kosmos/chef
8
3
Fork 0
Code Issues 34 Pull Requests 3 Projects 2 Activity

Automatically generate a Let's Encrypt cert for all 5apps xmpp domains

Browse Source 
Uses the Gandi LiveDNS API
This commit is contained in:
Greg Karékinian
2018-09-04 17:38:17 +02:00
parent 214e69427e
commit 185649a5f9
5 changed files with 99 additions and 70 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
site-cookbooks/kosmos-base/recipes/letsencrypt.rb
View File

@@ -2,7 +2,7 @@
# Cookbook Name:: kosmos-base
# Recipe:: letsencrypt
#
# Copyright 2016, Kosmos
# Copyright 2018, Kosmos
#
# All rights reserved - Do Not Redistribute
#
@@ -10,7 +10,7 @@
git "/usr/local/certbot" do
repository "https://github.com/certbot/certbot"
action :sync
revision "v0.25.0"
revision "v0.26.1"
user "root"
group "root"
end
@@ -21,13 +21,20 @@ letsencrypt_renew_hook = <<-EOF
# Reloading nginx is enough to read the new certificates
systemctl reload nginx
# Copy the prosody certificate and restart the server if it has been renewed
# Copy the prosody certificates and restart the server if it has been renewed
# This is necessary because the prosody user doesn't have access to the
# letsencrypt live folder
echo "${RENEWED_DOMAINS}" | grep xmpp.5apps.com
echo "${RENEWED_DOMAINS}" | grep 5apps.com
if [ $? -ne 1 ]; then
cp /etc/letsencrypt/live/xmpp.5apps.com/fullchain.pem /var/lib/prosody/xmpp.5apps.com.crt
cp /etc/letsencrypt/live/xmpp.5apps.com/privkey.pem /var/lib/prosody/xmpp.5apps.com.key
cp "${RENEWED_LINEAGE}/fullchain.pem" /etc/prosody/certs/5apps.com.crt
cp "${RENEWED_LINEAGE}/privkey.pem" /etc/prosody/certs/5apps.com.key
cp "${RENEWED_LINEAGE}/fullchain.pem" /etc/prosody/certs/muc.5apps.com.crt
cp "${RENEWED_LINEAGE}/privkey.pem" /etc/prosody/certs/muc.5apps.com.key
cp "${RENEWED_LINEAGE}/fullchain.pem" /etc/prosody/certs/xmpp.5apps.com.crt
cp "${RENEWED_LINEAGE}/privkey.pem" /etc/prosody/certs/xmpp.5apps.com.key
chown prosody:prosody /etc/prosody/certs/*
chmod 600 /etc/prosody/certs/*.key
chmod 640 /etc/prosody/certs/*.crt
systemctl restart prosody
else
exit 0
@@ -45,6 +52,6 @@ cron "renew Let's Encrypt certificates" do
minute "0"
hour "4"
mailto "logs@5apps.com"
# The post hook is only executed if a cert has been renewed
command "/usr/local/certbot/certbot-auto renew --renew-hook letsencrypt_renew_hook -n 1> /dev/null"
# The hook is only executed if a cert has been renewed
command "/usr/local/certbot/certbot-auto renew --deploy-hook letsencrypt_renew_hook -n 1> /dev/null"
end