Switch to certbot for letsencrypt certificates #1668
It's November now, so this patch, or something based on the official plugin, is now needed to not break deployments (and probably ACME renewals too).
Renewals of existing certificates will not be affected by the Nov. new registration shut-off. These will continue to work until early 2021. The full schedule of dates is available here: https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430
As of today, new deployments don't work due to 'Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2'.
This looks like a great way to solve the problem. Is there anything keeping this from being merged? Any help the community can provide?
I tried this just now and got the error message at the end of this comment. It seems I'm sure it's not the right way to fix it but I modified the task in
error message was:
@arkarkark I'm unable to reproduce that error locally. When I run with a blank domain in a noninteractive deploy, the I suspect it could be an issue with the variable name This is the site config I used:
Thanks @nickgnazzo, you're right! I set Even though it's probably not the right way to get
Tried merging this pull request
Possibly related, user experiencing certbot failure though, not acmetool of the original fresh install issue.
@serjflint I can't seem to reproduce that error. Can you share your site.yml file, if you used one (with any API keys redacted)? Which cloud provider were you using?
@lazerhawk that issue seems to be using the current Streisand master branch, which does not include the changes in this PR yet. They appear to have run Certbot after Streisand provisioned the server without the
Merging, although if it's writing to /usr, it's a bug — but not a showstopper.
@@ -9,3 +9,4 @@ apache_packages_to_remove: | |||
- apache2-mpm-worker | |||
|
|||
nginx_systemd_service_path: /etc/systemd/system/nginx.service.d | |||
nginx_default_html_path: /usr/share/nginx/html |
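Review bot: nginx_default_html_path points at /usr/share/nginx/html, the package-owned default docroot, so using it as certbot's webroot writes ACME challenge files into a tree the nginx package may replace on upgrade, and the thread already flags writing under /usr as a bug. Suggest a dedicated, empty webroot such as /var/www/streisand-letsencrypt (proposed later in the review) so the port-80 whitelist for /.well-known/acme-challenge serves nothing but challenge tokens.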
We shouldn't really be writing to /usr. Somewhere in /var maybe?
Do you think something like /var/www/streisand-letsencrypt would be more appropriate?
Yeah, or even You're probably right that something under
Fixes issue #1662

Modifies the lets-encrypt role to use certbot for certificate issuance and auto-renewal. Also upgrades to using Let's Encrypt's ACMEv2 server.

Changes made:
- Removes the acmetool package, PPA, pubkey, etc. in favor of certbot.
- Uses the certbot certonly --standalone command to bind on port 80 and complete the ACME challenge/response process (via http-01). This helps us avoid any of certbot's nginx modification/config changes (just to avoid potential complications).
- The /.well-known/acme-challenge directory is white-listed in order to allow certificate renewal to work with the webroot authenticator.
- The /.well-known/acme-challenge directory will be allowed over port 80 via nginx. Certbot's webroot plugin will just write ACME challenge response files to that directory during certificate renewal (once completed the files are removed).
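As an added example (not the PR's own configuration), an nginx port-80 server block that exposes only the ACME challenge directory for certbot's webroot renewal and sends everything else to HTTPS; the server name and the webroot path (/var/www/streisand-letsencrypt, the location proposed in the review instead of /usr/share/nginx/html) are assumptions.

```nginx
# Added example: port-80 server block that serves only http-01 challenge
# tokens for certbot's webroot plugin. Assumed values: server_name and the
# dedicated webroot under /var/www (not the package-owned /usr/share tree).
server {
    listen 80;
    listen [::]:80;
    server_name example.com;   # assumption: replace with the real hostname

    # certbot writes tokens to <webroot>/.well-known/acme-challenge/ during
    # renewal, e.g.:
    #   certbot certonly --webroot -w /var/www/streisand-letsencrypt -d example.com
    # and removes them once validation completes, so this directory should
    # otherwise stay empty.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/streisand-letsencrypt;
        default_type "text/plain";
        try_files $uri =404;   # unknown paths get 404, never another handler
    }

    # Nothing else is served in the clear; every other request is redirected
    # to the TLS listener.
    location / {
        return 301 https://$host$request_uri;
    }
}
```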