Compare commits
4 Commits
ee13c3cbe9
...
53d53f2375
| Author | SHA1 | Date | |
|---|---|---|---|
| 53d53f2375 | |||
|
1c920a8cb2 | ||
|
|
5e3c8066f9 | ||
|
|
d01c9a4d0a |
@ -101,24 +101,28 @@ nsslapd-allow-anonymous-access: off
|
||||
include_recipe "kosmos-base::letsencrypt"
|
||||
|
||||
dirsrv_hook = <<-EOF
|
||||
#!/usr/bin/env bash
|
||||
#!/usr/bin/env bash
|
||||
|
||||
set -e
|
||||
set -e
|
||||
|
||||
# Copy the dirsrv certificate and restart the server if it has been renewed
|
||||
# This is necessary because dirsrv uses a different format for the certificates
|
||||
for domain in $RENEWED_DOMAINS; do
|
||||
case $domain in
|
||||
#{new_resource.hostname})
|
||||
openssl pkcs12 -export -in "${RENEWED_LINEAGE}/fullchain.pem" -inkey "${RENEWED_LINEAGE}/privkey.pem" -out #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -name 'Server-Cert' -passout pass:
|
||||
pk12util -i #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -d #{inst_dir} -W ''
|
||||
systemctl restart #{service_name}
|
||||
;;
|
||||
esac
|
||||
done
|
||||
# Copy the dirsrv certificate and restart the server if it has been renewed
|
||||
# This is necessary because dirsrv uses a different format for the certificates
|
||||
for domain in $RENEWED_DOMAINS; do
|
||||
case $domain in
|
||||
#{new_resource.hostname})
|
||||
openssl pkcs12 -export -in "${RENEWED_LINEAGE}/fullchain.pem" -inkey "${RENEWED_LINEAGE}/privkey.pem" -out #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -name 'Server-Cert' -passout pass:
|
||||
pk12util -i #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -d #{inst_dir} -W ''
|
||||
# Remove the encryption key entries from the current database.
|
||||
# They will be recreated on restart for the new certificate
|
||||
awk '! /^dn: cn=3D|AES,cn=encrypted attribute keys,cn=userRoot/ {print; printf "\n" ; }' RS="" #{inst_dir}/dse.ldif > #{inst_dir}/dse_new.ldif
|
||||
mv #{inst_dir}/dse_new.ldif #{inst_dir}/dse.ldif
|
||||
systemctl restart #{service_name}
|
||||
;;
|
||||
esac
|
||||
done
|
||||
EOF
|
||||
|
||||
file "/etc/letsencrypt/renewal-hooks/deploy/dirsrrv" do
|
||||
file "/etc/letsencrypt/renewal-hooks/deploy/dirsrv" do
|
||||
content dirsrv_hook
|
||||
mode 0755
|
||||
owner "root"
|
||||
@ -129,9 +133,21 @@ nsslapd-allow-anonymous-access: off
|
||||
source 'nginx_conf_empty.erb'
|
||||
owner node["nginx"]["user"]
|
||||
mode 0640
|
||||
notifies :reload, 'service[nginx]', :delayed
|
||||
end
|
||||
|
||||
nginx_certbot_site new_resource.hostname do
|
||||
notifies :run, "letsencrypt cert for #{domain}", :delayed
|
||||
end
|
||||
|
||||
# Generate a Let's Encrypt cert (only if the nginx vhost exists and no cert
|
||||
# has been generated before. The renew cron will take care of renewing
|
||||
execute "letsencrypt cert for #{domain}" do
|
||||
command "/usr/bin/certbot certonly --webroot --agree-tos --email ops@kosmos.org --webroot-path #{root_directory} --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/dirsrv -d #{domain} -n"
|
||||
only_if do
|
||||
::File.exist?("#{node['nginx']['dir']}/sites-enabled/#{domain}_certbot") &&
|
||||
!::File.exist?("/etc/letsencrypt/live/#{domain}/fullchain.pem")
|
||||
end
|
||||
notifies :run, "execute[add tls config]", :immediately
|
||||
end
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user