Planet cert renewal (#284)

* run renewal as user nginx * configure template to serve files from well-known/acme-challenge and include defualt_server nginix configuration
python · Oct 11, 2022 · a607a82 · a607a82
1 parent b6f8b25
commit a607a82
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 3 deletions.
diff --git a/salt/planet/config/nginx.planet.conf.jinja b/salt/planet/config/nginx.planet.conf.jinja
@@ -1,9 +1,17 @@
 {% for site, info in salt["pillar.get"]("planet", {}).get("sites").items() %}
 
 server {
-    listen 80;
+    listen 80 default_server;
     server_name {{ site }};
-    return 301 https://$host$request_uri;
+
+    location /.well-known/acme-challenge/ {
+      alias /etc/lego/.well-known/acme-challenge/;
+      try_files $uri =404;
+    }
+
+    location / {
+      return 301 https://$host$request_uri;
+    }
 }
 
 server {

diff --git a/salt/planet/init.sls b/salt/planet/init.sls
@@ -27,7 +27,7 @@ lego_bootstrap:
 
 lego_renew:
   cron.present:
-    - name: /usr/local/bin/lego -a --email="infrastructure-staff@python.org" {% if pillar["dc"] == "vagrant" %}--server=https://salt-master.vagrant.psf.io:14000/dir{% endif %} --domains="{{ grains['fqdn'] }}" {%- for domain in pillar['planet']['subject_alternative_names']  %} --domains {{ domain }}{%- endfor %} --http --http.webroot /etc/lego --path /etc/lego --key-type ec256  renew --days 30 && /usr/sbin/service nginx reload
+    - name: sudo -u nginx /usr/local/bin/lego -a --email="infrastructure-staff@python.org" {% if pillar["dc"] == "vagrant" %}--server=https://salt-master.vagrant.psf.io:14000/dir{% endif %} --domains="{{ grains['fqdn'] }}" {%- for domain in pillar['planet']['subject_alternative_names']  %} --domains {{ domain }}{%- endfor %} --http --http.webroot /etc/lego --path /etc/lego --key-type ec256  renew --days 30 && /usr/sbin/service nginx reload
     - identifier: roundup_lego_renew
     - hour: 0
     - minute: random