Actually, use the certbot role

playbooks/hosts/taigastg.fedorainfracloud.org.yml

@@ -30,8 +30,7 @@
 
   roles:
   - basessh
-  - role: letsencrypt
-    site_name: taigastg.fedorainfracloud.org
+  - role: certbot
   - role: taiga
     taiga_back_version: stable
     taiga_front_version: stable

roles/taiga/tasks/main.yml

@@ -37,6 +37,7 @@
   - npm
 # need this for letsencrypt cert
   - certbot
+  - python3-certbot-nginx
   tags: taiga
 
 - user: name=taiga comment="Taiga System Account"
@@ -262,6 +263,29 @@
   tags: taiga
 
 
+# Letsencrypt
+
+- name: get the letsencrypt cert
+  command: certbot certonly -n --standalone --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx" -d {{ inventory_hostname }} --agree-tos --email admin@fedoraproject.org
+  args:
+    creates: "/etc/letsencrypt/live/{{ inventory_hostname }}/fullchain.pem"
+  notify: restart nginx
+
+- name: copy cert renew script
+  copy: src=renew-cert.sh dest=/usr/local/bin/renew-cert.sh mode=0755
+  tags:
+  - taiga
+  - cron
+  - letsencrypt
+
+- name: install cron for cert renewal
+  copy: src=cron-renew-cert dest=/etc/cron.d/cron-renew-cert
+  notify: restart crond
+  tags:
+  - taiga
+  - cron
+
+
 ### FINALLY, nginx to serve/proxy it all
 - template: src=default.nginx dest=/etc/nginx/default.d/taiga.conf
             mode=0644 owner=nginx group=nginx