| author | Dmitry Ilvokhin <d@ilvokhin.com> | 2024-04-14 19:27:14 +0100 |
|---|---|---|
| committer | Dmitry Ilvokhin <d@ilvokhin.com> | 2024-04-14 19:27:14 +0100 |
| commit | 899eca5f024f22b67aa032dd82aa4393b60b85e4 (patch) | |
| tree | 1ace23e49568fee263fb65edbba83a31f3c2024f /roles/certificate/tasks/main.yml | |
| parent | f2dc007f38c53ce583fb7510ce5f073ed1fcc320 (diff) | |
| download | infra-899eca5f024f22b67aa032dd82aa4393b60b85e4.tar.gz infra-899eca5f024f22b67aa032dd82aa4393b60b85e4.tar.bz2 infra-899eca5f024f22b67aa032dd82aa4393b60b85e4.zip | |
Make certificate updates work for nginx
Currently, we obtain certificates from Let's Encrypt with standalone
mode, so when we do renew, certbot tries to run its own webserver on
port 80, but this port is already in use by nginx.
Stop nginx before renewal. This is quite hacky, but should work. The proper
solution is to split the certificate role into standalone and non-standalone
versions.
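The stop-nginx-then-renew sequence the commit message describes, written as an added Ansible example (not this commit's or the infra repository's own tasks). It assumes the role's `domains` variable from the diff and a hypothetical `standalone` boolean that the proposed role split would introduce; module names are the standard `ansible.builtin` ones. The point a practitioner cares about is the `always` section: if certbot fails (rate limit, DNS or network problem), nginx is still brought back, so a failed renewal degrades to "old certificate still served" rather than "site down".

```yaml
# Added example, not part of this commit. Assumes a hypothetical `standalone`
# flag (true on mail hosts, where certbot must bind port 80 itself) and the
# role's existing `domains` list.
- name: Renew Let's Encrypt certificates (standalone mode needs port 80 free)
  when: standalone | bool
  block:
    - name: Stop nginx so certbot's standalone webserver can bind port 80
      ansible.builtin.systemd:
        name: nginx
        state: stopped

    - name: Run certbot renewal
      # `certbot renew` reuses the authenticator recorded at issuance
      # (standalone here), so no plugin flag is repeated on the command line.
      ansible.builtin.command:
        cmd: certbot renew --non-interactive
      register: renew_result
      # Report "changed" only when certbot actually renewed something.
      changed_when: "'No renewals were attempted' not in renew_result.stdout"
  always:
    # Runs whether or not renewal succeeded: a certbot error must not leave
    # the web server for {{ domains | first }} stopped.
    - name: Start nginx again
      ansible.builtin.systemd:
        name: nginx
        state: started
```

For the web hosts (the non-standalone variant the commit message proposes), the same structure would drop the stop/start pair and let nginx serve the ACME challenge directly, which removes the downtime window entirely; the `block`/`always` pairing above is only needed while port 80 has to be handed over to certbot.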
Diffstat (limited to 'roles/certificate/tasks/main.yml')
-rw-r--r-- | roles/certificate/tasks/main.yml | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/roles/certificate/tasks/main.yml b/roles/certificate/tasks/main.yml index 5d25a63..a736e6b 100644 --- a/roles/certificate/tasks/main.yml +++ b/roles/certificate/tasks/main.yml @@ -13,3 +13,14 @@ -d {{ domains | join(' -d ') }} args: creates: '/etc/letsencrypt/live/{{ domains | first }}/fullchain.pem' + +# TODO: rewrite this role or make it more generic. +# +# Currently we reuse certificate role for web and mail servers, but they +# are actually quite different. +# * We can't start nginx without valid certificate, but can start postfix (and +# dovecot?). +# * We can serve acme challenge with nginx itself on renewal, but we need +# `--standalone` mode for mail server (or need to bring nginx). +# * It is undesirable to bring down nginx any time we are updating +# SSL certificates. |
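Review bot: the TODO added after the `creates: '/etc/letsencrypt/live/{{ domains | first }}/fullchain.pem'` guard leaves an open question ("(and dovecot?)") in a committed comment and gives no pointer to where the stop-nginx workaround from the commit message actually lives, which makes it easy for the "quite hacky" step to outlive the note. Suggest resolving or dropping the dovecot question before merge, stating the intended split explicitly (a `--standalone` variant for the mail hosts, an nginx-served ACME challenge for the web hosts, as the third bullet already hints) and referencing a tracking issue. Since the `creates:` guard means this task only runs for first issuance, a one-line comment that renewal (and the nginx stop/start around it) is handled elsewhere would help the next reader of this file.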