Hi there! I'm Maneshwar. Right now, I’m building LiveAPI, a first-of-its-kind tool for helping you automatically index API endpoints across all your repositories. LiveAPI helps you discover, understand, and use APIs in large tech infrastructures with ease.
TLS with Ansible: Automate Let’s Encrypt via geerlingguy.certbot
Yesterday, we automated syncing NGINX config files using Ansible. Today, we’ll crank it up a notch — let’s auto-provision SSL certificates with Let’s Encrypt using a battle-tested community role.
No more Certbot copy-paste rituals.
No more forgetting cron jobs. Ansible’s got your back.
✋ What’s a “role” again?
Roles in Ansible are reusable chunks of automation.
Think of them like npm packages, but for infrastructure.
They organize tasks, variables, files, templates, etc., into a standard structure.
You just plug them into your playbook.
We’re using two roles here:
- geerlingguy.certbot: Automates Certbot installation, renewal, and cert generation.
- geerlingguy.nginx: Optional, for managing NGINX itself if you want to go full infra-as-code.
Set up requirements.yml
Here’s how you declare role dependencies:
```yaml
# requirements.yml
roles:
  - src: geerlingguy.nginx
  - src: geerlingguy.certbot
collections:
  - name: community.general
```
Install them:
```shell
ansible-galaxy install -r requirements.yml
```
Update Folder Structure
We're adding 3 new task files (install-cron.yml, certbot-setup-playbook.yml, restart-nginx.yml) under the same role:

```
roles/
└─ nginx-conf-sync/
   └─ tasks/
      ├─ ensure-sites-enabled-included.yml
      ├─ install-cron.yml
      ├─ certbot-setup-playbook.yml
      ├─ restart-nginx.yml
      ├─ create-nginx-confs.yml
      └─ main.yml
```
Updated main.yml in tasks

```yaml
---
- import_tasks: ensure-sites-enabled-included.yml
- import_tasks: create-nginx-confs.yml
- import_tasks: install-cron.yml
- import_tasks: certbot-setup-playbook.yml
- import_tasks: restart-nginx.yml
```
install-cron.yml
```yaml
# cron is what the role's certbot_auto_renew job is installed into
- name: Ensure cron is installed
  apt:
    name: cron
    state: present
    update_cache: yes
```
certbot-setup-playbook.yml
```yaml
- name: Setup Let's Encrypt certificates using Certbot
  include_role:
    name: geerlingguy.certbot
  vars:
    certbot_admin_email: [email protected]
    certbot_create_if_missing: true
    # standalone binds port 80 itself, so NGINX is stopped while the cert is issued
    certbot_create_method: standalone
    certbot_create_standalone_stop_services:
      - nginx
    # build the role's certbot_certs list from the domain list used for the NGINX confs
    certbot_certs: >-
      {{ nginx_conf_domains
         | map('regex_replace', '^(.*)$', '{ "domains": ["\\1"] }')
         | map('from_yaml') | list }}
```
🔎 This Jinja2 expression turns each entry of nginx_conf_domains into the domain object the role expects, so the role receives a list like:

```yaml
certbot_certs:
  - domains: ["blog.dev.to"]
  - domains: ["api.dev.to"]
```
restart-nginx.yml
```yaml
# nginx -t only validates the config; it never changes anything, and reading
# the new cert files needs root, so run it with become rather than via sudo
- name: Test NGINX configuration
  command: nginx -t
  become: true
  changed_when: false

- name: Reload nginx
  service:
    name: nginx
    state: reloaded
  become: true

# a full restart after the reload, since standalone mode stopped NGINX to issue the cert
- name: Restart NGINX
  service:
    name: nginx
    state: restarted
  become: true
```
Run it all
```shell
ansible-playbook -i hosts.ini nginx-conf-sync-playbook.yml -v
```
And you’ve got HTTPS in one command. 🎉
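Once the play has run, the check worth keeping next to it is whether every domain in nginx_conf_domains actually got a certificate and whether the cron-driven renewal is keeping them fresh. The script below is an added example, not part of the post or of the geerlingguy.certbot role: it parses the text that `certbot certificates` prints (the sample output here is constructed, with made-up hostnames) and reports domains with no cert and certs that expire within 30 days.

```python
"""Reconcile `certbot certificates` output against the Ansible domain list."""
from datetime import datetime, timedelta, timezone

# Constructed sample of `certbot certificates` output; hostnames are made up.
SAMPLE_OUTPUT = """\
Found the following certs:
  Certificate Name: blog.example.test
    Domains: blog.example.test
    Expiry Date: 2025-03-01 10:00:00+00:00 (VALID: 59 days)
    Certificate Path: /etc/letsencrypt/live/blog.example.test/fullchain.pem
  Certificate Name: api.example.test
    Domains: api.example.test www.api.example.test
    Expiry Date: 2025-01-10 10:00:00+00:00 (VALID: 9 days)
    Certificate Path: /etc/letsencrypt/live/api.example.test/fullchain.pem
"""
# Constructed reference time so the audit result is reproducible.
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
# Same shape as the nginx_conf_domains variable in the playbook (assumed values).
SAMPLE_DOMAINS = ["blog.example.test", "api.example.test", "shop.example.test"]


def parse_certbot_certificates(text):
    """Return {cert_name: {"domains": [...], "expiry": datetime}} from certbot's listing."""
    certs, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Certificate Name:"):
            current = line.split(":", 1)[1].strip()
            certs[current] = {"domains": [], "expiry": None}
        elif current and line.startswith("Domains:"):
            certs[current]["domains"] = line.split(":", 1)[1].split()
        elif current and line.startswith("Expiry Date:"):
            stamp = line.split(":", 1)[1].strip().split(" (")[0]  # drop "(VALID: ...)"
            certs[current]["expiry"] = datetime.fromisoformat(stamp)
    return certs


def audit(domains, text, now, min_days=30):
    """Return (domains with no cert, cert names expiring within min_days), both sorted."""
    certs = parse_certbot_certificates(text)
    covered = {d for c in certs.values() for d in c["domains"]}
    missing = sorted(set(domains) - covered)
    threshold = now + timedelta(days=min_days)
    expiring = sorted(n for n, c in certs.items() if c["expiry"] and c["expiry"] <= threshold)
    return missing, expiring


if __name__ == "__main__":
    missing, expiring = audit(SAMPLE_DOMAINS, SAMPLE_OUTPUT, SAMPLE_NOW)
    print("no certificate:", missing)      # ['shop.example.test']
    print("renewal overdue:", expiring)    # ['api.example.test']
```

On a real host, feed it the output of `certbot certificates` and the current time; a non-empty second list means the certbot_auto_renew cron job is not doing its work.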
Bonus: Role Customization 101
The geerlingguy.certbot role is highly customizable.
| Variable | What It Does |
|---|---|
| certbot_install_method | Install via package, snap, or source. |
| certbot_auto_renew | Enables daily renewal via cron. |
| certbot_auto_renew_hour / certbot_auto_renew_minute | Controls when the renewal happens. |
| certbot_testmode | Set true for a dry run against the Let's Encrypt staging environment. |
| certbot_create_method | Use standalone or webroot. |
| certbot_certs | A list of domain sets to generate certs for. |
Pro Tip: You can generate certs even for wildcard domains (these need a DNS-01 challenge, which the standalone method used above cannot do) or configure HSTS via certbot_hsts: true.
Use the community-built geerlingguy.certbot role to automate HTTPS for all your NGINX sites. Hook it up with your Ansible role, drop in a few lines, and you're done.
Infrastructure as code isn’t just for big teams. It’s for anyone who values their weekend.
LiveAPI helps you get all your backend APIs documented in a few minutes
With LiveAPI, you can quickly generate interactive API documentation that allows users to search and execute APIs directly from the browser.
If you’re tired of manually creating docs for your APIs, this tool might just make your life easier.
Top comments (1)
Love how clear and actionable this process is, honestly feels like reclaiming my weekends. Have you run into any tricky edge cases automating certs across multiple environments?