Merge pull request #533 from carljm/post-renew

Idempotency fixes to LetsEncrypt handling.

roles/common/files/etc_cron-monthly_letsencrypt-renew

@@ -18,5 +18,8 @@ for c in $(find /etc/letsencrypt/live/ -mindepth 1  -type d); do
 done
 service apache2 start
 
-# Services that rely on LE certificates will need restarted.
-
+# Services that rely on LE certificates may need restarted and/or other actions.
+for script in $(find /etc/letsencrypt/postrenew/ -maxdepth 1 -type f -executable); do
+  echo "Executing ${script}."
+  $script
+done

roles/common/files/letsencrypt-gencert

@@ -5,4 +5,9 @@ for i in www mail autoconfig read news cloud git; do
     d="$d,$i.$1";
   fi
 done
+# We are using the "standalone" letsencrypt plugin, which runs its own
+# webserver, so we need to temporarily free up the HTTP(S) ports by stopping
+# our own Apache.
+service apache2 stop
 /root/letsencrypt/letsencrypt-auto certonly -c /etc/letsencrypt/cli.conf --domains $d
+service apache2 start

roles/common/tasks/letsencrypt.yml

@@ -16,6 +16,11 @@
 
 - name: Install LetsEncrypt package dependencies
   command: /root/letsencrypt/letsencrypt-auto --help
+  register: le_deps_result
+  changed_when: "'Bootstrapping dependencies' in le_deps_result.stdout"
+
+- name: Create directory for post-renewal scripts
+  file: state=directory path=/etc/letsencrypt/postrenew group=root owner=root
 
 - name: Install crontab entry for LetsEncrypt
   copy:
@@ -28,13 +33,8 @@
 - name: Create live directory for LetsEncrypt cron job
   file: state=directory path=/etc/letsencrypt/live group=root owner=root
 
-- name: Stop Apache
-  service: name=apache2 state=stopped
-
 - name: Get an SSL certificate for {{ domain }} from Let's Encrypt
-  script: letsencrypt-gencert {{ domain }}
-  args:
-    creates: /etc/letsencrypt/live/{{ domain }}/privkey.pem
+  script: letsencrypt-gencert {{ domain }} creates=/etc/letsencrypt/live/{{ domain }}/privkey.pem
   when: ansible_ssh_user != "vagrant"
 
 - name: Modify permissions to allow ssl-cert group access
@@ -83,6 +83,3 @@
   when: ansible_ssh_user == "vagrant"
 
 ### Back to normal
-
-- name: Start Apache
-  service: name=apache2 state=started

roles/ircbouncer/tasks/znc.yml

@@ -31,10 +31,13 @@
     creates=/usr/lib/znc/znc.pem
   notify: restart znc
 
-- name: Update certificate renwal cron job
-  lineinfile: dest=/etc/cron.monthly/letsencrypt-renew state=present
-    line="cat /etc/letsencrypt/live/{{ domain }}/{privkey,fullchain}.pem > /usr/lib/znc/znc.pem; chown znc.znc /usr/lib/znc/znc.pem; chmod 640 /usr/lib/znc/znc.pem; service znc restart"
-    insertafter="EOF"
+- name: Update post-certificate-renewal task
+  template:
+    src: etc_letsencrypt_postrenew_znc.sh.j2
+    dest: /etc/letsencrypt/postrenew/znc.sh
+    owner: root
+    group: root
+    mode: 0755
 
 - name: Ensure znc user and group can read cert
   file: path=/usr/lib/znc/znc.pem group=znc owner=znc mode=640

roles/ircbouncer/templates/etc_letsencrypt_postrenew_znc.sh.j2

@@ -0,0 +1,7 @@
+#!/bin/bash
+# Executed by /etc/cron.monthly/letsencrypt-renew
+
+cat /etc/letsencrypt/live/{{ domain }}/{privkey,fullchain}.pem > /usr/lib/znc/znc.pem
+chown znc.znc /usr/lib/znc/znc.pem
+chmod 640 /usr/lib/znc/znc.pem
+service znc restart

roles/mailserver/tasks/dovecot.yml

@@ -65,7 +65,10 @@
     - pop3s
   tags: ufw
 
-- name: Update certificate renwal cron job
-  lineinfile: dest=/etc/cron.monthly/letsencrypt-renew state=present
-    line="service dovecot restart"
-    insertafter="EOF"
+- name: Update post-certificate-renewal task
+  copy:
+    content: "#!/bin/bash\n\nservice dovecot restart\n"
+    dest: /etc/letsencrypt/postrenew/dovecot.sh
+    mode: 0755
+    owner: root
+    group: root