geerlingguy / ansible-role-certbot

Ansible Role - Certbot (for Let's Encrypt)

Home Page: https://galaxy.ansible.com/geerlingguy/certbot/

License: MIT License


ansible-role-certbot's Issues

OSError: Command /opt/eff.org/certbot/venv/bin/python2.7 - setuptools pkg_resources pip wheel failed with error code 2

When I run:

/certbot-auto renew  --no-self-upgrade --no-bootstrap

I got:

Requesting to rerun ./certbot-auto with root privileges...
Creating virtual environment...
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 2363, in <module>
    main()
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 719, in main
    symlink=options.symlink)
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 988, in create_environment
    download=download,
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 918, in install_wheel
    call_subprocess(cmd, show_stdout=False, extra_env=env, stdin=SCRIPT)
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 812, in call_subprocess
    % (cmd_desc, proc.returncode))
OSError: Command /opt/eff.org/certbot/venv/bin/python2.7 - setuptools pkg_resources pip wheel failed with error code 2

I've tried all the ways in certbot issue #2883, such as

export LC_ALL="en_US.UTF-8"
export LC_CTYPE="en_US.UTF-8"

@chani's answer, and so on;

but they didn't work for me.

I guess it could be caused by using /opt/eff.org/certbot/venv/bin/python2.7. Could I change the default python2.7 path? Perhaps there are other solutions?

Thanks!

Provide setting to use staging server

For testing playbooks and roles, it would be reasonable to tell certbot to use the staging Let's Encrypt ACME server. Especially when #12 is implemented (and for the work on this as well), since one's test environment may not have valid domain names for which legitimate certificates can be requested.

At first glance, introducing a certbot_staging_server setting and conditionally applying --staging to certbot commands is easy. That may be enough, but we should think of the cronjob and whether this becomes inconsistent when the setting eventually changes.

Update tags

Current

  galaxy_tags:
    - networking
    - system
    - web

Should certbot and letsencrypt not be added to the tags?

Generate certificates automatically

Hey !

On first launch, I'd like to run the certbot-auto command in order to download certificates and so on. However, it's not possible to do it directly from Ansible; I'm obliged to connect manually and launch the script.

Do you have any workaround for this?

Thanks a lot !

Renewing when ports 80 and 443 are already in use

I have set up this role for auto-renewal, but noticed a few days ago that the cron doesn't auto-renew correctly. When I dry-run, I see that it's because ports 80/443 are already in use. Is there a way to make the auto-renew cron stop/restart the service, like what this role does when creating new certs?

Some context of my current setup, if this helps:

In requirements.yml:

- src: geerlingguy.certbot
  version: 3.0.0

In playbooks.yml:

- role: geerlingguy.certbot
  become: yes
  tags: certbot

In my host vars file:

## https://github.com/geerlingguy/ansible-role-certbot

# Certbot auto-renew cron job configuration (for certificate renewals).
certbot_auto_renew_user: jeremie

# Parameters used when creating new Certbot certs.
certbot_create_if_missing: yes
certbot_admin_email: "{{ admin_email }}"
certbot_certs:
  - domains:
    - [redacted]

# Ubuntu 16.04 does not have certbot package.
# To install from source (on older OSes or if you need a specific or newer
# version of Certbot), set this variable to `yes` and configure other options.
certbot_install_from_source: yes

When I run /opt/certbot/certbot-auto renew --dry-run (as mentioned in the README):

Requesting to rerun /opt/certbot/certbot-auto with root privileges...
[sudo] password for jeremie:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/[redacted].conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for [redacted]
Cleaning up challenges
Attempting to renew cert ([redacted]) from /etc/letsencrypt/renewal/[redacted].conf produced an unexpected error: Problem binding to port 80: Could not bind to IPv4 or IPv6.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/[redacted]/fullchain.pem (failure)

When I run /opt/certbot/certbot-auto renew:

Requesting to rerun /opt/certbot/certbot-auto with root privileges...
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/[redacted].conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for [redacted]
Cleaning up challenges
Attempting to renew cert ([redacted]) from /etc/letsencrypt/renewal/[redacted].conf produced an unexpected error: Problem binding to port 443: Could not bind to IPv4 or IPv6.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/[redacted]/fullchain.pem (failure)

Weird error when run on Centos 7

Hi all,

I see a weird error when running the playbook on CentOS 7.6.
It happens when the certbot setup task is executed, and only on CentOS 7, with both methods: from source and from packages. It still sets up certbot completely but shows an error in Ansible; I must add ignore_errors to continue the playbook.
[Screenshot from 2019-05-29 09-24-52]
When I set up certbot manually, it works correctly.
Has somebody seen this and can help me resolve this problem?

OS-provided cronjob conflicts with role cronjob

So, Ubuntu (18.04 at least) installs a cronjob and makes use of renewal-hooks directories. I can't find much documentation about it, but there is a bug report here: https://bugs.launchpad.net/ubuntu/+source/python-certbot/+bug/1706409

There is some documentation about the renewal-hooks directories:
https://certbot.eff.org/docs/using.html#renewing-certificates

I'm thinking about how I can tackle it, probably not installing the cronjob from the role and simply installing the hooks with a separate role for now, but maybe this can be handled by the role somehow.

Any ideas on this?

renewal

So currently this playbook does not handle renewal automatically since it is standalone only?

In the readme it says:
These services will only be stopped the first time a new cert is generated.

So when the cron job runs to renew, does it automatically reload my nginx config to load the new certs? or will the cron job fail if the nginx service is running at the time the cron job runs the renew?

Do I need to add "location '/.well-known/acme-challenge" to nginx conf

I've setup certbot using this playbook and now I'm configuring nginx by following this gist I found. In the gist is the following code:

# Required for LE certificate enrollment using certbot
location '/.well-known/acme-challenge' {
    default_type "text/plain";
    root /var/www/html;
}

Do I need to add that code to my nginx.conf file?
Dry runs are successful with this command:
sudo certbot renew --dry-run --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"

Defaults don't work on ubuntu 14 in 2.0.0

1.0.1 was fine, but 2.0.0 now tries to install certbot from a nonexistent package:

TASK [geerlingguy.certbot : Install Certbot.] **********************************
task path: /home/vagrant/ansible_roles/geerlingguy.certbot/tasks/install-with-package.yml:2
Running apt
Using module file /usr/local/lib/python2.7/dist-packages/ansible/modules/core/packaging/os/apt.py
<default> ESTABLISH LOCAL CONNECTION FOR USER: vagrant
<default> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo $HOME/.ansible/tmp/ansible-tmp-1491407981.55-237155168955842 `" && echo ansible-tmp-1491407981.55-237155168955842="` echo $HOME/.ansible/tmp/ansible-tmp-1491407981.55-237155168955842 `" ) && sleep 0'
<default> PUT /tmp/tmpT2DDiu TO /home/vagrant/.ansible/tmp/ansible-tmp-1491407981.55-237155168955842/apt.py
<default> EXEC /bin/sh -c 'chmod u+x /home/vagrant/.ansible/tmp/ansible-tmp-1491407981.55-237155168955842/ /home/vagrant/.ansible/tmp/ansible-tmp-1491407981.55-237155168955842/apt.py && sleep 0'
<default> EXEC /bin/sh -c 'sudo -H -S -n -u root /bin/sh -c '"'"'echo BECOME-SUCCESS-zzdsaslvowworpjodacmvyeijanjjlrc; /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1491407981.55-237155168955842/apt.py; rm -rf "/home/vagrant/.ansible/tmp/ansible-tmp-1491407981.55-237155168955842/" > /dev/null 2>&1'"'"' && sleep 0'
fatal: [default]: FAILED! => {
    "changed": false, 
    "failed": true, 
    "invocation": {
        "module_args": {
            "allow_unauthenticated": false, 
            "autoremove": false, 
            "cache_valid_time": 0, 
            "deb": null, 
            "default_release": null, 
            "dpkg_options": "force-confdef,force-confold", 
            "force": false, 
            "install_recommends": null, 
            "name": "certbot", 
            "only_upgrade": false, 
            "package": [
                "certbot"
            ], 
            "purge": false, 
            "state": "present", 
            "update_cache": false, 
            "upgrade": null
        }
    }, 
    "msg": "No package matching 'certbot' is available"
}

certbot_create_command per cert_item

A server may host various domains.
That's why each cert_item from certbot_certs contains a list of domains.
But not all these domains may have their nameserver at the same provider (for DNS challenge), or some may use DNS (eg: cloudflare ones) and other HTTP.

For that reason, certbot_create_command could be an optional attribute of each cert_item, with the global value only used as a default/fallback.

ERROR! no action detected in task

when using ansible-role-certbot, the following error occurs:

ERROR! no action detected in task. This often indicates a misspelled module name, or incorrect module path.

The error appears to have been in '/roles/geerlingguy.certbot/tasks/main.yml': line 2, column 3, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:

---
- import_tasks: include-vars.yml
  ^ here

Tested with the example playbook from Readme.md
(ansible 2.3.2.0, macOS High Sierra 10.13.2)

file (/opt/certbot/certbot-auto) is absent

Do I need to install anything before this task is executed?

TASK [letsencrypt : Ensure certbot-auto is executable.] ************************
fatal: [default]: FAILED! => {"changed": false, "msg": "file (/opt/certbot/certbot-auto) is 
absent, cannot continue", "path": "/opt/certbot/certbot-auto", "state": "absent"}

How does this role relate to the acme_certificate module?

While searching for a solution, I came across both the acme_certificate module and your role here.

I had assumed that your role would be using that module (i.e. it would simply be providing a nicer interface, defaults, etc.), but it appears as though it's not, and I can't find any reference to you using it.

I'm assuming that you either didn't know about it, it didn't exist yet, or you have some other reason for not including it. In any case, would you kindly provide some information about this on the project page here? A sentence/paragraph or so explaining the use cases would be fantastic. For example, would it make more sense to use that module now because it's native?

I'm trying to decide which way to go, and any insight you have would be helpful.

Add certbot_create_method 'webroot' for zero-downtime cert generation

After the work in #12 and #38, this role supports using Certbot's --standalone server for generating certs, which is great and perfectly adequate if you're either:

  1. Generating the cert on the first bootstrap of a server (since it's not causing an outage, it's just prepping for the first webserver startup).
  2. Okay with a few seconds of webserver downtime when you generate a new cert (note that there's no downtime during renewals).

However, some of the examples in #12's comments showed how certbot's --webroot option might be used with either Apache or Nginx to allow running webservers to not have to be stopped before a cert is generated.

Examples:

See docs: https://certbot.eff.org/docs/using.html#webroot
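As an added example (not code from the role or its author), the following Ansible tasks show the webroot issuance this issue asks for, combined with the --staging switch requested in the "Provide setting to use staging server" issue above. The variable names certbot_webroot_path and certbot_staging are assumptions made for this example; certbot_admin_email and cert_item.domains follow the role's own variables, and the tasks assume they run inside a loop over certbot_certs with loop_var set to cert_item.

```yaml
# Added example (not the role's own code): issue a certificate with certbot's
# --webroot authenticator while the web server keeps serving, optionally
# against the Let's Encrypt staging environment.
# Assumed variables: certbot_webroot_path (document root the web server
# serves /.well-known/acme-challenge from) and certbot_staging (bool).
- name: Ensure the ACME challenge directory exists under the webroot.
  ansible.builtin.file:
    path: "{{ certbot_webroot_path }}/.well-known/acme-challenge"
    state: directory
    owner: root
    group: root
    mode: "0755"

- name: Generate the certificate with the webroot authenticator (no downtime).
  ansible.builtin.command: >-
    certbot certonly --webroot
    --webroot-path {{ certbot_webroot_path }}
    --noninteractive --agree-tos
    --email {{ certbot_admin_email }}
    {{ '--staging' if certbot_staging | default(false) else '' }}
    -d {{ cert_item.domains | join(',') }}
  args:
    # Skip once a live certificate for the first domain exists, so the play
    # stays idempotent (this check does not notice added domains; see the
    # "Fail to detect a new domain has been added" issue below).
    creates: "/etc/letsencrypt/live/{{ cert_item.domains | first }}/fullchain.pem"
```

The web server must serve files from certbot_webroot_path at /.well-known/acme-challenge for the http-01 challenge to succeed; the nginx location block quoted in the "Do I need to add location '/.well-known/acme-challenge'" issue is exactly that mapping. Certificates issued with --staging are not trusted by browsers and are only for verifying the playbook, and because certbot records the ACME server in the certificate's renewal configuration, a certificate issued against staging has to be reissued once the setting is switched back to production.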

Use on Amazon Linux requires a slight hack so certbot installer detects RHEL

Certbot's installer seems to fail on Amazon Linux currently, because there is no /etc/redhat-release file on the server.

See: https://community.letsencrypt.org/t/help-with-certbot-on-the-new-amazon-linux-2/49399/5

certbot-auto uses /etc/issue and various /etc/*release files to determine the system it’s on. On Amazon Linux 2, certbot-auto doesn’t recognize the layout as it has changed from previous versions.

I’ve included instructions of how to make certbot-auto try installation on Amazon Linux 2 below, however, if you’re able to enable the EPEL7 repo as this article suggests, I’d encourage you install Certbot from there. Recent versions of Certbot are packaged in EPEL7 and using this repository should be preferred over certbot-auto.

If you want to use certbot-auto though, the problem is that previously for Amazon Linux /etc/issue contained the string “Amazon Linux” but it doesn’t anymore. To make certbot-auto try the Amazon Linux bootstrapping, you can add “Amazon Linux” to /etc/issue or create the file /etc/redhat-release. Red Hat and Amazon Linux bootstrapping are identical.

This was originally reported to me by @tylerturk when he was adding in this Certbot role to be used in an Ansible meetup lab; see these tasks, which basically touch /etc/redhat-release if it doesn't exist.

I'm not sure if this is something that I want to add as a 'feature' to this role (basically, something that detects if it's running on Amazon Linux, and touches that file if so...), or if I just want to document it in this issue, leave it open a while, then close it at some point arbitrarily in the future.

Improvement for crontab

Hello,

Ability to add extra cronjob parameters would be nice, for example --pre-hook "service nginx stop" --post-hook "service nginx start".

Regards,
R

Edited: I sent a PR: #27

Fix installation using package manager on Debian 8

Package certbot is currently available only in jessie-backports on Debian 8. That means certbot installation using package manager requires configuring that repository first - I used role jnv.debian-backports for that. It would be great if this role did it automatically or it was mentioned in the docs.

It also requires specifying default release for apt - I just replaced line:
package: "name={{ certbot_package }} state=present"
with:
apt: "name={{ certbot_package }} default_release=jessie-backports state=present"
in tasks/install-with-package.yml, but it is not very portable I guess.

In lieu of complete automation, provide better documentation

I'm leery of letting automated software that's out of my control from managing my own config files, especially when it comes to crypto. While many people are better off letting LE/Certbot do everything for them (many of these people hand-edit config files on their servers—gasp!), I'd rather let Certbot work on cert redemption/renewal, and then I'll work on the actual Apache config.

I'd like to document my process, at least, so I can see where it's more automatable... and so others can see how simple/better the process is for further automation if we use Ansible to the greatest extent possible.

letsencrypt: error: unrecognized arguments: --quiet

Getting error: letsencrypt: error: unrecognized arguments: --quiet

root@some-server:/tmp# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 16.04 LTS
Release:        16.04
Codename:       xenial
root@some-server:/tmp# letsencrypt --version
letsencrypt 0.4.1

Update to use Certbot

The repo is now certbot/certbot. This role should still work because they still provide letsencrypt-auto, etc., but would be good to update it. I might do that eventually. For now, I'm just filing an issue.

Certbot & Geerlingguy Nginx

I just installed this Ansible certbot playbook for my Laravel Lemp Playbooks Stedding. Then I had to move on integrating it with Nginx. For that I use your playbook for Nginx as well. I realized doing

apt install python-certbot-nginx

and then run the Certbot plugin using:

certbot --nginx

took care of everything. Only now when I run my whole package Nginx will overwrite all this with what I have now in vhost and the standard nginx.conf. So I guess I could setup a separate template called roles/nginx/templates/domain. Then I could call it inside my vars/main.yml with

nginx_conf_template: "{{ playbook_dir }}/templates/my.conf.j2"

Then to make it extend the basic nginx.conf I could add

{% extends 'roles/geerlingguy.nginx/templates/nginx.conf.j2' %}

At least I think this would be the way. And then add the details. But how?

Certbot now added:

listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem; # managed by Certbot
ssl_session_cache shared:le_nginx_SSL:1m; # managed by Certbot
ssl_session_timeout 1440m; # managed by Certbot

ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # managed by Certbot
ssl_prefer_server_ciphers on; # managed by Certbot

ssl_ciphers "xxxxxxx"; # managed by Certbot

if ($scheme != "https") {
    return 301 https://$host$request_uri;
} # managed by Certbot

}

And when I provision again this will now be wiped out due to the basic nginx.conf settings. And that I do not want.
Should I just add that code as Certbot added it and use my {{ domain }} variable there to load the domain path? I do not think that is quite it... I mean, the ssl_ciphers that I would generate using certbot only would also have to be added somehow, right?

*Update
Other option would be of course to add another post LEMP installation task and just

apt install python-certbot-nginx

and then run the Certbot plugin using:

certbot --nginx

That would install things again. And as long as this does not happen too often the certificates should be added and working without any issues. I did see in Roots Trellis though that it is all managed with Ansible, and I would prefer that. And that gets me back to the first option.

Notify webserver to reload instead of immediately reloading it

Hi,
thank you for this great role, especially for the handling of already created certs and so on. This is now much better in the current version of the role.

I have one mention or "issue" with the current version.
In combination with an nginx role creating multiple vhosts, wouldn't it be better to notify nginx to reload after the whole Ansible run?

In my case I run into restarting-errors because there are multiple vhosts with ssl and ansible reloads immediately after the first cert-creation. But then the cert files for the other vhosts are missing.

best,
Christian

Install certbot with package manager

While there might be a demand to install the latest certbot version directly from GitHub, personally I like to install as much software as possible from distribution's package management.

Would you accept a PR adding the possibility to configure if one wants to use git or package?

Rationale: Some might use Ansible to bootstrap their hosts but do not regularly execute Ansible afterwards nor use ansible-pull. In this case the cloned git repository is barely updated, even with certbot_keep_updated: yes. This is bad, especially when urgent security updates are required. A package from the distribution's package management is probably automatically updated by unattended-upgrades or dnf-automatic.

Basic config fails on servers without nginx

Hello!

I'm running into what I believe to be an unexpected issue with the defaults for certs.

Running without certbot_create_standalone_stop_services: [] fails on our CentOS 7 server, which does not have nginx installed, with the message

Could not find the requested service nginx: host

Is this intended behaviour?
I'd argue that it should by default not try to restart any service not provided by me.

certbot_create_command: wrong quotes since using folded block scalar syntax

Since defaults/main.yml is using the '>' (folded block scalar, see https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html) syntax, one gets an error:

TASK [geerlingguy.certbot : Generate new certificate if one doesn't exist.] ******************************************************************************************************************************************************************************************************************************************************************************** fatal: [xxx-xxx]: FAILED! => {"changed": true, "cmd": "\"certbot certonly --standalone --noninteractive --agree-tos --email [email protected] -d xxx.xxx.xxx\"", "delta": "0:00:00.001942", "end": "2018-10-02 08:00:25.388877", "msg": "non-zero return code", "rc": 127, "start": "2018-10-02 08:00:25.386935", "stderr": "/bin/sh: 1: certbot certonly --standalone --noninteractive --agree-tos --email [email protected] -d xxx.xxx.xxx: not found", "stderr_lines": ["/bin/sh: 1: certbot certonly --standalone --noninteractive --agree-tos --email [email protected] -d igniti-xxx.xxx.xxx: not found"], "stdout": "", "stdout_lines": []}

This is due to the quotes being migrated to the new syntax. Pull request with the change incoming.

Occurrence verified with:
ansible version: 2.6.5
geerlingguy.nginx 3.1.0

Greetings,
Mario

include_vars is loading incorrect file

When I use the role with ansible 2.8.0 on Ubuntu 18.04.2, include_vars is loading playbook_root/vars/Debian.yml instead of playbook_root/roles/certbot/vars/default.yml.

Because of this, the role is failing with error

The task includes an option with an undefined variable. The error was: 'certbot_package' is undefined

Could not open lock file

Hello,
I'm seeing: E: Could not open lock file /var/lib/dpkg/lock - open (13: Permission denied) from the "Install Certbot." task. Any thoughts? I don't understand what variables I need to set up. What is the lock file for?

I'm using Ubuntu Xenial.

Thanks!

Fail to detect a new domain has been added

Description

The role is currently not able to detect that a domain has been added for a certificate. Thus if we add a new domain to our list, nothing happens (generation is skipped).

What I would expect: the domain list change is detected and Certbot is run again (for e.g. for a renewal including the added domains).

Could we add a way to test for any change in the domain list and issue again the certificate when the list changed?

How to reproduce

First run the role with a domain list containing one to N items:

certbot_certs:
  - domains:
    - example1.com
    - example2.com

(Let the configuration be applied)

Then re-run the role after adding one to N domains:

certbot_certs:
  - domains:
    - example1.com
    - example2.com
    - example3.com
    - example4.com

(Here the certificate generation will be skipped, resulting in example3.com and example4.com not being part of the certificate)

Implementation

This is due to the condition detecting that a certificate exists: it only checks that we have a certificate named after the first domain.

- name: Check if certificate already exists.

This condition should be able to detect whether the currently existing certificate (if any) covers the same domains as the ones provided by the role variables.
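One way to implement the check this issue proposes, as an added example rather than the role's own code: read the Subject Alternative Names out of the existing certificate and only skip issuance when every requested domain is already covered. The example assumes the community.crypto collection is installed on the controller, that the tasks run in a loop over certbot_certs with loop_var set to cert_item, and uses certbot's --expand option so a certificate that is a strict subset of the requested names is replaced rather than refused.

```yaml
# Added example (not the role's own code): compare the SANs of the certificate
# that already exists for the first domain with the domains requested in
# cert_item, and re-run certbot whenever any requested domain is missing.
- name: Check if a certificate for the first domain already exists.
  ansible.builtin.stat:
    path: "/etc/letsencrypt/live/{{ cert_item.domains | first }}/cert.pem"
  register: letsencrypt_cert

- name: Read the Subject Alternative Names of the existing certificate.
  community.crypto.x509_certificate_info:
    path: "/etc/letsencrypt/live/{{ cert_item.domains | first }}/cert.pem"
  register: letsencrypt_cert_info
  when: letsencrypt_cert.stat.exists

- name: Generate or expand the certificate when a requested domain is not covered.
  ansible.builtin.command: >-
    certbot certonly --standalone --noninteractive --agree-tos
    --email {{ certbot_admin_email }} --expand
    -d {{ cert_item.domains | join(',') }}
  vars:
    # subject_alt_name entries look like "DNS:example1.com"; keep the bare names.
    # When the info task was skipped there is no subject_alt_name, so default to [].
    existing_sans: >-
      {{ letsencrypt_cert_info.subject_alt_name | default([])
         | map('regex_replace', '^DNS:', '') | list }}
  when: >-
    not letsencrypt_cert.stat.exists
    or (cert_item.domains | difference(existing_sans) | length > 0)
```

With the second domain list from the reproduction above, existing_sans evaluates to ['example1.com', 'example2.com'], the difference against cert_item.domains is ['example3.com', 'example4.com'], and certbot runs again; with an unchanged list the difference is empty and the task is skipped, so the play stays idempotent. Removing a domain from the list does not trigger a run under this check, which matches the issue's request of detecting added domains.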

Error on renewal on Ubuntu 16.04

I am trying to run renewal manually, to see if it's actually running and unfortunately it's erring :/

When running:
sudo /opt/certbot/certbot-auto renew --quiet --no-self-upgrade

I'm getting the following stacktrace:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 2363, in <module>
    main()
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 719, in main
    symlink=options.symlink)
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 988, in create_environment
    download=download,
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 918, in install_wheel
    call_subprocess(cmd, show_stdout=False, extra_env=env, stdin=SCRIPT)
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 812, in call_subprocess
    % (cmd_desc, proc.returncode))
OSError: Command /opt/eff.org/certbot/venv/bin/python2.7 - setuptools pkg_resources pip wheel failed with error code 1

It seems to be related to certbot issue #2883.

There is no good way to override certbot_script

If you try to override certbot_package with something like certbot_package: certbot-dns-route53, you have no way to change the fact for certbot_script. It might just be better to set it as a variable instead of using set_fact?

Apache and Certbot

How can I auto run certbot and apache on install & updates of the virtual machines?

I've added certbot and from source. But the issue is setting up Apache with SSL and then actually running the config, THEN running certbot, THEN running and setting up SSL.

apache_vhosts:
  # Additional properties:
  # 'serveradmin, serveralias, allow_override, options, extra_parameters'.
  - servername: "xxx.com"
    documentroot: "/var/www/html"

apache_vhosts_ssl:
  - servername: "xxx.com"
    documentroot: "/var/www/html"
    certificate_file: "/etc/letsencrypt/live/xxx.com/cert.pem"
    certificate_key_file: "/etc/letsencrypt/live/xxx.com/privkey.pem"
    certificate_chain_file: "/etc/letsencrypt/live/xxx.com/fullchain.pem"

This was the config I was going with (using your Apache config too). But if you run with certificate_file like that, it will crash because Apache won't start without the file.

Cloning certbot fails on subsequent runs

After installing on the 2nd run I get the Clone Certbot into configured directory. task failing with:

Local modifications exist in repository (force=no).

Is this because certbot-auto has been made executable? Should the git task use force?

Make renew command configurable

Right now the renew command that's able to be set for cron is not configurable:

- name: Add cron job for certbot renewal (if configured).
  cron:
    name: Certbot automatic renewal.
    job: "{{ certbot_script }} renew --quiet --no-self-upgrade"
    minute: "{{ certbot_auto_renew_minute }}"
    hour: "{{ certbot_auto_renew_hour }}"
    user: "{{ certbot_auto_renew_user }}"

The options should be configurable, maybe using a certbot_auto_renew_options var.

Race condition issue with sever setup and certificate config/generation

Hi there!

Thanks for this role, it's very useful :)

I'm having a bit of a hard time trying to make my playbook completely idempotent when certbot_create_standalone_stop_services points to a web server. The problem I have is that the first time I set up the server, either the geerlingguy.nginx role fails because nginx can't find the certs (because the certbot role hasn't been run yet) or geerlingguy.certbot fails because it can't find nginx (because it hasn't been installed yet), depending on the order of execution of said roles.

It's easy to solve manually, of course: I removed the vhost def that included the path to the keyfiles from the yml and ran the playbook with roles in the following order:

  • geerlingguy.nginx
  • geerlingguy.certbot

This way, nginx doesn't complain about a non-existent file and the role runs successfully, and the certbot role correctly generates the keys and then restarts nginx. I can then edit the playbook and add the reference to the keys after it runs the first time.

Another possibility would be to generate the certs before setting up the web server, but then I'd need to tell the certbot role to only restart nginx if the service is present. Must be something easy to do with ansible, but I'd like to check if there's a config option or if perhaps I'm using the role in the wrong way.

Am I missing something? Any insights appreciated!
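The "only restart nginx if the service is present" behaviour asked for here (and in the "Basic config fails on servers without nginx" issue above) can be expressed in Ansible with service_facts. The following tasks are an added example, not the role's own code; they use the role's certbot_create_standalone_stop_services, certbot_create_command and cert_item variables and assume they run inside a loop over certbot_certs with loop_var set to cert_item. On systemd hosts service_facts lists units as nginx.service, on SysV hosts as nginx, so both spellings are checked.

```yaml
# Added example (not the role's own code): stop and start the configured
# services around a standalone issuance only when the service is actually
# installed, so a fresh host without nginx does not fail the play.
- name: Gather the services known to the service manager.
  ansible.builtin.service_facts:

- name: Stop the listed services that exist on this host (frees ports 80/443).
  ansible.builtin.service:
    name: "{{ item }}"
    state: stopped
  loop: "{{ certbot_create_standalone_stop_services }}"
  when: >-
    (item ~ '.service') in ansible_facts.services
    or item in ansible_facts.services

- name: Generate the certificate with the standalone authenticator.
  ansible.builtin.command: "{{ certbot_create_command }}"
  args:
    # Only issue once; renewals are left to the cron job / renewal hooks.
    creates: "/etc/letsencrypt/live/{{ cert_item.domains | first }}/fullchain.pem"

- name: Start the listed services again (only those that exist on this host).
  ansible.builtin.service:
    name: "{{ item }}"
    state: started
  loop: "{{ certbot_create_standalone_stop_services }}"
  when: >-
    (item ~ '.service') in ansible_facts.services
    or item in ansible_facts.services
```

With this ordering the certbot role can run before the nginx role on first provisioning: no service is stopped because none exists yet, the certificate is written to /etc/letsencrypt/live, and the nginx vhost that references the key files then starts cleanly. The start task deliberately uses state: started rather than a handler so a service that was running before issuance is back up before the play moves on.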

Question: Certbot vs letsencrypt commands

The cronjob adds

letsencrypt renew --quiet --no-self-upgrade

Why are we using letsencrypt vs the newer certbot commands?

Is it:

  • Installing (or not installing) from source
  • backwards compatibility
  • not using the certbot/certbot package
  • apt/yum inconsistencies with distributed binaries

I have notes from the original letsencrypt/certbot commands before it forked from EFF. The certbot/certbot instructions now say:

Until May 2016, Certbot was named simply letsencrypt or letsencrypt-auto, depending on install method. Instructions on the Internet, and some pieces of the software, may still refer to this older name.

So I started updating notes to use the "certbot" command. However it is confusing now that some machines are using this Ansible role. I guess I need to keep track of which machines exactly are using the new certbot stuff vs Ansible to solve this problem.

Is there anything preventing this Ansible role from using certbot commands so we can have consistency with the manually configured servers?

Should I always install from source so things are consistent?

The --quiet option doesn't work with "letsencrypt"

certbot_create_standalone_stop_services are only stopped at first run

To solve this problem I have made 2 very simple templates for use as a pre and post hook.

/etc/letsencrypt/renewal-hooks/pre/stop_services:

#!/bin/bash

{% for item in certbot_create_standalone_stop_services %}
echo "stopping service {{ item }}"
{% if ansible_service_mgr == 'systemd' %}
systemctl stop {{ item }}
{% elif ansible_service_mgr == 'upstart' %}
initctl stop {{ item }}
{% elif ansible_service_mgr == 'openrc' %}
rc-service {{ item }} stop
{% else %}
service {{ item }} stop
{% endif %}
{% endfor %}

/etc/letsencrypt/renewal-hooks/post/start_services:

#!/bin/bash

{% for item in certbot_create_standalone_stop_services %}
echo "starting service {{ item }}"
{% if ansible_service_mgr == 'systemd' %}
systemctl start {{ item }}
{% elif ansible_service_mgr == 'upstart' %}
initctl start {{ item }}
{% elif ansible_service_mgr == 'openrc' %}
rc-service {{ item }} start
{% else %}
service {{ item }} start
{% endif %}
{% endfor %}

If wanted I could write a small patch to implement this and make it a little more robust.
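To put the two hook templates from this post in place so that certbot's own renew run stops and restarts the same services the role stops at first issuance (the renewal-hooks mechanism also discussed in the "OS-provided cronjob conflicts with role cronjob" and "Improvement for crontab" issues above), the tasks below install them with the executable bit certbot requires. This is an added example, not code from the role or from the post's author; it assumes the two templates are saved beside the playbook as templates/stop_services.sh.j2 and templates/start_services.sh.j2 (file names chosen for this example) and uses the role's certbot_script variable.

```yaml
# Added example (not the role's own code): deploy the pre/post renewal hooks
# so `certbot renew` (from cron or a timer) frees ports 80/443 before the
# standalone challenge and brings the services back afterwards.
- name: Ensure the certbot renewal-hooks directories exist.
  ansible.builtin.file:
    path: "/etc/letsencrypt/renewal-hooks/{{ hook_dir }}"
    state: directory
    owner: root
    group: root
    mode: "0755"
  loop:
    - pre
    - post
  loop_control:
    loop_var: hook_dir

- name: Install the pre and post renewal hooks from the templates.
  ansible.builtin.template:
    src: "{{ hook.src }}"
    dest: "{{ hook.dest }}"
    owner: root
    group: root
    mode: "0755"   # certbot only runs hooks that are executable
  loop:
    - src: stop_services.sh.j2          # assumed path of the pre-hook template
      dest: /etc/letsencrypt/renewal-hooks/pre/stop_services
    - src: start_services.sh.j2         # assumed path of the post-hook template
      dest: /etc/letsencrypt/renewal-hooks/post/start_services
  loop_control:
    loop_var: hook   # avoid clashing with `item` used inside the templates

- name: Verify a dry-run renewal succeeds with the hooks in place.
  ansible.builtin.command: "{{ certbot_script }} renew --dry-run"
  changed_when: false
```

The loop_var settings matter: the templates iterate with {% for item in certbot_create_standalone_stop_services %}, so leaving the default loop variable named item in the template task would make the rendered scripts harder to reason about. The final dry run is the same check the "Renewing when ports 80 and 443 are already in use" issue uses to surface the "Could not bind to IPv4 or IPv6" failure, so it is a cheap way to confirm the hooks actually release the ports before the real renewal comes due.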
