From: Christian Heller
Date: Sun, 9 Dec 2018 16:55:08 +0000 (+0100)
Subject: Improve certificate renewal mechanism.
X-Git-Url: https://plomlompom.com/repos/?p=config;a=commitdiff_plain;h=fc8eea5a9cbbaa968330bf5240de18db7a374e42
Improve certificate renewal mechanism.
---
diff --git a/all_new_2018/linkable_etc_files/web/etc/cron.d/certbot b/all_new_2018/linkable_etc_files/web/etc/cron.d/certbot
new file mode 100644
index 0000000..1fd8aaf
--- /dev/null
+++ b/all_new_2018/linkable_etc_files/web/etc/cron.d/certbot
@@ -0,0 +1,17 @@
+# /etc/cron.d/certbot: crontab entries for the certbot package
+#
+# Upstream recommends attempting renewal twice a day
+#
+# Eventually, this will be an opportunity to validate certificates
+# haven't been revoked, etc. Renewal will only occur if expiration
+# is within 30 days.
+SHELL=/bin/sh
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+
+# plomlompom added the --webroot -w /var/www/html/ so that renewal
+# works with nginx running, and the nginx reload post-hook so that
+# the new certificates are linked to by nginx. Note that by default
+# we rely on the systemd timer service file instead of this cronjob,
+# but since both are installed by the certbot package to serve which
+# ever of the two is used, we cautiously adapt both of them too.
+0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew --webroot -w /var/www/html/ --post-hook "service nginx reload"
diff --git a/all_new_2018/linkable_etc_files/web/etc/systemd/system/certbot.service b/all_new_2018/linkable_etc_files/web/etc/systemd/system/certbot.service
index 122e7c1..0d20d1f 100644
--- a/all_new_2018/linkable_etc_files/web/etc/systemd/system/certbot.service
+++ b/all_new_2018/linkable_etc_files/web/etc/systemd/system/certbot.service
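Review bot: The `--post-hook "service nginx reload"` on the crontab line at the end of this hunk runs after every renewal attempt certbot makes, including attempts that fail, so nginx is reloaded even when it is still serving the old certificate; the same applies to the new ExecStart line in the certbot.service hunk. Certbot's `--deploy-hook` runs only for a successfully renewed certificate, so where the installed certbot supports it, `--deploy-hook "service nginx reload"` is the tighter choice; if the post-hook is kept, the comment block above the entry should say that it also fires after failed attempts so the reload is not mistaken for a sign that renewal worked. The comment's phrase "linked to by nginx" is also imprecise: a reload makes nginx re-read the certificate files it is configured with, e.g. `# the reload makes nginx re-read the renewed certificate files.`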
@@ -3,6 +3,9 @@ Description=Certbot
 Documentation=file:///usr/share/doc/python-certbot-doc/html/index.html
 Documentation=https://letsencrypt.readthedocs.io/en/latest/
 [Service]
+# plomlompom added the --webroot -w /var/www/html/ so that renewal
+# works with nginx running, and the nginx reload post-hook so that
+# the new certificates are linked to by nginx.
 Type=oneshot
-ExecStart=/usr/bin/certbot -q renew --webroot -w /var/www/html/
-PrivateTmp=true
+ExecStart=/usr/bin/certbot -q renew --webroot -w /var/www/html/ --post-hook "service nginx reload"
+PrivateTmp=true
\ No newline at end of file
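Review bot: The re-added `+PrivateTmp=true` line loses the file's trailing newline (`\ No newline at end of file`), which is a point of style only, but it turns every later append to this unit into a two-line change and trips lint on the unit file; restore the newline. Since this file appears to replace the packaged unit outright, a drop-in under `certbot.service.d/` that resets `ExecStart=` and sets the new `ExecStart=…` would presumably keep the rest of the upstream unit, including `PrivateTmp=true`, following package updates — worth confirming against how the unit is installed on the host.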