update to official debian certbot package in debian 10, backport in 9. old method of installation is deprecated.

README.md

@@ -149,3 +149,9 @@ The same goes for the RSpamD web interface on port 11334.
 To access the gitea admin CLI, execute it like this:
 
     sudo -u git /usr/local/bin/gitea admin create-user --admin --config /etc/gitea/app.ini --name USERNAME --password PASSWORD --email MAIL
+
+To re-new the LetsEncrypt certificates, for example after adding a new role that needs another subdomain, call:
+
+    sudo certbot -c /etc/letsencrypt/cli.conf --cert-name DOMAIN
+
+Then re-run the whole sovereign playbook, or at least the letsencrypt part of it.

roles/sslletsencrypt/files/etc_cron-daily_letsencrypt-renew

@@ -5,6 +5,6 @@ set -o errexit
 
 # Renew all live certificates with LetsEncrypt.  This needs to run at least
 # once every three months, but recommended frequency is once a day.
-/root/letsencrypt/letsencrypt-auto renew -q -c /etc/letsencrypt/cli.conf \
+certbot renew -q -c /etc/letsencrypt/cli.conf \
 --pre-hook="find /etc/letsencrypt/prerenew/ -maxdepth 1 -type f -executable -exec {} \;" \
 --post-hook="find /etc/letsencrypt/postrenew/ -maxdepth 1 -type f -executable -exec {} \;"

roles/sslletsencrypt/files/letsencrypt-gencert

@@ -33,5 +33,5 @@ done
 # webserver, so we need to temporarily free up the HTTP(S) ports by stopping
 # our own Apache.
 service apache2 stop
-/root/letsencrypt/letsencrypt-auto certonly -c /etc/letsencrypt/cli.conf --domains $d
+certbot certonly --standalone -c /etc/letsencrypt/cli.conf --domains $d
 service apache2 start

roles/sslletsencrypt/tasks/letsencrypt.yml

@@ -3,11 +3,28 @@
     name: ssl-cert
     state: present
 
-- name: Download LetsEncrypt release
-  git: repo=https://github.com/letsencrypt/letsencrypt
-       dest=/root/letsencrypt
-       version=master
-       force=yes
+- name: add stretch-backport for Certbot
+  apt_repository: repo='deb http://deb.debian.org/debian stretch-backports main' state=present update_cache=yes
+  tags:
+    - dependencies
+  when: ansible_distribution_version == '9'
+
+- name: Install Certbot
+  apt:
+    name: "certbot"
+    state: present
+    default_release: stretch-backports
+  tags:
+    - dependencies
+  when: ansible_distribution_version == '9'
+
+- name: Install Certbot
+  apt:
+    name: "certbot"
+    state: present
+  tags:
+    - dependencies
+  when: ansible_distribution_version == '10'
 
 - name: Create directory for LetsEncrypt configuration and certificates
   file: state=directory path=/etc/letsencrypt group=root owner=root
@@ -19,11 +36,6 @@
     owner=root
     group=root
 
-- name: Install LetsEncrypt package dependencies
-  command: /root/letsencrypt/letsencrypt-auto --help
-  register: le_deps_result
-  changed_when: "'Bootstrapping dependencies' in le_deps_result.stdout"
-
 - name: Create directory for pre-renewal scripts
   file: state=directory path=/etc/letsencrypt/prerenew group=root owner=root
 

roles/sslletsencrypt/tasks/main.yml

@@ -1,5 +1,4 @@
 ---
-
 - include: ssl.yml tags=ssl
 - include: letsencrypt.yml tags=letsencrypt
 - include: ufw.yml tags=ufw

roles/sslletsencrypt/templates/etc_letsencrypt_cli.conf.j2

@@ -6,3 +6,7 @@ keep = True
 expand = True
 agree-tos = True
 non-interactive = True
+
+# Because we are using logrotate for greater flexibility, disable the
+# internal certbot logrotation.
+max-log-backups = 0