after_ssl:
- exec:
cmd:
- - cd /root && git clone https://github.com/Neilpang/le.git
+ - if [ -z "$LETSENCRYPT_ACCOUNT_EMAIL" ]; then echo "LETSENCRYPT_ACCOUNT_EMAIL ENV variable is required and has not been set."; exit 1; fi
+ - /bin/bash -c "if [[ ! \"$LETSENCRYPT_ACCOUNT_EMAIL\" =~ ([^@]+)@([^\.]+) ]]; then echo \"LETSENCRYPT_ACCOUNT_EMAIL is not a valid email address\"; exit 1; fi"
+
+ - exec:
+ cmd:
+ - cd /root && git clone https://github.com/Neilpang/acme.sh.git && cd /root/acme.sh && git reset --hard c4c5ecd03de497fd4c3079cbac9d3c56edaffc89
- touch /var/spool/cron/crontabs/root
- install -d -m 0755 -g root -o root $LETSENCRYPT_DIR
- - cd /root/le && LE_WORKING_DIR="${LETSENCRYPT_DIR}" ./le.sh install
+ - cd /root/acme.sh && LE_WORKING_DIR="${LETSENCRYPT_DIR}" ./acme.sh --install --log "${LETSENCRYPT_DIR}/acme.sh.log"
+ - cd /root/acme.sh && LE_WORKING_DIR="${LETSENCRYPT_DIR}" ./acme.sh --upgrade --auto-upgrade
+
+ - file:
+ path: "/etc/nginx/letsencrypt.conf"
+ contents: |
+ user www-data;
+ worker_processes auto;
+ daemon on;
+
+ events {
+ worker_connections 768;
+ # multi_accept on;
+ }
+
+ http {
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+
+ access_log /var/log/nginx/access.letsencrypt.log;
+ error_log /var/log/nginx/error.letsencrypt.log;
+
+ server {
+ listen 80;
+ listen [::]:80;
+
+ location ~ /.well-known {
+ root /var/www/discourse/public;
+ allow all;
+ }
+ }
+ }
- file:
path: /etc/runit/1.d/letsencrypt
chmod: "+x"
contents: |
#!/bin/bash
- set -e
- LE_WORKING_DIR="$$ENV_LETSENCRYPT_DIR" $$ENV_LETSENCRYPT_DIR/le.sh issue no $$ENV_DISCOURSE_HOSTNAME no 4096
- LE_WORKING_DIR="$$ENV_LETSENCRYPT_DIR" $$ENV_LETSENCRYPT_DIR/le.sh installcert $$ENV_DISCOURSE_HOSTNAME /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.cer /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.key /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.cer "sv reload nginx"
- # After the initial install, switch to Webroot plugin
- LE_WORKING_DIR="$$ENV_LETSENCRYPT_DIR" $$ENV_LETSENCRYPT_DIR/le.sh _setopt $$ENV_LETSENCRYPT_DIR/$$ENV_DISCOURSE_HOSTNAME/$$ENV_DISCOURSE_HOSTNAME.conf "Le_Webroot" "=" "/var/www/discourse/public"
+ /usr/sbin/nginx -c /etc/nginx/letsencrypt.conf
+
+ LE_WORKING_DIR="${LETSENCRYPT_DIR}" $$ENV_LETSENCRYPT_DIR/acme.sh --issue -d $$ENV_DISCOURSE_HOSTNAME -k 4096 -w /var/www/discourse/public
+
+ if [ ! "$(cd $$ENV_LETSENCRYPT_DIR/$$ENV_DISCOURSE_HOSTNAME && openssl verify -CAfile ca.cer fullchain.cer | grep "OK")" ]; then
+ # Try to issue the cert again if something goes wrong
+ LE_WORKING_DIR="${LETSENCRYPT_DIR}" $$ENV_LETSENCRYPT_DIR/acme.sh --issue -d $$ENV_DISCOURSE_HOSTNAME -k 4096 --force -w /var/www/discourse/public
+ fi
+
+ LE_WORKING_DIR="${LETSENCRYPT_DIR}" $$ENV_LETSENCRYPT_DIR/acme.sh --installcert -d $$ENV_DISCOURSE_HOSTNAME --fullchainpath /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.cer --keypath /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.key --reloadcmd "sv reload nginx"
+
+ /usr/sbin/nginx -c /etc/nginx/letsencrypt.conf -s stop
- replace:
filename: "/etc/nginx/conf.d/discourse.conf"
to: |
ssl_certificate /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.cer;
+ - replace:
+ filename: /shared/letsencrypt/account.conf
+ from: /#?ACCOUNT_EMAIL=.+/
+ to: |
+ ACCOUNT_EMAIL=$$ENV_LETSENCRYPT_ACCOUNT_EMAIL
+
- replace:
filename: "/etc/nginx/conf.d/discourse.conf"
from: /ssl_certificate_key.+/
to: |
- ssl_certificate_key /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.key; # remember the certificate for 2 months and automatically connect to HTTPS for this domain
+ ssl_certificate_key /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.key;
- replace:
filename: "/etc/nginx/conf.d/discourse.conf"
from: /add_header.+/
to: |
- add_header Strict-Transport-Security 'max-age=5184000';
-
-
+ add_header Strict-Transport-Security 'max-age=63072000';
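Review bot: The commit pins acme.sh to commit `c4c5ecd03de497fd4c3079cbac9d3c56edaffc89` on the `git reset --hard` line, but the very next exec line runs `./acme.sh --upgrade --auto-upgrade`, which — if those flags do what their names suggest — replaces the pinned checkout with whatever upstream currently serves and tells the installed cron job to keep re-fetching it, so unpinned code ends up running as root on every renewal and the pin provides no supply-chain protection. I would drop `- cd /root/acme.sh && LE_WORKING_DIR="${LETSENCRYPT_DIR}" ./acme.sh --upgrade --auto-upgrade` entirely and treat bumping the SHA on the clone line as the upgrade path; if self-update is genuinely wanted, that decision should be stated in a comment next to the pin so the two lines do not read as contradicting each other. A related minor point on the email check: the `/bin/bash -c "…\"$LETSENCRYPT_ACCOUNT_EMAIL\"…"` wrapper expands the not-yet-validated value into the inner script text, so a value containing `"` or `$(` is interpreted by the inner shell rather than compared; running the `[[ … =~ … ]]` test in the outer shell, or passing the value as a positional argument (`/bin/bash -c '…"$1"…' _ "$LETSENCRYPT_ACCOUNT_EMAIL"`), avoids that. The `account.conf` replace hardcodes `/shared/letsencrypt/` while every other path is derived from `$LETSENCRYPT_DIR`; if the two can diverge, the email rewrite silently misses.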