From 4bd44ba15edbbae7497b42ddd6118c33766cd1d4 Mon Sep 17 00:00:00 2001
From: Maarten de Waard
Date: Tue, 23 Aug 2016 10:21:16 +0200
Subject: [PATCH] finish renewal script

---
 README.rst | 8 +++---
 provisioning_client.sh | 58 +++++++++++++++++++++++-------------------
 2 files changed, 37 insertions(+), 29 deletions(-)

diff --git a/README.rst b/README.rst
index 35004ea..962587d 100644
--- a/README.rst
+++ b/README.rst
@@ -223,13 +223,13 @@ together a configuration that works for you.
 frontend http-in
 # Listen on port 80
- bind *:80
+ bind \*:80
 # Listen on port 443
 # Uncomment after running certbot for the first time, a certificate
 # needs to be installed *before* HAProxy will be able to start when this
 # directive is not commented.
 #
- bind *:443 ssl crt /opt/certbot/haproxy_fullchains/__fallback.pem crt /opt/certbot/haproxy_fullchains
+ bind \*:443 ssl crt /opt/certbot/haproxy_fullchains/__fallback.pem crt /opt/certbot/haproxy_fullchains
 # Forward Certbot verification requests to the certbot-haproxy plugin
 acl is_certbot path_beg -i /.well-known/acme-challenge
@@ -263,7 +263,7 @@ together a configuration that works for you.
 server node3 127.0.0.1:8080 check
 server node4 127.0.0.1:8080 check
 # If redirection from port 80 to 443 is to be forced, uncomment the next
- # line. Keep in mind that the bind *:443 line should be uncommented and a
+ # line. Keep in mind that the bind \*:443 line should be uncommented and a
 # certificate should be present for all domains
 redirect scheme https if !{ ssl_fc }
@@ -313,6 +313,7 @@ minutes after the server boots, this is done so renewal starts immediately
 after the server has been offline for a long time.
 .. code:: bash
+
 cat < /etc/systemd/system/letsencrypt.timer
 [Unit]
 Description=Run Let's Encrypt every 12 hours
@@ -334,6 +335,7 @@ after the server has been offline for a long time.
 [Service]
 Type=simple
+ User=certbot
 ExecStart=/usr/bin/certbot renew -q
 EOF
diff --git a/provisioning_client.sh b/provisioning_client.sh
index 67a84f9..844170a 100644
--- a/provisioning_client.sh
+++ b/provisioning_client.sh
@@ -198,31 +198,37 @@ bash -c 'echo "vagrant ALL=NOPASSWD: /bin/systemctl restart haproxy"
 systemctl restart apache2
 systemctl restart haproxy
 
-#cat < /etc/systemd/system/letsencrypt.timer
-#[Unit]
-#Description=Run Let's Encrypt every 12 hours
-#
-#[Timer]
-## Time to wait after booting before we run first time
-#OnBootSec=2min
-## Time between running each consecutive time
-#OnUnitActiveSec=12h
-#Unit=letsencrypt.service
-#
-#[Install]
-#WantedBy=timers.target
-#EOF
-#
-#cat < /etc/systemd/system/letsencrypt.service
-#[Unit]
-#Description=Renew Let's Encrypt Certificates
-#
-#[Service]
-#Type=simple
-#ExecStart=/usr/bin/certbot renew -q
-#EOF
-#
-#systemctl enable letsencrypt.timer
-#systemctl start letsencrypt.timer
+# Scripts that run certificate renewal for all certificates every 12 hours. Only
+# certificates that are due are renewed.
+cat < /etc/systemd/system/letsencrypt.service
+[Unit]
+Description=Renew Let's Encrypt Certificates
+
+[Service]
+Type=simple
+User=vagrant
+ExecStart=/usr/bin/certbot renew -q
+EOF
+
+cat < /etc/systemd/system/letsencrypt.timer
+[Unit]
+Description=Run Let's Encrypt every 12 hours
+
+[Timer]
+# Time to wait after booting before we run first time
+OnBootSec=2min
+# Time between running each consecutive time
+OnUnitActiveSec=12h
+Unit=letsencrypt.service
+
+[Install]
+WantedBy=timers.target
+EOF
+
+# Reload for when there were already other scripts in place.
+systemctl daemon-reload
+# Enable and start the timer, which runs the service.
+systemctl enable letsencrypt.timer
+systemctl start letsencrypt.timer
 
 echo "Provisioning completed."
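Review bot: `User=vagrant` in the new letsencrypt.service disagrees with the README hunk in this same commit, which documents the unit with `User=certbot`; one of the two should change so that the documented unit is the one the script actually installs. A dedicated, minimally privileged account is also the safer choice for a job that runs unattended every 12 hours: the hunk header shows `vagrant` being granted passwordless `systemctl restart haproxy`, which is the only elevated action the renewal needs, so any further rights the vagrant account holds are unnecessary exposure should certbot or the plugin misbehave (whether that account can write /etc/letsencrypt and /opt/certbot/haproxy_fullchains is not visible here and should be confirmed). `Type=oneshot` fits `ExecStart=/usr/bin/certbot renew -q` better than `Type=simple`, because the command runs to completion and a non-zero exit is then surfaced as a failed unit for that timer run instead of being lost. As rendered, `cat < /etc/systemd/system/letsencrypt.service` reads as an input redirection rather than a here-document; if the script really reads that way the unit files are never written, so this is worth checking against the file itself.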