roles/nginx: Switch to acme.sh for Let's Encrypt

The certbot-auto client that I've been using for a long time is now only supported if you install it using snap. I don't use snap on my systems so I decided to switch to the acme.sh client, which is imp- lemented in POSIX shell with no dependencies. One bonus of this is that I can start using ECC certificates. This also configures the .well-known directory so we can use webroot when installing and renewing certificates. I have yet to understand how the renewal works with regards to webroot, though. I may have to update the systemd timers to point to /var/lib/letsencrypt/.well-known.
2021-03-19 23:39:30 +02:00
parent 65fc52c5e5
commit a34cb1e666
7 changed files with 63 additions and 132 deletions
--- a/roles/nginx/templates/https.j2
+++ b/roles/nginx/templates/https.j2
@ -16,8 +16,8 @@

    # concatenated key + cert
    # See: http://nginx.org/en/docs/http/configuring_https_servers.html
-    ssl_certificate {{ letsencrypt_root }}/{{ domain_name }}/fullchain.pem;
-    ssl_certificate_key {{ letsencrypt_root }}/{{ domain_name }}/privkey.pem;
+    ssl_certificate {{ letsencrypt_root }}/certs/{{ domain_name }}.fullchain.pem;
+    ssl_certificate_key {{ letsencrypt_root }}/private/{{ domain_name }}.key.pem;

    {% endif %}