Update to use the run_certbot script for the cron

As certbot-auto is smart enough to renew when running for already requested domains, this update uses the same run_cerbot script for the 2x daily cron. The script is reworked to remove the semaphore. The file-links and config copy is renundant (this could be moved into an external file for the post-hook but not neccessary). The script is also reworked to avoid unncessary nginx restart (is in the post-hook).

Update to use the run_certbot script for the cron
As certbot-auto is smart enough to renew when running for already requested domains, this update uses the same run_cerbot script for the 2x daily cron. The script is reworked to remove the semaphore. The file-links and config copy is renundant (this could be moved into an external file for the post-hook but not neccessary). The script is also reworked to avoid unncessary nginx restart (is in the post-hook).
a2fabfa1 · Martin Fitzpatrick · Fred Smith · 2eaa0120 · a2fabfa1 · a2fabfa1
Commit a2fabfa1 authored Sep 02, 2016 by Martin Fitzpatrick Committed by Fred Smith Nov 03, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 21 deletions

playbooks/roles/lets_encrypt/tasks/main.yml
+2 -9

playbooks/roles/lets_encrypt/templates/run_certbot.sh.j2
+3 -12

No files found.
--- a/playbooks/roles/lets_encrypt/tasks/main.yml
+++ b/playbooks/roles/lets_encrypt/tasks/main.yml
@@ -83,19 +83,12 @@
    - install
    - update
- name: set not-configured semaphore
-  file:
-    path: /opt/.certbot-config-incomplete
-    state: touch
-  tags:
-    - install
-    - update
 - name: run certbot
  command: /opt/run_certbot.sh
  tags:
    - install
    - update
+  ignore_errors: true
 # Renewal will auto-update the certs in place at the linked-to locations
 # checks twice daily @ 12hr interval ±60mins
@@ -113,7 +106,7 @@
        minute    : "{{ 59|random }}"
        cron_file : "lets-encrypt-renew"
        user      : "root"
-        job       : /opt/certbot/certbot-auto renew --pre-hook "/opt/run_certbot.sh" --post-hook "service nginx restart"
+        job       : /opt/run_certbot.sh
        state     : present
  tags:
    - install

--- a/playbooks/roles/lets_encrypt/templates/run_certbot.sh.j2
+++ b/playbooks/roles/lets_encrypt/templates/run_certbot.sh.j2
 #!/bin/bash
-set -e # Quit on error
+set -e
-if [ -e /opt/.certbot-config-incomplete ]; then
 # Store the current nginx status
 service nginx status
@@ -12,10 +10,10 @@ fi
 # Start nginx up (ignore if already running)
 service nginx start || true
-echo "Request certificate via certbot..."
+echo "Request certificate via certbot... (or renew)"
 # Run certbot installation
-/opt/certbot/certbot-auto certonly --webroot --webroot-path=/usr/share/nginx/www --email {{ LETS_ENCRYPT_EMAIL }} --agree-tos --http-01-port {{ LETS_ENCRYPT_PORT }} {% for domain in LETS_ENCRYPT_DOMAINS %} -d {{ domain }} {% endfor %} --non-interactive
+/opt/certbot/certbot-auto certonly --webroot --webroot-path=/usr/share/nginx/www --email {{ LETS_ENCRYPT_EMAIL }} --agree-tos --http-01-port {{ LETS_ENCRYPT_PORT }} {% for domain in LETS_ENCRYPT_DOMAINS %} -d {{ domain }} {% endfor %} --non-interactive --post-hook "service nginx restart"
 echo "Create symlinks to Let's Encrypt certificates..."
@@ -28,14 +26,7 @@ echo "Writing nginx certificate configuration..."
 # Copy the configuration file (with the above certs) into place
 cp /edx/app/edxapp/configuration/playbooks/roles/lets_encrypt/templates/ssl-certs.conf /etc/nginx/ssl-certs.conf
-# Clear configuration-incomplete semaphore
-rm /opt/.certbot-config-incomplete
 # Stop nginx again if it wasn't running, or restart it if it was
 if [ "$nginxstate" == "stopped" ]; then
 service nginx stop
-else
-service restart
-fi
 fi