From 80b5d67ad046b28531d11c5c5994892d36614f63 Mon Sep 17 00:00:00 2001
From: Zolfa
Date: Wed, 27 May 2020 13:07:10 +0200
Subject: [PATCH] roles/certbot: zero downtime, reload only

Do not stop the webserver before performing HTTP challenge (challenge is on port 80, webserver should be listening on port 443 only). As post-renewal hook just reload the webserver, don't restart.
---
 roles/certbot/tasks/main.yaml | 22 ++++++++++++----------
 roles/certbot/templates/certbot.service | 2 +-
 2 files changed, 13 insertions(+), 11 deletions(-)

diff --git a/roles/certbot/tasks/main.yaml b/roles/certbot/tasks/main.yaml
index a5d3d0b..20aa678 100644
--- a/roles/certbot/tasks/main.yaml
+++ b/roles/certbot/tasks/main.yaml
@@ -11,11 +11,13 @@
 tags:
 - 'packages'
-- name: Shutdown webservers
- service:
- name: "{{ webserver_name }}"
- state: stopped
- ignore_errors: yes
+# Standard nginx installation should not listen on port 80
+# -> This is probably not required.
+#- name: 'shutdown webservers'
+# service:
+# name: '{{ webserver_name }}'
+# state: 'stopped'
+# ignore_errors: true
 - name: 'request certificate'
 command: >
@@ -35,11 +37,11 @@
 tags:
 - 'tls_pub'
-- name: Restart webservers
- service:
- name: "{{ webserver_name }}"
- state: started
- ignore_errors: yes
+#- name: 'restart webservers'
+# service:
+# name: '{{ webserver_name }}'
+# state: 'started'
+# ignore_errors: true
 - name: 'add systemd timer for cert renewal'
 template:
diff --git a/roles/certbot/templates/certbot.service b/roles/certbot/templates/certbot.service
index 629fb9d..c23b11e 100644
--- a/roles/certbot/templates/certbot.service
+++ b/roles/certbot/templates/certbot.service
@@ -3,4 +3,4 @@ Description=Let's Encrypt renewal
 [Service]
 Type=oneshot
-ExecStart=/usr/bin/certbot renew --agree-tos --post-hook "systemctl restart {{ webserver_name }}"
+ExecStart=/usr/bin/certbot renew --agree-tos --post-hook "systemctl reload {{ webserver_name }}"
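Review bot: The shutdown task is commented out rather than deleted, and the comment above it hedges (`-> This is probably not required.`), so the first hunk leaves the reader unsure whether the precondition actually holds; the second hunk of this file (`restart webservers`) repeats the same pattern. Git history already preserves the removed tasks, so the commented-out YAML should be dropped and the hedge turned into a stated precondition, e.g. `# HTTP-01 challenge needs port 80 free: the webserver must listen on 443 only (no :80 redirect vhost).` If the 'request certificate' command (its body continues past the hunk) uses certbot's standalone authenticator, a webserver that does bind :80 will make the challenge fail to bind — a failure the old stop-task masked — so a pre-task that fails fast when something is listening on 80 would make the assumption explicit instead of "probable". The old tasks also carried `ignore_errors: yes`, so they never reliably guaranteed a free port anyway, which supports deleting them outright rather than keeping them as comments.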
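Review bot: `--post-hook` on the new ExecStart line runs after the renewal attempt regardless of whether it succeeded, so the reload is also triggered when certbot failed to renew and the on-disk certificate is unchanged; since the commit's intent is to nudge the webserver only after a renewal, `--deploy-hook "systemctl reload {{ webserver_name }}"` fits better, as certbot runs that once per certificate that was actually issued. The switch from `restart` to `reload` also changes failure behaviour: `systemctl reload` does not start an inactive unit (it fails instead), whereas the old `restart` would have brought a stopped webserver up, so a non-running webserver now surfaces as a failed renewal run. That is arguably the better outcome, but it deserves a comment in the unit, e.g. `# reload (not restart) keeps existing connections open; it fails if the webserver is not running`.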