
Arrange for services to restart on cert renewal

Mike Ashley 9 years ago
parent commit 8f1b6a9ed8

+ 1
- 1
roles/common/DESIGN.md

@@ -14,7 +14,7 @@ Several packages need access to the private key. Not all are run as root. Exampl
14 14
 
15 15
 Certificates and private keys are backed up using tarsnap.
16 16
 
17
-Certificate renewal is done automatically using cron. The cron script must be aware of private key copies and update them as well. Services that depend on new keys must also be bounced. It is up to roles that rely on keys to modify the cron script (preferably using `linein` or similar games) to accomplish this.
17
+Certificate renewal is done automatically using cron. The cron script must be aware of private key copies and update them as well. Services that depend on new keys must also be bounced. It is up to roles that rely on keys to modify the cron script (preferably using `lineinfile` or something similar) to accomplish this.
18 18
 
19 19
 ### Alternative approaches
20 20
 
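Review bot: the reworded sentence still leaves each role to append its own commands with `lineinfile`, but it does not say those commands must be safe to run when renewal fails or produces no new certificate. Consider adding one sentence here stating that key copies are refreshed and services bounced only after a successful renewal; otherwise every role's appended line restarts its service monthly regardless of outcome.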

+ 5
- 0
roles/common/files/etc_cron-monthly_letsencrypt-renew

@@ -16,3 +16,8 @@ for c in `ls /etc/letsencrypt/live`; do
16 16
   /root/letsencrypt/letsencrypt-auto --renew certonly -c /etc/letsencrypt/cli.conf --domains=$domains
17 17
 done
18 18
 service apache2 start
19
+
20
+# Services that rely on LE certificates will need restarted.  In some cases
21
+# their certificates are based on copies of the LE certs and will need
22
+# regenerated as well.
23
+
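Review bot: the new comment block says services "will need restarted" and copies "will need regenerated"; this should read "will need to be restarted" and "will need to be regenerated". More importantly, the restart lines that roles append after this comment run unconditionally: the loop above never checks the exit status of `letsencrypt-auto`, and `service apache2 start` already runs whether or not renewal succeeded. Consider capturing the exit status inside the loop and skipping the restart section when any renewal failed, so a broken renewal does not bounce every dependent service with the old (or no) certificate. Minor: `for c in \`ls /etc/letsencrypt/live\`` is fragile; `for c in /etc/letsencrypt/live/*/` is the usual form.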

+ 5
- 0
roles/ircbouncer/tasks/znc.yml

@@ -24,6 +24,11 @@
24 24
     creates=/usr/lib/znc/znc.pem
25 25
   notify: restart znc
26 26
 
27
+- name: Update certificate renwal cron job
28
+  lineinfile: dest=/etc/cron.monthly/letsencrypt-renew state=present
29
+    line="cat /etc/letsencrypt/live/{{ domain }}/{privkey,fullchain}.pem > /var/lib/znc/znc.pem; chown znc.znc /var/lib/znc/znc.pem; chmod 640 /var/lib/znc/znc.pem; service znc restart"
30
+    insertafter="EOF"
31
+
27 32
 - name: Ensure znc user and group can read cert
28 33
   file: path=/usr/lib/znc/znc.pem group=znc owner=znc mode=640
29 34
   notify: restart znc
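Review bot: the appended line writes the concatenated key and chain to /var/lib/znc/znc.pem, but the surrounding tasks in this file use /usr/lib/znc/znc.pem (`creates=/usr/lib/znc/znc.pem` above and `file: path=/usr/lib/znc/znc.pem` below), so after renewal the refreshed certificate lands in a path that the rest of the role does not manage; one of the two paths is wrong. Also: "renwal" in the task name is a typo; `{privkey,fullchain}.pem` is bash brace expansion and will not expand if the cron script runs under plain sh (the script's interpreter is not visible in this diff); and `chown znc.znc` should be `chown znc:znc`.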

+ 5
- 0
roles/mailserver/tasks/dovecot.yml

@@ -64,3 +64,8 @@
64 64
     - imaps
65 65
     - pop3s
66 66
   tags: ufw
67
+
68
+- name: Update certificate renwal cron job
69
+  lineinfile: dest=/etc/cron.monthly/letsencrypt-renew state=present
70
+    line="service dovecot restart"
71
+    insertafter="EOF"
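Review bot: "renwal" in the task name is a typo (the prosody task in this same commit spells it "renewal"). The appended `service dovecot restart` drops every active IMAP/POP3 session once a month whether or not a certificate was actually renewed; Dovecot picks up a changed `ssl_cert` on a configuration reload, so `service dovecot reload` would be the gentler choice, and either way the line runs unconditionally after the renewal loop rather than only on success.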

+ 5
- 0
roles/xmpp/tasks/prosody.yml

@@ -35,6 +35,11 @@
35 35
     - privkey.pem
36 36
     - cert.pem
37 37
 
38
+- name: Update certificate renewal cron job
39
+  lineinfile: dest=/etc/cron.monthly/letsencrypt-renew state=present
40
+    line="cp /etc/letsencrypt/live/{{ domain }}/{privkey,cert}.pem /etc/prosody/certs; chown root.prosody /etc/prosody/certs/{privkey,cert}.pem; chmod 640 /etc/prosody/certs/{privkey,cert}.pem; service prosody restart"
41
+    insertafter="EOF"
42
+
38 43
 - name: Create Prosody accounts
39 44
   command: prosodyctl register {{ item.name }} {{ prosody_virtual_domain }} "{{ item.password }}"
40 45
   with_items: prosody_accounts
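Review bot: `lineinfile` with `state=present` and only a literal `line=` is idempotent for an unchanged line, but if `domain` ever changes the task appends a second copy-and-restart line and leaves the stale one in place (the same applies to the znc and dovecot tasks in this commit); consider adding a `regexp=` keyed on `service prosody restart` so the existing line is replaced instead. As in the znc task, `{privkey,cert}.pem` relies on bash brace expansion, which depends on the cron script's interpreter not shown in this diff, and `chown root.prosody` is better written `root:prosody`.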
