
Merge pull request #533 from carljm/post-renew

Idempotency fixes to LetsEncrypt handling.
Mike Ashley 8 年之前
父節點
當前提交
c822f9de14

+ 5
- 2
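--- a/roles/common/files/etc_cron-monthly_letsencrypt-renew
+++ b/roles/common/files/etc_cron-monthly_letsencrypt-renew
@@ -18,5 +18,8 @@ for c in $(find /etc/letsencrypt/live/ -mindepth 1  -type d); do
 done
 service apache2 start
 
-# Services that rely on LE certificates will need restarted.
-
+# Services that rely on LE certificates may need restarted and/or other actions.
+for script in $(find /etc/letsencrypt/postrenew/ -maxdepth 1 -type f -executable); do
+  echo "Executing ${script}."
+  $script
+done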
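Review bot: The `for script in $(find …)` line and the bare `$script` invocation below it subject every hook path to word splitting and globbing before it is executed, so a path containing whitespace would be run as several tokens; quoting the call (`"$script"`) and iterating a glob with an explicit test, `for script in /etc/letsencrypt/postrenew/*; do [ -f "$script" ] && [ -x "$script" ] || continue`, removes both problems without changing what is run. Every executable file in that directory is executed as root from cron, so the directory's ownership and mode are the only gate on what runs here; the Ansible task that creates it sets owner and group but leaves the mode to the remote umask, which is worth pinning where the directory is created. A hook that exits non-zero is silently skipped unless the script header (outside this hunk) enables `set -e`, in which case it aborts the remaining hooks instead; either way a one-line comment stating the intended behaviour, e.g. `# a failing hook does not stop the remaining hooks`, would make it deliberate.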

+ 5
- 0
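--- a/roles/common/files/letsencrypt-gencert
+++ b/roles/common/files/letsencrypt-gencert
@@ -5,4 +5,9 @@ for i in www mail autoconfig read news cloud git; do
     d="$d,$i.$1";
   fi
 done
+# We are using the "standalone" letsencrypt plugin, which runs its own
+# webserver, so we need to temporarily free up the HTTP(S) ports by stopping
+# our own Apache.
+service apache2 stop
 /root/letsencrypt/letsencrypt-auto certonly -c /etc/letsencrypt/cli.conf --domains $d
+service apache2 start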
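Review bot: Apache is stopped on the `service apache2 stop` line and only brought back by the final `service apache2 start`, so if `letsencrypt-auto certonly` aborts the script — a `set -e` in the header, which is outside this hunk, or a signal while it runs — the web server stays down until someone notices; registering the restart as an exit trap directly after the stop, `trap 'service apache2 start' EXIT`, and dropping the trailing start line makes the restart unconditional. The `$d` argument to `--domains` is also unquoted; `"$d"` keeps the comma-joined domain list as one argument. The start of this script, including `$1` handling, is outside the hunk.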

+ 6
- 9
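--- a/roles/common/tasks/letsencrypt.yml
+++ b/roles/common/tasks/letsencrypt.yml
@@ -16,6 +16,11 @@
 
 - name: Install LetsEncrypt package dependencies
   command: /root/letsencrypt/letsencrypt-auto --help
+  register: le_deps_result
+  changed_when: "'Bootstrapping dependencies' in le_deps_result.stdout"
+
+- name: Create directory for post-renewal scripts
+  file: state=directory path=/etc/letsencrypt/postrenew group=root owner=root
 
 - name: Install crontab entry for LetsEncrypt
   copy:
@@ -28,13 +33,8 @@
 - name: Create live directory for LetsEncrypt cron job
   file: state=directory path=/etc/letsencrypt/live group=root owner=root
 
-- name: Stop Apache
-  service: name=apache2 state=stopped
-
 - name: Get an SSL certificate for {{ domain }} from Let's Encrypt
-  script: letsencrypt-gencert {{ domain }}
-  args:
-    creates: /etc/letsencrypt/live/{{ domain }}/privkey.pem
+  script: letsencrypt-gencert {{ domain }} creates=/etc/letsencrypt/live/{{ domain }}/privkey.pem
   when: ansible_ssh_user != "vagrant"
 
 - name: Modify permissions to allow ssl-cert group access
@@ -83,6 +83,3 @@
   when: ansible_ssh_user == "vagrant"
 
 ### Back to normal
-
-- name: Start Apache
-  service: name=apache2 state=started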
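Review bot: The `Create directory for post-renewal scripts` task in the first hunk fixes owner and group on /etc/letsencrypt/postrenew but leaves its mode to the remote umask, even though the monthly cron job executes every executable file found there as root; stating the mode explicitly, `file: state=directory path=/etc/letsencrypt/postrenew group=root owner=root mode=0755`, guarantees the directory is never inherited group- or world-writable. The `changed_when` on the dependency task hinges on the literal text `Bootstrapping dependencies` appearing in stdout, which is an external tool's wording; a comment above it such as `# letsencrypt-auto prints "Bootstrapping dependencies" only when it installs packages` records why that string was chosen. The second and third hunks only remove the Apache stop/start tasks that letsencrypt-gencert now performs itself.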

+ 7
- 4
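--- a/roles/ircbouncer/tasks/znc.yml
+++ b/roles/ircbouncer/tasks/znc.yml
@@ -31,10 +31,13 @@
     creates=/usr/lib/znc/znc.pem
   notify: restart znc
 
-- name: Update certificate renwal cron job
-  lineinfile: dest=/etc/cron.monthly/letsencrypt-renew state=present
-    line="cat /etc/letsencrypt/live/{{ domain }}/{privkey,fullchain}.pem > /usr/lib/znc/znc.pem; chown znc.znc /usr/lib/znc/znc.pem; chmod 640 /usr/lib/znc/znc.pem; service znc restart"
-    insertafter="EOF"
+- name: Update post-certificate-renewal task
+  template:
+    src: etc_letsencrypt_postrenew_znc.sh.j2
+    dest: /etc/letsencrypt/postrenew/znc.sh
+    owner: root
+    group: root
+    mode: 0755
 
 - name: Ensure znc user and group can read cert
   file: path=/usr/lib/znc/znc.pem group=znc owner=znc mode=640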
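Review bot: `mode: 0755` on the new template task is an unquoted plain scalar, which a YAML 1.1 parser reads as octal 493 but a YAML 1.2 core-schema parser reads as decimal 755 — a silently different permission set on the hook file; quoting it, `mode: '0755'`, is unambiguous under both, and the same applies to the `mode: 0755` line added in roles/mailserver/tasks/dovecot.yml in this commit. The old task appended its command to /etc/cron.monthly/letsencrypt-renew with lineinfile, and nothing in this commit removes that line from hosts already provisioned; presumably the common role's `copy:` of the cron script overwrites it on the next run, but that is worth confirming so renewed certificates are not installed twice.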

+ 7
- 0
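--- a/roles/ircbouncer/templates/etc_letsencrypt_postrenew_znc.sh.j2
+++ b/roles/ircbouncer/templates/etc_letsencrypt_postrenew_znc.sh.j2
@@ -0,0 +1,7 @@
+#!/bin/bash
+# Executed by /etc/cron.monthly/letsencrypt-renew
+
+cat /etc/letsencrypt/live/{{ domain }}/{privkey,fullchain}.pem > /usr/lib/znc/znc.pem
+chown znc.znc /usr/lib/znc/znc.pem
+chmod 640 /usr/lib/znc/znc.pem
+service znc restart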
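Review bot: The `cat … > /usr/lib/znc/znc.pem` line truncates the live key/cert file before the new content is written and, on a host where the file does not yet exist, creates it with the umask default (typically 0644) until the `chmod 640` two lines later — a window in which the private key is readable by every local account; writing under `umask 077` to a temp file, fixing ownership and mode there, and moving it into place closes both the truncation and the exposure window. Without `set -e`, a failed `cat` (for example a missing live directory) still proceeds to chown and restart znc on an empty file. `chown znc.znc` also uses the deprecated dot separator; `znc:znc` is the portable form.
```shell
#!/bin/bash
# Executed by /etc/cron.monthly/letsencrypt-renew
set -euo pipefail
umask 077
tmp="$(mktemp /usr/lib/znc/znc.pem.XXXXXX)"
cat /etc/letsencrypt/live/{{ domain }}/{privkey,fullchain}.pem > "$tmp"
chown znc:znc "$tmp"
chmod 640 "$tmp"
mv -f "$tmp" /usr/lib/znc/znc.pem
service znc restart
```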

+ 7
- 4
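--- a/roles/mailserver/tasks/dovecot.yml
+++ b/roles/mailserver/tasks/dovecot.yml
@@ -65,7 +65,10 @@
     - pop3s
   tags: ufw
 
-- name: Update certificate renwal cron job
-  lineinfile: dest=/etc/cron.monthly/letsencrypt-renew state=present
-    line="service dovecot restart"
-    insertafter="EOF"
+- name: Update post-certificate-renewal task
+  copy:
+    content: "#!/bin/bash\n\nservice dovecot restart\n"
+    dest: /etc/letsencrypt/postrenew/dovecot.sh
+    mode: 0755
+    owner: root
+    group: root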
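Review bot: The embedded hook on the `content:` line is a double-quoted scalar with `\n` escapes, which hides that it is a three-line shell script and is easy to mangle on the next edit; a literal block scalar — `content: |` with `#!/bin/bash`, a blank line and `service dovecot restart` indented beneath it — produces the same bytes and reads as the script it is. Unlike the znc hook in this commit, the script carries no comment saying who runs it; adding `# Executed by /etc/cron.monthly/letsencrypt-renew` as its second line keeps the two hooks consistent for whoever finds them in /etc/letsencrypt/postrenew.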
