Commit 1f9f07bc authored by Sven-Hendrik Haase

Merge branch 'certificate-catch22' into 'master'

Fix certificate catch-22 bootstrapping issue

Closes #30

See merge request !267
parents aed624bb 361e88b6
Pipeline #4531 passed with stage in 43 seconds
......@@ -40,16 +40,6 @@ all servers directly from hcloud. You don't really have to do anything to make
this work but you should keep in mind to NOT add hcloud servers to `hosts`!
They'll be available automatically.
#### Note about first time certificates
The first time a certificate is issued, you'll have to do this manually by yourself. First, configure the DNS to
point to the new server and then run a playbook onto the server which includes the nginx role. Then on the server,
it is necessary to run the following once:
certbot certonly --email webmaster@archlinux.org --agree-tos --rsa-key-size 4096 --renew-by-default --webroot -w /var/lib/letsencrypt/ -d <domain-name>
Note that some roles already run this automatically.
#### Note about packer
We use packer to build snapshots on hcloud to use as server base images.
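Review bot: the removed "Note about first time certificates" section stated that DNS has to point at the new server before the playbook with the nginx role is run, and that precondition still applies to the automated `--webroot` issuance this commit introduces. Suggest keeping a one-line note in the README saying the domain must already resolve to the server before the first playbook run, since the first-time certificate task cannot pass validation otherwise.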
......
- name: create ssl cert
command: certbot certonly --email {{ certificate_contact_email }} --agree-tos --rsa-key-size {{ certificate_rsa_key_size }} --renew-by-default --webroot -w {{ letsencrypt_validation_dir }} -d {{ domains | join(' -d ') }} creates='/etc/letsencrypt/live/{{ domains | first }}/fullchain.pem'
shell: |
set -o pipefail
python -m http.server --directory {{ letsencrypt_validation_dir }} 80 &
trap "jobs -p | xargs --no-run-if-empty kill" EXIT
certbot certonly --email {{ certificate_contact_email }} --agree-tos --rsa-key-size {{ certificate_rsa_key_size }} --renew-by-default --webroot -w {{ letsencrypt_validation_dir }} -d {{ domains | join(' -d ') }}
args:
creates: '/etc/letsencrypt/live/{{ domains | first }}/fullchain.pem'
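Review bot: in the new `shell:` block, `python -m http.server --directory ... 80 &` is backgrounded and its outcome is never checked, so if it cannot bind port 80 or is not yet listening, certbot runs anyway and the problem surfaces only as a validation failure. Consider confirming the background job is still alive (and the port is answering) before the certbot line, and failing with a clear message if not. Separately, `set -o pipefail` depends on the task's shell supporting that option, and `args:` sets only `creates`; adding `executable: /bin/bash` there would make the requirement explicit.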