become: yes
apt: pkg=python3-certbot-apache
-- name: Ensure Let's Encrypt certificate is readable.
+- name: Look for /etc/letsencrypt/live/.
+ stat:
+ path: /etc/letsencrypt/live
+ register: letsencrypt
+- debug:
+ msg: "/etc/letsencrypt/live/ does not (yet) exist"
+ when: not letsencrypt.stat.exists
+
+- name: "Ensure Let's Encrypt certificate is readable."
become: yes
file:
mode: u=rwx,g=rx,o=rx
path: /etc/letsencrypt/live
+ when: letsencrypt.stat.exists
#+END_SRC
Front's Dovecot (and Postfix) certificate and key are in separate
updated) by Let's Encrypt, but also because Let's Encrypt's symbolic
links keep the window for a mismatch extremely small.
-With the institutional configuration, Postfix, Dovecot and Apache
-servers get their certificate&key from =/etc/server.crt&.key=. The
-institutional roles check that they exist, but will not create them.
-In this abbey specific role, =/etc/server.crt&key= are ours to frob.
-The following tasks ensure they are symbolic links to
-=/etc/letsencrypt/live/birchwood-abbey.net/fullchain&privkey.pem=. If
-=/etc/letsencrypt/= was restored from a backup, the servers should be
-restarted manually.
+A small institute configures its Postfix, Dovecot and Apache servers
+use the certificate in =/etc/server.crt=. Ansible copies the small
+institute's self-signed (private) certificate there, but only if the
+file does not exist. This abbey specific role is free to symbolically
+link this file (and the corresponding =/etc/server.key= file) to
+=/etc/letsencrypt/live/birchwood-abbey.net/fullchain.pem= (and
+=privkey.pem=).
+
+If =/etc/letsencrypt/= was restored from a backup, the servers should
+be restarted manually.
#+CAPTION: [[file:roles_t/abbey-front/tasks/main.yml][=roles_t/abbey-front/tasks/main.yml=]]
#+BEGIN_SRC conf :tangle roles_t/abbey-front/tasks/main.yml
-- name: Use Let's Encrypt certificate&key.
+- name: "Use Let's Encrypt certificate&key."
+ become: yes
file:
state: link
src: "{{ item.target }}"
link: /etc/server.crt
- target: /etc/letsencrypt/live/birchwood-abbey.net/privkey.pem
link: /etc/server.key
+ when: letsencrypt.stat.exists
+#+END_SRC
+
+** Restart servers caching the Let's Encrypt certificate.
+
+#+CAPTION: [[file:roles_t/abbey-front/tasks/main.yml][=roles_t/abbey-front/tasks/main.yml=]]
+#+BEGIN_SRC conf :tangle roles_t/abbey-front/tasks/main.yml
+
+- name: Install Certbot hook.
+ become: yes
+ copy:
+ src: certbot_hook
+ dest: /etc/letsencrypt/renewal-hooks/post/restart-abbey-servers
+ mode: u=rwx,g=rx,o=rx
+ when: letsencrypt.stat.exists
+#+END_SRC
+
+The Dovecot IMAP server seems to cache the Let's Encrypt certificate.
+Whenever it runs for more than 3 months (i.e. every 3 months), email
+stops flowing because fetchmail notices the server certificate has
+expired. The Postfix and Apache2 servers seem not to cache their
+server certificate.
+
+#+CAPTION: [[file:roles_t/abbey-front/files/certbot_hook][=roles_t/abbey-front/files/certbot_hook=]]
+#+BEGIN_SRC conf :tangle roles_t/abbey-front/files/certbot_hook
+#!/bin/bash
+systemctl reload dovecot
#+END_SRC
** Rotate Let's Encrypt Log
#+CAPTION: [[file:roles_t/abbey-front/tasks/main.yml][=roles_t/abbey-front/tasks/main.yml=]]
#+BEGIN_SRC conf :tangle roles_t/abbey-front/tasks/main.yml
-- name: Install Let's Encrypt archive script.
+- name: "Install Let's Encrypt archive script."
become: yes
copy:
src: cron.daily_letsencrypt
become: yes
apt: pkg=python3-certbot-apache
-- name: Ensure Let's Encrypt certificate is readable.
+- name: Look for /etc/letsencrypt/live/.
+ stat:
+ path: /etc/letsencrypt/live
+ register: letsencrypt
+- debug:
+ msg: "/etc/letsencrypt/live/ does not (yet) exist"
+ when: not letsencrypt.stat.exists
+
+- name: "Ensure Let's Encrypt certificate is readable."
become: yes
file:
mode: u=rwx,g=rx,o=rx
path: /etc/letsencrypt/live
+ when: letsencrypt.stat.exists
-- name: Use Let's Encrypt certificate&key.
+- name: "Use Let's Encrypt certificate&key."
+ become: yes
file:
state: link
src: "{{ item.target }}"
link: /etc/server.crt
- target: /etc/letsencrypt/live/birchwood-abbey.net/privkey.pem
link: /etc/server.key
+ when: letsencrypt.stat.exists
+
+- name: Install Certbot hook.
+ become: yes
+ copy:
+ src: certbot_hook
+ dest: /etc/letsencrypt/renewal-hooks/post/restart-abbey-servers
+ mode: u=rwx,g=rx,o=rx
+ when: letsencrypt.stat.exists
- name: Install Certbot logrotate configuration.
become: yes
dest: /etc/logrotate.d/certbot
mode: u=rw,g=r,o=r
-- name: Install Let's Encrypt archive script.
+- name: "Install Let's Encrypt archive script."
become: yes
copy:
src: cron.daily_letsencrypt
projects / Network.git / commitdiff