Task #3257
Create a letsencrypt callback for each service that will serve letsencrypt certificates
Status: closed (100% done)
Description
The letsencrypt scripts take care of the certificate requests and renewals. After a certificate has been renewed, the services that use that certificate need to be restarted or reloaded.
And maybe some other operations are needed, like in the haproxy case where a unique file containing the certificate chain and the private key is needed.
Related issues
Updated by Andrea Dell'Amico almost 10 years ago
- Related to Task #3164: Investigate the procedures needed to obtain valid X.509 TLS certificates from letsencrypt added
Updated by Andrea Dell'Amico almost 10 years ago
- Status changed from New to In Progress
The scripts need to be installed in the /usr/local/lib/letsencrypt directory and marked as executable.
Updated by Andrea Dell'Amico almost 10 years ago
An example (it's the haproxy one):
#!/bin/bash
# Hook run by the letsencrypt scripts after a renewal: rebuild the single
# certificate+key file that haproxy expects, then reload the service.
LE_SERVICES_SCRIPT_DIR=/usr/local/lib/letsencrypt
LE_CERTS_DIR=/etc/letsencrypt/live/$HOSTNAME
LE_LOG_DIR=/var/log/letsencrypt
HAPROXY_CERTDIR=/etc/pki/certs
HAPROXY_CERTFILE=$HAPROXY_CERTDIR/haproxy.pem
DATE=$( date )
echo "$DATE" >> "$LE_LOG_DIR/haproxy.log"
# The defaults file (installed by the ansible role) overrides the values above
if [ -f /etc/default/letsencrypt ] ; then
    . /etc/default/letsencrypt
else
    echo "No letsencrypt default file" >> "$LE_LOG_DIR/haproxy.log"
fi
echo "Building the new certificate file" >> "$LE_LOG_DIR/haproxy.log"
# The combined file contains the private key: restrict the mode before the
# file is created, so it is never world-readable between the cat and the chmod
umask 077
cat "${LE_CERTS_DIR}/fullchain.pem" "${LE_CERTS_DIR}/privkey.pem" > "${HAPROXY_CERTFILE}"
chmod 440 "${HAPROXY_CERTFILE}"
chgrp haproxy "${HAPROXY_CERTFILE}"
echo "Reload the haproxy service" >> "$LE_LOG_DIR/haproxy.log"
# Report a failed reload instead of always exiting 0, so the caller can log it
if service haproxy reload >/dev/null 2>&1 ; then
    echo "Done." >> "$LE_LOG_DIR/haproxy.log"
else
    echo "haproxy reload failed" >> "$LE_LOG_DIR/haproxy.log"
    exit 1
fi
exit 0
The /etc/default/letsencrypt is installed by the ansible letsencrypt role, and it defines the following variables:
RSA_KEY_SIZE=4096
LE_EMAIL=sysadmin@research-infrastructures.eu
LE_AUTHENTICATOR=standalone
LE_STANDALONE_SUPPORTED_CHALLENGES=http-01
LE_SERVICES_SCRIPT_DIR=/usr/local/lib/letsencrypt
LE_COMMAND=/opt/letsencrypt/letsencrypt-auto
LE_CERTS_DIR=/etc/letsencrypt/live/dev2.d4science.org
LE_LOG_DIR=/var/log/letsencrypt
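An added example, not part of the ticket or of the ansible role: a variant of the haproxy hook that refuses to deploy the combined file, and therefore never reloads haproxy, when the renewed certificate and private key do not match, and that writes the file with a restrictive mode before moving it into place. The function names, the haproxy config path and the "run" argument are assumptions.

```bash
#!/bin/bash
# Build the combined haproxy PEM only if certificate and key belong together,
# write it with a private mode from the start, then swap it in atomically.
# Hypothetical helper: paths come from the caller, not from the role.
build_haproxy_pem() {
    local fullchain="$1" privkey="$2" dest="$3" group="${4-}"
    local tmp cert_pub key_pub
    # Compare the SubjectPublicKeyInfo of the leaf certificate (first block of
    # fullchain.pem) with the one derived from the private key; works for RSA and EC.
    cert_pub=$(openssl x509 -in "$fullchain" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$privkey" -pubout 2>/dev/null) || return 2
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "certificate and private key do not match, not deploying" >&2
        return 1
    fi
    # mktemp creates the file with mode 0600, so the key is never world-readable;
    # creating it in the destination directory keeps the final mv atomic.
    tmp=$(mktemp "$(dirname "$dest")/.haproxy.pem.XXXXXX") || return 3
    cat "$fullchain" "$privkey" > "$tmp" || { rm -f "$tmp"; return 3; }
    chmod 440 "$tmp"
    if [ -n "$group" ]; then
        chgrp "$group" "$tmp" || { rm -f "$tmp"; return 3; }
    fi
    mv -f "$tmp" "$dest"
}

# Same layout as the existing hooks: defaults file, log, build, reload.
run_hook() {
    [ -f /etc/default/letsencrypt ] && . /etc/default/letsencrypt
    local log="${LE_LOG_DIR:-/var/log/letsencrypt}/haproxy.log"
    local certs="${LE_CERTS_DIR:-/etc/letsencrypt/live/$HOSTNAME}"
    local certfile=/etc/pki/certs/haproxy.pem
    echo "$(date) building $certfile" >> "$log"
    if ! build_haproxy_pem "$certs/fullchain.pem" "$certs/privkey.pem" \
            "$certfile" haproxy >> "$log" 2>&1; then
        echo "$(date) certificate not deployed, haproxy NOT reloaded" >> "$log"
        return 1
    fi
    # Validate the configuration (assumed path) before reloading, so a broken
    # cert file cannot take the proxy down.
    haproxy -c -f /etc/haproxy/haproxy.cfg >> "$log" 2>&1 \
        && service haproxy reload >> "$log" 2>&1
}

# Only run the hook when invoked as "hook.sh run" (assumed convention).
if [ "${1-}" = "run" ]; then
    run_hook
fi
```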
Updated by Andrea Dell'Amico almost 10 years ago
Inside the ansible playbooks, the following variables need to be defined or set to True:
letsencrypt_install: True
letsencrypt_domains: '{{ ansible_fqdn }} dev1.d4science.org dev2.d4science.org'
haproxy_letsencrypt_managed: True
Substitute haproxy with your service, if it has an ansible task related to letsencrypt, and list the involved hostnames.
Updated by Andrea Dell'Amico almost 10 years ago
Or, for the letsencrypt acme tool:
letsencrypt_acme_install: True
letsencrypt_acme_domains:
- '{{ ansible_fqdn }}'
- dev1.d4science.org
- dev2.d4science.org
haproxy_letsencrypt_managed: True
Updated by Andrea Dell'Amico over 9 years ago
The letsencrypt-acmetool-client role is always to be preferred to the letsencrypt-client one. The alternative client has all the functionalities that we need, there's a repository for it, and its installation does not require the C compiler and tens of MBs of additional software.
It can also run as an unprivileged user, and that's a big plus.
Updated by Andrea Dell'Amico over 9 years ago
More hooks can be added when needed. The schema is always the same.
Updated by Andrea Dell'Amico over 9 years ago
- Status changed from In Progress to Closed