Using Letsencrypt in your LA node
- Intro
- certbot ansible role
- certbot manual installation
- ALA letsencrypt certificates configuration
- ALA generic certificates configuration
We explain here how to use Let's Encrypt certificates with ALA.
You can create a playbook that automatically requests your Let's Encrypt certificates via the coopdevs.certbot_nginx role. Sample configuration for a server where you want to deploy collectory, biocache, bie and their web services:
```yaml
- hosts: yourserver
  tasks:
    - include_role:
        name: coopdevs.certbot_nginx
      vars:
        domain_name: "{{ item }}"
        letsencrypt_email: support@example.org
        certbot_nginx_cert_name: "{{ item }}"
      with_items:
        - bie.example.org
        - bie-ws.example.org
        - biocache.example.org
        - biocache-ws.example.org
        - collectory.example.org
      tags: letsencrypt
```
This requests one certificate per subdomain. Afterwards, configure the certificates in your ansible inventories and rerun ansible.

Recommendation: group your LA domains by the server on which each service will be deployed.
If you prefer to do this manually, you have to install certbot, request your certificates, configure the certificates in your inventories, and rerun ansible.

Follow the certbot installation instructions for Ubuntu to install the certbot Ubuntu package.
You can request your certificates with something like:

```sh
certbot --nginx --cert-name example.org -d core.example.org -d bie.example.org -d biocache-ws.example.org -d biocache.example.org -d collectory.example.org -d images.example.org
```
If you want to add a new subdomain to an existing certificate:

```sh
certbot --nginx --expand --cert-name example.org -d core.example.org -d bie.example.org -d biocache-ws.example.org -d biocache.example.org -d collectory.example.org -d images.example.org -d lists.example.org -d logger.example.org
```
In some cases it is better to use `certonly`, which obtains the certificate without touching the nginx configuration (ala-install will write the vhosts itself), for example with the webroot authenticator:

```sh
certbot certonly --webroot -w /srv/snib.conap.gob.gt/www/ -d snib.conap.gob.gt --cert-name snib
```

Note that with `certonly` certbot does not reload nginx after a renewal, so nginx keeps serving the old certificate until it is reloaded; add a deploy hook (for example `--deploy-hook "systemctl reload nginx"`) so renewals by the certbot timer take effect.
To see your current certificates:

```sh
certbot certificates
```
Here is a sample of how to configure your certificates in your ALA inventories:

```ini
[all:vars]
ssl=true
ssl_cert_file=fullchain.pem
ssl_key_file=privkey.pem

[bie-hub:vars]
ssl_certificate_server_dir=/etc/letsencrypt/live/bie.example.org

[bie-index:vars]
ssl_certificate_server_dir=/etc/letsencrypt/live/bie-ws.example.org
```
In some cases you can simplify your inventories: we recommend requesting one certificate with multiple domains for each server of your node. That is, if you have the subdomains bie.example.org and bie-ws.example.org on the same server, instead of requesting two certificates it is easier to request one that covers both domains.

So instead of configuring different vars, like:
```ini
[bie-hub:vars]
ssl_certificate_server_dir=/etc/letsencrypt/live/bie.example.org

[bie-index:vars]
ssl_certificate_server_dir=/etc/letsencrypt/live/bie-ws.example.org

[image-service:vars]
ssl_certificate_server_dir=/etc/letsencrypt/live/images.example.org
(...)
```
you have a single ansible var in your inventory:

```ini
[all:vars]
ssl_certificate_server_dir=/etc/letsencrypt/live/example.org
(...)
```
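Before pointing `ssl_certificate_server_dir` at a single live directory (and after every `--expand`), it is worth confirming that the certificate there actually matches its private key, is not about to expire, and lists every hostname the server's vhosts will serve; otherwise nginx will fail to start or browsers will reject the name. The following is an added example written for this page, not code from ala-install or certbot. `check_cert_dir` is a hypothetical helper name; it assumes the certbot layout of `fullchain.pem` and `privkey.pem` and an `openssl` of 1.1.1 or newer (for `-ext`) on the PATH.

```bash
#!/usr/bin/env bash
# Pre-flight check for a Let's Encrypt live directory before rerunning ansible.
# Hypothetical helper written for this page; not part of ala-install or certbot.
# Usage: check_cert_dir /etc/letsencrypt/live/example.org bie.example.org bie-ws.example.org ...
# Exit codes: 0 = ok, 1 = certificate problem, 2 = files missing or unparseable.

check_cert_dir() {
    local dir="$1"; shift
    local cert="$dir/fullchain.pem" key="$dir/privkey.pem"
    local min_days="${MIN_DAYS:-14}"   # fail when fewer days than this remain
    local rc=0

    # 1. Both files ala-install expects (ssl_cert_file / ssl_key_file) must exist.
    local f
    for f in "$cert" "$key"; do
        if [ ! -r "$f" ]; then
            echo "missing or unreadable: $f" >&2
            return 2
        fi
    done

    # 2. The private key must belong to the leaf certificate
    #    (the first PEM block of fullchain.pem is the leaf).
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
        || { echo "cannot parse $cert" >&2; return 2; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
        || { echo "cannot parse $key" >&2; return 2; }
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "privkey.pem does not match fullchain.pem in $dir" >&2
        rc=1
    fi

    # 3. The certificate must not expire within min_days (-checkend takes seconds).
    if ! openssl x509 -in "$cert" -noout -checkend $(( min_days * 86400 )) >/dev/null; then
        echo "certificate in $dir expires within $min_days days; run 'certbot renew'" >&2
        rc=1
    fi

    # 4. Every hostname served from this directory must appear in the SAN list.
    #    Entries are printed as "DNS:a.example.org, DNS:b.example.org".
    local sans name
    sans=$(openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null)
    for name in "$@"; do
        case "$sans" in
            *"DNS:$name,"*|*"DNS:$name") ;;
            *) echo "certificate in $dir does not cover $name" >&2; rc=1 ;;
        esac
    done
    return $rc
}
```

Run it as root on each server (the live directory is root-only) with the hostnames of every vhost that will use that directory; an exit status of 0 means the inventory value is safe to apply, 1 points at a certificate problem to fix with certbot first, and 2 means the files are not where ala-install will look for them.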
The SSL configuration if you don't use Let's Encrypt is not very different. Put your certificate files in a directory such as /etc/mycerts on each server, and configure your inventories to point to them:

```ini
[all:vars]
# full chain:
ssl_cert_file=dados.gbif.pt.pem
# private key:
ssl_key_file=dados.gbif.pt.key
ssl_certificate_server_dir=/etc/mycerts/ # copy all the certificate files here on each vm
(...)
```
ala-install will then configure your nginx with the correct paths to your certificates. If nginx does not restart correctly, review the vhost configuration and the certificate files on that server.