use renew hook to create fullchain cert

31380ef8 · blackphantom39 · 664cfec3 · 31380ef8 · 31380ef8 · 31380ef8
Commit 31380ef8 authored 1 year ago by blackphantom39
--- a/tasks/dns-challenge.yml
+++ b/tasks/dns-challenge.yml
@@ -38,6 +38,13 @@
    - /etc/letsencrypt/renewal-hooks/deploy
  become: true

+- name: Render deploy hook script
+  ansible.builtin.template:
+    src: templates/renew-hook.sh.j2
+    dest: /etc/letsencrypt/renewal-hooks/deploy/create-fullchain.sh
+    mode: 0755
+  become: true
+
 - name: Request Cert If Necessary - DNS Challenge
  when: not lecert.stat.exists
  become: true
@@ -47,7 +54,7 @@
        lego -a --dns {{ certbot_dns_provider }}
        --email {{ certbot_admin_email }} -d {{ lego_dflag }}
        --path {{ certbot_live_dir }}
-        run --no-bundle
+        run --no-bundle --renew-hook /etc/letsencrypt/renewal-hooks/deploy/create-fullchain.sh
      environment: "{{ dns_provider_auth_env_variables }}"
      register: lego
      changed_when: lego.rc == 0

--- a/templates/dns-challenge.service.j2
+++ b/templates/dns-challenge.service.j2
@@ -5,10 +5,8 @@ Description=LEGO DNS challenge

 [Service]
 Type=oneshot
-ExecStart=/usr/bin/lego -a --dns {{ certbot_dns_provider }} --email {{ certbot_admin_email }} -d {{ lego_dflag }} --path {{ certbot_live_dir }} renew --no-bundle
+ExecStart=/usr/bin/lego -a --dns {{ certbot_dns_provider }} --email {{ certbot_admin_email }} -d {{ lego_dflag }} --path {{ certbot_live_dir }} renew --no-bundle --renew-hook /etc/letsencrypt/renewal-hooks/deploy/create-fullchain.sh
 ExecStartPost=cp {{ certbot_live_dir }}/certificates/{{ certbot_fqdn_first }}.crt {{ certbot_live_dir }}/cert.pem
 ExecStartPost=cp {{ certbot_live_dir }}/certificates/{{ certbot_fqdn_first }}.key {{ certbot_live_dir }}/privkey.pem
-ExecStartPost=cat {{ certbot_live_dir }}/certificates/{{ certbot_fqdn_first }}.crt >> {{ certbot_live_dir }}/fullchain.pem
-ExecStartPost=cat {{ certbot_live_dir }}/certificates/{{ certbot_fqdn_first }}.issuer.crt >> {{ certbot_live_dir }}/fullchain.pem
 {{ "ExecStartPost=/etc/letsencrypt/renewal-hooks/deploy/" + certbot_application if certbot_application is defined else "" }}
 EnvironmentFile=/etc/default/dns-challenge.env
--- a/templates/renew-hook.sh.j2
+++ b/templates/renew-hook.sh.j2
+#!/usr/bin/env bash
+
+cat {{ certbot_live_dir }}/certificates/{{ certbot_fqdn_first }}.crt >> {{ certbot_live_dir }}/fullchain.pem
+cat {{ certbot_live_dir }}/certificates/{{ certbot_fqdn_first }}.issuer.crt >> {{ certbot_live_dir }}/fullchain.pem
\ No newline at end of file