From 65482f09c35957b04f2e57eb9b3523e3ff6ce228 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Thu, 14 Mar 2019 15:21:50 +0100
Subject: [PATCH] Extract the post hooks to their own script in Certbot's config dir
---
 .../5apps-xmpp_server/recipes/letsencrypt.rb | 33 +++++++++++++++-
 .../kosmos-base/recipes/letsencrypt.rb | 38 ++-----------------
 2 files changed, 35 insertions(+), 36 deletions(-)
diff --git a/site-cookbooks/5apps-xmpp_server/recipes/letsencrypt.rb b/site-cookbooks/5apps-xmpp_server/recipes/letsencrypt.rb
index ec800b6..cfbe366 100644
--- a/site-cookbooks/5apps-xmpp_server/recipes/letsencrypt.rb
+++ b/site-cookbooks/5apps-xmpp_server/recipes/letsencrypt.rb
@@ -2,6 +2,38 @@ include_recipe "kosmos-base::letsencrypt"
 
+prosody_post_hook = <<-EOF
+#!/usr/bin/env bash
+
+# Copy the prosody certificates and restart the server if it has been renewed
+# This is necessary because the prosody user doesn't have access to the
+# letsencrypt live folder
+for domain in $RENEWED_DOMAINS; do
+ case $domain in
+ # Do not copy over when renewing other 5apps.com domains
+ 5apps.com)
+ cp "${RENEWED_LINEAGE}/fullchain.pem" /etc/prosody/certs/5apps.com.crt
+ cp "${RENEWED_LINEAGE}/privkey.pem" /etc/prosody/certs/5apps.com.key
+ cp "${RENEWED_LINEAGE}/fullchain.pem" /etc/prosody/certs/muc.5apps.com.crt
+ cp "${RENEWED_LINEAGE}/privkey.pem" /etc/prosody/certs/muc.5apps.com.key
+ cp "${RENEWED_LINEAGE}/fullchain.pem" /etc/prosody/certs/xmpp.5apps.com.crt
+ cp "${RENEWED_LINEAGE}/privkey.pem" /etc/prosody/certs/xmpp.5apps.com.key
+ chown prosody:prosody /etc/prosody/certs/*
+ chmod 600 /etc/prosody/certs/*.key
+ chmod 640 /etc/prosody/certs/*.crt
+ systemctl restart prosody
+ ;;
+ esac
+done
+EOF
+
+file "/etc/letsencrypt/renewal-hooks/post/prosody" do
+ content prosody_post_hook
+ mode 0755
+ owner "root"
+ group "root"
+end
+
 gandi_api_data_bag_item = data_bag_item('credentials', 'gandi_api_5apps')
 
 template "/root/letsencrypt_hook.sh" do
@@ -17,4 +49,3 @@ execute "letsencrypt cert for 5apps xmpp" do
 File.exist?("/etc/prosody/certs/5apps.com.crt")
 end
 end
-
diff --git a/site-cookbooks/kosmos-base/recipes/letsencrypt.rb b/site-cookbooks/kosmos-base/recipes/letsencrypt.rb
index 6b4139c..d97dbe7 100644
--- a/site-cookbooks/kosmos-base/recipes/letsencrypt.rb
+++ b/site-cookbooks/kosmos-base/recipes/letsencrypt.rb
@@ -15,45 +15,13 @@ end
 
 package "certbot"
 
-letsencrypt_renew_hook = <<-EOF
+file "/etc/letsencrypt/renewal-hooks/post/nginx" do
+ content <<-EOF
 #!/usr/bin/env bash
-
 # Reloading nginx is enough to read the new certificates
 systemctl reload nginx
-
-# Copy the prosody certificates and restart the server if it has been renewed
-# This is necessary because the prosody user doesn't have access to the
-# letsencrypt live folder
-for domain in $RENEWED_DOMAINS; do
- case $domain in
- # Do not copy over when renewing other 5apps.com domains
- 5apps.com)
- cp "${RENEWED_LINEAGE}/fullchain.pem" /etc/prosody/certs/5apps.com.crt
- cp "${RENEWED_LINEAGE}/privkey.pem" /etc/prosody/certs/5apps.com.key
- cp "${RENEWED_LINEAGE}/fullchain.pem" /etc/prosody/certs/muc.5apps.com.crt
- cp "${RENEWED_LINEAGE}/privkey.pem" /etc/prosody/certs/muc.5apps.com.key
- cp "${RENEWED_LINEAGE}/fullchain.pem" /etc/prosody/certs/xmpp.5apps.com.crt
- cp "${RENEWED_LINEAGE}/privkey.pem" /etc/prosody/certs/xmpp.5apps.com.key
- chown prosody:prosody /etc/prosody/certs/*
- chmod 600 /etc/prosody/certs/*.key
- chmod 640 /etc/prosody/certs/*.crt
- systemctl restart prosody
- ;;
- esac
-done
-EOF
-
-file "/usr/local/bin/letsencrypt_renew_hook" do
- content letsencrypt_renew_hook
+ EOF
 mode 0755
 owner "root"
 group "root"
 end
-
-cron "renew Let's Encrypt certificates" do
- minute "0"
- hour "4"
- mailto "logs@5apps.com"
- # The hook is only executed if a cert has been renewed
- command "/usr/bin/certbot renew --deploy-hook letsencrypt_renew_hook -n 1> /dev/null"
-end
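Review bot: The script written to `/etc/letsencrypt/renewal-hooks/post/nginx` does not keep the semantics of the `--deploy-hook` invocation this hunk removes: certbot runs the `post` directory once at the end of a `certbot renew` run in which a renewal was attempted, whether or not it succeeded, whereas a deploy hook (and the `renewal-hooks/deploy/` directory) runs once per successfully renewed certificate. For the nginx reload that only costs a needless reload, but the prosody script this commit adds under the same `post` directory in the first file loops over `$RENEWED_DOMAINS` and copies from `$RENEWED_LINEAGE`, which certbot documents for deploy hooks; if the installed certbot does not export them for post hooks, the copy never runs and Prosody keeps serving the previous certificate until it expires. Placing both scripts under `/etc/letsencrypt/renewal-hooks/deploy/` would preserve the previous behaviour. The cron resource that actually ran `certbot renew` is deleted without a visible replacement; if this now relies on the scheduler shipped by the `certbot` package, a comment next to `package "certbot"` saying so (`# renewal is driven by the package's own cron/systemd timer; hooks live in /etc/letsencrypt/renewal-hooks/`) would spare the next reader the search.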