From a1a0d7e4c114c087596088d42f64f2a9fcdfe418 Mon Sep 17 00:00:00 2001
From: Sebastian Kippe
Date: Sun, 6 Sep 2020 13:46:06 +0200
Subject: [PATCH] Switch Certbot to snap package on Ubuntu 20.04+
Needs only minor changes. Tested and running on wiki.kosmos.org already.
---
 .../kosmos-base/files/default/certbot.service | 3 +-
 .../kosmos-base/recipes/letsencrypt.rb | 52 ++++++++++++-------
 .../resources/nginx_certbot_site.rb | 4 +-
 3 files changed, 36 insertions(+), 23 deletions(-)
diff --git a/site-cookbooks/kosmos-base/files/default/certbot.service b/site-cookbooks/kosmos-base/files/default/certbot.service
index 39274c3..20c9b88 100644
--- a/site-cookbooks/kosmos-base/files/default/certbot.service
+++ b/site-cookbooks/kosmos-base/files/default/certbot.service
@@ -1,7 +1,6 @@
 [Unit]
 Description=Certbot
-Documentation=file:///usr/share/doc/python-certbot-doc/html/index.html
-Documentation=https://letsencrypt.readthedocs.io/en/latest/
+Documentation=https://certbot.eff.org/docs/
 OnFailure=status-email-ops@%n.service
 [Service]
 Type=oneshot
diff --git a/site-cookbooks/kosmos-base/recipes/letsencrypt.rb b/site-cookbooks/kosmos-base/recipes/letsencrypt.rb
index d477588..ac5016e 100644
--- a/site-cookbooks/kosmos-base/recipes/letsencrypt.rb
+++ b/site-cookbooks/kosmos-base/recipes/letsencrypt.rb
@@ -24,13 +24,24 @@
 # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 # THE SOFTWARE.
-# Install certbot and set up hooks
-
-apt_repository "certbot" do
-  uri "ppa:certbot/certbot"
+unless platform?('ubuntu')
+  raise "This recipe only supports Ubuntu installs"
 end
-package "certbot"
+if node[:platform_version].to_f < 20.04
+  apt_repository "certbot" do
+    uri "ppa:certbot/certbot"
+  end
+  package "certbot"
+else
+  bash "install_certbot_snap" do
+    code "snap install --classic certbot"
+  end
+  # TODO switch to snap_package resource when they fix it
+  # snap_package "certbot" do
+  # options "--classic"
+  # end
+end
 %w(deploy post pre).each do |subdir|
   directory "/etc/letsencrypt/renewal-hooks/#{subdir}" do
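Review bot: The `bash "install_certbot_snap"` resource carries no guard, so `snap install --classic certbot` is re-run on every chef-client run; as far as I know `snap install` on an already-installed snap exits non-zero (pointing at `snap refresh`) instead of being a no-op, which would make every converge after the first fail on 20.04+ hosts. A guard such as `not_if { ::File.exist?("/snap/bin/certbot") }` (the path the nginx_certbot_site resource in this same patch already relies on) restores idempotency. The `node[:platform_version].to_f < 20.04` branch is duplicated in nginx_certbot_site.rb; exposing the chosen binary path from this recipe (e.g. as a node attribute) would keep the two from drifting. Classic confinement also means the snap runs without sandboxing, which is expected for certbot but deserves a one-line comment next to `--classic` so the reason is recorded.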
@@ -52,22 +63,23 @@ systemctl reload nginx
   group "root"
 end
-gandi_api_data_bag_item = data_bag_item('credentials', 'gandi_api_5apps')
+# gandi_api_data_bag_item = data_bag_item('credentials', 'gandi_api_5apps')
-template "/root/gandi_dns_certbot_hook.sh" do
-  variables gandi_api_key: gandi_api_data_bag_item["key"]
-  mode 0770
-end
+# TODO only write to machines that actually need it (e.g. via role)
+# template "/root/gandi_dns_certbot_hook.sh" do
+# variables gandi_api_key: gandi_api_data_bag_item["key"]
+# mode 0770
+# end
-include_recipe 'kosmos-base::systemd_emails'
+# include_recipe 'kosmos-base::systemd_emails'
+# TODO Check the deployed certs expiration dates instead of overwriting supplied systemd services
 # Overwrite the systemd service to add email notifications on failures
-cookbook_file "/lib/systemd/system/certbot.service" do
-  source "certbot.service"
-  notifies :run, "execute[systemctl daemon-reload]", :delayed
-end
-
-execute "systemctl daemon-reload" do
-  command "systemctl daemon-reload"
-  action :nothing
-end
+# cookbook_file "/lib/systemd/system/certbot.service" do
+# source "certbot.service"
+# notifies :run, "execute[systemctl daemon-reload]", :delayed
+# end
+# execute "systemctl daemon-reload" do
+# command "systemctl daemon-reload"
+# action :nothing
+# end
diff --git a/site-cookbooks/kosmos-nginx/resources/nginx_certbot_site.rb b/site-cookbooks/kosmos-nginx/resources/nginx_certbot_site.rb
index 97a13af..a3aecc2 100644
--- a/site-cookbooks/kosmos-nginx/resources/nginx_certbot_site.rb
+++ b/site-cookbooks/kosmos-nginx/resources/nginx_certbot_site.rb
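Review bot: Commenting out the `cookbook_file "/lib/systemd/system/certbot.service"` block drops the override that carried `OnFailure=status-email-ops@%n.service`, so a failing renewal no longer produces a notification, and the `Documentation=` edit to certbot.service in this same patch is now never deployed. If the override is meant to go, remove the stale `files/default/certbot.service` and the `systemd_emails` include outright and track the expiry-check idea as an issue rather than as commented-out code. Disabling the `template "/root/gandi_dns_certbot_hook.sh"` resource also does not remove the file from nodes that converged before this change, so the copy holding the Gandi API key stays on every host that received it; an explicit `file "/root/gandi_dns_certbot_hook.sh" do action :delete end`, restricted to hosts that no longer need the hook, would retire it.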
@@ -39,10 +39,12 @@ action :create do
   include_recipe "kosmos-base::letsencrypt"
+  certbot_bin = node[:platform_version].to_f < 20.04 ? "/usr/bin/certbot" : "/snap/bin/certbot"
+
   # Generate a Let's Encrypt cert (only if the nginx vhost exists and no cert
   # has been generated before. The renew cron will take care of renewing
   execute "letsencrypt cert for #{domain}" do
-    command "/usr/bin/certbot certonly --webroot --agree-tos --email ops@kosmos.org --webroot-path #{root_directory} -d #{domain} -n"
+    command "#{certbot_bin} certonly --webroot --agree-tos --email ops@kosmos.org --webroot-path #{root_directory} -d #{domain} -n"
     only_if do
       ::File.exist?("#{node['nginx']['dir']}/sites-enabled/#{domain}_certbot") &&
         !::File.exist?("/etc/letsencrypt/live/#{domain}/fullchain.pem")
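Review bot: The rewritten `command` still interpolates `root_directory` and `domain` into one shell string, so a value containing shell metacharacters would be interpreted by the shell rather than handed to certbot; both come from resource properties rather than end-user input, but the array form of `execute`'s `command` bypasses the shell entirely, e.g. `command [certbot_bin, "certonly", "--webroot", "--agree-tos", "--email", "ops@kosmos.org", "--webroot-path", root_directory, "-d", domain, "-n"]`. The `certbot_bin` selection repeats the `node[:platform_version].to_f < 20.04` branch from letsencrypt.rb; if the two ever disagree (or the snap install in that recipe failed), this `execute` fails at convergence with a missing binary, so deriving the path from a single place (e.g. an attribute set by kosmos-base::letsencrypt) would keep them from drifting. A short comment above `certbot_bin`, such as `# certbot is installed as a snap on 20.04+ (see kosmos-base::letsencrypt)`, would explain the two paths to the next reader.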