Let's Encrypt + Cloudflare (DNS verification) + Configure Various Stuff

License

NotificationsYou must be signed in to change notification settings

kandsten/leclocovast

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Let's Encrypt + CloudFlare + Configure Various Stuff

Register and/or refresh Let's Encrypt certificates, proving control of the names via CloudFlare-managed DNS (the DNS-01 challenge) rather than via HTTP. Will also install and/or refresh said certificates on Various Stuff. Uses Ansible to do so.

"Supported" Various Stuff

  • Ubiquiti EdgeRouter - tested with the EdgeRouter X SFP, may work with others as well
  • Ubiquiti UniFi controller - tested on Ubuntu
  • VMware ESXi
  • Hass.io
  • Plex - tested on Ubuntu
  • Proxmox

Is this for you?

Rationale as follows:

  • I run various services on a LAN.
  • I prefer to have working TLS wherever possible.
  • I'm too lazy to manually refresh certs for a number of services every 90 days.
  • I don't fancy letting the Internet at large connect to said services, necessitating DNS based verification.
  • I don't particularly fancy maintaining certbot installs (and CloudFlare API keys) on more than one host.

Use Ansible to manage the certs in one location and distribute them to wherever they need to be, restarting services as necessary.

There may be some rough edges. It Works For Me™. Your setup might be just ever so slightly different.

If you think this makes sense, then you may or may not find this useful. If you don't think this makes sense, I wish you luck in finding something that scratches your particular itch in a better fashion.

Getting Started

Copy files from the sample-conf/ directory to the repo root, edit contents to fit your setup.

As the playbook is set up to tie roles to inventory groups, you don't want to change the group names found in the sample inventory.

The certbot role will register certs for every host in the inventory, using the inventory hostname as the certificate name. As such, you'll want to enter the FQDN, even if you normally use the plain hostname for SSH/Ansible.

Verify that the code does nothing nefarious. This thing is fetching certificates on your behalf and you're handing it your CloudFlare API key. You don't do that without reading the code first.

...right?
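The page does not show which variable names this playbook uses for the CloudFlare credential, but certbot's dns-cloudflare plugin reads its credentials from an INI file, and that file is where you decide how much of your account you are handing over. The following is an added example of such a file (not from the repository), with the legacy global-key form commented out beside the scoped-token form the current plugin accepts; the path, e-mail and token values are placeholders:

```ini
# certbot dns-cloudflare credentials file (added example, not from the repo).
# Keep it readable only by the user running certbot (chmod 0600); certbot
# warns about unsafe permissions otherwise.

# Legacy form: the global API key. It grants full control of the whole
# CloudFlare account and cannot be narrowed. Avoid it if you can.
# dns_cloudflare_email = you@example.com
# dns_cloudflare_api_key = 0123456789abcdef0123456789abcdef01234

# Preferred form: an API token limited to Zone / DNS / Edit on the one zone
# the inventory hosts live in. Placeholder value.
dns_cloudflare_api_token = YOUR_SCOPED_TOKEN_HERE
```

Create the token in the CloudFlare dashboard with only the Zone / DNS / Edit permission on that zone, keep the file on the single Ansible host, and if it has to live next to the inventory, encrypt it with `ansible-vault encrypt` before committing. Whether the certbot role in this playbook passes a token rather than an e-mail/key pair depends on the certbot version it was written against, so check the role while you are reading the code anyway. Two caveats worth knowing before you rely on DNS verification: the hosts stay unreachable from the Internet, but every certificate Let's Encrypt issues is published to Certificate Transparency logs, so the FQDNs in your inventory become public; and whoever holds the DNS credential can obtain certificates for any name in that zone, which is why the token scope matters.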

Prerequisites

  • Ansible (tested with 2.4)
  • Certbot
  • Working SSH pubkey authentication for the devices you wish to handle certs for

Running

ansible-playbook -i inventory.yml playbook.yml

The certbot plugin for CloudFlare DNS is a bit on the slower side, as it waits for the challenge records to propagate before asking Let's Encrypt to validate them. If you need to register or renew certs, give it some time to finish.

Do note that this playbook will run Certbot with the --agree-tos flag. Please read and understand the Subscriber Agreement, or a herd of rabid tigers will surely devour your firstborn. You have been warned.
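Once the playbook has run, the thing you actually care about is whether each device is now serving a certificate that covers its name and is not about to expire. The script below is an added example, not part of kandsten/leclocovast: give it the same FQDNs you put in inventory.yml and it performs a normal verifying TLS handshake against each one on port 443, then reports name coverage, issuer and days left. The `fqdn@address` form (to reach a LAN address while still validating the public name), the 30-day renewal window and the embedded sample certificate are assumptions made for this example.

```python
"""Post-run check for the certificates the playbook deployed.

Added example, not part of kandsten/leclocovast. Usage:
    python check_certs.py plex.home.example.com unifi.home.example.com@10.0.0.5
With no arguments it evaluates the constructed sample certificate below.
"""
import socket
import ssl
import sys
import time

RENEW_WITHIN_DAYS = 30  # assumption: matches certbot's default renewal window

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns
# for a verified peer. Names and dates are made up for this example.
SAMPLE_CERT = {
    "subject": ((("commonName", "plex.home.example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Let's Encrypt"),),
        (("commonName", "R3"),),
    ),
    "notBefore": "Mar 13 00:00:00 2025 GMT",
    "notAfter": "Jun 11 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "plex.home.example.com"),),
}
SAMPLE_NOW = 1748736000  # 2025-06-01 00:00:00 UTC, ten days before notAfter


def evaluate(cert, fqdn, now):
    """Judge a getpeercert()-style dict for `fqdn` at Unix time `now`."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = int((not_after - now) // 86400)  # negative once expired
    # Match on SAN entries only: modern clients ignore a bare CN.
    sans = {value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"}
    issuer = {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}
    return {
        "fqdn": fqdn,
        "days_left": days_left,
        "covers_name": fqdn in sans,
        "lets_encrypt": issuer.get("organizationName") == "Let's Encrypt",
        "needs_renewal": days_left <= RENEW_WITHIN_DAYS,
    }


def check_host(target, now=None):
    """Connect to `target` ("fqdn" or "fqdn@address") and evaluate its cert.

    A default context verifies the chain and the hostname, so an expired,
    self-signed or mis-deployed certificate surfaces as an error entry
    rather than silently passing.
    """
    fqdn, _, address = target.partition("@")
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((address or fqdn, 443), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
                cert = tls.getpeercert()
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return {"fqdn": fqdn, "error": str(exc)}
    return evaluate(cert, fqdn, time.time() if now is None else now)


def is_ok(result):
    """True only for a verified cert that covers the name and is outside the renewal window."""
    return "error" not in result and result["covers_name"] and not result["needs_renewal"]


def main(argv):
    if not argv:
        results = [evaluate(SAMPLE_CERT, "plex.home.example.com", SAMPLE_NOW)]
    else:
        results = [check_host(target) for target in argv]
    failures = 0
    for result in results:
        ok = is_ok(result)
        failures += not ok
        print("OK  " if ok else "FAIL", result)
    return 1 if failures else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it after each playbook run (a cron entry on the Ansible host is the obvious place): a non-zero exit means at least one device is serving something other than a fresh, matching Let's Encrypt certificate, which is exactly the failure a silent renewal breakage produces.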

Contributing

I don't particularly expect any contributions, but if you have something you think fits,feel free to shoot me a pull request.

Author

License

This project is licensed under the MIT License - see the LICENSE.txt file for details

Acknowledgments

  • Various Stack Overflow posts, forum posts and random tidbits.
  • CloudFlare, whose services I've been mooching off of for years and for being my employer crush.
  • Let's Encrypt, for finally ensuring that free/libre certs are a thing and not horribly botching the job like those who came before.
