mirror of
https://pagure.io/fedora-infra/ansible.git
synced 2026-05-05 08:31:44 +08:00
We need a two-phase configuration for Let's Encrypt:

1. initialize: the letsencrypt automation; this happens only once per VM (when it is spawned)
2. periodic: using certbot-renew.timer

Both those phases are now wrapped into the copr/certbot role. Phase 1 needs to be done before the web server is started (so include the role at the appropriate place in the playbook), so we can do 'certbot --standalone' (binds to port 80). Phase 2 is accomplished using the running web server, using 'certbot renew --webroot'. If (and only if) the certificate is renewed, the web server needs to be restarted (and lighttpd needs to have a post-processed certificate format). So we also need the deploy hook script in hand (two actually, lighttpd/httpd) so that 'certbot renew' automatically does what we expect it to do.
14 lines
709 B
Django/Jinja
```jinja
# Usually it is enough to do `certbot renew --dry-run` to check that certbot is
# configured correctly (anytime, without rate limits). You can, though (up to 5x
# a week), try a forced renewal. It both affects your Let's Encrypt quota and
# requires a web server restart. But if you still want to try, please
# uncomment the following config option, and hit `systemctl start
# certbot-renew.service`. WARNING WARNING Don't forget to comment it again!
#CERTBOT_ARGS="--force-renewal"
{% if letsencrypt.predefined_deploy_script %}

# Execute the script after certificate renewal, usually this is needed to
# restart the web server, etc.
DEPLOY_HOOK="--deploy-hook /usr/libexec/auto-certbot-deploy"
{% endif %}
```
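The deploy hook the commit message describes, as an added example that is not the repository's own /usr/libexec/auto-certbot-deploy: certbot runs the hook with RENEWED_LINEAGE set only when a certificate was actually renewed, so the script builds the combined key+certificate PEM that older lighttpd needs and restarts whichever web server is installed. The combined PEM path, the service names and the helper names are assumptions, not taken from the page.

```shell
#!/bin/sh
# Added example deploy hook (not the fedora-infra ansible repository's own script).
# certbot exports RENEWED_LINEAGE=/etc/letsencrypt/live/<name> to a --deploy-hook
# and only invokes it when a certificate was really renewed.
set -eu

# Assumed paths (not from the page): where lighttpd reads its ssl.pemfile from.
LIGHTTPD_PEM="${LIGHTTPD_PEM:-/etc/lighttpd/combined.pem}"

# Older lighttpd expects private key and certificate chain in ONE PEM file.
# Build it with a private umask and replace the target atomically, so the
# web server never reads a half-written file and the key is never world-readable.
build_lighttpd_pem() {
    lineage="$1"; out="$2"
    [ -r "$lineage/privkey.pem" ] && [ -r "$lineage/fullchain.pem" ] || return 1
    umask 077
    tmp="$(mktemp "$(dirname "$out")/.combined.XXXXXX")"
    cat "$lineage/privkey.pem" "$lineage/fullchain.pem" > "$tmp"
    chmod 0600 "$tmp"
    mv -f "$tmp" "$out"
}

# Decide which web server this VM runs (the commit mentions lighttpd and httpd).
web_server_kind() {
    if command -v lighttpd >/dev/null 2>&1; then echo lighttpd
    elif command -v httpd >/dev/null 2>&1; then echo httpd
    else echo none; fi
}

main() {
    : "${RENEWED_LINEAGE:?set by certbot when run as --deploy-hook}"
    case "$(web_server_kind)" in
        lighttpd)
            build_lighttpd_pem "$RENEWED_LINEAGE" "$LIGHTTPD_PEM"
            systemctl restart lighttpd ;;
        httpd)
            # httpd reads privkey/fullchain directly; a reload picks up the new files.
            systemctl reload httpd ;;
        *)
            echo "auto-certbot-deploy: no supported web server found" >&2; exit 1 ;;
    esac
}

# Run only when executed as the installed hook, not when sourced for testing.
if [ "${0##*/}" = "auto-certbot-deploy" ]; then main "$@"; fi
```

Because certbot only calls the hook on an actual renewal, a `certbot renew --dry-run` never restarts the web server, which matches the comment in the sysconfig template above.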