mirror of
https://pagure.io/fedora-infra/ansible.git
synced 2026-03-30 17:01:33 +08:00
We need two-phase configuration for Let's Encrypt:

1. initialize: the letsencrypt automation; this happens only once per VM (when it is spawned)
2. periodic: using certbot-renew.timer

Both phases are now wrapped in the copr/certbot role.

Phase 1 needs to be done before the web server is started (so include the role at the appropriate place in the playbook), so we can use 'certbot --standalone' (it binds to port 80, which therefore still has to be free).

Phase 2 is accomplished using the running web server, via 'certbot renew --webroot' (the web server has to serve the /.well-known/acme-challenge/ path from that webroot). If (and only if) a certificate is actually renewed, the web server needs to be restarted (and lighttpd needs the certificate post-processed into its own format: private key and certificate chain concatenated into a single pemfile). So we also need a deploy hook script in hand (two actually, one for lighttpd and one for httpd), so that 'certbot renew' automatically does what we expect it to do.
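As an added example (not the copr/certbot role's own script), here is a lighttpd deploy hook of the kind described above. It relies on certbot exporting RENEWED_LINEAGE and RENEWED_DOMAINS to deploy hooks and running them only for lineages that were actually renewed; the output file name lighttpd.pem, the install path under /etc/letsencrypt/renewal-hooks/deploy/ and the fake PEM blocks are assumptions made for illustration. Run without certbot it exercises the PEM-combining step on a constructed fake lineage instead of touching the system.

```shell
#!/bin/sh
# Added example: a certbot deploy hook for lighttpd (hypothetical, not the
# copr/certbot role's own script). Install as
# /etc/letsencrypt/renewal-hooks/deploy/lighttpd.sh (mode 0755); certbot runs
# every executable there once per lineage that was actually renewed, with
# RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.org) and RENEWED_DOMAINS
# exported. If nothing was renewed, no hook runs and the web server stays up.
# For httpd the equivalent hook is just "systemctl reload httpd", since httpd
# reads privkey.pem and fullchain.pem directly.
set -eu

# lighttpd's ssl.pemfile historically needs the private key and the certificate
# chain in ONE file (ssl.privkey only exists in newer releases), so the hook
# post-processes certbot's output. Usage: build_lighttpd_pem <lineage> <out>
build_lighttpd_pem() {
    lineage="$1"
    out="$2"
    tmp="$out.tmp.$$"
    umask 077                      # key material: never world-readable
    cat "$lineage/privkey.pem" "$lineage/fullchain.pem" > "$tmp"
    chmod 0600 "$tmp"
    mv -f "$tmp" "$out"            # atomic replace: lighttpd never sees a half-written file
}

# Number of PEM blocks in a file; a combined file holds 1 key + N certificates.
pem_block_count() {
    grep -c '^-----BEGIN ' "$1"
}

# Constructed fake lineage for stand-alone runs and tests (not real keys).
make_fake_lineage() {
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIfakekey' '-----END PRIVATE KEY-----' \
        > "$1/privkey.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIleaf' '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'MIIintermediate' '-----END CERTIFICATE-----' \
        > "$1/fullchain.pem"
}

if [ -n "${RENEWED_LINEAGE:-}" ]; then
    # Real run under 'certbot renew': rebuild the combined PEM, then restart.
    build_lighttpd_pem "$RENEWED_LINEAGE" "$RENEWED_LINEAGE/lighttpd.pem"
    echo "renewed ${RENEWED_DOMAINS:-?}: rebuilt $RENEWED_LINEAGE/lighttpd.pem, restarting lighttpd"
    systemctl restart lighttpd
else
    # Stand-alone: demonstrate the post-processing step on a constructed lineage.
    demo=$(mktemp -d)
    make_fake_lineage "$demo"
    build_lighttpd_pem "$demo" "$demo/lighttpd.pem"
    echo "demo: combined PEM has $(pem_block_count "$demo/lighttpd.pem") blocks (1 key + 2 certs)"
    rm -rf "$demo"
fi
```

Point ssl.pemfile in lighttpd.conf at the generated lighttpd.pem rather than at certbot's fullchain.pem; because the hook only runs for lineages certbot really renewed, the restart happens exactly when the page says it should, and a renewal run that changes nothing leaves the server alone.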