Update xmpp role for LE certificate

roles/common/DESIGN.md

@@ -8,11 +8,13 @@ The Let's Encrypt service uses DNS to look up domains being registered and then
 
 A single certificate is created using Let's Encrypt with SANs used for the subdomains. The user must configure the list of subdomains to register in `vars/user.yml` unless they are installing all services, i.e., the default list of subdomains is everything.
 
-Certificate renewal is done automatically using cron.
+The role is designed to fail if a certificate cannot be generated for all subdomains listed.  This catches DNS configuration errors where a subdomain should have a record but does not.  Errors in the other direction (not all subdomains are listed in the SANs) can be addressed after detection by fixing the configuration and rerunning the role.
+
+Several packages need access to the private key. Not all are run as root. Examples include Prosody (XMPP) and ZNC (IRC bouncer). The approach in these cases is to copy the certificates and manage ownership and mode for them separately. This is to avoid stomping on directory ownership and modes in /etc/letsencrypt.
 
 Certificates and private keys are backed up using tarsnap.
 
-The role is designed to fail if a certificate cannot be generated for all subdomains listed.  This catches DNS configuration errors where a subdomain should have a record but does not.  Errors in the other direction (not all subdomains are listed in the SANs) can be addressed after detection by fixing the configuration and rerunning the role.
+Certificate renewal is done automatically using cron. The cron script must be aware of private key copies and update them as well. Services that depend on new keys must also be bounced. It is up to roles that rely on keys to modify the cron script (preferably using `linein` or similar games) to accomplish this.
 
 ### Alternative approaches
 

roles/xmpp/tasks/prosody.yml

@@ -16,9 +16,6 @@
   tags:
     - dependencies
 
-- name: Add prosody user to ssl-cert group
-  user: name=prosody groups=ssl-cert append=yes
-
 - name: Create Prosody data directory
   file: state=directory path=/decrypted/prosody owner=prosody group=prosody
 
@@ -26,6 +23,18 @@
   template: src=prosody.cfg.lua.j2 dest=/etc/prosody/prosody.cfg.lua group=root owner=root
   notify: restart prosody
 
+- name: Copy SSL private key and cert
+  shell: cp /etc/letsencrypt/live/{{ domain }}/{{ item }} /etc/prosody/certs
+  with_items:
+    - privkey.pem
+    - cert.pem
+
+- name: Assert mode and ownership on SSL private key and cert
+  file: dest=/etc/prosody/certs/{{ item }} owner=root group=prosody mode=0640
+  with_items:
+    - privkey.pem
+    - cert.pem
+
 - name: Create Prosody accounts
   command: prosodyctl register {{ item.name }} {{ prosody_virtual_domain }} "{{ item.password }}"
   with_items: prosody_accounts

roles/xmpp/templates/prosody.cfg.lua.j2

@@ -86,8 +86,8 @@ allow_registration = false;
 -- These are the SSL/TLS-related settings. If you don't want
 -- to use SSL/TLS, you may comment or remove this
 ssl = {
-	key = "/etc/ssl/private/wildcard_private.key";
-	certificate = "/etc/ssl/certs/wildcard_public_cert.crt";
+	key = "/etc/prosody/certs/privkey.pem";
+	certificate = "/etc/prosody/certs/cert.pem";
 }
 
 -- Force clients to use encrypted connections? This option will