Browse Source

Update prosody to use LE certs directly

Don't copy the LE certificates.  Instead use the ssl-cert group to
manage access to the LE certificates directly.  See
https://github.com/letsencrypt/letsencrypt/issues/1425 for a request to
have the LE client do this itself.
Mike Ashley 8 years ago
parent
commit
86048ee397

+ 1
- 3
roles/common/files/etc_cron-monthly_letsencrypt-renew View File

@@ -17,7 +17,5 @@ for c in `ls /etc/letsencrypt/live`; do
17 17
 done
18 18
 service apache2 start
19 19
 
20
-# Services that rely on LE certificates will need restarted.  In some cases
21
-# their certificates are based on copies of the LE certs and will need
22
-# regenerated as well.
20
+# Services that rely on LE certificates will need restarted.
23 21
 

+ 3
- 0
roles/common/tasks/letsencrypt.yml View File

@@ -36,6 +36,9 @@
36 36
     creates: /etc/letsencrypt/live/{{ domain }}/privkey.pem
37 37
   when: ansible_ssh_user != "vagrant"
38 38
 
39
+- name: Modify permissions to allow ssl-cert group access
40
+  file: path=/etc/letsencrypt/archive owner=root group=ssl-cert mode=750
41
+
39 42
 ### Several steps to install a self-signed wildcard key to support offline testing
40 43
 
41 44
 - name: Create live directory for testing keys

+ 3
- 17
roles/xmpp/tasks/prosody.yml View File

@@ -16,6 +16,9 @@
16 16
   tags:
17 17
     - dependencies
18 18
 
19
+- name: Add prosody user to ssl-cert group
20
+  user: name=prosody group=ssl-cert
21
+
19 22
 - name: Create Prosody data directory
20 23
   file: state=directory path=/decrypted/prosody owner=prosody group=prosody
21 24
 
@@ -23,23 +26,6 @@
23 26
   template: src=prosody.cfg.lua.j2 dest=/etc/prosody/prosody.cfg.lua group=root owner=root
24 27
   notify: restart prosody
25 28
 
26
-- name: Copy SSL private key and cert
27
-  shell: cp /etc/letsencrypt/live/{{ domain }}/{{ item }} /etc/prosody/certs
28
-  with_items:
29
-    - privkey.pem
30
-    - cert.pem
31
-
32
-- name: Assert mode and ownership on SSL private key and cert
33
-  file: dest=/etc/prosody/certs/{{ item }} owner=root group=prosody mode=0640
34
-  with_items:
35
-    - privkey.pem
36
-    - cert.pem
37
-
38
-- name: Update certificate renewal cron job
39
-  lineinfile: dest=/etc/cron.monthly/letsencrypt-renew state=present
40
-    line="cp /etc/letsencrypt/live/{{ domain }}/{privkey,cert}.pem /etc/prosody/certs; chown root.prosody /etc/prosody/certs/{privkey,cert}.pem; chmod 640 /etc/prosody/certs/{privkey,cert}.pem; service prosody restart"
41
-    insertafter="EOF"
42
-
43 29
 - name: Create Prosody accounts
44 30
   command: prosodyctl register {{ item.name }} {{ prosody_virtual_domain }} "{{ item.password }}"
45 31
   with_items: prosody_accounts

+ 2
- 2
roles/xmpp/templates/prosody.cfg.lua.j2 View File

@@ -86,8 +86,8 @@ allow_registration = false;
86 86
 -- These are the SSL/TLS-related settings. If you don't want
87 87
 -- to use SSL/TLS, you may comment or remove this
88 88
 ssl = {
89
-	key = "/etc/prosody/certs/privkey.pem";
90
-	certificate = "/etc/prosody/certs/cert.pem";
89
+	key = "/etc/letsencrypt/live/{{ domain }}/privkey.pem";
90
+	certificate = "/etc/letsencrypt/live/{{ domain }}/cert.pem";
91 91
 }
92 92
 
93 93
 -- Force clients to use encrypted connections? This option will

Loading…
Cancel
Save