From cf77b3343ccaf38fe451bbc191b54557ef467cfe Mon Sep 17 00:00:00 2001
From: Grant Slater
Date: Tue, 25 Feb 2025 21:48:14 +0000
Subject: [PATCH] letsencrypt: ensure certbot does not create new cert if domains change

---
 .../files/default/bin/{renew-hook => deploy-hook} | 0
 cookbooks/letsencrypt/files/default/bin/renew | 4 +---
 cookbooks/letsencrypt/templates/default/request.erb | 9 ++++-----
 cookbooks/letsencrypt/templates/default/upload.erb | 2 +-
 4 files changed, 6 insertions(+), 9 deletions(-)
 rename cookbooks/letsencrypt/files/default/bin/{renew-hook => deploy-hook} (100%)

diff --git a/cookbooks/letsencrypt/files/default/bin/renew-hook b/cookbooks/letsencrypt/files/default/bin/deploy-hook
similarity index 100%
rename from cookbooks/letsencrypt/files/default/bin/renew-hook
rename to cookbooks/letsencrypt/files/default/bin/deploy-hook
diff --git a/cookbooks/letsencrypt/files/default/bin/renew b/cookbooks/letsencrypt/files/default/bin/renew
index 6a0482185..147abf1e4 100755
--- a/cookbooks/letsencrypt/files/default/bin/renew
+++ b/cookbooks/letsencrypt/files/default/bin/renew
@@ -1,10 +1,8 @@
 #!/bin/sh
-cd /srv/acme.openstreetmap.org
-
 /usr/bin/certbot renew \
 --quiet \
 --config-dir /srv/acme.openstreetmap.org/config \
 --work-dir /srv/acme.openstreetmap.org/work \
 --logs-dir /srv/acme.openstreetmap.org/logs \
- --renew-hook /srv/acme.openstreetmap.org/bin/renew-hook
+ --deploy-hook /srv/acme.openstreetmap.org/bin/deploy-hook
diff --git a/cookbooks/letsencrypt/templates/default/request.erb b/cookbooks/letsencrypt/templates/default/request.erb
index eaefa5bbe..ccdc25fed 100644
--- a/cookbooks/letsencrypt/templates/default/request.erb
+++ b/cookbooks/letsencrypt/templates/default/request.erb
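Review bot: The renew script gives no hint of how the new `--deploy-hook` line relates to the same hook now being attached at issuance time in request.erb (second hunk), so a later reader cannot tell whether one of the two is redundant or whether certbot's per-lineage renewal config already carries it. I would add `# deploy-hook runs once per lineage certbot actually renewed; request.erb attaches the same hook at issuance` above the `/usr/bin/certbot renew` line, and, as far as I recall, `--renew-hook` is the deprecated spelling of this option, which is worth stating too. Dropping the `cd` looks safe because every path passed to certbot is absolute, but it also means the hook now inherits whatever working directory cron or the service unit provides; the hook's body is not in this patch, so I cannot confirm it does not rely on the old cwd.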
@@ -10,12 +10,11 @@
 --email operations@osmfoundation.org \
 --agree-tos \
 --expand \
+ --renew-with-new-domains \
+ --cert-name <%= @domains.first %> \
 <% @domains.each do |domain| -%>
 --domain <%= domain %> \
 <% end -%>
 --webroot \
- --webroot-path /srv/acme.openstreetmap.org/html
-
-/srv/acme.openstreetmap.org/bin/upload \
- <%= @domains.first %> \
- /srv/acme.openstreetmap.org/config/live/<%= @domains.first %>
+ --webroot-path /srv/acme.openstreetmap.org/html \
+ --deploy-hook /srv/acme.openstreetmap.org/bin/deploy-hook
diff --git a/cookbooks/letsencrypt/templates/default/upload.erb b/cookbooks/letsencrypt/templates/default/upload.erb
index 7700506cd..44d603dd9 100644
--- a/cookbooks/letsencrypt/templates/default/upload.erb
+++ b/cookbooks/letsencrypt/templates/default/upload.erb
@@ -17,4 +17,4 @@
 file = Tempfile.new(["letsencrypt", ".json"])
 file.puts JSON.generate(bag)
 file.close
-system("/opt/chef/embedded/bin/knife", "data", "bag", "from", "file", "letsencrypt", file.path)
+system("/opt/chef/embedded/bin/knife", "--config", "/srv/acme.openstreetmap.org/.chef/knife.rb", "--key", "/srv/acme.openstreetmap.org/.chef/client.pem", "data", "bag", "from", "file", "letsencrypt", file.path)
-- 
2.39.5
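Review bot: Moving the upload into `--deploy-hook` changes when it runs: the removed lines uploaded unconditionally after every request, whereas a deploy hook only fires when certbot actually issues or renews the lineage, so re-running this script no longer repairs a data bag whose earlier upload failed unless the certificate is due — if that repair path matters, it needs a separate trigger. The new `--cert-name <%= @domains.first %>` is interpolated into the shell command unquoted, like the existing `--domain` lines; `--cert-name "<%= @domains.first %>"` keeps an unexpected character in the attribute from splitting the argument, and `--cert-name` is the value that now selects which lineage gets overwritten, so it deserves the extra care. `--expand` also looks redundant next to `--cert-name` plus `--renew-with-new-domains`, since certbot updates the named lineage in place — a one-line comment would help if it is kept deliberately. The `certbot` invocation these options belong to starts above the hunk.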
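Review bot: The return value of `system(...)` on the new line is still discarded, so a knife failure (non-zero exit returns `false`, a spawn failure returns `nil`) lets the deploy hook exit 0 and certbot records a successful deploy while the data bag keeps the stale entry; `abort("knife data bag upload failed") unless system(...)` surfaces it to certbot and its logs. The temp file holding the serialized bag is closed but never unlinked, so it lingers until GC or process exit; `file.unlink` after the call removes it promptly, which matters if `bag` carries key material — `bag` is built above the hunk, so I cannot confirm its contents. The new line is also long enough that one argument per line would read better.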