Browse Source

roles/certbot: zero downtime, reload only

Do not stop the webserver before performing HTTP challenge (challenge
is on port 80, webserver should be listening on port 443 only).

As post-renewal hook just reload the webserver, don't restart.
python3
Zolfa 5 years ago
parent
commit
80b5d67ad0
Signed by: zolfa GPG Key ID: E1A43B038C4D6616
2 changed files with 13 additions and 11 deletions
  1. +12
    -10
      roles/certbot/tasks/main.yaml
  2. +1
    -1
      roles/certbot/templates/certbot.service

+ 12
- 10
roles/certbot/tasks/main.yaml View File

@ -11,11 +11,13 @@
tags:
- 'packages'
- name: Shutdown webservers
service:
name: "{{ webserver_name }}"
state: stopped
ignore_errors: yes
# Standard nginx installation should not listen on port 80
# -> This is probably not required.
#- name: 'shutdown webservers'
# service:
# name: '{{ webserver_name }}'
# state: 'stopped'
# ignore_errors: true
- name: 'request certificate'
command: >
@ -35,11 +37,11 @@
tags:
- 'tls_pub'
- name: Restart webservers
service:
name: "{{ webserver_name }}"
state: started
ignore_errors: yes
#- name: 'restart webservers'
# service:
# name: '{{ webserver_name }}'
# state: 'started'
# ignore_errors: true
- name: 'add systemd timer for cert renewal'
template:


+ 1
- 1
roles/certbot/templates/certbot.service View File

@ -3,4 +3,4 @@ Description=Let's Encrypt renewal
[Service]
Type=oneshot
ExecStart=/usr/bin/certbot renew --agree-tos --post-hook "systemctl restart {{ webserver_name }}"
ExecStart=/usr/bin/certbot renew --agree-tos --post-hook "systemctl reload {{ webserver_name }}"

Loading…
Cancel
Save