parent
d5346656e3
commit
23e4a4734b
@ -0,0 +1,70 @@
- debug:
msg: "Dealing with SSL certificate retrieval for domain: {{ domain_name }}"
- set_fact:
domain_name_certificate_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/cert.pem"
- name: Check if a certificate for the domain already exists
stat:
path: "{{ domain_name_certificate_path }}"
register: domain_name_certificate_path_stat
- set_fact:
domain_name_needs_cert: "{{ not domain_name_certificate_path_stat.stat.exists }}"
# This will fail if there is something running on port 80 (like matrix-nginx-proxy).
# We suppress the error, as we'll try another method below.
- name: Attempt initial SSL certificate retrieval with standalone authenticator (directly)
shell: >-
/usr/bin/docker run
--rm
--name=matrix-certbot
--net=host
-v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt
-v {{ matrix_ssl_log_dir_path }}:/var/log/letsencrypt
{{ matrix_ssl_certbot_docker_image }}
certonly
--non-interactive
{% if matrix_ssl_use_staging %}--staging{% endif %}
--standalone
--preferred-challenges http
--agree-tos
--email={{ matrix_ssl_support_email }}
-d {{ domain_name }}
when: "domain_name_needs_cert"
register: result_certbot_direct
ignore_errors: true
# If matrix-nginx-proxy is configured from a previous run of this playbook,
# and it's running now, it may be able to proxy requests to `matrix_ssl_certbot_standalone_http_port`.
- name: Attempt initial SSL certificate retrieval with standalone authenticator (via proxy)
shell: >-
/usr/bin/docker run
--rm
--name=matrix-certbot
-p 127.0.0.1:{{ matrix_ssl_certbot_standalone_http_port }}:80
--network={{ matrix_docker_network }}
-v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt
-v {{ matrix_ssl_log_dir_path }}:/var/log/letsencrypt
{{ matrix_ssl_certbot_docker_image }}
certonly
--non-interactive
{% if matrix_ssl_use_staging %}--staging{% endif %}
--standalone
--preferred-challenges http
--agree-tos
--email={{ matrix_ssl_support_email }}
-d {{ domain_name }}
when: "domain_name_needs_cert and result_certbot_direct.failed"
register: result_certbot_proxy
ignore_errors: true
- name: Fail if all SSL certificate retrieval attempts failed
fail:
msg: |
Failed to obtain a certificate directly (by listening on port 80)
and also failed to obtain by relying on the server at port 80 to proxy the request.
See above for details.
You may wish to set up proxying of /.well-known/acme-challenge to {{ matrix_ssl_certbot_standalone_http_port }} or,
more easily, stop the server on port 80 while this playbook runs.
when: "domain_name_needs_cert and result_certbot_direct.failed and result_certbot_proxy.failed"
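Review bot: Both `shell: >-` tasks (the direct attempt and the via-proxy attempt) splice `{{ domain_name }}`, `{{ matrix_ssl_support_email }}` and the two `matrix_ssl_*_path` variables into the command line unquoted, so a value containing whitespace or shell metacharacters would be re-parsed by the shell before docker ever sees it; applying `| quote` to each interpolation (`-d {{ domain_name | quote }}`, `--email={{ matrix_ssl_support_email | quote }}`) closes that gap, and since the command uses no pipes or redirects it could equally be a `command:` task. The `--net=host` on the direct attempt is only indirectly explained by the port-80 comment above it; a comment such as `# --net=host lets certbot's standalone authenticator bind the host's port 80 directly` would make the intent explicit for whoever later tightens the container's networking. The two `set_fact` tasks also lack a `name:`, unlike the stat and shell tasks, which makes the play output harder to follow.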
@ -1,24 +1,11 @@
MAILTO="{{ matrix_ssl_support_email }}"
MAILTO="{{ matrix_ssl_support_email }}"
# The goal of this cronjob is to ask acmetool to check
# The goal of this cronjob is to ask certbot to check
# the current SSL certificates and to see if some need renewal.
# the current SSL certificates and to see if some need renewal.
# If so, it would attempt to renew.
# If so, it would attempt to renew.
#
#
# Various services depend on these certificates and would need to be restarted.
# Various services depend on these certificates and would need to be restarted.
# This is not our concern here. We simply make sure the certificates are up to date.
# This is not our concern here. We simply make sure the certificates are up to date.
# Restarting of services happens on its own different schedule (other cronjobs).
# Restarting of services happens on its own different schedule (other cronjobs).
#
#
# How renewal works?
#
# acmetool will fail to bind to port :80 (because matrix-nginx-proxy or some other server is running there),
# and will fall back to its "webroot" validation method.
#
# Thus, it would put validation files in `/var/run/acme/acme-challenge`.
# These files can be retrieved via any vhost on port 80 of matrix-nginx-proxy,
# because it aliases `/.well-known/acme-challenge` to that same directory.
#
# When a custom proxy server (not matrix-nginx-proxy provided by this playbook),
# you'd need to make sure you alias these files correctly or SSL renewal would not work.
{{ matrix_ssl_renew_cron_time_definition }} root /usr/bin/docker run --rm --net=host -v {{ matrix_ssl_certs_path }}:/certs -v {{ matrix_ssl_certs_path }}/run:/var/run/acme -e ACME_EMAIL={{ matrix_ssl_support_email }} willwill/acme-docker acmetool --batch reconcile # --xlog.severity=debug
{{ matrix_ssl_renew_cron_time_definition }} root /bin/bash /usr/local/bin/matrix-ssl-certificates-renew
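Review bot: The new cron entry runs `/usr/local/bin/matrix-ssl-certificates-renew` as root, so the ownership and mode of that script now decide who can get a root cron job; the task that installs it is not part of this diff, and it should be root-owned and not group- or world-writable (for example `owner: root`, `group: root`, `mode: "0755"` on the template task). Invoking it through `/bin/bash` rather than directly also means a missing executable bit is never noticed, which is harmless but hides a misconfigured install. The explanatory comments about how the challenge files reach the proxy are removed here; they appear to have moved into the script itself, which is fine as long as the cron file still points readers there, e.g. `# See the script for how /.well-known/acme-challenge must be proxied.`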
@ -0,0 +1,26 @@
#!/bin/bash
# For renewal to work, matrix-nginx-proxy (or another webserver, if matrix-nginx-proxy is disabled)
# need to forward requests for `/.well-known/acme-challenge` to the certbot container.
#
# This can happen inside the container network by proxying to `http://matrix-certbot:80`
# or outside (on the host) by proxying to `http://localhost:{{ matrix_ssl_certbot_standalone_http_port }}`.
docker run \
--rm \
--name=matrix-certbot \
--network="{{ matrix_docker_network }}" \
-p 127.0.0.1:{{ matrix_ssl_certbot_standalone_http_port }}:80 \
-v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt \
-v {{ matrix_ssl_log_dir_path }}:/var/log/letsencrypt \
{{ matrix_ssl_certbot_docker_image }} \
renew \
--non-interactive \
{% if matrix_ssl_use_staging %}
--staging \
{% endif %}
--quiet \
--standalone \
--preferred-challenges http \
--agree-tos \
--email={{ matrix_ssl_support_email }}
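Review bot: Quoting is inconsistent in the templated `docker run` arguments: `--network="{{ matrix_docker_network }}"` is quoted, but the two `-v {{ ... }}:...` mounts, the `-p` port and `--email={{ ... }}` are not, so a path or address with whitespace would be split by bash into separate arguments; `-v "{{ matrix_ssl_config_dir_path }}:/etc/letsencrypt" \`, `-v "{{ matrix_ssl_log_dir_path }}:/var/log/letsencrypt" \` and `--email="{{ matrix_ssl_support_email }}"` make all interpolations uniform. The fixed `--name=matrix-certbot` is the same name the initial-retrieval tasks use, so if the playbook's retrieval attempt and this cron-driven renewal ever overlap, the later `docker run` fails on the name conflict and, because the script has no `set -e` or error handling, the only signal is the non-zero exit reported by cron — worth a comment above `docker run`, or a check that no container by that name is running, if concurrent runs are plausible.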