We need two-phase configuration for Let's Encrypt:

1. initialize; the letsencrypt automation, this happens only once per VM (when it is spawned)
2. periodic; using certbot-renew.timer

Both those phases are now wrapped into the copr/certbot role.

Phase 1. needs to be done before the web-server is started (so include the role in the appropriate place in the playbook), so we can do 'certbot --standalone' (binds to port 80).

Phase 2. is accomplished using the running web-server, using 'certbot renew --webroot'. If (and only if) the certificate is renewed, the web server needs to be restarted (and lighttpd needs to have a post-processed certificate format). So we also need the deploy hook script in hand (two actually, lighttpd/httpd) so 'certbot renew' automatically does what we expect it to do.
14 lines
338 B
Text
```yaml
---
tcp_ports: [22, 80, 443]
datacenter: cloud
freezes: false

# consumed by roles/copr/certbot
letsencrypt:
  predefined_deploy_script: httpd
  certificates:
    copr-dist-git.fedorainfracloud.org:
      domains:
      - copr-dist-git.fedorainfracloud.org
      challenge_dir: /var/www/html
      mail: copr-devel@lists.fedorahosted.org
```
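A deploy hook of the kind the commit message describes, as an added example; it is not the copr/certbot role's own `predefined_deploy_script`. It assumes the web server type (httpd or lighttpd) is passed as the first argument and that the lighttpd combined key+chain file may be written as `combined.pem` inside the renewed lineage directory (an assumed location); `RENEWED_LINEAGE` and `RENEWED_DOMAINS` are the environment variables certbot really exports to deploy hooks.

```shell
#!/bin/sh
# Deploy hook for 'certbot renew --deploy-hook <script> <server>'.
# certbot invokes it only for a lineage that was actually renewed, which
# is exactly the "if (and only if) renewed, restart" condition.
set -eu

# lighttpd expects private key and certificate chain in one PEM file.
# Build it with restrictive permissions (umask in a subshell) and rename
# atomically so the server never sees a half-written file.
build_lighttpd_pem() {
    lineage="$1"; out="$2"
    ( umask 077; cat "$lineage/privkey.pem" "$lineage/fullchain.pem" > "$out.tmp" )
    mv "$out.tmp" "$out"
    echo "$out"
}

# Map the web server type to the command that makes it pick up the new cert.
restart_cmd() {
    case "$1" in
        httpd)    echo "systemctl reload httpd" ;;
        lighttpd) echo "systemctl restart lighttpd" ;;
        *)        echo "unknown web server: $1" >&2; return 1 ;;
    esac
}

# Post-process the certificate where needed and return the restart command.
deploy() {
    server="$1"; lineage="$2"
    if [ "$server" = lighttpd ]; then
        # assumed location for the combined file
        build_lighttpd_pem "$lineage" "$lineage/combined.pem" >/dev/null
    fi
    restart_cmd "$server"
}

# Entry point: RENEWED_LINEAGE is set only when certbot runs this as a hook,
# so nothing below executes when the functions are sourced elsewhere.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    echo "renewed ${RENEWED_DOMAINS:-?} in $RENEWED_LINEAGE"
    eval "$(deploy "${1:-httpd}" "$RENEWED_LINEAGE")"
fi
```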