letsencrypt: ensure certbot does not create new cert if domains change

author Grant Slater <github@firefishy.com>

Tue, 25 Feb 2025 21:48:14 +0000 (21:48 +0000)

committer Grant <github@firefishy.com>

Wed, 26 Feb 2025 15:04:09 +0000 (16:04 +0100)
author Grant Slater <github@firefishy.com>
Tue, 25 Feb 2025 21:48:14 +0000 (21:48 +0000)
committer Grant <github@firefishy.com>
Wed, 26 Feb 2025 15:04:09 +0000 (16:04 +0100)
diff --git a/cookbooks/letsencrypt/files/default/bin/renew-hook b/cookbooks/letsencrypt/files/default/bin/deploy-hook

similarity index 100%

rename from cookbooks/letsencrypt/files/default/bin/renew-hook

rename to cookbooks/letsencrypt/files/default/bin/deploy-hook
diff --git a/cookbooks/letsencrypt/files/default/bin/renew b/cookbooks/letsencrypt/files/default/bin/renew

index 6a04821852ed1f195cb509dcc6440e9ca1bc11ed..147abf1e4ec3cf976933d9f0f7a80861d8417c92 100755 (executable)
--- a/cookbooks/letsencrypt/files/default/bin/renew
+++ b/cookbooks/letsencrypt/files/default/bin/renew
@@ -1,10 +1,8 @@
  #!/bin/sh
  
-cd /srv/acme.openstreetmap.org
-
  /usr/bin/certbot renew \
      --quiet \
      --config-dir /srv/acme.openstreetmap.org/config \
      --work-dir /srv/acme.openstreetmap.org/work \
      --logs-dir /srv/acme.openstreetmap.org/logs \
-    --renew-hook /srv/acme.openstreetmap.org/bin/renew-hook
+    --deploy-hook /srv/acme.openstreetmap.org/bin/deploy-hook
diff --git a/cookbooks/letsencrypt/templates/default/request.erb b/cookbooks/letsencrypt/templates/default/request.erb

index eaefa5bbe1bf08ef1816aed5440ba453ababd882..ccdc25fedf7894f98297dd6d0ed85afc19982798 100644 (file)
--- a/cookbooks/letsencrypt/templates/default/request.erb
+++ b/cookbooks/letsencrypt/templates/default/request.erb
@@ -10,12 +10,11 @@
      --email operations@osmfoundation.org \
      --agree-tos \
      --expand \
+    --renew-with-new-domains \
+    --cert-name <%= @domains.first %> \
  <% @domains.each do |domain| -%>
      --domain <%= domain %> \
  <% end -%>
      --webroot \
-    --webroot-path /srv/acme.openstreetmap.org/html
-
-/srv/acme.openstreetmap.org/bin/upload \
-    <%= @domains.first %> \
-    /srv/acme.openstreetmap.org/config/live/<%= @domains.first %>
+    --webroot-path /srv/acme.openstreetmap.org/html \
+    --deploy-hook /srv/acme.openstreetmap.org/bin/deploy-hook
diff --git a/cookbooks/letsencrypt/templates/default/upload.erb b/cookbooks/letsencrypt/templates/default/upload.erb

index 7700506cd8f1dec473a41fd64e59a146bb67b3f2..44d603dd9cf28e7c272fa83399fa050679926bd4 100644 (file)
--- a/cookbooks/letsencrypt/templates/default/upload.erb
+++ b/cookbooks/letsencrypt/templates/default/upload.erb
@@ -17,4 +17,4 @@ file = Tempfile.new(["letsencrypt", ".json"])
  file.puts JSON.generate(bag)
  file.close
  
-system("/opt/chef/embedded/bin/knife", "data", "bag", "from", "file", "letsencrypt", file.path)
+system("/opt/chef/embedded/bin/knife", "--config", "/srv/acme.openstreetmap.org/.chef/knife.rb", "--key", "/srv/acme.openstreetmap.org/.chef/client.pem", "data", "bag", "from", "file", "letsencrypt", file.path)
author	Grant Slater <github@firefishy.com>
	Tue, 25 Feb 2025 21:48:14 +0000 (21:48 +0000)
committer	Grant <github@firefishy.com>
	Wed, 26 Feb 2025 15:04:09 +0000 (16:04 +0100)
cookbooks/letsencrypt/files/default/bin/deploy-hook	[moved from cookbooks/letsencrypt/files/default/bin/renew-hook with 100% similarity]	patch \| blob \| history
cookbooks/letsencrypt/files/default/bin/renew		patch \| blob \| history
cookbooks/letsencrypt/templates/default/request.erb		patch \| blob \| history
cookbooks/letsencrypt/templates/default/upload.erb		patch \| blob \| history