From b351493ba7cb5e582c20d813588751c8a3daf10d Mon Sep 17 00:00:00 2001
From: David Galloway
Date: Mon, 19 Jun 2017 15:27:12 -0400
Subject: [PATCH] public_facing: Changes to download.ceph.com crontab

Signed-off-by: David Galloway
---
 .../public_facing/tasks/download.ceph.com.yml | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/roles/public_facing/tasks/download.ceph.com.yml b/roles/public_facing/tasks/download.ceph.com.yml
index 0d2568f..632b31c 100644
--- a/roles/public_facing/tasks/download.ceph.com.yml
+++ b/roles/public_facing/tasks/download.ceph.com.yml
@@ -67,3 +67,31 @@
 name: "Update download.ceph.com/timestamp"
 minute: "0"
 job: "/usr/libexec/make_timestamp"
+
+- name: Cron entry for letsencrypt cert renewal
+ cron:
+ name: "Renew letsencrypt certificate"
+ minute: "0"
+ hour: "0"
+ day: "1,15"
+ job: "/usr/bin/letsencrypt renew >> /var/log/letsencrypt.log && service nginx reload"
+
+# Get letsencrypt authority server IPv4 address
+- local_action: shell dig -4 +short acme-v01.api.letsencrypt.org | tail -n 1
+ register: letsencrypt_ipv4_address
+
+# This task really only needs to be run the first time download.ceph.com is set up.
+# An entry matching *letsencrypt* in /etc/hosts is required for the cronjob in the next task however.
+- name: Create entry for letsencrypt authority server in /etc/hosts
+ lineinfile:
+ path: /etc/hosts
+ regexp: '(.*)letsencrypt(.*)'
+ line: '{{ letsencrypt_ipv4_address.stdout }} acme-v01.api.letsencrypt.org'
+ state: present
+
+# 'letsencrypt renew' fails because it can't reach the letsencrypt authority server using IPv6
+- name: Create cron entry to force IPv4 connectivity to letsencrypt authority server
+ cron:
+ name: "Forces letsencrypt to use IPv4 when accessing acme-v01.api.letsencrypt.org"
+ hour: "0"
+ job: "IP=$(dig -4 +short acme-v01.api.letsencrypt.org | tail -n 1) && sed -i \"s/.*letsencrypt.*/$IP\tacme-v01.api.letsencrypt.org/g\" /etc/hosts"
-- 
2.39.5
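Review bot: The last cron task ("Forces letsencrypt to use IPv4 ...") sets `hour: "0"` but no `minute`, and the Ansible cron module defaults minute to `*`, so the `sed -i` rewrite of /etc/hosts runs sixty times between 00:00 and 00:59 instead of once; add `minute: "0"` (the renewal job two tasks above already pins both). The same job also writes `$IP` into /etc/hosts unconditionally: `dig +short` exits 0 with empty output when the name does not resolve, so a transient DNS failure replaces the pinned line with a bare `<tab>acme-v01.api.letsencrypt.org` entry and breaks every later renewal until someone notices. Guarding the substitution, e.g. `job: "IP=$(dig -4 +short acme-v01.api.letsencrypt.org | tail -n 1) && [ -n \"$IP\" ] && sed -i ..."`, keeps the previous good address on failure; a stricter check that `$IP` looks like an IPv4 address would also stop a CNAME target from `dig +short` being written as a host entry. The same unvalidated-output concern applies to the `lineinfile` task, whose `line` takes `letsencrypt_ipv4_address.stdout` directly; a `when: letsencrypt_ipv4_address.stdout != ""` would be a cheap safeguard there.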