Task #3257: Create a letsencrypt callback for each service that will serve letsencrypt certificates
Status: Closed (100% done)
Description
The letsencrypt scripts take care of the certificate requests and renewals. After a certificate has been renewed, the services that use that certificate need to be restarted or reloaded.
Some other operations may also be needed, as in the haproxy case, where a single file containing the certificate chain and the private key is required.
Related issues
Updated by Andrea Dell'Amico over 9 years ago
- Related to Task #3164: Investigate the procedures needed to obtain valid X.509 TLS certificates from letsencrypt added
Updated by Andrea Dell'Amico over 9 years ago
- Status changed from New to In Progress
The scripts need to be installed in the /usr/local/lib/letsencrypt directory and marked as executable.
Updated by Andrea Dell'Amico over 9 years ago
An example (it's the haproxy one):
#!/bin/bash
# letsencrypt post-renewal hook for haproxy: haproxy wants the full chain and
# the private key in one PEM file, so rebuild that file and reload the service.
LE_SERVICES_SCRIPT_DIR=/usr/local/lib/letsencrypt
LE_CERTS_DIR=/etc/letsencrypt/live/$HOSTNAME
LE_LOG_DIR=/var/log/letsencrypt
HAPROXY_CERTDIR=/etc/pki/certs
HAPROXY_CERTFILE=$HAPROXY_CERTDIR/haproxy.pem
DATE=$( date )
echo "$DATE" >> $LE_LOG_DIR/haproxy.log
# The defaults file installed by the ansible role overrides the paths above.
if [ -f /etc/default/letsencrypt ] ; then
  . /etc/default/letsencrypt
else
  echo "No letsencrypt default file" >> $LE_LOG_DIR/haproxy.log
fi
echo "Building the new certificate file" >> $LE_LOG_DIR/haproxy.log
# The combined file contains the private key: build it under umask 077 in a
# temporary file and move it into place, so it is never world-readable (not
# even between the cat and the chmod) and haproxy never reads a half-written file.
umask 077
TMPFILE=$( mktemp ${HAPROXY_CERTDIR}/haproxy.pem.XXXXXX )
if ! cat ${LE_CERTS_DIR}/{fullchain.pem,privkey.pem} > ${TMPFILE} ; then
  echo "Certificate or key missing in ${LE_CERTS_DIR}, keeping the old file" >> $LE_LOG_DIR/haproxy.log
  rm -f ${TMPFILE}
  exit 1
fi
chgrp haproxy ${TMPFILE}
chmod 440 ${TMPFILE}
mv -f ${TMPFILE} ${HAPROXY_CERTFILE}
echo "Reload the haproxy service" >> $LE_LOG_DIR/haproxy.log
# Keep the reload output in the log instead of discarding it, so a failed
# reload (for example a rejected certificate file) can be diagnosed.
if service haproxy reload >> $LE_LOG_DIR/haproxy.log 2>&1 ; then
  echo "Done." >> $LE_LOG_DIR/haproxy.log
else
  echo "haproxy reload failed" >> $LE_LOG_DIR/haproxy.log
  exit 1
fi
exit 0
The /etc/default/letsencrypt file is installed by the ansible letsencrypt role, and it defines the following variables:
RSA_KEY_SIZE=4096
LE_EMAIL=sysadmin@research-infrastructures.eu
LE_AUTHENTICATOR=standalone
LE_STANDALONE_SUPPORTED_CHALLENGES=http-01
LE_SERVICES_SCRIPT_DIR=/usr/local/lib/letsencrypt
LE_COMMAND=/opt/letsencrypt/letsencrypt-auto
LE_CERTS_DIR=/etc/letsencrypt/live/dev2.d4science.org
LE_LOG_DIR=/var/log/letsencrypt
Updated by Andrea Dell'Amico over 9 years ago
Inside the ansible playbooks, the following variables need to be defined or set to True:
letsencrypt_install: True
letsencrypt_domains: '{{ ansible_fqdn }} dev1.d4science.org dev2.d4science.org'
haproxy_letsencrypt_managed: True
Substitute haproxy with your service, if it has an ansible task related to letsencrypt, and list the involved hostnames.
Updated by Andrea Dell'Amico over 9 years ago
Or, for the letsencrypt acme tool:
letsencrypt_acme_install: True
letsencrypt_acme_domains:
  - '{{ ansible_fqdn }}'
  - dev1.d4science.org
  - dev2.d4science.org
haproxy_letsencrypt_managed: True
Updated by Andrea Dell'Amico over 9 years ago
The letsencrypt-acmetool-client role is always to be preferred over the letsencrypt-client one. The alternative client has all the functionality that we need, there's a repository for it, and its installation does not require a C compiler and tens of MBs of additional software.
It can also run as an unprivileged user, and that's a big plus.
Updated by Andrea Dell'Amico over 9 years ago
More hooks can be added when needed. The schema is always the same.
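A second hook written to the same schema (log, source /etc/default/letsencrypt, rebuild the service's certificate file, reload), added here as an example and not one of the project's scripts. The service name "myservice", its group, the target path under /etc/pki/certs, the "run" argument convention and the openssl chain/key consistency check are all assumptions of this example; the page's haproxy hook does none of the extra checks. The certificate file is assembled in a mktemp file (created mode 0600) and renamed over the old one, so the private key is never world-readable and an existing good file is kept if the renewed inputs are missing.

```shell
#!/bin/sh
# Added example of another letsencrypt post-renewal hook, following the schema
# of the haproxy script on this page. It is not one of the project's scripts.
# Assumptions (hypothetical): a service "myservice" whose group may read the
# key, a combined-PEM target under /etc/pki/certs, and invocation with the
# argument "run", e.g.  /usr/local/lib/letsencrypt/myservice.sh run
set -u

LE_CERTS_DIR="${LE_CERTS_DIR:-/etc/letsencrypt/live/$(hostname)}"
LE_LOG_DIR="${LE_LOG_DIR:-/var/log/letsencrypt}"
SERVICE_NAME="${SERVICE_NAME:-myservice}"                  # hypothetical service
SERVICE_GROUP="${SERVICE_GROUP:-$SERVICE_NAME}"            # hypothetical group
SERVICE_CERTFILE="${SERVICE_CERTFILE:-/etc/pki/certs/$SERVICE_NAME.pem}"

# Append a timestamped line to the per-service log, as the haproxy hook does;
# fall back to stderr when the log directory is not writable.
le_log() {
    _line="$(date '+%Y-%m-%d %H:%M:%S') $*"
    printf '%s\n' "$_line" >> "$LE_LOG_DIR/$SERVICE_NAME.log" 2>/dev/null \
        || printf '%s\n' "$_line" >&2
}

# build_combined_pem SRC_DIR DEST GROUP
# Concatenates SRC_DIR/fullchain.pem and SRC_DIR/privkey.pem into DEST with
# mode 0440 and group GROUP. The content goes into a mktemp file (created 0600)
# in the destination directory that is then renamed over DEST, so the private
# key is never world-readable and the service never sees a half-written file.
# Returns 1, leaving any existing DEST untouched, if an input file is missing.
build_combined_pem() {
    _src="$1"; _dest="$2"; _group="$3"
    for _f in fullchain.pem privkey.pem; do
        if [ ! -r "$_src/$_f" ]; then
            le_log "missing $_src/$_f, not touching $_dest"
            return 1
        fi
    done
    _tmp=$(mktemp "$_dest.XXXXXX") || return 1
    if cat "$_src/fullchain.pem" "$_src/privkey.pem" > "$_tmp" \
        && chgrp "$_group" "$_tmp" \
        && chmod 440 "$_tmp" \
        && mv -f "$_tmp" "$_dest"; then
        le_log "wrote $_dest (group $_group, mode 0440)"
        return 0
    fi
    le_log "failed to build $_dest, keeping the old file"
    rm -f "$_tmp"
    return 1
}

# certs_match CERT KEY: refuse to hand the service a chain and a key that do
# not belong together (a stale privkey.pem would otherwise break TLS on
# reload). Compares the public key in the certificate with the one derived
# from the private key; skips the check, with a log line, if openssl is absent.
certs_match() {
    command -v openssl >/dev/null 2>&1 \
        || { le_log "openssl not found, skipping cert/key check"; return 0; }
    _c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    _k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$_c" ] && [ "$_c" = "$_k" ]
}

# Prefer systemctl where it exists, fall back to the sysvinit "service" wrapper.
reload_service() {
    if command -v systemctl >/dev/null 2>&1; then
        systemctl reload "$1"
    else
        service "$1" reload
    fi
}

main() {
    # As in the haproxy hook, the defaults file from the ansible role wins.
    if [ -f /etc/default/letsencrypt ]; then
        . /etc/default/letsencrypt
    fi
    le_log "start"
    if ! certs_match "$LE_CERTS_DIR/fullchain.pem" "$LE_CERTS_DIR/privkey.pem"; then
        le_log "certificate and key in $LE_CERTS_DIR do not match, aborting"
        exit 1
    fi
    build_combined_pem "$LE_CERTS_DIR" "$SERVICE_CERTFILE" "$SERVICE_GROUP" || exit 1
    if reload_service "$SERVICE_NAME" >/dev/null 2>&1; then
        le_log "reloaded $SERVICE_NAME"
    else
        le_log "reload of $SERVICE_NAME failed"
        exit 1
    fi
    le_log "done"
}

# Only act when invoked with "run", so the file can also be sourced for its functions.
if [ "${1:-}" = run ]; then
    main
fi
```

Install it as /usr/local/lib/letsencrypt/myservice.sh, mark it executable, and check the per-service log after the first renewal: a "missing" or "do not match" line means the old certificate file was deliberately kept and the service was not reloaded.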
Updated by Andrea Dell'Amico over 9 years ago
- Status changed from In Progress to Closed