SSL Certificate Management using Ansible and Let's Encrypt

Task Overview

This Task automates the process of obtaining, configuring, and renewing SSL certificates using Let's Encrypt with Ansible. The automation will ensure all web servers have up-to-date SSL certificates, reducing manual work and maintaining a secure environment.

Technology Stack

• Ansible – Configuration management & automation
• Let's Encrypt – Free SSL certificate provider
• Certbot – ACME client for obtaining and renewing SSL certificates
• Nginx/Apache – Web server for hosting websites
• AWS EC2 / Any Linux Server – Hosting environment (Ubuntu, CentOS, or Amazon Linux)
• Cron Jobs / Systemd Timers – For automated renewal scheduling

Task Architecture

1. Ansible Playbook provisions and installs dependencies.
2. Certbot is installed and used to generate SSL certificates.
3. The certificate is deployed to Nginx or Apache.
4. Automatic renewal is set up using a scheduled task.
5. A monitoring mechanism is implemented to verify SSL expiration.

Implementation Steps

Step 1: Setting Up Ansible Environment

• Install Ansible on the control node:

sudo apt update && sudo apt install -y ansible

• Create an Ansible inventory file (inventory.yml) with target servers:

all:
  hosts:
    webserver1:
      ansible_host: 192.168.1.10
      ansible_user: ubuntu
      ansible_ssh_private_key_file: ~/.ssh/id_rsa

Step 2: Writing Ansible Playbook for SSL Management

Create a playbook ssl_certificate.yml to:

1. Install required packages
2. Obtain SSL certificate
3. Deploy SSL to Nginx/Apache
4. Automate renewal with cron/systemd

---
- name: SSL Certificate Management
  hosts: all
  become: yes
  tasks:
    - name: Install required packages
      apt:
        name: ["certbot", "python3-certbot-nginx"]
        state: present
        update_cache: yes
      when: ansible_os_family == "Debian"

    - name: Install required packages for RHEL
      yum:
        name: ["certbot", "python3-certbot-nginx"]
        state: present
      when: ansible_os_family == "RedHat"

    - name: Obtain SSL Certificate using Certbot
      command: certbot certonly --nginx --non-interactive --agree-tos --email admin@example.com -d example.com -d www.example.com
      args:
        creates: /etc/letsencrypt/live/example.com/fullchain.pem

    - name: Configure SSL in Nginx
      template:
        src: templates/nginx_ssl.j2
        dest: /etc/nginx/sites-available/example.com
      notify: Restart Nginx

    - name: Ensure SSL renewal via cron
      cron:
        name: "Renew Let's Encrypt Certificates"
        job: "certbot renew --quiet"
        minute: "0"
        hour: "0"

Step 3: Nginx Configuration Template

(templates/nginx_ssl.j2)

server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com www.example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Step 4: Running the Playbook

Execute the playbook to deploy SSL:

ansible-playbook -i inventory.yml ssl_certificate.yml

Step 5: Verifying SSL and Auto-Renewal

• Check SSL certificate:

sudo certbot certificates
sudo certbot renew --dry-run

• Test renewal process:

sudo certbot renew --dry-run

Automation & Monitoring

1. Auto-renewal:
• Cron job runs daily at midnight

0 0 * * * certbot renew --quiet

• Or using systemd timer:

sudo systemctl enable certbot.timer

2. Monitoring Expiry
• Set up an alert if the certificate is expiring

openssl x509 -enddate -noout -in /etc/letsencrypt/live/example.com/fullchain.pem

Project Deliverables

• Ansible Playbook for installing Certbot and obtaining SSL.
• Nginx/Apache configuration for SSL setup.
• Automated renewal using cron/systemd timers.
• Monitoring scripts to track SSL expiration.
• Deployment guide for scaling across multiple servers.

Expected Outcomes

• ✔ Secure HTTPS implementation using Let's Encrypt.
• ✔ Fully automated SSL certificate renewal.
• ✔ Centralized Ansible-based management for multiple servers.
• ✔ Enhanced security and compliance for web applications.

Next Steps

• Enhance security with firewall rules (e.g., AWS Security Groups).
• Integrate monitoring with Prometheus/Grafana alerts.
• Extend to Kubernetes with cert-manager for SSL.

This project is ready for implementation and can be deployed across any cloud or on-prem infrastructure.