Merge pull request #504 from mikeashley/letsencrypt

Let's Encrypt support

README.md

@@ -54,37 +54,15 @@ What You’ll Need
 
 1.  A VPS (or bare-metal server if you wanna ball hard). My VPS is hosted at [Linode](http://www.linode.com/?r=45405878277aa04ee1f1d21394285da6b43f963b). You’ll probably want at least 512 MB of RAM between Apache, Solr, and PostgreSQL. Mine has 1024.
 2.  [64-bit Debian 7](http://www.debian.org/) or an equivalent Linux distribution. (You can use whatever distro you want, but deviating from Debian will require more tweaks to the playbooks. See Ansible’s different [packaging](http://docs.ansible.com/ansible/list_of_packaging_modules.html) modules.)
-3.  A wildcard SSL certificate. You can either buy one or self-sign if you want to save money.
-4.  A [Tarsnap](http://www.tarsnap.com) account with some credit in it. You could comment this out if you want to use a different backup service. Consider paying your hosting provider for backups or using an additional backup service for redundancy.
+3.  A [Tarsnap](http://www.tarsnap.com) account with some credit in it. You could comment this out if you want to use a different backup service. Consider paying your hosting provider for backups or using an additional backup service for redundancy.
 
-Installation
-------------
-
-### 1. Get a wildcard SSL certificate
-
-Generate a private key and a certificate signing request (CSR):
-
-    openssl req -nodes -newkey rsa:2048 -keyout roles/common/files/wildcard_private.key -sha256 -out mycert.csr
-
-Purchase a wildcard cert from a certificate authority, such as [Positive SSL](https://positivessl.com) or [AlphaSSL](https://www.alphassl.com). You will provide them with the contents of your CSR, and in return they will give you your signed public certificate. Place the certificate in `roles/common/files/wildcard_public_cert.crt`.
-
-Download your certificate authority’s combined cert to `roles/common/files/wildcard_ca.pem`. You can also download the intermediate and root certificates separately and concatenate them together in that order.
-
-Lastly, test your certificate:
-
-    openssl verify -verbose -CAfile roles/common/files/wildcard_ca.pem roles/common/files/wildcard_public_cert.crt
-
-#### Self-signed SSL certificate
+You do not need to acquire an SSL certificate.  The SSL certificates you need will be obtained from [Let's Encrypt](https://letsencrypt.org/) automatically when you deploy your server.
 
-Purchasing SSL certs, and wildcard certs specifically, can be a significant financial burden. It is possible to generate a self-signed SSL certificate (i.e. one that isn’t signed by a Certificate Authority) that is free of charge by nature. However, since a self-signed cert has no CA chain that can confirm its authenticity, some services might behave erratically when using such a certificate.
 
-To create a self-signed SSL cert, run the following commands:
-
-    openssl req -nodes -newkey rsa:2048 -keyout roles/common/files/wildcard_private.key -sha256 -out mycert.csr
-    openssl x509 -req -days 365 -in mycert.csr -signkey roles/common/files/wildcard_private.key -out roles/common/files/wildcard_public_cert.crt
-    cp roles/common/files/wildcard_public_cert.crt roles/common/files/wildcard_ca.pem
+Installation
+------------
 
-### 2. Get a Tarsnap machine key
+### 1. Get a Tarsnap machine key
 
 If you haven’t already, [download and install Tarsnap](https://www.tarsnap.com/download.html), or use `brew install tarsnap` if you use [Homebrew](http://brew.sh).
 
@@ -92,7 +70,7 @@ Create a new machine key for your server:
 
     tarsnap-keygen --keyfile roles/tarsnap/files/decrypted_tarsnap.key --user me@example.com --machine example.com
 
-### 3. Prep the server
+### 2. Prep the server
 
 For goodness sake, change the root password:
 
@@ -115,7 +93,7 @@ Authorize your ssh key if you want passwordless ssh login (optional):
 
 Your new account will be automatically set up for passwordless `sudo`.
 
-### 4. Configure your installation
+### 3. Configure your installation
 
 Modify the settings in `vars/user.yml` to your liking. If you want to see how they’re used in context, just search for the corresponding string.
 
@@ -167,6 +145,22 @@ For Git hosting, copy your public key into place:
 
 Finally, replace the TODOs in the file `hosts`. If your SSH daemon listens on a non-standard port, add a colon and the port number after the IP address. In that case you also need to add your custom port to the task `Set firewall rules for web traffic and SSH` in the file `roles/common/tasks/ufw.yml`.
 
+### 4. Set up DNS
+
+If you’ve just bought a new domain name, point it at [Linode’s DNS Manager](https://library.linode.com/dns-manager) or similar. Most VPS services (and even some domain registrars) offer a managed DNS service that you can use for this at no charge. If you’re using an existing domain that’s already managed elsewhere, you can probably just modify a few records.
+
+Create `A` or `CNAME` records which point to your server's IP address:
+
+* `example.com`
+* `mail.example.com`
+* `autoconfig.example.com` (for email client automatic configuration)
+* `read.example.com` (for Wallabag)
+* `news.example.com` (for Selfoss)
+* `cloud.example.com` (for ownCloud)
+* `git.example.com` (for cgit)
+
+Verify that the `subdomains` variable in `vars/user.yml` matches the list of subdomains you have just set up.
+
 ### 5. Run the Ansible Playbooks
 
 First, make sure you’ve [got Ansible 1.6+ installed](http://docs.ansible.com/intro_installation.html#getting-ansible).
@@ -183,21 +177,9 @@ You might find that it fails at one point or another. This is probably because s
 
 The `dependencies` tag just installs dependencies, performing no other operations. The tasks associated with the `dependencies` tag do not rely on the user-provided settings that live in `vars/user.yml`. Running the playbook with the `dependencies` tag is particularly convenient for working with Docker images.
 
-### 6. Set up DNS
-
-If you’ve just bought a new domain name, point it at [Linode’s DNS Manager](https://library.linode.com/dns-manager) or similar. Most VPS services (and even some domain registrars) offer a managed DNS service that you can use for this at no charge. If you’re using an existing domain that’s already managed elsewhere, you can probably just modify a few records.
-
-Create `A` records which point to your server's IP address:
-
-* `example.com`
-* `mail.example.com`
-* `autoconfig.example.com` (for email client automatic configuration)
-* `read.example.com` (for Wallabag)
-* `news.example.com` (for Selfoss)
-* `cloud.example.com` (for ownCloud)
-* `git.example.com` (for cgit)
+### 6. Finish DNS set-up
 
-Create a `MX` record for `example.com` which assigns `mail.example.com` as the domain’s mail server.
+Create an `MX` record for `example.com` which assigns `mail.example.com` as the domain’s mail server.
 
 To ensure your emails pass DKIM checks you need to add a `txt` record. The name field will be `default._domainkey.EXAMPLE.COM.` The value field contains the public key used by OpenDKIM. The exact value needed can be found in the file `/etc/opendkim/keys/EXAMPLE.COM/default.txt` it’ll look something like this:
 

roles/common/DESIGN.md

@@ -0,0 +1,29 @@
+# Design Description for Common Role
+
+## Let's Encrypt Support
+
+[Let's Encrypt](https://letsencrypt.org) (LE) is an automated certificate authority that provides free SSL certificates that are trusted by all major browsers.  LE certificates are used by Sovereign instead of purchased certificates from authorities like RapidSSL in order to reduce the out-of-pocket cost of deploying Sovereign and avoid end-user problems with self-signed certificates.
+
+### Design approach
+
+The Let's Encrypt service uses DNS to look up domains being registered and then contact the client to verify. For this to work, DNS records must be configured before the playbook is run the first time.
+
+A single certificate is created using Let's Encrypt with SANs used for the subdomains.  At deploy-time, a script is used to query DNS for known subdomains, build a list of the subset that is registered, and use it when making the certificate request of Let's Encrypt.
+
+Several packages need access to the private key. Not all are run as root. An example is Prosody (XMPP). Such users are added to the ssl-cert group, and /etc/letsencrypt is set up to allow keys to be read by ssl-cert.
+
+Certificates and private keys are backed up using tarsnap.
+
+Certificate renewal is done automatically using cron. The cron script must be aware of private key copies and update them as well. Services that depend on new keys must also be bounced. It is up to roles that rely on keys to modify the cron script (preferably using `lineinfile` or something similar) to accomplish this.
+
+### Testing support
+
+An isolated VM deployed with Vagrant is used for testing. The Let's Encrypt service cannot be used to get keys for it, since it is not bound with DNS. A self-signed wildcard key is therefore used for testing. The wildcard key, certificate, and chain are installed in the same way that Let's Encrypt keys are installed.
+
+### Alternative approaches
+
+Another way to generate certificates is to generate one certificate per domain and expect each module that uses a subdomain to generate its own certificate for the subdomain.
+
+This was prototyped. The common role included a parameterized task list that could be invoked by modules that needed to generate a key. The certificate renewal script run by cron could be modified to update all the certificates in the `live` directory.
+
+This approach was rejected due to complexity. This would have been the first time modules needed to invoke a task list from another module. Managing multiple certificates is also more complicated.

roles/common/files/etc_cron-monthly_letsencrypt-renew

@@ -0,0 +1,21 @@
+#!/bin/bash
+# Renew all live certificates with LetsEncrypt.  This needs to run at least
+# once every three months.
+
+# Given a certificate file returns "domain1,domain2"
+# https://community.letsencrypt.org/t/help-me-understand-renewal-config/7115
+function getDomains() {
+        openssl x509 -text -in "$1" |
+        grep -A1 "Subject Alternative Name:" | tail -n1 |
+        tr -d ' ' | tr -d 'DNS:'
+}
+
+service apache2 stop
+for c in `ls /etc/letsencrypt/live`; do
+  domains=$(getDomains /etc/letsencrypt/live/$c/cert.pem)
+  /root/letsencrypt/letsencrypt-auto --renew certonly -c /etc/letsencrypt/cli.conf --domains=$domains
+done
+service apache2 start
+
+# Services that rely on LE certificates will need restarted.
+

roles/common/files/letsencrypt-gencert

@@ -0,0 +1,8 @@
+#!/bin/bash
+d="$1"
+for i in www mail autoconfig read news cloud git; do
+  if (getent hosts $i.$1 > /dev/null); then
+    d="$d,$i.$1";
+  fi
+done
+/root/letsencrypt/letsencrypt-auto certonly -c /etc/letsencrypt/cli.conf --domains $d

roles/common/files/wildcard_ca.pem

@@ -1,20 +1,20 @@
 -----BEGIN CERTIFICATE-----
-MIIDPjCCAiYCCQDcHVzv6JwhEzANBgkqhkiG9w0BAQUFADBhMQswCQYDVQQGEwJB
-VTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0
-cyBQdHkgTHRkMRowGAYDVQQDFBEqLnNvdmVyZWlnbi5sb2NhbDAeFw0xMzExMDIx
-OTI4NDlaFw0xNDExMDIxOTI4NDlaMGExCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpT
-b21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxGjAY
-BgNVBAMUESouc292ZXJlaWduLmxvY2FsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
-MIIBCgKCAQEArpXru3ZQKl+OVlBar2yziN5ZiVSbt6QYuJtTUmMAfAtGsPobueyI
-6XLG6QcFNCWNqUd3fa15GPYluFA5Ot7bPAoo3UQXJvM9n/tQ2YWPjPgxaV4sCKrI
-yw7UF+f2NwtUVdj1wHB0x7bh9asNv+ZDC5O2ze8dn09CS7Puh13bsVFm1iapngrr
-C6ctethJF67A/mRa7UzqHzesAznkgaWfhDLyygNX0PzI5ywVAKbgvxUWndPx3oY6
-yx5jrfk+opMUUnDu9AqhthTPaKK1s3JXJBOW2R/rlgYokfO7VBDkRv/ty3B1BnmS
-xdOV/01f5JJdgfLlR6PNd2FMmMoCesg9YwIDAQABMA0GCSqGSIb3DQEBBQUAA4IB
-AQAX5KZYIYcMuHRdsd/EKwee+pzp0irs1dqbNwYJIj3HS8Zx/qd+LET4irQbY72N
-9Z2s0UTSngy4axlyItKrn+k26FUnSW80W8GMb/dEIyKg5Vnu+zLKnKj85dGUBSAP
-AzhNyqkwiY5BFFy/tvuFBvjxle9vkBNZrmtsh/PktzaW3BNrYaE9xDMYesT9xi73
-aKFMIryVZWzZKmMaJhcMcMarWzAvLftV+0VfJV3EWtzpEbjEu3mIsoBZvD0uGqbU
-Llt1yeYyBrcdIbDQZgeRHhrJjC8yx0iqvj5WmnEp8hk6YtqdwGGTJxkpUtxFT/dO
-+0vEpa88MmGGUdXZ4NWI2IYe
+MIIDPjCCAiYCCQCIBIL0qFYY5DANBgkqhkiG9w0BAQsFADBhMQswCQYDVQQGEwJB
+VTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0
+cyBQdHkgTHRkMRowGAYDVQQDDBEqLnNvdmVyZWlnbi5sb2NhbDAeFw0xNjAxMDkw
+OTU4MzNaFw0xNzAxMDgwOTU4MzNaMGExCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApT
+b21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxGjAY
+BgNVBAMMESouc292ZXJlaWduLmxvY2FsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEA1Z12KXbGOq70H9rxgH+uBF2MSil5xTcxQKFpUhFOu0kIVoQ7Sa2n
+FPKYDC5aTKE7ajgO4cER44WgtBnEXGs7MHQEJL2tT0ETiDfTqSEhTpsXSzCxl7bo
+AZIrw9ntJKvTm4Ot04MXsUqeZyr6gk5XMOilluZWTLzbunigKOJItyM3VBRnLWZi
+ScznIkbKLGt2WjGIaENOR4cw+wwzOmH0UVxGtGWo/jklGtBZG8mb+fF8rH6L6VBa
+nIYHBGlg8Gy0eK430jMD/y2zqlOzY4gE5/BlwaxEupuzL+jtiYGyr7G1tUksQ49v
+UNimlAzUINB6bYnIk0MwpIxB0xECj0nz2wIDAQABMA0GCSqGSIb3DQEBCwUAA4IB
+AQCEVVrT1ktgvA3CwuIr+/BWRfILIHyayy3FxIwF8wBymAwQiT/09JuNDsLuI2/t
+eOY9BZsaJ9BtGA7dajbwKDX83Z+WXcv2AwxbAhxUnpBCQF0MNT9Vh7ixE0rXbXeg
+bvy5D4n1MWTBaPK+MpuEEV5m/dRZOFIgf6AWDCB7QixWm7N2BGjqni5kr2EuqYw8
+JqxXXtTDTBA8BKMLxPRER+w39zD8fQouTn1pI8nVba/WdX1NlchzFrex6ByvKWQG
+joSPd39d68NNyytwmv5LWOQ2Shsk0d0UV9eoFrctPJh8cL4BPfNS7NQR12u55zn0
+NR+SN5v9/7fn+/KF1UZq5Jao
 -----END CERTIFICATE-----

roles/common/files/wildcard_private.key

@@ -1,27 +1,28 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEArpXru3ZQKl+OVlBar2yziN5ZiVSbt6QYuJtTUmMAfAtGsPob
-ueyI6XLG6QcFNCWNqUd3fa15GPYluFA5Ot7bPAoo3UQXJvM9n/tQ2YWPjPgxaV4s
-CKrIyw7UF+f2NwtUVdj1wHB0x7bh9asNv+ZDC5O2ze8dn09CS7Puh13bsVFm1iap
-ngrrC6ctethJF67A/mRa7UzqHzesAznkgaWfhDLyygNX0PzI5ywVAKbgvxUWndPx
-3oY6yx5jrfk+opMUUnDu9AqhthTPaKK1s3JXJBOW2R/rlgYokfO7VBDkRv/ty3B1
-BnmSxdOV/01f5JJdgfLlR6PNd2FMmMoCesg9YwIDAQABAoIBADm/oYAavJ2nif+H
-CNgqDqDhW6CPegqenwbBaihAUzK00CdOM8mmMgt2SdFe3xvGqDssRpwtu3bEROnY
-r3WHreEIQ0gdc8MQhnvat32cLkWk+0MtQUeEpnJ0bzeRJOJEPxs+btu+1wIQvmFy
-uVOWqOq1a6xmwdemcfl0hRwFsdvO00MefOWgJpmBGBTBKuvhg1rUPP8xkHlD98ga
-+vpxG0vS5d2vHKa5FxcbbMaV9kxqjsc1Sm79zWlomwdmE5u0dUIIfNV1+VOmPqW2
-tjeD+JDieyX3uOKFpRTk7/5rOJd5hzHukIeUpl0n9mC/mY8lvoFAttszeTEwjkv0
-EhRBjaECgYEA3Rz8AoWJLDC63wfz3mUhtXzFxrxok85cNT35ohT9btnKyLKykvAE
-BCfHeYg8cwFFv0oUXpK9HWOqoJhsYN79+WYA1QE9n0XXAGl1K1/FlKsoAH3h5GAf
-CHGLsq6rEY3ixBmqEiKCWjNXgKeoMg9V/gjTNudWYqLvcsgMoD9vJbkCgYEAyiGi
-QZUa7pGFSa3+kPJo9wx6FylsAVnBluQETZpPdXSB43cTnfUlGj50OHAwFKwD4MP1
-Z+3mTW3+iedpEo3BWs47onanI9DSe6XcUUMXreP+aStJYOkQ3Sl5wr5A61NFF/yr
-+bdKEzXNXB5My5hbFLuSUtsXNVmVr6B7pz2wyfsCgYEAiXKyCVM/IPQtxeSoqM+O
-88VbIB4QmAjIcuRSoHmRzO2fy8ChlwuSQ48Cxb51bTwWQkHnhZ6L5pAFCg2WGWWk
-1Pqee8popvCAJSZpCoxfQvpeRGf8Gr3RrKsAnxNLDf94PlSBzwIaq72MoFIYEP5N
-gzuzKEcIAQqt9Fj82ER2cCkCgYEAnaEFC+ffjNRnAUJzF04zlRVh0NY4qAT691Ty
-FiKUfKBS+rRN1Azs1j6GG81BcZ2DmLC4nEfmJdP1gE26nwF1G/9geh3V0hRzUIHU
-Ansz6CO4rwNWwgB/ajmB/uCnd90EMOSWqLLLTZfTglcOxGcYAF8WiQ7aVnx6Qu//
-/jgZuikCgYB10Gf8Wl/TcWVBTwbDbA50VqZpUWXkcF+oo/w4FfI2f74TEQVkIs9m
-4SVhrtSAz3z2tuBEDB8SM2Uwe00/JSrbuOTvGcVTq64LDgH5fL38Hw8+7IvAZEOx
-26mAS685K1pq0HvvCuwzSIAjpo55tso3phG/YxC+DD11DglhL1SpBA==
------END RSA PRIVATE KEY-----
+-----BEGIN PRIVATE KEY-----
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDVnXYpdsY6rvQf
+2vGAf64EXYxKKXnFNzFAoWlSEU67SQhWhDtJracU8pgMLlpMoTtqOA7hwRHjhaC0
+GcRcazswdAQkva1PQROIN9OpISFOmxdLMLGXtugBkivD2e0kq9Obg63TgxexSp5n
+KvqCTlcw6KWW5lZMvNu6eKAo4ki3IzdUFGctZmJJzOciRsosa3ZaMYhoQ05HhzD7
+DDM6YfRRXEa0Zaj+OSUa0FkbyZv58XysfovpUFqchgcEaWDwbLR4rjfSMwP/LbOq
+U7NjiATn8GXBrES6m7Mv6O2JgbKvsbW1SSxDj29Q2KaUDNQg0HpticiTQzCkjEHT
+EQKPSfPbAgMBAAECggEBAMcozbgO4vZnk3f3u13grK+pQFkMnll/Ac6OLxGyzULT
+7pArLNOesb5YB+ajeNElKa34ofdc+H62YYRI2ciIuWCNaiePKHxR4hIIarCvEMym
+0Grr9UfL4jdEvsUU84JTKTE+7dvbx0UmmtT5PyIqRCR3Y5tzGVbmZb5PJJO5la4X
+1Q8ZQHYvdFh52VXVpetp66yFpCu/EI8u9VSEBakvILpZ3yxjhskEXD18E304wn1e
+Ky+sBde6zUtXRc1rKxAzeQ/JyF1+1+xr8nI1kGryqXdNl/4S3JsdB5nL54U0pHaL
+XfLMZvRTVqKAsyjqLQzYE0bRnJz9sev85nu0J1sp/GECgYEA8Gi2izJmxpb3oDC7
+Eu388TeFOYrdg6AsXFkmKT5ssTRRT4ju03RrGWC8NlOJRhQxJloCICgmBWHLFWBG
+2OVGgOYhUr7/V12f/D2GICUcJ9SKkDbzKe0ACDPq9tzauVd9H8fY9gQfvhn0AA0v
+qG0+guGElxS+holIpbDP7VV0PykCgYEA43fp3VtneBHL4E4iZVBQaIBGMYOmE8v3
+cKSTCBgCU3jnbio85NHybI1Fw15cAXDOIsOlKescLyTw/IgRb3PbObNvpD8STS8d
+wVqen2Ir/mrsxWVn57jlSV5viGnIoI873YVJ9fl5pr/KbJ5A8//EnJwQLDq6MmQR
+zPMovp51L2MCgYEA0/rQ8t4HR5Z4VDSDz8YvYZaeD0YF2nkShH9LKdTUTFAgXiwU
+wjkF8oOckZ6JDVTinbmB5E7ib55yTq/s6HUJ/MBuo6KsTaHNXsH1EUUHlYtQfqcl
+NFO40oLM7M2CwyiEuNAj25F5V8tUnfMCkdV56DfoDLuK3+APQaItRU0zSjkCgYAW
+KGgvl+fMWm9xuiq/k8NBar1rtVdINmY0ItPvxeb0GqLwqEymPY1P5bMWBOsReNub
+p1M/checwAx5jQelw7NnO4N0jHBL9HsBisJI5FdEwUWvNOGaQPiU3Q4gS62vdkRu
+n71EqLig9a3SRtgs7I1KdClfJZldr0HMpSMi7myb4QKBgQDgeh5oDgypNBdMY4un
+Wpax1Mxse49T883Z3lIlVq+U7ZwnWLWfohSZK/kXUrolbdmo4z8yAlNKUO421sAF
+SWUWFAabEMnLq2ilv6WIG4i1ubFr4/DBV4fGcaYNMOxIENRDItn7RacddZ1EQVfC
+WBcstgic1QXyMJ+2LoC0LHdgCQ==
+-----END PRIVATE KEY-----

roles/common/files/wildcard_public_cert.crt

@@ -1,20 +1,20 @@
 -----BEGIN CERTIFICATE-----
-MIIDPjCCAiYCCQDcHVzv6JwhEzANBgkqhkiG9w0BAQUFADBhMQswCQYDVQQGEwJB
-VTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0
-cyBQdHkgTHRkMRowGAYDVQQDFBEqLnNvdmVyZWlnbi5sb2NhbDAeFw0xMzExMDIx
-OTI4NDlaFw0xNDExMDIxOTI4NDlaMGExCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpT
-b21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxGjAY
-BgNVBAMUESouc292ZXJlaWduLmxvY2FsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
-MIIBCgKCAQEArpXru3ZQKl+OVlBar2yziN5ZiVSbt6QYuJtTUmMAfAtGsPobueyI
-6XLG6QcFNCWNqUd3fa15GPYluFA5Ot7bPAoo3UQXJvM9n/tQ2YWPjPgxaV4sCKrI
-yw7UF+f2NwtUVdj1wHB0x7bh9asNv+ZDC5O2ze8dn09CS7Puh13bsVFm1iapngrr
-C6ctethJF67A/mRa7UzqHzesAznkgaWfhDLyygNX0PzI5ywVAKbgvxUWndPx3oY6
-yx5jrfk+opMUUnDu9AqhthTPaKK1s3JXJBOW2R/rlgYokfO7VBDkRv/ty3B1BnmS
-xdOV/01f5JJdgfLlR6PNd2FMmMoCesg9YwIDAQABMA0GCSqGSIb3DQEBBQUAA4IB
-AQAX5KZYIYcMuHRdsd/EKwee+pzp0irs1dqbNwYJIj3HS8Zx/qd+LET4irQbY72N
-9Z2s0UTSngy4axlyItKrn+k26FUnSW80W8GMb/dEIyKg5Vnu+zLKnKj85dGUBSAP
-AzhNyqkwiY5BFFy/tvuFBvjxle9vkBNZrmtsh/PktzaW3BNrYaE9xDMYesT9xi73
-aKFMIryVZWzZKmMaJhcMcMarWzAvLftV+0VfJV3EWtzpEbjEu3mIsoBZvD0uGqbU
-Llt1yeYyBrcdIbDQZgeRHhrJjC8yx0iqvj5WmnEp8hk6YtqdwGGTJxkpUtxFT/dO
-+0vEpa88MmGGUdXZ4NWI2IYe
+MIIDPjCCAiYCCQCIBIL0qFYY5DANBgkqhkiG9w0BAQsFADBhMQswCQYDVQQGEwJB
+VTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0
+cyBQdHkgTHRkMRowGAYDVQQDDBEqLnNvdmVyZWlnbi5sb2NhbDAeFw0xNjAxMDkw
+OTU4MzNaFw0xNzAxMDgwOTU4MzNaMGExCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApT
+b21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxGjAY
+BgNVBAMMESouc292ZXJlaWduLmxvY2FsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEA1Z12KXbGOq70H9rxgH+uBF2MSil5xTcxQKFpUhFOu0kIVoQ7Sa2n
+FPKYDC5aTKE7ajgO4cER44WgtBnEXGs7MHQEJL2tT0ETiDfTqSEhTpsXSzCxl7bo
+AZIrw9ntJKvTm4Ot04MXsUqeZyr6gk5XMOilluZWTLzbunigKOJItyM3VBRnLWZi
+ScznIkbKLGt2WjGIaENOR4cw+wwzOmH0UVxGtGWo/jklGtBZG8mb+fF8rH6L6VBa
+nIYHBGlg8Gy0eK430jMD/y2zqlOzY4gE5/BlwaxEupuzL+jtiYGyr7G1tUksQ49v
+UNimlAzUINB6bYnIk0MwpIxB0xECj0nz2wIDAQABMA0GCSqGSIb3DQEBCwUAA4IB
+AQCEVVrT1ktgvA3CwuIr+/BWRfILIHyayy3FxIwF8wBymAwQiT/09JuNDsLuI2/t
+eOY9BZsaJ9BtGA7dajbwKDX83Z+WXcv2AwxbAhxUnpBCQF0MNT9Vh7ixE0rXbXeg
+bvy5D4n1MWTBaPK+MpuEEV5m/dRZOFIgf6AWDCB7QixWm7N2BGjqni5kr2EuqYw8
+JqxXXtTDTBA8BKMLxPRER+w39zD8fQouTn1pI8nVba/WdX1NlchzFrex6ByvKWQG
+joSPd39d68NNyytwmv5LWOQ2Shsk0d0UV9eoFrctPJh8cL4BPfNS7NQR12u55zn0
+NR+SN5v9/7fn+/KF1UZq5Jao
 -----END CERTIFICATE-----

roles/common/tasks/letsencrypt.yml

@@ -0,0 +1,88 @@
+- name: Download LetsEncrypt release
+  git: repo=https://github.com/letsencrypt/letsencrypt
+       dest=/root/letsencrypt
+       version=master
+       force=yes
+
+- name: Create directory for LetsEncrypt configuration and certificates
+  file: state=directory path=/etc/letsencrypt group=root owner=root
+
+- name: Configure LetsEncrypt
+  template:
+    src=etc_letsencrypt_cli.conf.j2
+    dest=/etc/letsencrypt/cli.conf
+    owner=root
+    group=root
+
+- name: Install LetsEncrypt package dependencies
+  command: /root/letsencrypt/letsencrypt-auto --help
+
+- name: Install crontab entry for LetsEncrypt
+  copy:
+    src=etc_cron-monthly_letsencrypt-renew
+    dest=/etc/cron.monthly/letsencrypt-renew
+    owner=root
+    group=root
+    mode=755
+
+- name: Create live directory for LetsEncrypt cron job
+  file: state=directory path=/etc/letsencrypt/live group=root owner=root
+
+- name: Stop Apache
+  service: name=apache2 state=stopped
+
+- name: Get an SSL certificate for {{ domain }} from Let's Encrypt
+  script: letsencrypt-gencert {{ domain }}
+  args:
+    creates: /etc/letsencrypt/live/{{ domain }}/privkey.pem
+  when: ansible_ssh_user != "vagrant"
+
+- name: Modify permissions to allow ssl-cert group access
+  file: path=/etc/letsencrypt/archive owner=root group=ssl-cert mode=750
+  when: ansible_ssh_user != "vagrant"
+
+### Several steps to install a self-signed wildcard key to support offline testing
+
+- name: Create live directory for testing keys
+  file: dest=/etc/letsencrypt/live/{{ domain }} state=directory
+    owner=root group=root mode=755
+  when: ansible_ssh_user == "vagrant"
+
+- name: Copy SSL wildcard private key for testing
+  copy: src=wildcard_private.key
+    dest=/etc/letsencrypt/live/{{ domain }}/privkey.pem
+    owner=root group=ssl-cert mode=640
+  when: ansible_ssh_user == "vagrant"
+
+- name: Copy SSL public certificate into place for testing
+  copy: src=wildcard_public_cert.crt
+    dest=/etc/letsencrypt/live/{{ domain }}/cert.pem
+    group=root owner=root mode=644
+  register: certificate
+  notify: restart apache
+  when: ansible_ssh_user == "vagrant"
+
+- name: Copy SSL CA combined certificate into place for testing
+  copy: src=wildcard_ca.pem
+    dest=/etc/letsencrypt/live/{{ domain }}/chain.pem
+    group=root owner=root mode=644
+  register: ca_certificate
+  notify: restart apache
+  when: ansible_ssh_user == "vagrant"
+
+- name: Create a combined SSL cert for testing
+  shell: cat /etc/letsencrypt/live/{{ domain }}/cert.pem
+    /etc/letsencrypt/live/{{ domain }}/chain.pem >
+    /etc/letsencrypt/live/{{ domain }}/fullchain.pem
+  when: private_key.changed or certificate.changed or ca_certificate.changed
+  when: ansible_ssh_user == "vagrant"
+
+- name: Set permissions on combined SSL public cert
+  file: name=/etc/letsencrypt/live/{{ domain }}/fullchain.pem mode=644
+  notify: restart apache
+  when: ansible_ssh_user == "vagrant"
+
+### Back to normal
+
+- name: Start Apache
+  service: name=apache2 state=started

roles/common/tasks/main.yml

@@ -63,6 +63,7 @@
 - include: users.yml tags=users
 - include: apache.yml tags=apache
 - include: ssl.yml tags=ssl
+- include: letsencrypt.yml tags=letsencrypt
 - include: ufw.yml tags=ufw
 - include: security.yml tags=security
 - include: ntp.yml tags=ntp

roles/common/tasks/ssl.yml

@@ -1,27 +1,3 @@
-- name: Copy SSL private key into place
-  copy: src=wildcard_private.key dest=/etc/ssl/private/wildcard_private.key group=ssl-cert owner=root mode=640
-  register: private_key
-  notify: restart apache
-
-- name: Copy SSL public certificate into place
-  copy: src=wildcard_public_cert.crt dest=/etc/ssl/certs/wildcard_public_cert.crt group=root owner=root mode=644
-  register: certificate
-  notify: restart apache
-
-- name: Copy CA combined certificate into place
-  copy: src=wildcard_ca.pem dest=/etc/ssl/certs/wildcard_ca.pem group=root owner=root mode=644
-  register: ca_certificate
-  notify: restart apache
-
-- name: Create a combined version of the public cert with intermediate and root CAs
-  shell: cat /etc/ssl/certs/wildcard_public_cert.crt /etc/ssl/certs/wildcard_ca.pem >
-    /etc/ssl/certs/wildcard_combined.pem
-  when: private_key.changed or certificate.changed or ca_certificate.changed
-
-- name: Set permissions on combined public cert
-  file: name=/etc/ssl/certs/wildcard_combined.pem mode=644
-  notify: restart apache
-
 - name: Create strong Diffie-Hellman group
   command: openssl dhparam -out /etc/ssl/private/dhparam2048.pem 2048
     creates=/etc/ssl/private/dhparam2048.pem
@@ -43,7 +19,7 @@
   notify: restart apache
 
 - name: Add common Apache SSL config
-  copy: src=etc_apache2_conf-available_ssl.conf
+  template: src=etc_apache2_conf-available_ssl.conf.j2
     dest=/etc/apache2/conf-available/ssl.conf
     owner=root
     group=root

roles/common/files/etc_apache2_conf-available_ssl.conf → roles/common/templates/etc_apache2_conf-available_ssl.conf.j2

@@ -6,10 +6,10 @@ SSLStaplingCache shmcb:${APACHE_RUN_DIR}/stapling_cache(128000)
 SSLStaplingResponderTimeout 5
 SSLStaplingReturnResponderErrors off
 
-SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
+SSLCertificateKeyFile	/etc/letsencrypt/live/{{ domain }}/privkey.pem
+SSLCertificateFile	/etc/letsencrypt/live/{{ domain }}/fullchain.pem
+SSLCertificateChainFile	/etc/letsencrypt/live/{{ domain }}/chain.pem
 
-SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
-SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
-SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
+SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
 
 Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"

roles/common/templates/etc_letsencrypt_cli.conf.j2

@@ -0,0 +1,7 @@
+rsa-key-size = 4096
+server = {{ letsencrypt_server }}
+authenticator = standalone
+register-unsafely-without-email = True
+keep = True
+expand = True
+agree-tos = True

roles/ircbouncer/tasks/znc.yml

@@ -9,7 +9,7 @@
   group: name=znc state=present
 
 - name: Create znc user
-  user: name=znc state=present home=/var/lib/znc system=yes group=znc shell=/usr/sbin/nologin
+  user: name=znc state=present home=/usr/lib/znc system=yes group=znc shell=/usr/sbin/nologin
 
 - name: Ensure pid directory exists
   file: state=directory path=/var/run/znc group=znc owner=znc
@@ -17,11 +17,18 @@
 - name: Copy znc service file into place
   copy: src=etc_systemd_system_znc.service dest=/etc/systemd/system/znc.service mode=0644
 
-- name: Create a combined version of the private key with public cert and intermediate + root CAs
-  shell: cat /etc/ssl/private/wildcard_private.key /etc/ssl/certs/wildcard_combined.pem >
-    /usr/lib/znc/znc.pem creates=/usr/lib/znc/znc.pem
+- name: Create a combined version of the SSL private key and full certificate chain
+  shell: cat /etc/letsencrypt/live/{{ domain }}/privkey.pem
+    /etc/letsencrypt/live/{{ domain }}/fullchain.pem >
+    /usr/lib/znc/znc.pem
+    creates=/usr/lib/znc/znc.pem
   notify: restart znc
 
+- name: Update certificate renwal cron job
+  lineinfile: dest=/etc/cron.monthly/letsencrypt-renew state=present
+    line="cat /etc/letsencrypt/live/{{ domain }}/{privkey,fullchain}.pem > /usr/lib/znc/znc.pem; chown znc.znc /usr/lib/znc/znc.pem; chmod 640 /usr/lib/znc/znc.pem; service znc restart"
+    insertafter="EOF"
+
 - name: Ensure znc user and group can read cert
   file: path=/usr/lib/znc/znc.pem group=znc owner=znc mode=640
   notify: restart znc

roles/mailserver/tasks/dovecot.yml

@@ -38,10 +38,13 @@
     - 10-auth.conf
     - 10-mail.conf
     - 10-master.conf
-    - 10-ssl.conf
     - auth-sql.conf.ext
   notify: restart dovecot
 
+- name: Template 10-ssl.conf
+  template: src=etc_dovecot_conf.d_10-ssl.conf.j2 dest=/etc/dovecot/conf.d/10-ssl.conf
+  notify: restart dovecot
+
 - name: Template 15-lda.conf
   template: src=etc_dovecot_conf.d_15-lda.conf.j2 dest=/etc/dovecot/conf.d/15-lda.conf
   notify: restart dovecot
@@ -61,3 +64,8 @@
     - imaps
     - pop3s
   tags: ufw
+
+- name: Update certificate renwal cron job
+  lineinfile: dest=/etc/cron.monthly/letsencrypt-renew state=present
+    line="service dovecot restart"
+    insertafter="EOF"

roles/mailserver/files/etc_dovecot_conf.d_10-ssl.conf → roles/mailserver/templates/etc_dovecot_conf.d_10-ssl.conf.j2

@@ -9,8 +9,8 @@ ssl = required
 # dropping root privileges, so keep the key file unreadable by anyone but
 # root. Included doc/mkcert.sh can be used to easily generate self-signed
 # certificate, just make sure to update the domains in dovecot-openssl.cnf
-ssl_cert = </etc/ssl/certs/wildcard_combined.pem
-ssl_key = </etc/ssl/private/wildcard_private.key
+ssl_cert = </etc/letsencrypt/live/{{ domain }}/fullchain.pem
+ssl_key = </etc/letsencrypt/live/{{ domain }}/privkey.pem
 
 # If key file is password protected, give the password here. Alternatively
 # give it when starting dovecot with -p parameter. Since this file is often

roles/mailserver/templates/etc_postfix_main.cf.j2

@@ -40,8 +40,8 @@ smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
 smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
 smtp_tls_protocols = !SSLv2,!SSLv3
 smtpd_tls_protocols = !SSLv2,!SSLv3
-smtpd_tls_cert_file=/etc/ssl/certs/wildcard_combined.pem
-smtpd_tls_key_file=/etc/ssl/private/wildcard_private.key
+smtpd_tls_cert_file=/etc/letsencrypt/live/{{ domain }}/fullchain.pem
+smtpd_tls_key_file=/etc/letsencrypt/live/{{ domain }}/privkey.pem
 smtpd_use_tls=yes
 smtpd_tls_auth_only = yes
 smtp_tls_security_level = may

roles/tarsnap/files/tarsnap.sh

@@ -4,7 +4,7 @@
 # Written by Tim Bishop, 2009.
 
 # Directories to backup (relative to /)
-DIRS="home root decrypted var/www"
+DIRS="home root decrypted var/www etc/letsencrypt"
 
 # Number of daily backups to keep
 DAILY=7

roles/xmpp/tasks/prosody.yml

@@ -17,7 +17,7 @@
     - dependencies
 
 - name: Add prosody user to ssl-cert group
-  user: name=prosody groups=ssl-cert append=yes
+  user: name=prosody group=ssl-cert
 
 - name: Create Prosody data directory
   file: state=directory path=/decrypted/prosody owner=prosody group=prosody

roles/xmpp/templates/prosody.cfg.lua.j2

@@ -86,8 +86,8 @@ allow_registration = false;
 -- These are the SSL/TLS-related settings. If you don't want
 -- to use SSL/TLS, you may comment or remove this
 ssl = {
-	key = "/etc/ssl/private/wildcard_private.key";
-	certificate = "/etc/ssl/certs/wildcard_public_cert.crt";
+	key = "/etc/letsencrypt/live/{{ domain }}/privkey.pem";
+	certificate = "/etc/letsencrypt/live/{{ domain }}/cert.pem";
 }
 
 -- Force clients to use encrypted connections? This option will

vars/defaults.yml

@@ -13,6 +13,7 @@ main_user_shell: "/bin/bash"
 # encfs_password: (required)
 friendly_networks:
   - ""
+letsencrypt_server: "https://acme-v01.api.letsencrypt.org/directory"
 
 # ssh
 kex_algorithms: "diffie-hellman-group-exchange-sha256"