Role Detail


Installs and configures Certbot (for Let's Encrypt).
Type Ansible
Minimum Ansible Version 2.0
Installation $ ansible-galaxy install geerlingguy.certbot
Last Commit 2017-10-31 15:09:03 PM UTC
Last Imported 2017-10-31 15:16:03 PM UTC
Version History
Version Release Date
2.0.1 2017-10-31 15:09:03 PM
2.0.0 2017-04-05 02:42:02 AM
1.0.1 2017-01-31 04:34:04 AM
1.0.0 2017-01-21 21:37:09 PM
0.2.1 2016-08-29 02:19:02 AM
0.2.0 2016-07-11 03:27:03 AM
0.1.0 2016-03-08 16:49:04 PM
Supported Platforms
Platform Version
Debian etch
Debian jessie
Debian lenny
Debian sid
Debian squeeze
Debian stretch
Debian wheezy
EL 6
EL 7
Fedora 16
Fedora 17
Fedora 18
Fedora 19
Fedora 20
Fedora 21
Fedora 22
Fedora 23
Fedora 24
Fedora 25
Fedora 26
Ubuntu artful
Ubuntu lucid
Ubuntu maverick
Ubuntu natty
Ubuntu oneiric
Ubuntu precise
Ubuntu quantal
Ubuntu raring
Ubuntu saucy
Ubuntu trusty
Ubuntu utopic
Ubuntu vivid
Ubuntu wily
Ubuntu xenial
Ubuntu yakkety
Ubuntu zesty
Last 10 Imports
Completed Status
2017-10-31 15:16:03 PM UTC SUCCESS
2017-10-31 15:13:03 PM UTC SUCCESS
2017-10-31 15:13:03 PM UTC SUCCESS
2017-10-06 11:15:11 AM UTC SUCCESS
2017-09-30 10:05:10 AM UTC SUCCESS
2017-09-07 18:24:06 PM UTC SUCCESS
2017-09-07 18:20:06 PM UTC SUCCESS
2017-09-07 08:05:08 AM UTC SUCCESS
2017-09-06 23:59:11 PM UTC SUCCESS
2017-09-06 23:50:11 PM UTC SUCCESS

Ansible Role: Certbot (for Let's Encrypt)

Build Status

Installs and configures Certbot (for Let's Encrypt).


If installing from source, Git is required. You can install Git using the geerlingguy.git role.

Role Variables

The variable certbot_install_from_source controls whether to install Certbot from Git or package management. The latter is the default, so the variable defaults to no.

certbot_auto_renew: true
certbot_auto_renew_user: "{{ ansible_user }}"
certbot_auto_renew_hour: 3
certbot_auto_renew_minute: 30
certbot_auto_renew_options: "--quiet --no-self-upgrade"

By default, this role configures a cron job to run under the provided user account at the given hour and minute, every day. The defaults run certbot renew (or certbot-auto renew) via cron every day at 03:30:00 by the user you use in your Ansible playbook. It's preferred that you set a custom user/hour/minute so the renewal is during a low-traffic period and done by a non-root user account.

Source Installation from Git

You can install Certbot from it's Git source repository if desired. This might be useful in several cases, but especially when older distributions don't have Certbot packages available (e.g. CentOS < 7, Ubuntu < 16.10 and Debian < 8).

certbot_install_from_source: no
certbot_version: master
certbot_keep_updated: yes

Certbot Git repository options. To install from source, set certbot_install_from_source to yes. This clones the configured certbot_repo, respecting the certbot_version setting. If certbot_keep_updated is set to yes, the repository is updated every time this role runs.

certbot_dir: /opt/certbot

The directory inside which Certbot will be cloned.



Example Playbook

- hosts: servers

    certbot_auto_renew_user: your_username_here
    certbot_auto_renew_minute: 20
    certbot_auto_renew_hour: 5

    - geerlingguy.certbot

Creating certificates with certbot

After installation, you can create certificates using the certbot (or certbot-auto) script (use letsencrypt on Ubuntu 16.04, or use /opt/certbot/certbot-auto if installing from source/Git. Here are some example commands to configure certificates with Certbot:

# Automatically add certs for all Apache virtualhosts (use with caution!).
certbot --apache

# Generate certs, but don't modify Apache configuration (safer).
certbot --apache certonly

If you want to fully automate the process of adding a new certificate, you can do so using the command line options to register, accept the terms of service, and then generate a cert using the standalone server:

  1. Make sure any services listening on port 80 (Apache, Nginx, Varnish, etc.) are stopped.
  2. Register with something like certbot register --agree-tos --email []
  • Note: You won't need to do this step in the future, when generating additional certs on the same server.
  1. Generate a cert for a domain whose DNS points to this server: certbot certonly --noninteractive --standalone -d -d
  2. Re-start whatever was listening on port 80 before.
  3. Update your webserver's virtualhost TLS configuration to point at the new certificate (fullchain.pem) and private key (privkey.pem) Certbot just generated for the domain you passed in the certbot command.
  4. Restart your webserver so it uses the new HTTPS virtualhost configuration.

Certbot certificate auto-renewal

By default, this role adds a cron job that will renew all installed certificates once per day at the hour and minute of your choosing.

You can test the auto-renewal (without actually renewing the cert) with the command:

/opt/certbot/certbot-auto renew --dry-run

See full documentation and options on the Certbot website.



Author Information

This role was created in 2016 by Jeff Geerling, author of Ansible for DevOps.