From 31380ef89911ee36e59521f72bc47a2ca135bdc4 Mon Sep 17 00:00:00 2001
From: blackphantom39 <alexander.kaeb@t-online.de>
Date: Wed, 20 Sep 2023 10:26:12 +0200
Subject: [PATCH] use renew hook to create fullchain cert

---
 tasks/dns-challenge.yml            | 9 ++++++++-
 templates/dns-challenge.service.j2 | 4 +---
 templates/renew-hook.sh.j2         | 4 ++++
 3 files changed, 13 insertions(+), 4 deletions(-)
 create mode 100644 templates/renew-hook.sh.j2

diff --git a/tasks/dns-challenge.yml b/tasks/dns-challenge.yml
index 77b4295..b1b2044 100644
--- a/tasks/dns-challenge.yml
+++ b/tasks/dns-challenge.yml
@@ -38,6 +38,13 @@
     - /etc/letsencrypt/renewal-hooks/deploy
   become: true
 
+- name: Render deploy hook script
+  ansible.builtin.template:
+    src: templates/renew-hook.sh.j2
+    dest: /etc/letsencrypt/renewal-hooks/deploy/create-fullchain.sh
+    mode: 0755
+  become: true
+
 - name: Request Cert If Necessary - DNS Challenge
   when: not lecert.stat.exists
   become: true
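Review bot: `mode: 0755` on the new "Render deploy hook script" task is an unquoted octal literal; a YAML 1.1 loader turns it into the integer 493, which Ansible happens to interpret correctly, but ansible-lint's risky-octal rule flags this form and a later edit to `755` would silently become decimal, so write `mode: "0755"`. The destination `/etc/letsencrypt/renewal-hooks/deploy/create-fullchain.sh` is also spelled out verbatim here, in the `run` command in the next hunk and in `templates/dns-challenge.service.j2`; a single role variable (a constructed name such as `lego_fullchain_hook`) would keep the three in step. Because lego executes this script as root on every renewal, the `renewal-hooks/deploy` directory that the loop above appears to create must stay root-owned and not group- or world-writable; if that loop's task does not set `mode`, it is worth adding one with a comment saying why.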
@@ -47,7 +54,7 @@
         lego -a --dns {{ certbot_dns_provider }}
         --email {{ certbot_admin_email }} -d {{ lego_dflag }}
         --path {{ certbot_live_dir }}
-        run --no-bundle
+        run --no-bundle --renew-hook /etc/letsencrypt/renewal-hooks/deploy/create-fullchain.sh
       environment: "{{ dns_provider_auth_env_variables }}"
       register: lego
       changed_when: lego.rc == 0
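Review bot: the added `--renew-hook` is attached to lego's `run` subcommand, but that flag belongs to `renew`; on `run` the corresponding option is `--run-hook`, and lego rejects flags it does not know for a subcommand, so the initial issuance is likely to fail rather than register the hook. Unless the installed lego version is known to accept `--renew-hook` on `run`, change the line to `run --no-bundle --run-hook /etc/letsencrypt/renewal-hooks/deploy/create-fullchain.sh`. The enclosing task starts outside the hunk at `Request Cert If Necessary - DNS Challenge`, so whether it already handles a non-zero `lego.rc` cannot be seen here.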
diff --git a/templates/dns-challenge.service.j2 b/templates/dns-challenge.service.j2
index a0dfb72..107dbe9 100644
--- a/templates/dns-challenge.service.j2
+++ b/templates/dns-challenge.service.j2
@@ -5,10 +5,8 @@ Description=LEGO DNS challenge
 
 [Service]
 Type=oneshot
-ExecStart=/usr/bin/lego -a --dns {{ certbot_dns_provider }} --email {{ certbot_admin_email }} -d {{ lego_dflag }} --path {{ certbot_live_dir }} renew --no-bundle
+ExecStart=/usr/bin/lego -a --dns {{ certbot_dns_provider }} --email {{ certbot_admin_email }} -d {{ lego_dflag }} --path {{ certbot_live_dir }} renew --no-bundle --renew-hook /etc/letsencrypt/renewal-hooks/deploy/create-fullchain.sh
 ExecStartPost=cp {{ certbot_live_dir }}/certificates/{{ certbot_fqdn_first }}.crt {{ certbot_live_dir }}/cert.pem
 ExecStartPost=cp {{ certbot_live_dir }}/certificates/{{ certbot_fqdn_first }}.key {{ certbot_live_dir }}/privkey.pem
-ExecStartPost=cat {{ certbot_live_dir }}/certificates/{{ certbot_fqdn_first }}.crt >> {{ certbot_live_dir }}/fullchain.pem
-ExecStartPost=cat {{ certbot_live_dir }}/certificates/{{ certbot_fqdn_first }}.issuer.crt >> {{ certbot_live_dir }}/fullchain.pem
 {{ "ExecStartPost=/etc/letsencrypt/renewal-hooks/deploy/" + certbot_application if certbot_application is defined else "" }}
 EnvironmentFile=/etc/default/dns-challenge.env
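Review bot: with the two `cat` lines moved into the renew hook, `fullchain.pem` is now refreshed only when lego actually renews, while the remaining `ExecStartPost=cp` lines still overwrite `cert.pem` and `privkey.pem` on every timer run, and the optional `certbot_application` hook on the following line fires regardless of whether anything changed. Two different mechanisms now maintain the three files in `{{ certbot_live_dir }}`; moving the two `cp` lines into `create-fullchain.sh` as well would make one script responsible for all of them, and only on renewal. A comment above `ExecStart` noting that `--renew-hook` runs inside lego and therefore before the `ExecStartPost` steps would help the next reader see the ordering.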
diff --git a/templates/renew-hook.sh.j2 b/templates/renew-hook.sh.j2
new file mode 100644
index 0000000..820e87a
--- /dev/null
+++ b/templates/renew-hook.sh.j2
@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+
+cat {{ certbot_live_dir }}/certificates/{{ certbot_fqdn_first }}.crt >> {{ certbot_live_dir }}/fullchain.pem
+cat {{ certbot_live_dir }}/certificates/{{ certbot_fqdn_first }}.issuer.crt >> {{ certbot_live_dir }}/fullchain.pem
\ No newline at end of file
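Review bot: both lines append (`>>`) to `fullchain.pem`, so each renewal adds the new leaf and issuer after the previous ones instead of replacing them; most TLS servers take the first certificate in the file as the leaf and would keep presenting the expired one. The script also runs without `set -euo pipefail`, so a missing `.issuer.crt` still leaves a partially written chain with exit status hidden from lego, and the templated paths are unquoted and the file has no trailing newline. Rebuild the chain from scratch on every run and swap it into place so a concurrent reader never sees a half-written file:
```shell
#!/usr/bin/env bash
set -euo pipefail

live='{{ certbot_live_dir }}'
certs="${live}/certificates/{{ certbot_fqdn_first }}"

# Rebuild the chain each time; appending would keep the expired leaf first in the file.
cat "${certs}.crt" "${certs}.issuer.crt" > "${live}/fullchain.pem.tmp"
mv -f "${live}/fullchain.pem.tmp" "${live}/fullchain.pem"
```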
-- 
GitLab