Don't copy the LE certificates. Instead use the ssl-cert group to manage access to the LE certificates directly. See https://github.com/letsencrypt/letsencrypt/issues/1425 for a request to have the LE client do this itself.

8 years ago · 86048ee397
--- a/roles/common/files/etc_cron-monthly_letsencrypt-renew
+++ b/roles/common/files/etc_cron-monthly_letsencrypt-renew
@@ -17,7 +17,5 @@ for c in `ls /etc/letsencrypt/live`; do
 
				
				 done
			
 
				
				 service apache2 start
			
 
				
				 
			
 
				
				-# Services that rely on LE certificates will need restarted.  In some cases
			
 
				
				-# their certificates are based on copies of the LE certs and will need
			
 
				
				-# regenerated as well.
			
 
				
				+# Services that rely on LE certificates will need restarted.
			
 
				
				 
			
--- a/roles/common/tasks/letsencrypt.yml
+++ b/roles/common/tasks/letsencrypt.yml
@@ -36,6 +36,9 @@
 
				
				     creates: /etc/letsencrypt/live/{{ domain }}/privkey.pem
			
 
				
				   when: ansible_ssh_user != "vagrant"
			
 
				
				 
			
 
				
				+- name: Modify permissions to allow ssl-cert group access
			
 
				
				+  file: path=/etc/letsencrypt/archive owner=root group=ssl-cert mode=750
			
 
				
				+
			
 
				
				 ### Several steps to install a self-signed wildcard key to support offline testing
			
 
				
				 
			
 
				
				 - name: Create live directory for testing keys
			
--- a/roles/xmpp/tasks/prosody.yml
+++ b/roles/xmpp/tasks/prosody.yml
@@ -16,6 +16,9 @@
 
				
				   tags:
			
 
				
				     - dependencies
			
 
				
				 
			
 
				
				+- name: Add prosody user to ssl-cert group
			
 
				
				+  user: name=prosody group=ssl-cert
			
 
				
				+
			
 
				
				 - name: Create Prosody data directory
			
 
				
				   file: state=directory path=/decrypted/prosody owner=prosody group=prosody
			
 
				
				 
			
@@ -23,23 +26,6 @@
 
				
				   template: src=prosody.cfg.lua.j2 dest=/etc/prosody/prosody.cfg.lua group=root owner=root
			
 
				
				   notify: restart prosody
			
 
				
				 
			
 
				
				-- name: Copy SSL private key and cert
			
 
				
				-  shell: cp /etc/letsencrypt/live/{{ domain }}/{{ item }} /etc/prosody/certs
			
 
				
				-  with_items:
			
 
				
				-    - privkey.pem
			
 
				
				-    - cert.pem
			
 
				
				-
			
 
				
				-- name: Assert mode and ownership on SSL private key and cert
			
 
				
				-  file: dest=/etc/prosody/certs/{{ item }} owner=root group=prosody mode=0640
			
 
				
				-  with_items:
			
 
				
				-    - privkey.pem
			
 
				
				-    - cert.pem
			
 
				
				-
			
 
				
				-- name: Update certificate renewal cron job
			
 
				
				-  lineinfile: dest=/etc/cron.monthly/letsencrypt-renew state=present
			
 
				
				-    line="cp /etc/letsencrypt/live/{{ domain }}/{privkey,cert}.pem /etc/prosody/certs; chown root.prosody /etc/prosody/certs/{privkey,cert}.pem; chmod 640 /etc/prosody/certs/{privkey,cert}.pem; service prosody restart"
			
 
				
				-    insertafter="EOF"
			
 
				
				-
			
 
				
				 - name: Create Prosody accounts
			
 
				
				   command: prosodyctl register {{ item.name }} {{ prosody_virtual_domain }} "{{ item.password }}"
			
 
				
				   with_items: prosody_accounts
			
--- a/roles/xmpp/templates/prosody.cfg.lua.j2
+++ b/roles/xmpp/templates/prosody.cfg.lua.j2
@@ -86,8 +86,8 @@ allow_registration = false;
 
				
				 -- These are the SSL/TLS-related settings. If you don't want
			
 
				
				 -- to use SSL/TLS, you may comment or remove this
			
 
				
				 ssl = {
			
 
				
				-	key = "/etc/prosody/certs/privkey.pem";
			
 
				
				-	certificate = "/etc/prosody/certs/cert.pem";
			
 
				
				+	key = "/etc/letsencrypt/live/{{ domain }}/privkey.pem";
			
 
				
				+	certificate = "/etc/letsencrypt/live/{{ domain }}/cert.pem";
			
 
				
				 }
			
 
				
				 
			
 
				
				 -- Force clients to use encrypted connections? This option will