diff --git a/site-cookbooks/5apps-hubot/recipes/xmpp_schlupp.rb b/site-cookbooks/5apps-hubot/recipes/xmpp_schlupp.rb
index fc521b0..f35ec1e 100644
--- a/site-cookbooks/5apps-hubot/recipes/xmpp_schlupp.rb
+++ b/site-cookbooks/5apps-hubot/recipes/xmpp_schlupp.rb
@@ -143,7 +143,8 @@ end
 unless node.chef_environment == "development"
 execute "letsencrypt cert for #{express_domain}" do
- command "certbot certonly --webroot --agree-tos --email ops@5apps.com --webroot-path /var/www/#{express_domain} -d #{express_domain} -n"
+ command "./certbot-auto certonly --webroot --agree-tos --email ops@5apps.com --webroot-path /var/www/#{express_domain} -d #{express_domain} -n"
+ cwd "/usr/local/certbot"
 not_if { File.exist? "/etc/letsencrypt/live/#{express_domain}/fullchain.pem" }
 notifies :create, "template[#{node['nginx']['dir']}/sites-available/#{express_domain}]", :immediately
 end
diff --git a/site-cookbooks/5apps-xmpp_server/recipes/letsencrypt.rb b/site-cookbooks/5apps-xmpp_server/recipes/letsencrypt.rb
index 93abc18..9215fa8 100644
--- a/site-cookbooks/5apps-xmpp_server/recipes/letsencrypt.rb
+++ b/site-cookbooks/5apps-xmpp_server/recipes/letsencrypt.rb
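Review bot: The new `command "./certbot-auto certonly …"` only resolves because of the added `cwd "/usr/local/certbot"`, while the renew cron in kosmos-base calls the same script by its absolute path; the two forms should not be mixed, and the absolute form `command "/usr/local/certbot/certbot-auto certonly --webroot …"` without a `cwd` line reads more plainly and is the one I would keep. This resource also depends on the `git "/usr/local/certbot"` checkout from kosmos-base::letsencrypt existing before it runs; the mastodon, mediawiki, wordpress and sockethub hunks show an `include_recipe "kosmos-base::letsencrypt"` right above their execute resource, but none is visible in this hunk, so the ordering here rests on something outside it (presumably an include elsewhere in the file or run list — worth confirming). The same relative-path point applies to the certonly resources in 5apps-xmpp_server, kosmos-hubot/botka_freenode, kosmos-ipfs, kosmos-mastodon, kosmos-mediawiki, kosmos-parity, kosmos-wordpress and sockethub. The enclosing `unless node.chef_environment == "development"` block starts outside the hunk.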
@@ -12,7 +12,8 @@ end
 # Generate a Let's Encrypt cert (only if no cert has been generated before).
 # The renew cron will take care of renewing
 execute "letsencrypt cert for 5apps xmpp" do
- command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/letsencrypt_hook.sh auth\" --manual-cleanup-hook \"/root/letsencrypt_hook.sh cleanup\" --deploy-hook letsencrypt_renew_hook --email ops@5apps.com -d 5apps.com -d muc.5apps.com -d xmpp.5apps.com -n"
+ command "./certbot-auto certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/letsencrypt_hook.sh auth\" --manual-cleanup-hook \"/root/letsencrypt_hook.sh cleanup\" --deploy-hook letsencrypt_renew_hook --email ops@5apps.com -d 5apps.com -d muc.5apps.com -d xmpp.5apps.com -n"
+ cwd "/usr/local/certbot"
 not_if do
 File.exist?("/etc/prosody/certs/5apps.com.crt")
 end
diff --git a/site-cookbooks/kosmos-base/recipes/letsencrypt.rb b/site-cookbooks/kosmos-base/recipes/letsencrypt.rb
index 1d489f8..4db4544 100644
--- a/site-cookbooks/kosmos-base/recipes/letsencrypt.rb
+++ b/site-cookbooks/kosmos-base/recipes/letsencrypt.rb
@@ -7,18 +7,14 @@
 # All rights reserved - Do Not Redistribute
 #
-# Install certbot and set up hooks
-
-apt_repository "certbot" do
- uri "http://ppa.launchpad.net/certbot/certbot/ubuntu"
- distribution node["lsb"]["codename"]
- components ["main"]
- keyserver "keyserver.ubuntu.com"
- key "7BF576066ADA65728FC7E70A8C47BE8E75BCA694"
+git "/usr/local/certbot" do
+ repository "https://github.com/certbot/certbot"
+ action :sync
+ revision "v0.26.1"
+ user "root"
+ group "root"
 end
-package "certbot"
-
 letsencrypt_renew_hook = <<-EOF
 #!/usr/bin/env bash
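Review bot: The `git "/usr/local/certbot"` resource pins `revision "v0.26.1"`, but `certbot-auto` upgrades itself in place by default on every run, so the tag only decides which script is bootstrapped; after the first certonly or cron run the tracked file in the checkout is replaced behind Chef's back, and `action :sync` has no reason to reset it while HEAD still matches. If the pin is meant to hold, every invocation needs `--no-self-upgrade` (the certonly commands in the other hunks and the `renew` line in the cron below); otherwise a comment next to `revision` saying the pin is bootstrap-only would stop the next reader from assuming it is enforced. The removed `apt_repository` checked packages against a fixed signing key, whereas a tag name can be moved and the clone is protected only by TLS to the hosting site; pinning `revision` to the commit SHA that v0.26.1 resolves to restores an equivalent integrity anchor. Nothing in the hunk removes the PPA `certbot` package or repository from nodes converged before this change, so on those hosts both installs will presumably coexist — if that matters, a `package "certbot" do action :remove end` next to the `git` resource covers the migration.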
@@ -54,12 +50,10 @@ file "/usr/local/bin/letsencrypt_renew_hook" do
 group "root"
 end
-unless node.chef_environment == "development"
- cron "renew Let's Encrypt certificates" do
- minute "0"
- hour "4"
- mailto "ops@5apps.com"
- # The post hook is only executed if a cert has been renewed
- command "certbot renew --renew-hook letsencrypt_renew_hook -n 1> /dev/null"
- end
+cron "renew Let's Encrypt certificates" do
+ minute "0"
+ hour "4"
+ mailto "logs@5apps.com"
+ # The hook is only executed if a cert has been renewed
+ command "/usr/local/certbot/certbot-auto renew --deploy-hook letsencrypt_renew_hook -n 1> /dev/null"
 end
diff --git a/site-cookbooks/kosmos-hubot/recipes/botka_freenode.rb b/site-cookbooks/kosmos-hubot/recipes/botka_freenode.rb
index 04a159e..e9b4f6b 100644
--- a/site-cookbooks/kosmos-hubot/recipes/botka_freenode.rb
+++ b/site-cookbooks/kosmos-hubot/recipes/botka_freenode.rb
@@ -121,7 +121,8 @@ unless node.chef_environment == "development"
 # reloaded after adding the vhost or sth, because it does work on the second
 # run.
 execute "letsencrypt cert for #{express_domain}" do
- command "certbot certonly --webroot --agree-tos --email ops@5apps.com --webroot-path /var/www/#{express_domain} -d #{express_domain} -n"
+ command "./certbot-auto certonly --webroot --agree-tos --email ops@5apps.com --webroot-path /var/www/#{express_domain} -d #{express_domain} -n"
+ cwd "/usr/local/certbot"
 not_if { File.exist? "/etc/letsencrypt/live/#{express_domain}/fullchain.pem" }
 notifies :create, "template[#{node['nginx']['dir']}/sites-available/#{express_domain}]", :immediately
 end
diff --git a/site-cookbooks/kosmos-ipfs/recipes/letsencrypt.rb b/site-cookbooks/kosmos-ipfs/recipes/letsencrypt.rb
index 0b37130..65839d7 100644
--- a/site-cookbooks/kosmos-ipfs/recipes/letsencrypt.rb
+++ b/site-cookbooks/kosmos-ipfs/recipes/letsencrypt.rb
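Review bot: The new `cron "renew Let's Encrypt certificates"` block is no longer wrapped in the `unless node.chef_environment == "development"` guard that the removed lines had, so development nodes now also get a daily root cron running `/usr/local/certbot/certbot-auto renew` and mailing its stderr to logs@5apps.com. Every other hunk in this commit keeps its certonly resource under the same environment guard (it appears as the hunk context in botka_freenode, mastodon, mediawiki, wordpress and sockethub), which suggests the drop here was not deliberate; if it was, a one-line comment above the `cron` resource saying why development hosts renew too would save the next reader the question, otherwise restore `unless node.chef_environment == "development"` around the block. The `file "/usr/local/bin/letsencrypt_renew_hook"` resource whose tail is shown starts outside the hunk.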
@@ -52,7 +52,8 @@ unless node.chef_environment == "development"
 # Generate a Let's Encrypt cert (only if the nginx vhost exists and no cert
 # has been generated before. The renew cron will take care of renewing
 execute "letsencrypt cert for ipfs.kosmos.org" do
- command "certbot certonly --webroot --agree-tos --email ops@5apps.com --webroot-path #{root_directory} -d ipfs.kosmos.org -n"
+ command "./certbot-auto certonly --webroot --agree-tos --email ops@5apps.com --webroot-path #{root_directory} -d ipfs.kosmos.org -n"
+ cwd "/usr/local/certbot"
 only_if do
 File.exist?("#{node['nginx']['dir']}/sites-enabled/ipfs.kosmos.org") &&
 !File.exist?("/etc/letsencrypt/live/ipfs.kosmos.org/fullchain.pem")
diff --git a/site-cookbooks/kosmos-mastodon/recipes/nginx.rb b/site-cookbooks/kosmos-mastodon/recipes/nginx.rb
index 6b68b19..6db9868 100644
--- a/site-cookbooks/kosmos-mastodon/recipes/nginx.rb
+++ b/site-cookbooks/kosmos-mastodon/recipes/nginx.rb
@@ -39,7 +39,8 @@ end
 unless node.chef_environment == "development"
 include_recipe "kosmos-base::letsencrypt"
 execute "letsencrypt cert for #{server_name}" do
- command "certbot certonly --webroot --agree-tos --email ops@5apps.com --webroot-path /var/www/mastodon -d #{server_name} -n"
+ command "./certbot-auto certonly --webroot --agree-tos --email ops@5apps.com --webroot-path /var/www/mastodon -d #{server_name} -n"
+ cwd "/usr/local/certbot"
 not_if { File.exist? "/etc/letsencrypt/live/#{server_name}/fullchain.pem" }
 notifies :create, "template[#{node['nginx']['dir']}/sites-available/mastodon]", :immediately
 end
diff --git a/site-cookbooks/kosmos-mediawiki/recipes/default.rb b/site-cookbooks/kosmos-mediawiki/recipes/default.rb
index 3064bbc..cf37b16 100644
--- a/site-cookbooks/kosmos-mediawiki/recipes/default.rb
+++ b/site-cookbooks/kosmos-mediawiki/recipes/default.rb
@@ -63,12 +63,19 @@ unless node.chef_environment == "development"
 include_recipe "kosmos-base::letsencrypt"
 execute "letsencrypt cert for wiki.kosmos.org" do
- command "certbot certonly --webroot --agree-tos --email ops@5apps.com --webroot-path #{node['mediawiki']['docroot_dir']} -d wiki.kosmos.org -n"
+ command "./certbot-auto certonly --webroot --agree-tos --email ops@5apps.com --webroot-path #{node['mediawiki']['docroot_dir']} -d wiki.kosmos.org -n"
+ cwd "/usr/local/certbot"
+ not_if { File.exist? "/etc/letsencrypt/live/wiki.kosmos.org/fullchain.pem" }
+ notifies :reload, "service[nginx]", :delayed
+ end
+
+ execute "letsencrypt cert for wiki.kosmos.org" do
+ command "./certbot-auto certonly --webroot --agree-tos --email ops@5apps.com --webroot-path #{node["mediawiki"]["docroot_dir"]} -d wiki.kosmos.org -n"
+ cwd "/usr/local/certbot"
 not_if { File.exist? "/etc/letsencrypt/live/wiki.kosmos.org/fullchain.pem" }
 notifies :reload, "service[nginx]", :delayed
 end
 end
-
 ssl_cert = "/etc/letsencrypt/live/wiki.kosmos.org/fullchain.pem"
 ssl_key = "/etc/letsencrypt/live/wiki.kosmos.org/privkey.pem"
 template "#{node['nginx']['dir']}/sites-available/mediawiki" do
diff --git a/site-cookbooks/kosmos-parity/recipes/letsencrypt.rb b/site-cookbooks/kosmos-parity/recipes/letsencrypt.rb
index 009237e..fdb84a1 100644
--- a/site-cookbooks/kosmos-parity/recipes/letsencrypt.rb
+++ b/site-cookbooks/kosmos-parity/recipes/letsencrypt.rb
@@ -33,7 +33,8 @@ nginx_site "#{hostname}" do
 end
 execute "letsencrypt cert for #{hostname}" do
- command "certbot certonly --webroot --agree-tos --email ops@5apps.com --webroot-path /var/www/#{hostname} -d #{hostname} -n"
+ command "./certbot-auto certonly --webroot --agree-tos --email ops@5apps.com --webroot-path /var/www/#{hostname} -d #{hostname} -n"
+ cwd "/usr/local/certbot"
 not_if { File.exist? "/etc/letsencrypt/live/#{hostname}/fullchain.pem" }
 notifies :reload, "service[nginx]", :delayed
 end
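Review bot: The mediawiki hunk now declares `execute "letsencrypt cert for wiki.kosmos.org"` twice with the same name — the first block ends with the added `+ end`, then an added blank line, then a second identical block whose only difference is `node["mediawiki"]["docroot_dir"]` with double quotes instead of `node['mediawiki']['docroot_dir']` (same value). This reads as a merge leftover rather than an intended second resource: older Chef versions warn about resource cloning for duplicate names and newer ones simply add both to the collection, and the second one is skipped only because its `not_if` is satisfied once the first run has written fullchain.pem. Delete the second `execute … do … end` block (the added blank line and the five added lines after it) so one resource remains. The enclosing `unless node.chef_environment == "development"` starts outside the hunk.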
diff --git a/site-cookbooks/kosmos-wordpress/recipes/nginx.rb b/site-cookbooks/kosmos-wordpress/recipes/nginx.rb
index ed8a485..6d04427 100644
--- a/site-cookbooks/kosmos-wordpress/recipes/nginx.rb
+++ b/site-cookbooks/kosmos-wordpress/recipes/nginx.rb
@@ -38,7 +38,8 @@ unless node.chef_environment == "development"
 include_recipe "kosmos-base::letsencrypt"
 execute "letsencrypt cert for blog.kosmos.org" do
- command "certbot certonly --webroot --agree-tos --email ops@5apps.com --webroot-path #{node['wordpress']['dir']} -d blog.kosmos.org -n"
+ command "./certbot-auto certonly --webroot --agree-tos --email ops@5apps.com --webroot-path #{node['wordpress']['dir']} -d blog.kosmos.org -n"
+ cwd "/usr/local/certbot"
 not_if { File.exist? "/etc/letsencrypt/live/blog.kosmos.org/fullchain.pem" }
 notifies :reload, "service[nginx]", :delayed
 end
diff --git a/site-cookbooks/sockethub/recipes/proxy.rb b/site-cookbooks/sockethub/recipes/proxy.rb
index 8e4eb36..7d5a3ba 100644
--- a/site-cookbooks/sockethub/recipes/proxy.rb
+++ b/site-cookbooks/sockethub/recipes/proxy.rb
@@ -43,7 +43,8 @@ unless node.chef_environment == "development"
 include_recipe "kosmos-base::letsencrypt"
 execute "letsencrypt cert for sockethub.kosmos.org" do
- command "certbot certonly --webroot --agree-tos --email ops@5apps.com --webroot-path /var/www/sockethub -d sockethub.kosmos.org -n"
+ command "./certbot-auto certonly --webroot --agree-tos --email ops@5apps.com --webroot-path /var/www/sockethub -d sockethub.kosmos.org -n"
+ cwd "/usr/local/certbot"
 not_if { File.exist? "/etc/letsencrypt/live/sockethub.kosmos.org/fullchain.pem" }
 notifies :reload, "service[nginx]", :delayed
 end