Switch certbot to the Ubuntu packages instead of the Git repo

2019-01-09 11:41:35 +01:00 · 2019-01-09 11:41:35 +01:00 · 019bf85ecc
commit 019bf85ecc
parent 9ec1a8a6c0
10 changed files with 28 additions and 37 deletions
--- a/site-cookbooks/5apps-hubot/recipes/xmpp_schlupp.rb
+++ b/site-cookbooks/5apps-hubot/recipes/xmpp_schlupp.rb
@ -143,8 +143,7 @@ end
 unless node.chef_environment == "development"
  execute "letsencrypt cert for #{express_domain}" do
-    command "./certbot-auto certonly --webroot --agree-tos --email ops@5apps.com --webroot-path /var/www/#{express_domain} -d #{express_domain} -n"
+    command "certbot certonly --webroot --agree-tos --email ops@5apps.com --webroot-path /var/www/#{express_domain} -d #{express_domain} -n"
    cwd "/usr/local/certbot"
    not_if { File.exist? "/etc/letsencrypt/live/#{express_domain}/fullchain.pem" }
    notifies :create, "template[#{node['nginx']['dir']}/sites-available/#{express_domain}]", :immediately
  end
--- a/site-cookbooks/5apps-xmpp_server/recipes/letsencrypt.rb
+++ b/site-cookbooks/5apps-xmpp_server/recipes/letsencrypt.rb
@ -12,8 +12,7 @@ end
 # Generate a Let's Encrypt cert (only if no cert has been generated before).
 # The renew cron will take care of renewing
 execute "letsencrypt cert for 5apps xmpp" do
-  command "./certbot-auto certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/letsencrypt_hook.sh auth\" --manual-cleanup-hook \"/root/letsencrypt_hook.sh cleanup\" --deploy-hook letsencrypt_renew_hook --email ops@5apps.com -d 5apps.com -d muc.5apps.com -d xmpp.5apps.com -n"
+  command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/letsencrypt_hook.sh auth\" --manual-cleanup-hook \"/root/letsencrypt_hook.sh cleanup\" --deploy-hook letsencrypt_renew_hook --email ops@5apps.com -d 5apps.com -d muc.5apps.com -d xmpp.5apps.com -n"
  cwd "/usr/local/certbot"
  not_if do
    File.exist?("/etc/prosody/certs/5apps.com.crt")
  end
--- a/site-cookbooks/kosmos-base/recipes/letsencrypt.rb
+++ b/site-cookbooks/kosmos-base/recipes/letsencrypt.rb
@ -7,14 +7,18 @@
 # All rights reserved - Do Not Redistribute
 #
-git "/usr/local/certbot" do
+# Install certbot and set up hooks
-  repository "https://github.com/certbot/certbot"
+
-  action     :sync
+apt_repository "certbot" do
-  revision   "v0.26.1"
+  uri "http://ppa.launchpad.net/certbot/certbot/ubuntu"
-  user       "root"
+  distribution node["lsb"]["codename"]
-  group      "root"
+  components ["main"]
  keyserver "keyserver.ubuntu.com"
  key "7BF576066ADA65728FC7E70A8C47BE8E75BCA694"
 end
 package "certbot"
 letsencrypt_renew_hook = <<-EOF
 #!/usr/bin/env bash
@ -50,10 +54,12 @@ file "/usr/local/bin/letsencrypt_renew_hook" do
  group "root"
 end
-cron "renew Let's Encrypt certificates" do
+unless node.chef_environment == "development"
-  minute "0"
+  cron "renew Let's Encrypt certificates" do
-  hour "4"
+    minute "0"
-  mailto "logs@5apps.com"
+    hour "4"
-  # The hook is only executed if a cert has been renewed
+    mailto "ops@5apps.com"
-  command "/usr/local/certbot/certbot-auto renew --deploy-hook letsencrypt_renew_hook -n 1> /dev/null"
+    # The post hook is only executed if a cert has been renewed
    command "certbot renew --renew-hook letsencrypt_renew_hook -n 1> /dev/null"
  end
 end
--- a/site-cookbooks/kosmos-hubot/recipes/botka_freenode.rb
+++ b/site-cookbooks/kosmos-hubot/recipes/botka_freenode.rb
@ -121,8 +121,7 @@ unless node.chef_environment == "development"
  # reloaded after adding the vhost or sth, because it does work on the second
  # run.
  execute "letsencrypt cert for #{express_domain}" do
-    command "./certbot-auto certonly --webroot --agree-tos --email ops@5apps.com --webroot-path /var/www/#{express_domain} -d #{express_domain} -n"
+    command "certbot certonly --webroot --agree-tos --email ops@5apps.com --webroot-path /var/www/#{express_domain} -d #{express_domain} -n"
    cwd "/usr/local/certbot"
    not_if { File.exist? "/etc/letsencrypt/live/#{express_domain}/fullchain.pem" }
    notifies :create, "template[#{node['nginx']['dir']}/sites-available/#{express_domain}]", :immediately
  end
--- a/site-cookbooks/kosmos-ipfs/recipes/letsencrypt.rb
+++ b/site-cookbooks/kosmos-ipfs/recipes/letsencrypt.rb
@ -52,8 +52,7 @@ unless node.chef_environment == "development"
  # Generate a Let's Encrypt cert (only if the nginx vhost exists and no cert
  # has been generated before. The renew cron will take care of renewing
  execute "letsencrypt cert for ipfs.kosmos.org" do
-    command "./certbot-auto certonly --webroot --agree-tos --email ops@5apps.com --webroot-path #{root_directory} -d ipfs.kosmos.org -n"
+    command "certbot certonly --webroot --agree-tos --email ops@5apps.com --webroot-path #{root_directory} -d ipfs.kosmos.org -n"
    cwd "/usr/local/certbot"
    only_if do
      File.exist?("#{node['nginx']['dir']}/sites-enabled/ipfs.kosmos.org") &&
        !File.exist?("/etc/letsencrypt/live/ipfs.kosmos.org/fullchain.pem")
--- a/site-cookbooks/kosmos-mastodon/recipes/nginx.rb
+++ b/site-cookbooks/kosmos-mastodon/recipes/nginx.rb
@ -39,8 +39,7 @@ end
 unless node.chef_environment == "development"
  include_recipe "kosmos-base::letsencrypt"
  execute "letsencrypt cert for #{server_name}" do
-    command "./certbot-auto certonly --webroot --agree-tos --email ops@5apps.com --webroot-path /var/www/mastodon -d #{server_name} -n"
+    command "certbot certonly --webroot --agree-tos --email ops@5apps.com --webroot-path /var/www/mastodon -d #{server_name} -n"
    cwd "/usr/local/certbot"
    not_if { File.exist? "/etc/letsencrypt/live/#{server_name}/fullchain.pem" }
    notifies :create, "template[#{node['nginx']['dir']}/sites-available/mastodon]", :immediately
  end
--- a/site-cookbooks/kosmos-mediawiki/recipes/default.rb
+++ b/site-cookbooks/kosmos-mediawiki/recipes/default.rb
@ -63,19 +63,12 @@ unless node.chef_environment == "development"
  include_recipe "kosmos-base::letsencrypt"
  execute "letsencrypt cert for wiki.kosmos.org" do
-    command "./certbot-auto certonly --webroot --agree-tos --email ops@5apps.com --webroot-path #{node['mediawiki']['docroot_dir']} -d wiki.kosmos.org -n"
+    command "certbot certonly --webroot --agree-tos --email ops@5apps.com --webroot-path #{node['mediawiki']['docroot_dir']} -d wiki.kosmos.org -n"
    cwd "/usr/local/certbot"
    not_if { File.exist? "/etc/letsencrypt/live/wiki.kosmos.org/fullchain.pem" }
    notifies :reload, "service[nginx]", :delayed
  end
  execute "letsencrypt cert for wiki.kosmos.org" do
    command "./certbot-auto certonly --webroot --agree-tos --email ops@5apps.com --webroot-path #{node["mediawiki"]["docroot_dir"]} -d wiki.kosmos.org -n"
    cwd "/usr/local/certbot"
    not_if { File.exist? "/etc/letsencrypt/live/wiki.kosmos.org/fullchain.pem" }
    notifies :reload, "service[nginx]", :delayed
  end
 end
 ssl_cert = "/etc/letsencrypt/live/wiki.kosmos.org/fullchain.pem"
 ssl_key = "/etc/letsencrypt/live/wiki.kosmos.org/privkey.pem"
 template "#{node['nginx']['dir']}/sites-available/mediawiki" do
--- a/site-cookbooks/kosmos-parity/recipes/letsencrypt.rb
+++ b/site-cookbooks/kosmos-parity/recipes/letsencrypt.rb
@ -33,8 +33,7 @@ nginx_site "#{hostname}" do
 end
 execute "letsencrypt cert for #{hostname}" do
-  command "./certbot-auto certonly --webroot --agree-tos --email ops@5apps.com --webroot-path /var/www/#{hostname} -d #{hostname} -n"
+  command "certbot certonly --webroot --agree-tos --email ops@5apps.com --webroot-path /var/www/#{hostname} -d #{hostname} -n"
  cwd "/usr/local/certbot"
  not_if { File.exist? "/etc/letsencrypt/live/#{hostname}/fullchain.pem" }
  notifies :reload, "service[nginx]", :delayed
 end
--- a/site-cookbooks/kosmos-wordpress/recipes/nginx.rb
+++ b/site-cookbooks/kosmos-wordpress/recipes/nginx.rb
@ -38,8 +38,7 @@ unless node.chef_environment == "development"
  include_recipe "kosmos-base::letsencrypt"
  execute "letsencrypt cert for blog.kosmos.org" do
-    command "./certbot-auto certonly --webroot --agree-tos --email ops@5apps.com --webroot-path #{node['wordpress']['dir']} -d blog.kosmos.org -n"
+    command "certbot certonly --webroot --agree-tos --email ops@5apps.com --webroot-path #{node['wordpress']['dir']} -d blog.kosmos.org -n"
    cwd "/usr/local/certbot"
    not_if { File.exist? "/etc/letsencrypt/live/blog.kosmos.org/fullchain.pem" }
    notifies :reload, "service[nginx]", :delayed
  end
--- a/site-cookbooks/sockethub/recipes/proxy.rb
+++ b/site-cookbooks/sockethub/recipes/proxy.rb
@ -43,8 +43,7 @@ unless node.chef_environment == "development"
  include_recipe "kosmos-base::letsencrypt"
  execute "letsencrypt cert for sockethub.kosmos.org" do
-    command "./certbot-auto certonly --webroot --agree-tos --email ops@5apps.com --webroot-path /var/www/sockethub -d sockethub.kosmos.org -n"
+    command "certbot certonly --webroot --agree-tos --email ops@5apps.com --webroot-path /var/www/sockethub -d sockethub.kosmos.org -n"
    cwd "/usr/local/certbot"
    not_if { File.exist? "/etc/letsencrypt/live/sockethub.kosmos.org/fullchain.pem" }
    notifies :reload, "service[nginx]", :delayed
  end