Certificates
Web certificates are generated using Certbot, a tool that obtains certificates from Let's Encrypt. Certificates are staged inside the reverse proxy server folder /data/certs, with one subfolder per host. An Ansible playbook wraps the Certbot commands used to generate the certificates.
Certificate Generation
Certificates are generated using the Ansible playbook playbooks/certs/generate_certs.yml. The certbot (or letsencrypt) folder is located at /data/letsencrypt on the host specified in the [certs] group. This is typically the main reverse proxy host.
The playbook reads the rproxy_setup_sites list variable to obtain the hostnames it passes to the certbot command. The value of the server_name field shown here is what the playbook passes to Certbot. Multiple sites may be specified in an inventory when required.
rproxy_setup_sites:
  - server_name: homelab.refol.us
    port: 80
    proxy_pass: "http://{{ global_ip_addresses['redmine-0'] }}"
    allow_list:
      - 192.168.0.0/24
      - 192.168.2.0/24
      - 24.105.250.200
      - 70.107.117.124
    restricted: false
Certificate Staging
Certificates are staged using the Ansible playbook playbooks/certs/stage_certs.yml. This playbook copies the privkey.pem and fullchain.pem files from the Let's Encrypt folder into the host-specific folder under /data/certs. These files are referenced in the NGINX host file (e.g. /data/nginx/sites-available/homelab.refol.us.conf):
ssl_certificate /data/certs/homelab.refol.us/fullchain.pem;
ssl_certificate_key /data/certs/homelab.refol.us/privkey.pem;
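The staging step above amounts to copying two files into the per-host folder, and the private key then sits on the reverse proxy where NGINX reads it. The following shell functions are an added example, not the repository's stage_certs.yml playbook: they perform the same copy against parameterised source and destination directories, tighten the file modes on the result (the restrictive modes and the check functions are additions assumed here, not something the page states the playbook does), and give a quick way to confirm that a staged pair is usable before NGINX is reloaded. The function names, the example.test hostname used in the usage comment, and the scratch-directory layout are all assumptions; the real layout on rproxy-0 is /data/letsencrypt and /data/certs as described above.

```shell
#!/bin/sh
# Added example (not the repository's stage_certs.yml): stage one host's
# Let's Encrypt files into the reverse proxy's /data/certs layout with
# restrictive permissions, then sanity-check the pair before NGINX loads it.
# Directories are parameters so this can be exercised in a scratch tree;
# on rproxy-0 they would be /data/letsencrypt and /data/certs.

# stage_cert <host> <letsencrypt_dir> <certs_dir>
# Copies privkey.pem and fullchain.pem from <letsencrypt_dir>/live/<host>/
# (certbot's live/ entries are symlinks; cp follows them) into
# <certs_dir>/<host>/ and prints the destination directory.
stage_cert() {
    host="$1"; le_dir="$2"; certs_dir="$3"
    src="$le_dir/live/$host"
    dst="$certs_dir/$host"
    for f in privkey.pem fullchain.pem; do
        [ -f "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
    done
    mkdir -p "$dst" || return 1
    cp "$src/privkey.pem" "$dst/privkey.pem" || return 1
    cp "$src/fullchain.pem" "$dst/fullchain.pem" || return 1
    # Key readable only by its owner; the chain is public material.
    chmod 600 "$dst/privkey.pem" && chmod 644 "$dst/fullchain.pem" || return 1
    # Do not let other local users list the staging directory.
    chmod 750 "$dst" || return 1
    echo "$dst"
}

# check_pem_pair <dir>
# Offline sanity check: the staged files carry PEM certificate and
# private-key headers, so a truncated or swapped copy is caught early.
check_pem_pair() {
    d="$1"
    grep -q '^-----BEGIN CERTIFICATE-----' "$d/fullchain.pem" || return 1
    grep -Eq '^-----BEGIN (EC |RSA )?PRIVATE KEY-----' "$d/privkey.pem" || return 1
    return 0
}

# verify_with_openssl <dir> [days]
# Confirms the private key matches the leaf certificate in fullchain.pem and
# that the leaf does not expire within <days> (default 30). Needs openssl
# and real certificate material, so it is not run on constructed input.
verify_with_openssl() {
    d="$1"; days="${2:-30}"
    cert_pub=$(openssl x509 -in "$d/fullchain.pem" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$d/privkey.pem" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] || { echo "key does not match certificate" >&2; return 1; }
    openssl x509 -in "$d/fullchain.pem" -noout -checkend $((days * 86400)) \
        || { echo "certificate expires within $days days" >&2; return 1; }
}

# Usage on the reverse proxy, as the user that owns /data/certs:
#   stage_cert homelab.refol.us /data/letsencrypt /data/certs \
#     && check_pem_pair /data/certs/homelab.refol.us \
#     && verify_with_openssl /data/certs/homelab.refol.us 30
```

The openssl step is the one worth keeping after the playbooks in the Example section have run: a mismatched key and chain, or a chain that is about to expire, only surfaces when NGINX reloads or when clients start failing, and both are cheap to detect at staging time.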
Example
The following example shows how to generate certificates for homelab.refol.us and stage them for use:
INV=inventory/redmine/inventory.ini
ansible-playbook -i $INV playbooks/certs/generate_certs.yml -k
ansible-playbook -i $INV playbooks/certs/stage_certs.yml -k
Debugging Certificate Request Errors
If errors occur during the certificate renewal request, open the /data/letsencrypt/log/letsencrypt.log file on rproxy-0.