copr: rework letsencrypt

We need two-phase configuration for Let's Encrypt: 1. initialize; the letsencrypt automation, this is happening only once per VM (when it is spawned) 2. periodic; using certbot-renew.timer. Both those phases are now wrapped into copr/certbot role. Phase 1. needs to be done before the web-server is started (so include the role on appropriate place in the playbook), so we can do 'certbot --standalone' (bounds to port 80). Phase 2. is accomplished using the running web-server, using 'certbot renew --webroot'. If (and only if) the certificate is renewed, web server needs to be restarted (and lighttpd needs to have post-processed certificate format). So we also need the deploy hook script in hand (two actually, lighttpd/httpd) so 'certbot renew' automatically does what we expect it to do.
2026-06-27 23:57:02 +08:00 · 2019-07-19 11:01:40 +02:00
parent cc15118a29
commit 3cc27430b6
18 changed files with 158 additions and 256 deletions
--- a/roles/copr/dist_git/tasks/main.yml
+++ b/roles/copr/dist_git/tasks/main.yml
@@ -56,6 +56,9 @@
  notify:
  - reload httpd

+- name: letsencrypt for copr-dist-git
+  include_role: name=copr/certbot
+
 - name: install copr-dist-git httpd config
  copy: src="httpd/{{ item }}" dest="/etc/httpd/conf.d/{{ item }}"
  with_items:
@@ -65,34 +68,10 @@
  notify:
  - reload httpd

- name: letsencrypt cert
-  include_role: name=certbot
-
 - template: src="ssl.conf.j2" dest="/etc/httpd/conf.d/ssl.conf" owner=root group=root mode=0644
  notify:
  - reload httpd

- name: certbot, correct fcontext mapping the web root
-  sefcontext:
-    target: '/srv/web/acme-challenge/.well-known(/.*)'
-    setype: httpd_sys_content_t
-    state: present
-
- name: certbot, restorecon the web root
-  file:
-    path: /srv/web/acme-challenge/.well-known
-    state: directory
-    setype: httpd_sys_content_t
-
- name: Install config for cert renewal
-  template: src="sysconfig/certbot" dest="/etc/sysconfig/certbot" owner=root group=root
-
- name: Automatize cert renewal
-  service:
-    name: certbot-renew.timer
-    state: started
-    enabled: yes
-
 - name: temporary logrotation fix until copr-dist-git 0.26 is released & deployed
  copy: src="logrotate.d/copr-dist-git" dest="/etc/logrotate.d/copr-dist-git"

--- a/roles/copr/dist_git/templates/ssl.conf.j2
+++ b/roles/copr/dist_git/templates/ssl.conf.j2
@@ -1,9 +1,3 @@
-<VirtualHost *:80>
-    RewriteEngine on
-    RewriteRule ^/\.well-known/(.*) /srv/web/acme-challenge/.well-known/$1 [L]
-    RewriteRule "^/?(.*)" "https://%{HTTP_HOST}/$1" [L,R=301,NE]
-</VirtualHost>
-
 Listen 443 https

 SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
--- a/roles/copr/dist_git/templates/sysconfig/certbot
+++ b/roles/copr/dist_git/templates/sysconfig/certbot
@@ -1,54 +0,0 @@
-## NOTE ##
-# If a hook is set here then it will be used for all
-# certificates and will override any per certificate
-# hook configuration in place.
-
-# Command to be run in a shell before obtaining any
-# certificates. Intended primarily for renewal, where it
-# can be used to temporarily shut down a webserver that
-# might conflict with the standalone plugin. This will
-# only be called if a certificate is actually to be
-# obtained/renewed. When renewing several certificates
-# that have identical pre-hooks, only the first will be
-# executed.
-#
-# An example to stop the MTA before updating certs would be
-# PRE_HOOK="--pre-hook 'systemctl stop postfix'"
-PRE_HOOK=""
-
-# Command to be run in a shell after attempting to
-# obtain/renew certificates. Can be used to deploy
-# renewed certificates, or to restart any servers that
-# were stopped by --pre-hook. This is only run if an
-# attempt was made to obtain/renew a certificate. If
-# multiple renewed certificates have identical post-
-# hooks, only one will be run.
-#
-# An example to restart httpd would be:
-# POST_HOOK="--post-hook 'systemctl restart httpd'"
-POST_HOOK=""
-
-# Command to be run in a shell once for each
-# successfully renewed certificate. For this command,
-# the shell variable $RENEWED_LINEAGE will point to the
-# config live subdirectory containing the new certs and
-# keys; the shell variable $RENEWED_DOMAINS will contain
-# a space-delimited list of renewed cert domains
-#
-# An example to run a script to alert each cert would be:
-# RENEW_HOOK="--renew-hook /usr/local/bin/cert-notifier.sh"
-RENEW_HOOK=""
-
-# Any other misc arguments for the renewal
-# See certbot -h renew for full list
-#
-# An example to force renewal for certificates not due yet
-# CERTBOT_ARGS="--force-renewal"
-#
-# The following command is produced
-# certbot renew **CERTBOT_ARGS
-{% if devel %}
-CERTBOT_ARGS="--webroot -w /srv/web/acme-challenge --cert-name copr-dist-git-dev.fedorainfracloud.org"
-{% else %}
-CERTBOT_ARGS="--webroot -w /srv/web/acme-challenge --cert-name copr-dist-git.fedorainfracloud.org"
-{% endif %}