roles/certbot: zero downtime, reload only

Do not stop the webserver before performing HTTP challenge (challenge
is on port 80, webserver should be listening on port 443 only).

As post-renewal hook just reload the webserver, don't restart.

roles/certbot/tasks/main.yaml

@@ -11,11 +11,13 @@
   tags:
     - 'packages'
 
-- name: Shutdown webservers
-  service:
-    name: "{{ webserver_name }}"
-    state: stopped
-  ignore_errors: yes
+# Standard nginx installation should not listen on port 80
+# -> This is probably not required.
+#- name: 'shutdown webservers'
+#  service:
+#    name: '{{ webserver_name }}'
+#    state: 'stopped'
+#  ignore_errors: true
 
 - name: 'request certificate'
   command: >
@@ -35,11 +37,11 @@
   tags:
     - 'tls_pub'
 
-- name: Restart webservers
-  service:
-    name: "{{ webserver_name }}"
-    state: started
-  ignore_errors: yes
+#- name: 'restart webservers'
+#  service:
+#    name: '{{ webserver_name }}'
+#    state: 'started'
+#  ignore_errors: true
 
 - name: 'add systemd timer for cert renewal'
   template:

roles/certbot/templates/certbot.service

@@ -3,4 +3,4 @@ Description=Let's Encrypt renewal
 
 [Service]
 Type=oneshot
-ExecStart=/usr/bin/certbot renew --agree-tos --post-hook "systemctl restart {{ webserver_name }}"
+ExecStart=/usr/bin/certbot renew --agree-tos --post-hook "systemctl reload {{ webserver_name }}"