
Arrange for services to restart on cert renewal

Mike Ashley 9 years ago
Parent
Current commit
8f1b6a9ed8

+ 1
- 1
roles/common/DESIGN.md

14
 
14
 
15
 Certificates and private keys are backed up using tarsnap.
15
 Certificates and private keys are backed up using tarsnap.
16
 
16
 
17
-Certificate renewal is done automatically using cron. The cron script must be aware of private key copies and update them as well. Services that depend on new keys must also be bounced. It is up to roles that rely on keys to modify the cron script (preferably using `linein` or similar games) to accomplish this.
17
+Certificate renewal is done automatically using cron. The cron script must be aware of private key copies and update them as well. Services that depend on new keys must also be bounced. It is up to roles that rely on keys to modify the cron script (preferably using `lineinfile` or something similar) to accomplish this.
18
 
18
 
19
 ### Alternative approaches
19
 ### Alternative approaches
20
 
20
 

+ 5
- 0
roles/common/files/etc_cron-monthly_letsencrypt-renew

16
   /root/letsencrypt/letsencrypt-auto --renew certonly -c /etc/letsencrypt/cli.conf --domains=$domains
16
   /root/letsencrypt/letsencrypt-auto --renew certonly -c /etc/letsencrypt/cli.conf --domains=$domains
17
 done
17
 done
18
 service apache2 start
18
 service apache2 start
19
+
20
+# Services that rely on LE certificates will need restarted.  In some cases
21
+# their certificates are based on copies of the LE certs and will need
22
+# regenerated as well.
23
+
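Review bot: the comment block added at lines 20-22 should also state the execution model for the lines roles will append below it: they run unconditionally after `service apache2 start`, whether or not the `letsencrypt-auto --renew` loop above succeeded, so an appended copy-and-restart line must not assume a freshly renewed certificate exists and should be safe to re-run against unchanged files. Minor wording: "will need restarted" and "will need regenerated" read better as "will need to be restarted" and "will need to be regenerated".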

+ 5
- 0
roles/ircbouncer/tasks/znc.yml

24
     creates=/usr/lib/znc/znc.pem
24
     creates=/usr/lib/znc/znc.pem
25
   notify: restart znc
25
   notify: restart znc
26
 
26
 
27
+- name: Update certificate renwal cron job
28
+  lineinfile: dest=/etc/cron.monthly/letsencrypt-renew state=present
29
+    line="cat /etc/letsencrypt/live/{{ domain }}/{privkey,fullchain}.pem > /var/lib/znc/znc.pem; chown znc.znc /var/lib/znc/znc.pem; chmod 640 /var/lib/znc/znc.pem; service znc restart"
30
+    insertafter="EOF"
31
+
27
 - name: Ensure znc user and group can read cert
32
 - name: Ensure znc user and group can read cert
28
   file: path=/usr/lib/znc/znc.pem group=znc owner=znc mode=640
33
   file: path=/usr/lib/znc/znc.pem group=znc owner=znc mode=640
29
   notify: restart znc
34
   notify: restart znc
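Review bot: the appended cron line at line 29 writes the combined key and chain to `/var/lib/znc/znc.pem`, but every other task in this file uses `/usr/lib/znc/znc.pem` (`creates=/usr/lib/znc/znc.pem` at line 24 and `file: path=/usr/lib/znc/znc.pem` at line 33), so after a renewal ZNC is restarted against the old file unless it is configured to read from /var/lib; the two paths should agree. On the same line, `cat ... > /var/lib/znc/znc.pem` creates the file with root's default umask when it does not yet exist, leaving the private key readable until the `chmod 640` runs; writing under `umask 077`, or to a temporary file that is then moved into place, closes that window. Because `lineinfile` with only `line=` matches the exact text, a later change to `{{ domain }}` appends a second line instead of replacing the first; a `regexp=` anchored on `znc.pem; service znc restart` keeps the task idempotent. Also, `chown znc.znc` uses the deprecated dot separator (`znc:znc` is the documented form), and the task name at line 27 has a typo, "renwal".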

+ 5
- 0
roles/mailserver/tasks/dovecot.yml

64
     - imaps
64
     - imaps
65
     - pop3s
65
     - pop3s
66
   tags: ufw
66
   tags: ufw
67
+
68
+- name: Update certificate renwal cron job
69
+  lineinfile: dest=/etc/cron.monthly/letsencrypt-renew state=present
70
+    line="service dovecot restart"
71
+    insertafter="EOF"
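Review bot: typo in the task name at line 68, "renwal" should be "renewal" (the prosody task in this same commit spells it correctly). The appended line at line 70 contains no templated variables, so exact-line matching by `lineinfile` stays idempotent here without a `regexp=`. Worth a comment either here or in the cron script: `service dovecot restart` drops every active IMAP and POP3 session whenever the monthly job fires, even when no certificate was renewed.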

+ 5
- 0
roles/xmpp/tasks/prosody.yml

35
     - privkey.pem
35
     - privkey.pem
36
     - cert.pem
36
     - cert.pem
37
 
37
 
38
+- name: Update certificate renewal cron job
39
+  lineinfile: dest=/etc/cron.monthly/letsencrypt-renew state=present
40
+    line="cp /etc/letsencrypt/live/{{ domain }}/{privkey,cert}.pem /etc/prosody/certs; chown root.prosody /etc/prosody/certs/{privkey,cert}.pem; chmod 640 /etc/prosody/certs/{privkey,cert}.pem; service prosody restart"
41
+    insertafter="EOF"
42
+
38
 - name: Create Prosody accounts
43
 - name: Create Prosody accounts
39
   command: prosodyctl register {{ item.name }} {{ prosody_virtual_domain }} "{{ item.password }}"
44
   command: prosodyctl register {{ item.name }} {{ prosody_virtual_domain }} "{{ item.password }}"
40
   with_items: prosody_accounts
45
   with_items: prosody_accounts
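Review bot: the appended line at line 40 hard-codes the same two file names (`privkey.pem`, `cert.pem`) that the `with_items` list at lines 35-36 copies, so a change to one list silently desynchronises the other; consider driving both from a single role variable. When the files already exist in /etc/prosody/certs, `cp` overwrites them in place and keeps their existing mode, but on first creation it uses root's umask, so running the copy under `umask 077` before the `chown`/`chmod` avoids a brief window in which the private key is readable. `chown root.prosody` uses the deprecated dot separator; `root:prosody` is the portable form. Since the line contains `{{ domain }}`, a `regexp=` on `lineinfile` would prevent a duplicate line if the domain ever changes.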
