Automatically generate a Let's Encrypt cert for all 5apps xmpp domains

Uses the Gandi LiveDNS API
2018-09-04 17:38:17 +02:00
parent 214e69427e
commit 185649a5f9
5 changed files with 99 additions and 70 deletions
--- a/site-cookbooks/5apps-xmpp_server/recipes/letsencrypt.rb
+++ b/site-cookbooks/5apps-xmpp_server/recipes/letsencrypt.rb
@@ -1,49 +1,22 @@
-# nginx config to generate a Let's Encrypt cert
+# Generate a Let's Encrypt cert for 5apps.com, muc.5apps.com and xmpp.5apps.com

 include_recipe "kosmos-base::letsencrypt"

-root_directory = "/var/www/xmpp.5apps.com"
+gandi_api_data_bag_item = data_bag_item('credentials', 'gandi_api_5apps')

-directory "#{root_directory}/.well-known" do
-  owner node["nginx"]["user"]
-  group node["nginx"]["group"]
-  action :create
-  recursive true
+template "/root/letsencrypt_hook.sh" do
+  variables gandi_api_key: gandi_api_data_bag_item["key"]
+  mode 0770
 end

-template "#{node['nginx']['dir']}/sites-available/xmpp.5apps.com" do
-  source 'nginx_conf_xmpp.5apps.com.erb'
-  owner 'www-data'
-  mode 0640
-  variables server_name:    'xmpp.5apps.com',
-            root_directory: root_directory,
-            ssl_cert:       "/etc/letsencrypt/live/xmpp.5apps.com/fullchain.pem",
-            ssl_key:        "/etc/letsencrypt/live/xmpp.5apps.com/privkey.pem"
-  notifies :reload, 'service[nginx]', :delayed
-end
-
-# Generate a Let's Encrypt cert (only if the nginx vhost exists and no cert
-# has been generated before. The renew cron will take care of renewing
-execute "letsencrypt cert for xmpp.5apps.com" do
-  command "./certbot-auto certonly --webroot --agree-tos --email ops@5apps.com --webroot-path #{root_directory} -d xmpp.5apps.com -n"
+# Generate a Let's Encrypt cert (only if no cert has been generated before).
+# The renew cron will take care of renewing
+execute "letsencrypt cert for 5apps xmpp" do
+  command "./certbot-auto certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/letsencrypt_hook.sh auth\" --manual-cleanup-hook \"/root/letsencrypt_hook.sh cleanup\" --deploy-hook letsencrypt_renew_hook --email ops@5apps.com -d 5apps.com -d muc.5apps.com -d xmpp.5apps.com -n"
+  environment
  cwd "/usr/local/certbot"
-  only_if do
-    File.exist?("#{node['nginx']['dir']}/sites-enabled/xmpp.5apps.com") &&
-      !File.exist?("/etc/letsencrypt/live/xmpp.5apps.com/fullchain.pem")
+  not_if do
+    File.exist?("/etc/prosody/certs/5apps.com.crt")
  end
-  notifies :create, "template[#{node['nginx']['dir']}/sites-available/xmpp.5apps.com]", :delayed
-  notifies :run, "execute[copy the tls cert to prosody folder]", :delayed
 end

-execute "copy the tls cert to prosody folder" do
-  action :nothing
-  command <<-EOF
-cp /etc/letsencrypt/live/xmpp.5apps.com/fullchain.pem /var/lib/prosody/xmpp.5apps.com.crt
-cp /etc/letsencrypt/live/xmpp.5apps.com/privkey.pem /var/lib/prosody/xmpp.5apps.com.key
-  EOF
-  notifies :restart, "service[prosody]", :delayed
-end
-
-nginx_site 'xmpp.5apps.com' do
-  enable true
-end