copr-fe-dev: automatize cert renewal with certbot-renew.timer
This commit is contained in:
Jakub Kadlčík
parent
d95e62fd67
commit
232b5a9222
2 changed files with 60 additions and 0 deletions
|
|
@ -32,3 +32,9 @@
|
|||
path: /srv/web/acme-challenge/.well-known
|
||||
state: directory
|
||||
setype: httpd_sys_content_t
|
||||
|
||||
- name: Automatize cert renewal
|
||||
service:
|
||||
name: certbot-renew.timer
|
||||
state: started
|
||||
enabled: yes
|
||||
|
|
|
|||
54
roles/copr/frontend-cloud/templates/sysconfig/certbot
Normal file
54
roles/copr/frontend-cloud/templates/sysconfig/certbot
Normal file
|
|
@ -0,0 +1,54 @@
|
|||
## NOTE ##
|
||||
# If a hook is set here then it will be used for all
|
||||
# certificates and will override any per certificate
|
||||
# hook configuration in place.
|
||||
|
||||
# Command to be run in a shell before obtaining any
|
||||
# certificates. Intended primarily for renewal, where it
|
||||
# can be used to temporarily shut down a webserver that
|
||||
# might conflict with the standalone plugin. This will
|
||||
# only be called if a certificate is actually to be
|
||||
# obtained/renewed. When renewing several certificates
|
||||
# that have identical pre-hooks, only the first will be
|
||||
# executed.
|
||||
#
|
||||
# An example to stop the MTA before updating certs would be
|
||||
# PRE_HOOK="--pre-hook 'systemctl stop postfix'"
|
||||
PRE_HOOK=""
|
||||
|
||||
# Command to be run in a shell after attempting to
|
||||
# obtain/renew certificates. Can be used to deploy
|
||||
# renewed certificates, or to restart any servers that
|
||||
# were stopped by --pre-hook. This is only run if an
|
||||
# attempt was made to obtain/renew a certificate. If
|
||||
# multiple renewed certificates have identical post-
|
||||
# hooks, only one will be run.
|
||||
#
|
||||
# An example to restart httpd would be:
|
||||
# POST_HOOK="--post-hook 'systemctl restart httpd'"
|
||||
POST_HOOK=""
|
||||
|
||||
# Command to be run in a shell once for each
|
||||
# successfully renewed certificate. For this command,
|
||||
# the shell variable $RENEWED_LINEAGE will point to the
|
||||
# config live subdirectory containing the new certs and
|
||||
# keys; the shell variable $RENEWED_DOMAINS will contain
|
||||
# a space-delimited list of renewed cert domains
|
||||
#
|
||||
# An example to run a script to alert each cert would be:
|
||||
# RENEW_HOOK="--renew-hook /usr/local/bin/cert-notifier.sh"
|
||||
RENEW_HOOK=""
|
||||
|
||||
# Any other misc arguments for the renewal
|
||||
# See certbot -h renew for full list
|
||||
#
|
||||
# An example to force renewal for certificates not due yet
|
||||
# CERTBOT_ARGS="--force-renewal"
|
||||
#
|
||||
# The following command is produced
|
||||
# certbot renew **CERTBOT_ARGS
|
||||
{% if devel %}
|
||||
CERTBOT_ARGS="--force-renewal --webroot -w /srv/web/acme-challenge --cert-name copr-fe-dev.cloud.fedoraproject.org"
|
||||
{% else %}
|
||||
CERTBOT_ARGS=""
|
||||
{% endif %}
|
||||
Loading…
Add table
Add a link
Reference in a new issue