From 56d14748f91db6eabe157480f013cd3e9eddc646 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Thu, 20 Dec 2018 17:26:37 +0100
Subject: [PATCH] Fix the Let's Encrypt renew hook script

Only copy over the certs to the prosody directory if it's the 5apps.com wildcard, not for any 5apps.com subdomain
---
 .../kosmos-base/recipes/letsencrypt.rb | 32 ++++++++++---------
 1 file changed, 17 insertions(+), 15 deletions(-)

diff --git a/site-cookbooks/kosmos-base/recipes/letsencrypt.rb b/site-cookbooks/kosmos-base/recipes/letsencrypt.rb
index fa7959e..4db4544 100644
--- a/site-cookbooks/kosmos-base/recipes/letsencrypt.rb
+++ b/site-cookbooks/kosmos-base/recipes/letsencrypt.rb
@@ -24,21 +24,23 @@ systemctl reload nginx
 # Copy the prosody certificates and restart the server if it has been renewed
 # This is necessary because the prosody user doesn't have access to the
 # letsencrypt live folder
-echo "${RENEWED_DOMAINS}" | grep 5apps.com
-if [ $? -ne 1 ]; then
- cp "${RENEWED_LINEAGE}/fullchain.pem" /etc/prosody/certs/5apps.com.crt
- cp "${RENEWED_LINEAGE}/privkey.pem" /etc/prosody/certs/5apps.com.key
- cp "${RENEWED_LINEAGE}/fullchain.pem" /etc/prosody/certs/muc.5apps.com.crt
- cp "${RENEWED_LINEAGE}/privkey.pem" /etc/prosody/certs/muc.5apps.com.key
- cp "${RENEWED_LINEAGE}/fullchain.pem" /etc/prosody/certs/xmpp.5apps.com.crt
- cp "${RENEWED_LINEAGE}/privkey.pem" /etc/prosody/certs/xmpp.5apps.com.key
- chown prosody:prosody /etc/prosody/certs/*
- chmod 600 /etc/prosody/certs/*.key
- chmod 640 /etc/prosody/certs/*.crt
- systemctl restart prosody
-else
- exit 0
-fi
+for domain in $RENEWED_DOMAINS; do
+ case $domain in
+ # Do not copy over when renewing other 5apps.com domains
+ 5apps.com)
+ cp "${RENEWED_LINEAGE}/fullchain.pem" /etc/prosody/certs/5apps.com.crt
+ cp "${RENEWED_LINEAGE}/privkey.pem" /etc/prosody/certs/5apps.com.key
+ cp "${RENEWED_LINEAGE}/fullchain.pem" /etc/prosody/certs/muc.5apps.com.crt
+ cp "${RENEWED_LINEAGE}/privkey.pem" /etc/prosody/certs/muc.5apps.com.key
+ cp "${RENEWED_LINEAGE}/fullchain.pem" /etc/prosody/certs/xmpp.5apps.com.crt
+ cp "${RENEWED_LINEAGE}/privkey.pem" /etc/prosody/certs/xmpp.5apps.com.key
+ chown prosody:prosody /etc/prosody/certs/*
+ chmod 600 /etc/prosody/certs/*.key
+ chmod 640 /etc/prosody/certs/*.crt
+ systemctl restart prosody
+ ;;
+ esac
+done
 EOF
 
 file "/usr/local/bin/letsencrypt_renew_hook" do
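Review bot: The three `privkey.pem` copies in the `5apps.com)` arm use plain `cp` and are only restricted afterwards by `chmod 600 /etc/prosody/certs/*.key`, so a key file that does not exist yet is created with whatever mode the hook's umask allows, and it keeps that mode if a later command fails before the chmod runs. Creating each key with its final owner and mode in one step closes that gap, e.g. `install -o prosody -g prosody -m 600 "${RENEWED_LINEAGE}/privkey.pem" /etc/prosody/certs/5apps.com.key`, and likewise for the `muc.` and `xmpp.` keys. Separately, `for domain in $RENEWED_DOMAINS` relies on unquoted word splitting, which also applies pathname expansion to a wildcard name such as `*.5apps.com`; a `set -f` before the loop would keep the list literal. The hook script's heredoc starts above the hunk, so its shebang and any `set -e` are not visible here.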