Certbot support using certbot nginx plugin #136
Conversation
- Fix typo in index.rst - Update docs to avoid conflict with `certficate` key
| Then it will create certificates as necessary for each hostname in the ``certbot_hosts`` list. | ||
| If a certificate already exists, it will not attempt addition. | ||
|
|
||
| Note that ``python3-certbot-nginx`` includes an auto-renewal cronjob. |
There was a problem hiding this comment.
I did not see this on my server in /var/spool/cron/crontabs/ after running the playbook. Where is it located?
There was a problem hiding this comment.
Got it.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renewI note that the cron job does not include --nginx flag for certbot -q renew. I guess we will find out if it works for me on May 12 when my current cert is due to expire.
There was a problem hiding this comment.
The auto-renew cronjob failed. See #136 (comment)
|
|
||
| ansible-playbook -k certbot.yml | ||
|
|
||
| This will first install ``python3-certbot-nginx`` from the certbot/certbot ppa. |
There was a problem hiding this comment.
What's "ppa"? Is there a link to it?
There was a problem hiding this comment.
Personal Package Archive; standard debian mechanism for maintaining an additional package source. In this case, it's certbot's.
There was a problem hiding this comment.
| This will first install ``python3-certbot-nginx`` from the certbot/certbot ppa. | |
| This will first install ``python3-certbot-nginx`` from the certbot/certbot Personal Package Archive. |
Co-Authored-By: Steve Piercy <[email protected]>
|
With that one new suggestion, I'm OK with merging this. Maybe someone else has an older cert they can test for renewal? |
|
Well, the automatic renewal did not work on my system: Is there something I should check? $ sudo cat /etc/cron.d/certbot
# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc. Renewal will only occur if expiration
# is within 30 days.
#
# Important Note! This cronjob will NOT be executed if you are
# running systemd as your init system. If you are running systemd,
# the cronjob.timer function takes precedence over this cronjob. For
# more details, see the systemd.timer manpage, or use systemctl show
# certbot.timer.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew |
|
Try running I don't understand what that cron job does. This is what I have: |
|
I expect the manual invocation of Maybe we should change the cronjob that python3-certbot-nginx creates to your version? |
|
I wonder if there's any chance that stevepiercy has a combination of the nginx and standalone versions of certbot installed on a test machine. The "failed to bind" error would indicate that certbot tried to use its standalone web server without knowledge of the nginx install. |
|
Yes, I did install standalone originally on this machine. I think that |
|
I found that this probably depends on the |
|
Aye, there she is! The next time I deploy another Plone instance (which could be next week) I will check my |
|
Some bad news: the nginx certbot plugin is not working with Ubuntu 20.04 (focal). Looks like the bug's been reported and is fixable, but we'll want to wait for that fix before considering this as supported on Focal. certbot/certbot#7951 |
|
I did some digging, and it looks like a release with the fix is imminent. |
|
@smcmahon ping. Would you please rebase on |
|
I can take a look at this on the weekend if no one else does before |
|
Rebased with master. certbot.yml test passes on bionic. |
Simplifies using playbook to issue and use LetsEncrypt certificates.