Commit c34ef9c

Browse files
committed
Update Let's Encrypt certs when CSRs change
1 parent e358dd7 commit c34ef9c

2 files changed

+14
-9
lines changed

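--- a/roles/letsencrypt/tasks/certificates.yml
+++ b/roles/letsencrypt/tasks/certificates.yml
@@ -28,10 +28,10 @@
   when: site_uses_letsencrypt
   with_dict: "{{ wordpress_sites }}"
 
-- name: Generate the initial certificate
+- name: Generate the certificate
   command: ./renew-certs.py
   args:
     chdir: "{{ acme_tiny_data_directory }}"
-  register: generate_initial_cert
-  changed_when: generate_initial_cert.stdout is defined and 'Created' in generate_initial_cert.stdout
+  register: generate_cert
+  changed_when: generate_cert.stdout is defined and 'Created' in generate_cert.stdout
   notify: reload nginx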

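--- a/roles/letsencrypt/templates/renew-certs.py
+++ b/roles/letsencrypt/templates/renew-certs.py
@@ -4,23 +4,28 @@
 import sys
 import time
 
+from hashlib import sha1
 from subprocess import CalledProcessError, check_output, STDOUT
 
 certs_dir = '{{ letsencrypt_certs_dir }}'
 failed = False
-sites = {{ wordpress_sites }}
-sites = (k for k, v in sites.items() if 'ssl' in v and v['ssl'].get('enabled', False) and v['ssl'].get('provider', 'manual') == 'letsencrypt')
 
-for site in sites:
+for site in {{ sites_using_letsencrypt }}:
     cert_path = os.path.join(certs_dir, site + '.cert')
     bundled_cert_path = os.path.join(certs_dir, site + '-bundled.cert')
 
+    with open('{{ acme_tiny_data_directory }}/csrs/{0}.csr'.format(site), 'rb') as f:
+        csr_hash = sha1(f.read()).hexdigest()
+
     if os.access(cert_path, os.F_OK):
         stat = os.stat(cert_path)
         print 'Certificate file ' + cert_path + ' already exists'
 
-        if time.time() - stat.st_mtime < {{ letsencrypt_min_renewal_age }} * 86400:
-            print ' The certificate is younger than {{ letsencrypt_min_renewal_age }} days. Not creating a new certificate.\n'
+        with open(cert_path, 'r') as f:
+            csr_hash_in_cert = f.readline().strip()
+
+        if csr_hash == csr_hash_in_cert and time.time() - stat.st_mtime < {{ letsencrypt_min_renewal_age }} * 86400:
+            print ' The site hosts are unchanged and the certificate is younger than {{ letsencrypt_min_renewal_age }} days. Not creating a new certificate.\n'
             continue
 
     print 'Generating certificate for ' + site
@@ -40,7 +45,7 @@
             print e.output
         else:
             with open(cert_path, 'w') as cert_file:
-                cert_file.write(cert)
+                cert_file.write('\n'.join([csr_hash, cert]))
 
             with open('{{ letsencrypt_intermediate_cert_path }}') as intermediate_cert_file:
                 intermediate_cert = intermediate_cert_file.read()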
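Review bot: Writing the CSR digest as the first line of cert_path (`cert_file.write('\n'.join([csr_hash, cert]))` at new line 48) turns that file from plain PEM into a custom two-part format, so anything that still reads it as a certificate — nginx if `ssl_certificate` points at the unbundled file, or an operator running `openssl x509 -in` on it — now gets a parse error, and the bundling code that follows is outside this hunk so I cannot confirm from here that only bundled_cert_path is ever served. A sidecar file next to the certificate keeps the PEM intact and makes the first run after this change explicit, instead of relying on `-----BEGIN CERTIFICATE-----` happening to differ from a hex digest in `csr_hash_in_cert`. The new `open('...csrs/{0}.csr'.format(site), 'rb')` at new line 17 also appears to sit before the try/except that guards generation (that block is between the hunks), so one missing CSR now raises an uncaught IOError and aborts the loop for every remaining site rather than setting `failed` for that site and continuing. SHA-1 is acceptable as a change detector since nothing adversarial is being authenticated here, but `sha256` costs nothing and avoids the question in audits.
```python
    csr_hash_path = cert_path + '.csr-sha256'
    # … unchanged: read and hash the CSR (sha256 instead of sha1) …

    if os.access(cert_path, os.F_OK):
        stat = os.stat(cert_path)
        print 'Certificate file ' + cert_path + ' already exists'

        # Digest of the CSR the existing cert was issued for; empty if never recorded.
        csr_hash_on_disk = ''
        if os.access(csr_hash_path, os.F_OK):
            with open(csr_hash_path, 'r') as f:
                csr_hash_on_disk = f.read().strip()

        if csr_hash == csr_hash_on_disk and time.time() - stat.st_mtime < {{ letsencrypt_min_renewal_age }} * 86400:
            # … unchanged: skip message and continue …

    # … unchanged: generation and error handling …
            with open(cert_path, 'w') as cert_file:
                cert_file.write(cert)
            with open(csr_hash_path, 'w') as hash_file:
                hash_file.write(csr_hash)
```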
