create pre and post hooks #80
Conversation
* Move 'stop' services to pre-hook and post-hook. This way they will also be stopped and started when renewing.
  - remove service stop/start tasks
  - add pre-hook/post-hook templates
  - add pre-hook/post-hook template tasks
  - create missing directories at first run
  - run pre and post hook during first manual run
This would resolve:

I find this really useful. I think two more tasks should be added to allow for the user to define their own hooks. For instance, I would like to copy some certificates somewhere upon renewal. This is not possible currently.

Would be great to get this included.
Stopping a web server is not needed for renewal, but for the first request of a new cert, when certbot needs to listen on port 80 for the challenge. So adding a script for reloading configurations of web servers to
It's worth saying that the new version of
In light of @tomasbedrich's comment, is that something that we should consider in reworking this PR? (It seems like it could greatly simplify the work the Ansible role would have to do.)
This is the snippet which I use now:

```yaml
- name: Create pre-renew hook to stop webservers
  copy:
    content: "#!/bin/bash\n\nsystemctl stop {{ item }}\n"
    dest: "/etc/letsencrypt/renewal-hooks/pre/stop_{{ item }}"
    mode: u+x
  loop: "{{ certbot_create_standalone_stop_services }}"

- name: Create post-renew hook to start webservers
  copy:
    content: "#!/bin/bash\n\nsystemctl start {{ item }}\n"
    dest: "/etc/letsencrypt/renewal-hooks/post/start_{{ item }}"
    mode: u+x
  loop: "{{ certbot_create_standalone_stop_services }}"
```

It is for systemd distros only, but feel free to use it as a base for something more universal.
I was just bitten by this yet again, as the renewal job installed by the OS always ran exactly when a new cert was available, and the post-hooks of the daily cronjob set up by this role never fired 😢. @geerlingguy would you welcome a PR to allow users to specify some vars to modify the renewal configuration files, as an alternative to installing a second cronjob?
fyi, i simplified @tomasbedrich's proposal for my usage, so that the

```yaml
---
- name: Add cron job for certbot renewal (if configured).
  cron:
    name: Certbot automatic renewal.
    job: "{{ certbot_script }} renew {{ certbot_auto_renew_options }}"
    minute: "{{ certbot_auto_renew_minute }}"
    hour: "{{ certbot_auto_renew_hour }}"
    user: "{{ certbot_auto_renew_user }}"
  when: ansible_service_mgr != "systemd"

- block:
    - name: Remove cron job for certbot renewal.
      cron:
        name: Certbot automatic renewal.
        state: absent

    - name: Configure renewal hooks to stop services
      copy:
        dest: /etc/letsencrypt/renewal-hooks/pre/stop_services
        content: |
          #!/bin/sh
          systemctl stop {{ certbot_create_standalone_stop_services | join(" ") }}
        mode: ug=rx,o=

    - name: Configure renewal hooks to start services
      copy:
        dest: /etc/letsencrypt/renewal-hooks/post/start_services
        content: |
          #!/bin/sh
          systemctl start {{ certbot_create_standalone_stop_services | join(" ") }}
        mode: ug=rx,o=
  when: ansible_service_mgr == "systemd"
```

i'd also propose to add a variable
This pull request has been marked 'stale' due to lack of recent activity. If there is no further activity, the PR will be closed in another 30 days. Thank you for your contribution! Please read this blog post to see the reasons why I mark pull requests as stale.

@geerlingguy, i'd prefer a human decision how this pr is handled. i don't have a particular opinion on this proposed solution, but i'd appreciate some progress on the issue itself which i consider a bug.

This issue is no longer marked for closure.

@funkyfuture - It's not a bug, but rather a missing feature. But one I do agree I'd like to support.
It looks like there are also a couple new variables defined—I would prefer that we have them added in defaults (so like `certbot_create_standalone_stop_services: []`), and also mentioned in the parameters in the README with a brief explanation underneath.
```jinja
{% for item in certbot_create_standalone_stop_services %}
echo "starting service {{ item }}"
{% if ansible_service_mgr == 'systemd' %}
systemctl start {{ item }}
```
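Review bot: only the `{% if ansible_service_mgr == 'systemd' %}` branch is visible in this region of the template, so a host using another service manager would get a hook that does nothing for its services; if the hooks are meant to be universal, add an `{% else %}` branch (for example a `service {{ item }} start` fallback) or fail explicitly, and if they are systemd-only, say so in the README entry for `certbot_create_standalone_stop_services`.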
the `start` subcommand can take all designated service names as arguments at once, reducing the downtime due to fewer invoked processes. the same applies to the `stop_service.j2`.
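The hook scripts above (the `renewal-hooks/pre` and `renewal-hooks/post` snippets and the review note about passing all service names to one `systemctl` call) can be combined into a pair of hooks that also remember what they stopped. This is an added example, not code from this PR or the role; it assumes systemd and an assumed state-file path under `/run`.

```shell
#!/bin/sh
# Added example: pre/post renewal hooks for certbot's standalone authenticator,
# shown as two functions in one file. Assumptions: systemctl manages the
# services, and the hook may write the state file below (assumed path).
STATE_FILE="${CERTBOT_HOOK_STATE:-/run/certbot-stopped-services}"

# Pre-hook: record which of the given services are actually running, then stop
# them with a single systemctl call. Services that were already down are left
# alone, so the post-hook will not start something an operator had stopped.
pre_hook() {
    : > "$STATE_FILE"
    for svc in "$@"; do
        if systemctl is-active --quiet "$svc"; then
            printf '%s\n' "$svc" >> "$STATE_FILE"
        fi
    done
    [ -s "$STATE_FILE" ] || return 0
    set -- $(cat "$STATE_FILE")   # unit names contain no whitespace
    systemctl stop "$@"
}

# Post-hook: certbot runs post hooks after the renewal attempt whether or not it
# succeeded, so always start exactly the services the pre-hook stopped.
post_hook() {
    [ -s "$STATE_FILE" ] || return 0
    set -- $(cat "$STATE_FILE")
    if systemctl start "$@"; then rc=0; else rc=$?; fi
    rm -f "$STATE_FILE"
    return "$rc"
}

# Lists the services currently recorded as stopped (empty if none).
stopped_services() {
    if [ -f "$STATE_FILE" ]; then cat "$STATE_FILE"; fi
    return 0
}

# Install as .../pre/stop_services ("$0 pre nginx apache2") and
# .../post/start_services ("$0 post"); with no argument nothing runs.
case "${1:-}" in
    pre)  shift; pre_hook "$@" ;;
    post) post_hook ;;
esac
```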
A simpler way to achieve this without modifying this role is to override:

```yaml
certbot_create_if_missing: true
certbot_create_standalone_stop_services: []
certbot_auto_renew: false # renew is already done by a cron inside certbot package
certbot_create_command: >-
  {{ certbot_script }} certonly
  --non-interactive
  --email "{{ cert_item.email }}"
  --agree-tos
  --dns-ovh
  --dns-ovh-credentials /infra/.ovh
  --post-hook "{{ cert_item.post_hook }}"
  --domains "{{ cert_item.domains | join(',') }}"
```

The cert creation process is handled here using DNS, but with standalone or webroot it's the same idea; the only important thing here is this line:

And here is an example of one of my certs contained in my `certbot_certs`:

```yaml
- email: "{{ my_email }}"
  post_hook: "systemctl restart docker-compose@igln"
  domains:
    - igln.fr
    - www.igln.fr
```

This way I get a configuration file like this:
Cleaned up version of pr 75.