to integrate the LetsEncrypt CA.
The LetsEncrypt CA (certificate authority) allows anyone to obtain and renew free SSL certificates, whether they use a private server or a shared host powered by cPanel. In this article I will show you a way to partially automate this process using an Ansible playbook and certbot in a private server environment. Certbot can be installed without an Ansible playbook, but Ansible makes the installation and configuration easier when you run a large number of private servers with a variety of operating systems.
For a simple single-server installation, review the certbot installation page. If you use Ansible to manage your servers, or are planning to, read on.
Before you begin partially automating SSL certificate installation and renewal, make sure you meet the following requirements:
- You have root access to your private server via SSH or console.
- You have Git installed in the environment that will be used to execute the Ansible playbook.
- You have Ansible v2.0 or newer installed. Ansible can be run from the private server itself or from any other machine, even your personal computer. Check the Ansible installation instructions for your OS.
- All domain names that you plan to generate SSL certificates for must resolve to the servers that will serve them. LetsEncrypt uses domain validation, which requires a working DNS configuration.
Preparing Ansible playbook to install certbot
To create a playbook, we will be using the Certbot Ansible role by Jeff Geerling. Simply go to https://github.com/geerlingguy/ansible-role-certbot and clone the certbot role code using git, like so:
git clone https://github.com/geerlingguy/ansible-role-certbot.git geerlingguy.certbot
This will clone the certbot Ansible role into a folder named geerlingguy.certbot, which is the role name the playbook refers to.
Prepare a simple playbook: create a YAML file (for example certbot.yml) and add the following playbook code to it.
- hosts: webservers
  roles:
    - geerlingguy.certbot
Prepare the hosts file. This inventory file lists the server groups to install certbot on. In the example playbook above we called our hosts group webservers.
Place the following in it, updating the addresses for your server group:
[webservers]
192.168.0.10
192.168.0.11
192.168.0.12
192.168.0.13
Execute the playbook:
ansible-playbook -i hosts certbot.yml
Once the playbook has run successfully, let's generate some free SSL certificates.
SSH into your server and execute:
# Generate certs, but don't modify Apache configuration (safer).
/opt/certbot/certbot-auto --apache certonly
If you use Nginx, replace --apache with --nginx.
Certbot will enter interactive mode, allowing you to select the domain names to generate a free SSL certificate for. If certbot is unable to identify your vhost domains from the running web server configuration, it will offer to let you enter the domain names manually. Alternatively you may skip interactive mode and pass all required attributes in one command, like so:
/opt/certbot/certbot-auto certonly --webroot -w /path/to/webroot -d yourdomainname.com -d www.yourdomainname.com -d moredomainnames.com --non-interactive --agree-tos -m admin@yourdomainname.com
Here -w points the webroot plugin at the document root it writes the validation file into (so the web server keeps running), and --non-interactive, --agree-tos and -m supply the answers certbot would otherwise prompt for; replace the e-mail address with your own.
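Before running that command, it is worth confirming that every -d domain meets the DNS requirement from the prerequisites, since domain validation fails otherwise. The following POSIX shell pre-flight check is an added example, not part of the original article or of certbot; it assumes getent is available and that the expected address is the server's public IPv4 (the 192.168.0.10 below is the constructed address from the hosts file).

```shell
#!/bin/sh
# Pre-flight check: confirm every domain you are about to pass to certbot
# with -d resolves to this server's IPv4 address.

# Resolve a hostname to its IPv4 addresses, one per line. getent needs no
# extra tools; tests can override this function to run offline.
resolve_ipv4() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{ print $1 }' | sort -u
}

# check_domains <expected_ip> <domain>...
# Prints one line per domain and returns the number of domains that did not
# resolve to the expected address (0 means everything is ready for certbot).
check_domains() {
    expected="$1"; shift
    failures=0
    for domain in "$@"; do
        addrs=$(resolve_ipv4 "$domain")
        if [ -z "$addrs" ]; then
            echo "FAIL $domain: no A record"
            failures=$((failures + 1))
        elif printf '%s\n' "$addrs" | grep -qxF "$expected"; then
            echo "ok   $domain -> $expected"
        else
            echo "FAIL $domain -> $(printf '%s' "$addrs" | tr '\n' ' ') (expected $expected)"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Usage (constructed example): only call certbot when every domain checks out.
#   check_domains 192.168.0.10 yourdomainname.com www.yourdomainname.com \
#       && /opt/certbot/certbot-auto certonly --webroot -w /path/to/webroot \
#          -d yourdomainname.com -d www.yourdomainname.com
```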
Once generated, the certificate is stored under the /etc/letsencrypt/live directory. Inspect that directory to see how your certificate and private key are named and symlinked.