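#
# Cookbook Name:: kosmos-base
# Recipe:: letsencrypt
#
# Copyright 2016, Kosmos
#
# All rights reserved - Do Not Redistribute
#
# Checks out a pinned certbot release, installs a renewal hook that reloads
# nginx and hands a renewed certificate to prosody, and schedules the nightly
# renewal run.

# NOTE(review): a tag is a mutable ref, so `revision` pins a name rather than
# content. Replacing it with the full commit SHA of the vetted release (look it
# up in the certbot repository; it is not recorded here) makes the checkout
# reproducible and tamper-evident.
git "/usr/local/certbot" do
  repository "https://github.com/certbot/certbot"
  action     :sync
  revision   "v0.13.0"
  user       "root"
  group      "root"
end

# The domain whose certificate prosody serves. Kept in one place so the
# match in the hook and the file paths it copies cannot drift apart.
prosody_domain = "xmpp.5apps.com"

# Run by certbot after a successful renewal; RENEWED_DOMAINS holds the
# space-separated domains of the renewed lineage. Any failure inside the
# hook aborts it with a non-zero status instead of continuing silently.
letsencrypt_renew_hook = <<-EOF
#!/usr/bin/env bash
set -euo pipefail

# Reloading nginx is enough to read the new certificates
systemctl reload nginx

# Copy the prosody certificate and restart the server if it has been renewed
# This is necessary because the prosody user doesn't have access to the
# letsencrypt live folder
#
# Compare each renewed domain exactly rather than grepping the list: a grep
# pattern treats "." as a wildcard, and the previous "$? -ne 1" test also
# copied the key whenever grep failed outright (exit status 2).
for domain in ${RENEWED_DOMAINS:-}; do
  if [ "${domain}" = "#{prosody_domain}" ]; then
    live="/etc/letsencrypt/live/#{prosody_domain}"
    # install(1) sets owner and mode explicitly; a plain cp(1) would leave the
    # private key with whatever mode the source and the cron umask produce.
    # Owner is the prosody user named above; the group is left unchanged.
    install -o prosody -m 0644 "${live}/fullchain.pem" "/var/lib/prosody/#{prosody_domain}.crt"
    install -o prosody -m 0600 "${live}/privkey.pem" "/var/lib/prosody/#{prosody_domain}.key"
    systemctl restart prosody
    exit 0
  fi
done
EOF

# The hook is executed by certbot as root, so root-only access is enough.
file "/usr/local/bin/letsencrypt_renew_hook" do
  content letsencrypt_renew_hook
  mode 0700
  owner "root"
  group "root"
end

cron "renew Let's Encrypt certificates" do
  minute "0"
  hour "4"
  # The post hook is only executed if a cert has been renewed.
  # --no-self-upgrade keeps certbot-auto from replacing itself from the
  # network on each run, which would otherwise bypass the revision pinned in
  # the git resource above. -n makes the run non-interactive for cron.
  command "/usr/local/certbot/certbot-auto renew --no-self-upgrade --renew-hook \"/usr/local/bin/letsencrypt_renew_hook\" -n"
end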