Install An SSL Cert For Ansible Tower Using LetsEncrypt
This can be done in the span of about 5 minutes (it's almost tooooo easy).
First, ensure that TCP ports 80 and 443 on your Tower server are reachable from the public internet (it's likely you've already done that, though). Port 80 is not optional here: certbot proves you control the name with an http-01 challenge, which Let's Encrypt fetches over plain HTTP, and it will need the same access every time the cert renews.
Tower auto-installs and uses nginx as its web server. Step one is to tell nginx what the FQDN for this server is (make sure you've already created a valid/working DNS entry for it; certbot validates against that name, not the IP):
Edit the nginx config file at: /etc/nginx/nginx.conf
This is the section of the config prior to manipulation:
```nginx
# If you have a domain name, this is where to add it
server_name _;
keepalive_timeout 65;
ssl_certificate /etc/tower/tower.cert;
ssl_certificate_key /etc/tower/tower.key;
```
This is my config with the server name configured:
```nginx
# If you have a domain name, this is where to add it
server_name towerofpower.gregsowell.com;
keepalive_timeout 65;
ssl_certificate /etc/tower/tower.cert;
ssl_certificate_key /etc/tower/tower.key;
```
Now reload nginx so it picks up the new server_name (a reload is enough; a full restart is not needed and would drop active Tower sessions):
```bash
nginx -t && systemctl reload nginx.service
```
Now download the Let's Encrypt certbot-auto wrapper and set it to executable. (Caveat: EFF has since deprecated certbot-auto and no longer updates it; on a current system install certbot from your distro's package or the snap instead, and substitute `certbot` for `certbot-auto` in the commands below. Whichever you use, you are about to run a downloaded script as root, so verify it, for example against the detached signature EFF published next to certbot-auto, before the chmod.)
```bash
wget -P /usr/local/bin https://dl.eff.org/certbot-auto
chmod +x /usr/local/bin/certbot-auto
```
Now run the certbot installer:
```text
certbot-auto
Bootstrapping dependencies for RedHat-based OSes that will use Python3... (you can skip this with --no-bootstrap)
dnf is /usr/bin/dnf
dnf is hashed (/usr/bin/dnf)
Last metadata expiration check: 2:31:18 ago on Thu 18 Jun 2020 08:35:47 AM CDT.
Package openssl-1:1.1.1c-15.el8.x86_64 is already installed.
Package ca-certificates-2019.2.32-80.0.el8_1.noarch is already installed.
Package python36-3.6.8-2.module_el8.1.0+245+c39af44f.x86_64 is already installed.
Dependencies resolved.
================================================================================
 Package          Architecture   Version           Repository   Size
================================================================================
Installing:
 augeas-libs      x86_64         1.12.0-5.el8      BaseOS       436 k
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Transaction Summary
================================================================================
Install  44 Packages

Total download size: 52 M
Installed size: 135 M
Is this ok [y/N]: y
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: towerofpower.gregsowell.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for towerofpower.gregsowell.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/nginx.conf
Redirecting all traffic on port 80 to ssl in /etc/nginx/nginx.conf
```
So when you run the installer you are prompted to pull down the packages certbot needs, to which I said yes. It then parses your nginx config, finds the server_name you just set, and offers it as the name to certify. I chose option 1 and let it rip.
Certbot then completes the http-01 challenge on port 80, writes the certificate and key under /etc/letsencrypt, rewrites the ssl_certificate lines in nginx.conf to point at them, and adds a redirect so plain-HTTP requests on port 80 are sent to HTTPS.
Here’s the nginx config after the above command:
```nginx
# If you have a domain name, this is where to add it
server_name towerofpower.gregsowell.com;
keepalive_timeout 65;
ssl_certificate /etc/letsencrypt/live/towerofpower.gregsowell.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/towerofpower.gregsowell.com/privkey.pem; # managed by Certbot
```
Now reload nginx once more so it loads the new certificate (certbot usually does this for you, but a reload is harmless and confirms the config still parses):
```bash
nginx -t && systemctl reload nginx.service
```
After that you should be able to browse to your Tower install with a valid cert! Two things to keep in mind afterwards. Let's Encrypt certs are valid for 90 days and certbot-auto does not schedule renewal on its own, so test renewal with `certbot-auto renew --dry-run` and add a cron entry that runs `certbot-auto renew -q` regularly. Also, the Tower installer owns /etc/nginx/nginx.conf and can write the self-signed /etc/tower paths back on an upgrade or a re-run of setup.sh; the installer inventory's web_server_ssl_cert and web_server_ssl_key variables can be pointed at the Let's Encrypt files so the change survives.
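The steps above, collected into one script, as an added example that is not part of the original post. The FQDN, e-mail address, and the assumption that nginx.conf still contains the stock `server_name _;` placeholder are mine; the certbot flags are the documented non-interactive equivalents of the prompts answered by hand above (`--nginx`, `-d`, `--agree-tos`, `--non-interactive`, `--redirect`). The config-editing and path-checking functions run anywhere; `apply` only makes sense on the Tower host itself.

```bash
#!/usr/bin/env bash
# Added example: scripted version of the manual Let's Encrypt procedure for
# Ansible Tower's nginx. Not the post author's code. Values are assumptions.
set -eu

NGINX_CONF="${NGINX_CONF:-/etc/nginx/nginx.conf}"

# Writes a copy of the stock Tower nginx snippet (constructed from the
# "prior to manipulation" block in the post) so the helpers can be exercised
# without touching a real Tower host.
write_sample_conf() {
    cat > "$1" <<'EOF'
    # If you have a domain name, this is where to add it
    server_name _;
    keepalive_timeout 65;
    ssl_certificate /etc/tower/tower.cert;
    ssl_certificate_key /etc/tower/tower.key;
EOF
}

# Replace the "server_name _;" placeholder with the real FQDN.
# Idempotent if the FQDN is already set; refuses to touch a file that has
# neither the placeholder nor the FQDN, so we never edit the wrong config.
set_server_name() {
    conf="$1"; fqdn="$2"
    if grep -qE "^[[:space:]]*server_name[[:space:]]+${fqdn};" "$conf"; then
        return 0
    fi
    grep -qE '^[[:space:]]*server_name[[:space:]]+_;' "$conf" || {
        echo "no 'server_name _;' placeholder in $conf" >&2; return 1; }
    sed -E "s|^([[:space:]]*)server_name[[:space:]]+_;|\1server_name ${fqdn};|" \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Print the ssl_certificate and ssl_certificate_key paths from an nginx
# config, one per line, ignoring any trailing "# managed by Certbot" comment.
cert_paths_from_conf() {
    sed -nE 's/^[[:space:]]*ssl_certificate(_key)?[[:space:]]+([^;]+);.*/\2/p' "$1"
}

# Fail if any ssl_* path in the config does not exist or is unreadable.
# Catches the classic post-certbot failure: nginx reloads fine but points
# at a cert/key pair that is missing or moved.
verify_cert_paths() {
    rc=0
    for p in $(cert_paths_from_conf "$1"); do
        [ -r "$p" ] || { echo "missing or unreadable: $p" >&2; rc=1; }
    done
    return $rc
}

# Show what a client actually receives on 443 (issuer and expiry).
show_served_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -issuer -enddate
}

# The live procedure. Run as root on the Tower host: apply FQDN EMAIL
apply() {
    fqdn="$1"; email="$2"
    set_server_name "$NGINX_CONF" "$fqdn"
    nginx -t && systemctl reload nginx.service
    certbot-auto --nginx -d "$fqdn" -m "$email" \
        --agree-tos --non-interactive --redirect
    verify_cert_paths "$NGINX_CONF"
    nginx -t && systemctl reload nginx.service
    certbot-auto renew --dry-run        # prove renewal works before day 90
    show_served_cert "$fqdn"
}

# Only run the live steps when explicitly asked, e.g.
#   ./tower-letsencrypt.sh apply towerofpower.example.com admin@example.com
case "${1:-}" in
    apply) shift; apply "$@" ;;
esac
```

The `apply` function reloads nginx with `nginx -t` in front of it both times, so a config certbot has mangled fails loudly rather than taking Tower's UI down, and it ends by reading the certificate back from port 443, which is the check that matters: the browser sees what the server serves, not what is on disk.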
Good luck and happy automating.