kosmos/chef
kosmos/chef
8
3
Fork 0
Code Issues 29 Pull Requests 2 Projects 2 Activity

Remove the encryption keys after TLS cert renewal #157

Manually merged
greg merged 3 commits from bugfix/152-remove_encryption_keys_tls into master 2020-04-30 15:50:30 +00:00
Conversation 2 Commits 3 Files Changed 1 +12
1 changed files with 12 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files
Showing only changes of commit 5e3c8066f9 - Show all commits

12
site-cookbooks/kosmos-dirsrv/resources/instance.rb
View File

@ -129,9 +129,21 @@ nsslapd-allow-anonymous-access: off
source 'nginx_conf_empty.erb'
owner node["nginx"]["user"]
mode 0640
notifies :reload, 'service[nginx]', :delayed
end
nginx_certbot_site new_resource.hostname do
notifies :run, "letsencrypt cert for #{domain}", :delayed
end
# Generate a Let's Encrypt cert (only if the nginx vhost exists and no cert
# has been generated before. The renew cron will take care of renewing
execute "letsencrypt cert for #{domain}" do
command "/usr/bin/certbot certonly --webroot --agree-tos --email ops@kosmos.org --webroot-path #{root_directory} --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/dirsrv -d #{domain} -n"
only_if do
::File.exist?("#{node['nginx']['dir']}/sites-enabled/#{domain}_certbot") &&
!::File.exist?("/etc/letsencrypt/live/#{domain}/fullchain.pem")
end
notifies :run, "execute[add tls config]", :immediately
end