Commit 00251859 authored by jurgenhaas's avatar jurgenhaas

Further improve letsencrypt to run without stopping the Apache server while it is running

parent ff72eb34
...@@ -18,9 +18,15 @@ ...@@ -18,9 +18,15 @@
jump: 'ACCEPT' jump: 'ACCEPT'
state: 'present' state: 'present'
- name: "Install New Cert" - name: "Install New Cert via webroot"
shell: certbot certonly --expand --non-interactive --config /etc/letsencrypt/{{ cert.domain }}.ini --cert-name {{ cert.domain }} --webroot-path /var/www/html --webroot
ignore_errors: true
when: groups.proxyserver is not defined or inventory_hostname not in groups.proxyserver
- name: "Install New Cert via HaProxy"
shell: certbot certonly --expand --non-interactive --config /etc/letsencrypt/{{ cert.domain }}.ini --http-01-port {{ port }} --preferred-challenges http-01 --cert-name {{ cert.domain }} shell: certbot certonly --expand --non-interactive --config /etc/letsencrypt/{{ cert.domain }}.ini --http-01-port {{ port }} --preferred-challenges http-01 --cert-name {{ cert.domain }}
ignore_errors: true ignore_errors: true
when: groups.proxyserver is defined and inventory_hostname in groups.proxyserver
- name: "Close Port" - name: "Close Port"
iptables: iptables:
......
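Review bot: The two `shell:` tasks at L16 and L20 interpolate `{{ cert.domain }}` (and `{{ port }}`) unquoted into a command line, so any shell metacharacter in a domain value taken from inventory would be interpreted by the shell rather than passed to certbot. Neither command uses pipes, redirects or globs, so `command: certbot certonly ...` instead of `shell:` removes the shell from the path entirely; if `shell:` has to stay, `--cert-name {{ cert.domain | quote }}` is the fallback. The same applies to the two renew tasks in the second file of this commit. `ignore_errors: true` on both tasks also lets a failed issuance continue the play with nothing but a red line in the output; registering the result (e.g. `register: certonly_result`) and asserting on `certonly_result.rc` after the "Close Port" task would surface the failure without leaving the iptables rule open. The task list and the loop that presumably supplies `cert` continue outside the hunk.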
...@@ -18,12 +18,19 @@ ...@@ -18,12 +18,19 @@
jump: 'ACCEPT' jump: 'ACCEPT'
state: 'present' state: 'present'
- name: "Renew Existing Certs" - name: "Renew Existing Certs via webroot"
#shell: certbot renew --non-interactive --http-01-port {{ port }} --preferred-challenges http-01
shell: certbot renew --non-interactive --webroot-path /var/www/html --webroot shell: certbot renew --non-interactive --webroot-path /var/www/html --webroot
ignore_errors: true ignore_errors: true
register: renew_result register: renew_result
changed_when: "'No renewals were attempted.' not in renew_result.stdout" changed_when: "'No renewals were attempted.' not in renew_result.stdout"
when: groups.proxyserver is not defined or inventory_hostname not in groups.proxyserver
- name: "Renew Existing Certs via HaProxy"
shell: certbot renew --non-interactive --http-01-port {{ port }} --preferred-challenges http-01
ignore_errors: true
register: renew_result
changed_when: "'No renewals were attempted.' not in renew_result.stdout"
when: groups.proxyserver is defined and inventory_hostname in groups.proxyserver
- name: "Close Port" - name: "Close Port"
iptables: iptables:
......
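Review bot: The commented-out line `#shell: certbot renew --non-interactive --http-01-port {{ port }} --preferred-challenges http-01` at L30 is dead code inside the webroot task — the same command now lives verbatim in the new "Renew Existing Certs via HaProxy" task at L37 — and should be dropped so the two tasks do not drift apart. The webroot path `/var/www/html` is now hard-coded in this file and in the certonly task of the first file; a single role variable (e.g. `letsencrypt_webroot` with a default of `/var/www/html`) would keep issuance and renewal pointing at the same directory. Both renew tasks register into the same `renew_result`, which is fine as long as the two `when:` conditions stay complementary; a comment saying so next to the second `register:` would stop a future edit from running both.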
...@@ -2,7 +2,9 @@ email = {{ apache_server_admin|default('admin@paragon-es.de') }} ...@@ -2,7 +2,9 @@ email = {{ apache_server_admin|default('admin@paragon-es.de') }}
domains = {{ cert.domain }}{% for alias in cert.aliases|default([]) %}, {{ alias }}{% endfor %}{% for trusted_domain in cert.trusted_domains|default([]) %}, {{ trusted_domain }}{% endfor %} domains = {{ cert.domain }}{% for alias in cert.aliases|default([]) %}, {{ alias }}{% endfor %}{% for trusted_domain in cert.trusted_domains|default([]) %}, {{ trusted_domain }}{% endfor %}
text = True text = True
{% if groups.proxyserver is defined and inventory_hostname in groups.proxyserver %}
authenticator = standalone authenticator = standalone
{% endif %}
# standalone-supported-challenges = tls-sni-01 # standalone-supported-challenges = tls-sni-01
agree-tos = True agree-tos = True
expand = True expand = True
......
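Review bot: The new `{% if %}` at L48 emits `authenticator = standalone` only for proxyserver hosts, so on every other host the rendered ini has no authenticator and issuance depends entirely on the `--webroot`/`--webroot-path` flags passed on the command line in the playbook. An `{% else %}` branch with `authenticator = webroot` and `webroot-path = /var/www/html` would make the ini self-describing and let the task drop the duplicated flags. A comment above the block, `# proxyserver hosts answer http-01 on a dedicated port via HaProxy; all others serve the challenge from the Apache webroot`, would record why the two modes exist. The commented `# standalone-supported-challenges = tls-sni-01` line below it refers to a challenge type that is no longer accepted and is now misleading next to the `http-01` setup; removing it is worth considering, but it predates this commit.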