let us try a more generic approach to copying around letsencrypt certs to additional hosts and just do it at the letsencrypt role level

2018-08-15 19:54:01 +00:00 · 2018-08-15 19:54:01 +00:00 · 1b289a0382
commit 1b289a0382
parent 789310091c
3 changed files with 43 additions and 14 deletions
--- a/playbooks/include/proxies-websites.yml
+++ b/playbooks/include/proxies-websites.yml
@ -904,6 +904,7 @@
    ssl: true
    sslonly: true
    certbot: true
+    certbot_addhost: pkgs02.fedoraproject.org
    tags:
    - pkgs.fedoraproject.org
    when: env == "production" and "phx2" in inventory_hostname
--- a/roles/distgit/tasks/main.yml
+++ b/roles/distgit/tasks/main.yml
@ -347,20 +347,6 @@
  notify:
  - reload httpd

-# Get the letsencrypt ssl cert for pkgs.fedoraproject.org from proxy01
-# It's stored there because the role that requests/updates it is called
-# via the proxy playbooks.
-
- name: copy pkgs.fedoraproject.org ssl cert to pkgs machine
-  synchronize:
-    src: "{{ item }}"
-    dest: "{{ item }}"
-  with_items:
-  - /etc/pki/tls/certs/pkgs.fedoraproject.org.cert
-  - /etc/pki/tls/certs/pkgs.fedoraproject.org.intermediate.cert
-  - /etc/pki/tls/private/pkgs.fedoraproject.org.key
-  delegate_to: proxy01.phx2.fedoraproject.org
-
 # -- Lookaside Cache -------------------------------------
 # This is the annex to Dist Git, where we host source tarballs.
 - name: install the Lookaside Cache httpd configs
--- a/roles/letsencrypt/tasks/main.yml
+++ b/roles/letsencrypt/tasks/main.yml
@ -68,3 +68,45 @@
  - reload proxyhttpd
  tags:
  - letsencrypt
+
+- name: Install the certificate (additional host)
+  copy: >
+    dest=/etc/pki/tls/certs/{{site_name}}.cert
+    content="{{certbot_certificate.stdout}}"
+    owner=root
+    group=root
+    mode=0644
+  notify:
+  - reload proxyhttpd
+  tags:
+  - letsencrypt
+  delegate_to: "{{ certbot_addhost }}"
+  when: certbot_addhost is defined
+
+- name: Install the intermediate/chain certificate (additional host)
+  copy: >
+    dest=/etc/pki/tls/certs/{{site_name}}.intermediate.cert
+    content="{{certbot_chain.stdout}}"
+    owner=root
+    group=root
+    mode=0644
+  notify:
+  - reload proxyhttpd
+  tags:
+  - letsencrypt
+  delegate_to: "{{ certbot_addhost }}"
+  when: certbot_addhost is defined
+
+- name: Install the key (additional host)
+  copy: >
+    dest=/etc/pki/tls/private/{{site_name}}.key
+    content="{{certbot_key.stdout}}"
+    owner=root
+    group=root
+    mode=0600
+  notify:
+  - reload proxyhttpd
+  tags:
+  - letsencrypt
+  delegate_to: "{{ certbot_addhost }}"
+  when: certbot_addhost is defined