Manage SSL Certificates with Let's Encrypt #17

Closed
vialcollet opened this issue Apr 10, 2016 · 14 comments
@vialcollet

Hi and thanks a lot for this great role.
I have managed to handle Let's Encrypt. I am a beginner with Ansible, so let me know what you think of the approach and I can submit a pull request if you want.
The main issue is that we need a valid nginx configuration (with valid certificates) in order to use the webroot validation.

My approach is the following (we should add a variable to activate this):

  • Adjust the nginx configuration template
  • Let the RocketChat role generate self-signed certificates.
  • Then I use a role from thefinn93 (https://github.com/thefinn93/ansible-letsencrypt) to install Let's Encrypt, request the certificate and set up the automatic renewal.
  • Then I delete the self-signed certificates and symlink Let's Encrypt certificates.

Changes in rocket_chat.conf.j2 (in the ssl server section):

  location ~ /.well-known {
      root /var/www/letsencrypt;
      allow all;
  }

Then my playbook:

---
  - name: Apply the RocketChat.Server role to all chat_servers
    vars:
      rocket_chat_automatic_upgrades: true
      rocket_chat_tarball_sha256sum: 316673b6e11993b32f0499ef3a28316f3780d23a7c5a756f07211edaa727b982
      letsencrypt_webroot_path: /var/www/letsencrypt
      letsencrypt_email: [email protected]
      # letsencrypt_server: https://acme-staging.api.letsencrypt.org/directory
      letsencrypt_server: https://acme-v01.api.letsencrypt.org/directory
      rocket_chat_ssl_generate_certs: true
    hosts: chat_servers
    pre_tasks:
      - name: Create let's encrypt root folder
        file: path=/var/www/letsencrypt state=directory mode=0775
    roles:
      - RocketChat.Server
      - letsencrypt
    tasks:
      - name: Delete self-signed certificates
        file: path={{ item }} state=absent
        with_items:
          - '{{ rocket_chat_ssl_key_path }}'
          - '{{ rocket_chat_ssl_cert_path }}'
      - name: "Symlink to Let's Encrypt key: {{ rocket_chat_ssl_key_path }}"
        file: src='/etc/letsencrypt/live/{{ ansible_fqdn }}/privkey.pem' dest={{ rocket_chat_ssl_key_path }} state=link
      - name: "Symlink to Let's Encrypt certificate: {{ rocket_chat_ssl_cert_path }}"
        file: src='/etc/letsencrypt/live/{{ ansible_fqdn }}/fullchain.pem' dest={{ rocket_chat_ssl_cert_path }} state=link
        notify: Reload the Nginx service
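A check for the swap step described above, added here as an example (not code from this issue or from the RocketChat role): it parses the `openssl x509` summary of the certificate nginx serves, reports whether it is still the role's self-signed bootstrap certificate or the Let's Encrypt one, and whether renewal is due. The 30-day renewal threshold, the `check_pem` helper and the sample summaries are assumptions.

```python
"""Added check for the bootstrap-then-swap step above (not code from the issue or
the role): is nginx still serving the self-signed bootstrap cert or the Let's
Encrypt one, and is renewal due?"""
import subprocess
from datetime import datetime, timezone

RENEW_WITHIN_DAYS = 30  # assumption: fewer than 30 days left means "renew now"
REFERENCE_NOW = datetime(2016, 4, 10, tzinfo=timezone.utc)  # fixed clock for samples

def parse_x509_summary(text):
    """Parse `openssl x509 -noout -subject -issuer -enddate` output into a dict;
    works for 'subject=CN = x' (OpenSSL 1.1+) and 'subject= /CN=x' (1.0)."""
    info = {}
    for line in text.splitlines():
        key, _, value = line.partition("=")
        info[key.strip()] = value.strip()
    return info

def classify(info, now=None):
    """Return (kind, days_left, renew_due): 'self-signed' when issuer == subject
    (the role's bootstrap cert), 'letsencrypt' when Let's Encrypt issued it."""
    now = now or datetime.now(timezone.utc)
    if info["subject"] == info["issuer"]:
        kind = "self-signed"
    elif "Let's Encrypt" in info["issuer"]:
        kind = "letsencrypt"
    else:
        kind = "other"
    not_after = datetime.strptime(info["notAfter"], "%b %d %H:%M:%S %Y %Z")
    days_left = (not_after.replace(tzinfo=timezone.utc) - now).days
    return kind, days_left, days_left < RENEW_WITHIN_DAYS

def check_pem(path, now=None):
    """Classify a PEM file such as the fullchain.pem symlink target (needs openssl)."""
    cmd = ["openssl", "x509", "-in", path, "-noout", "-subject", "-issuer", "-enddate"]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return classify(parse_x509_summary(out), now)

# Constructed sample summaries (not captured from a real server).
SELF_SIGNED = ("subject=CN = chat.example.com\nissuer=CN = chat.example.com\n"
               "notAfter=Apr 10 00:00:00 2017 GMT\n")
LE_FRESH = ("subject=CN = chat.example.com\n"
            "issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3\n"
            "notAfter=Jul  9 12:00:00 2016 GMT\n")
LE_EXPIRING = LE_FRESH.replace("Jul  9 12:00:00 2016", "Apr 30 00:00:00 2016")

if __name__ == "__main__":
    for sample in (SELF_SIGNED, LE_FRESH, LE_EXPIRING):
        print(classify(parse_x509_summary(sample), REFERENCE_NOW))
```

Running `check_pem` against the symlink target after the playbook finishes confirms the swap actually happened, and the same function can back a monitoring check that fires before the renewal cron is due.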
@cmacrae

cmacrae commented Apr 11, 2016

Hi again @vialcollet 👋

Awesome, this is good to hear - this is something I've been wanting to implement for a while.
I should get some time to go over this properly today, bit busy at the moment, but I have some initial thoughts about this:

Due to the flexibility of the role, and the different services it deploys, it cannot depend on other roles.
So far, I've written it in such a way that it supports deployment of the necessary services at what could be considered a "basic" level. Users have the option to either use this role's basic deployment of said services, or, if they desire more fine-grained/sophisticated control of a service, they can opt out of this role deploying the service with a simple variable setting, then use another role to manage it.

I'd like to take the same approach with Let's Encrypt, being that I would implement my own code for the deployment, and expose a variable that allows users to stick with my deployment code, or use another role.

Considering you've been kind enough to share this with me - I'd like to ask you, as a user, what your thoughts would be on the above? This is really the approach I'd like to take, but I'll value any insight you may have on the matter :)

@vialcollet
Author

Hi @cmacrae

I really like your approach. I know there is a lot of debate around whether Ansible roles should be highly specialized on a service or cover a full solution. In the case of Let's Encrypt you might also want to set up a cron job for the renewal.
My (recent) experience on this is related to... Sensu stack installation :) And I have to say that the work you have done in this area is absolutely fantastic. I am using it myself! So once you understand the role and its variables you can very quickly deploy your stack. Much more quickly than if you have to interface roles to build the solution. With the sensu example, I am still trying to get graphite and grafana into the picture for example...
So I would encourage you to go in this direction.
This being said, you don't necessarily need to set TheFinn93's role as a direct dependency, but rather adjust your role to make it fit with the Let's Encrypt one.
I have seen a role with nice integration of the Let's Encrypt role from Thefinn93. I used it to deploy a Jitsi Meet server. You can check here:
Here is my resulting playbook with his role:

- name: Configure jitsi-meet server.
  hosts: jitsi_servers
  vars:
    # Change this to match the DNS entry for your host IP.
    jitsi_meet_server_name: '{{ ansible_fqdn }}'
  roles:
    - role: letsencrypt
      become: yes
      letsencrypt_email: "[email protected]"
      letsencrypt_cert_domains:
        - "{{ jitsi_meet_server_name }}"
      tags: letsencrypt

    - role: freedomofpress.jitsi-meet
      jitsi_meet_ssl_cert_path: "/etc/letsencrypt/live/{{ jitsi_meet_server_name }}/fullchain.pem"
      jitsi_meet_ssl_key_path: "/etc/letsencrypt/live/{{ jitsi_meet_server_name }}/privkey.pem"
      become: yes
      tags: jitsi

What do you think?
I am happy to dig further with you. But don't forget I am an Ansible beginner (happy beginner though).

@cmacrae

cmacrae commented Apr 18, 2016

Hey @vialcollet - thanks so much for your response. That's great to hear about your explorations into my Sensu role. I definitely agree this is a good approach.

I've got a very busy schedule at the moment, but I'm hoping I may get some time to implement this either this week, or the next - so just hang in there 👍

@xenithorb
Collaborator

@vialcollet

I know there is a lot of debate around whether ansible roles should be highly specialized on a service or cover a full solution.

This was always a "Rocket.Chat in a box" as far as I'm concerned, so I don't see any issues with implementing here. I think I'll work on this soon

xenithorb added a commit that referenced this issue Sep 26, 2016
@xenithorb
Collaborator

Anyone want to give https://github.com/RocketChat/Rocket.Chat.Ansible/tree/letsencrypt a shot?

xenithorb added a commit that referenced this issue Sep 26, 2016
@vialcollet
Author

Hi there.
Did anyone make some progress on this?

@xenithorb
Collaborator

Yep. It was completed some time ago on this branch: https://github.com/RocketChat/Rocket.Chat.Ansible/tree/travis_build_test_WIP

I use this branch on my personal server.

It's been a while since I updated it though, life happened in the meantime as it always does and I forgot about where I left this. Thanks for reminding me - I'll put merging this to master and updating the documentation on my to-do list.

@aoyawale

@xenithorb thank you for adding letsencrypt. I'm looking forward to when it gets added to master. I use Ansible heavily and have been debating between Rocket.Chat and Mattermost. So far I'm liking Rocket.Chat.

@aoyawale

This worked for me, so I say it's good to go.

@xenithorb
Collaborator

xenithorb commented Oct 21, 2017

My hold up on releasing this to master is the documentation. The README is a bit much on this one |:

(My other hold-up was disappearing for several months, back now though!)

@aoyawale

no problem. I can try to help with the README. Is there any specific way you need it?

xenithorb added a commit that referenced this issue Oct 22, 2017
@xenithorb
Collaborator

xenithorb commented Oct 22, 2017

d55bd81...9fd1bc1

Bit of stuff to go over... If you want to submit some PRs to change the README to reflect the new variable names and such that would be great. I'm terrible at documentation.

I still plan on breaking apart:

  1. travis_build test 569b417
  2. WIP: Let's Encrypt support! 7ded192

by rebasing. I shouldn't change the code too much, but those commits need to be documented better and clarified. Most of that I plan on doing myself, but the README.md tables are tedious.

@xenithorb
Collaborator

Closing this since the working implementation is on develop

@xenithorb
Collaborator

@jlozadad please join me here: #51

xenithorb added a commit that referenced this issue Oct 22, 2017
xenithorb added a commit that referenced this issue Feb 17, 2018
 - Add rocket_chat_letsencrypt_* variables to defaults/main.yml
 - Add tasks/letsencrypt.yml utilizing acme-tiny.py for SSL certs
 - Inserts cronjob in /etc/cron.monthly/acme-tiny_renew.sh to keep
   things current (perhaps systemd timer in the future)
 - Set newly generated generic RSA certs to 4096 bits
 - Add .well-known path for ACME in templates/rocket_chat.conf
 - Add `cron` to dependencies

Resolves: #17
xenithorb added a commit that referenced this issue Feb 18, 2018