I'm trying to get a let's encrypt certificate for my domain with Ansible.
I have been reading https://www.digitalocean.com/community/tutorials/how-to-acquire-a-let-s-encrypt-certificate-using-ansible-on-ubuntu-18-04 which is a bit outdated and https://docs.ansible.com/ansible/latest/collections/community/crypto/acme_certificate_module.html#ansible-collections-community-crypto-acme-certificate-module .
My playbook is a mix of what I have found in the tutorial mentioned and the documentation.
---
-
name: "Create required directories in /etc/letsencrypt"
file:
path: "/etc/letsencrypt/{{ item }}"
state: directory
owner: root
group: root
mode: u=rwx,g=x,o=x
with_items:
-
name: Generate let's encrypt account key
openssl_privatekey:
path: "/etc/letsencrypt/account/account.key"
-
name: Generate let's encrypt private key with the default values (4096 bits, RSA)
openssl_privatekey:
path: "/etc/letsencrypt/keys/domain.me.key"
-
name: Generate an OpenSSL Certificate Signing Request
community.crypto.openssl_csr:
path: "/etc/letsencrypt/csrs/domain.me.csr"
privatekey_path: "/etc/letsencrypt/keys/domain.me.key"
common_name: www.domain.me
Create challenge
-
name: Create a challenge for domain.me using an account key file.
acme_certificate:
acme_directory: "https://acme-v02.api.letsencrypt.org/directory"
acme_version: 2
account_key_src: "/etc/letsencrypt/account/account.key"
account_email: "email@mail.com"
terms_agreed: yes
challenge: "http-01"
src: "/etc/letsencrypt/csrs/domain.me.csr"
dest: "/etc/letsencrypt/certs/domain.me.crt"
fullchain_dest: "/etc/letsencrypt/certs/domain.me-fullchain.crt"
register: acme_challenge_domain_me
-
name: "Create .well-known/acme-challenge directory"
file:
path: "project/dir/path/.well-known/acme-challenge"
state: directory
owner: root
group: root
mode: u=rwx,g=rx,o=rx
-
name: "Implement http-01 challenge files"
copy:
content: "{{ acme_challenge_domain_me['challenge_data'][item]['http-01']['resource_value'] }}"
dest: "project/dir/path/{{ acme_challenge_domain_me['challenge_data'][item]['http-01']['resource'] }}"
with_items:
- "domain.me"
- "www.domain.me"
when: acme_challenge_domain_me is changed and domain_name|string in acme_challenge_domain_me['challenge_data']
-
name: Let the challenge be validated and retrieve the cert and intermediate certificate
acme_certificate:
acme_directory: "https://acme-v02.api.letsencrypt.org/directory"
acme_version: 2
account_key_src: "/etc/letsencrypt/account/account.key"
account_email: "email@mail.com"
challenge: "http-01"
src: "/etc/letsencrypt/csrs/domain.me.csr"
cert: "/etc/letsencrypt/certs/domain.me.crt"
fullchain: "/etc/letsencrypt/certs/domain.me-fullchain.crt"
chain: "{/etc/letsencrypt/certs/domain.me-intermediate.crt"
remaining_days: "60"
data: "{{ acme_challenge_domain_me }}"
when: acme_challenge_domain_me is changed
When I run the playbook, I'm getting this error:
fatal: [web_server]: FAILED! =>
{
"changed": false,
"msg": "Failed to validate challenge for dns:www.domain.me: Status is \"invalid\". Challenge http-01: Error urn:ietf:params:acme:error:connection: \"xxx.xxx.x.ip: Fetching http://www.domain.me/.well-known/acme-challenge/NRkTQSpAVbWtjFNq206YES55lEoHHinHUn9cjR7vm7k: Connection refused\".",
"other": {
"authorization": {
"challenges": [
{
"error": {
"detail": "xxx.xxx.x.ip: Fetching http://www.domain.me/.well-known/acme-challenge/NRkTQSpAVbWtjFNq206YES55lEoHHinHUn9cjR7vm7k: Connection refused",
"status": 400,
"type": "urn:ietf:params:acme:error:connection"
},
"status": "invalid",
"token": "NRkTQSpAVbWtjFNq206YES55lEoHHinHUn9cjR7vm7k",
"type": "http-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/103702154687/UdA36w",
"validated": "2022-04-30T16:01:32Z",
"validationRecord": [
{
"addressUsed": "xxx.xxx.x.ip",
"addressesResolved": ["xxx.xxx.x.ip"],
"hostname": "www.domain.me",
"port": "80",
"url": "http://www.domain.me/.well-known/acme-challenge/NRkTQSpAVbWtjFNq206YES55lEoHHinHUn9cjR7vm7k"
}
]
}
],
"expires": "2022-05-07T15:57:28Z",
"identifier": {
"type": "dns",
"value": "www.domain.me"
},
"status": "invalid",
"uri": "https://acme-v02.api.letsencrypt.org/acme/authz-v3/103702154687"},
"identifier": "dns:www.domain.me"
}
}
Command UFW status gives:
To Action From
-- ------ ----
OpenSSH ALLOW Anywhere
80 ALLOW Anywhere
5432/tcp ALLOW Anywhere
443/tcp ALLOW Anywhere
OpenSSH (v6) ALLOW Anywhere (v6)
80 (v6) ALLOW Anywhere (v6)
5432/tcp (v6) ALLOW Anywhere (v6)
443/tcp (v6) ALLOW Anywhere (v6)
The nginx configuration is :
upstream project {
server unix:///tmp/project.sock;
}
server {
listen 443 ssl;
server_name www.domain.me;
ssl_certificate /etc/letsencrypt/certs/domain.me.crt;
ssl_certificate_key /etc/letsencrypt/keys/domain.me.key;
listen 80;
server_name domain.me www.domain.me;
charset utf-8;
client_max_body_size 4M;
return 302 https://$server_name$request_uri;
# Serving static files directly from Nginx without passing through uwsgi
location /app/static/ {
alias /home/admin/project/app/static/;
}
location / {
# kill cache
add_header Last-Modified $date_gmt;
add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
if_modified_since off;
expires off;
etag off;
uwsgi_pass project;
include /home/admin/project/uwsgi_params;
}
#location /404 {
# uwsgi_pass project;
# include /home/admin/project/uwsgi_params;
#}
}
Could you help me understand where the problem is coming from and how to solve it?
I'm not sure if my mistakes are coming from the playbook, Nginx settings, or somewhere else, so apologize if the question isn't perfectly targeted.
It's my first time doing this, so please include details and explanations to help me understand.
Thank you.