Switch HTTPS vhosts to Let's Encrypt certificates

For now I generated the certs manually, but in the future the play-
book should run the letsencrypt-auto client for us!

Signed-off-by: Alan Orth <alan.orth@gmail.com>

roles/nginx/defaults/main.yml

@@ -17,7 +17,7 @@ nginx_ssl_dhparam: /etc/ssl/certs/dhparam.pem
 nginx_ssl_protocols: 'TLSv1 TLSv1.1 TLSv1.2'
 
 # TLS key directory
-tls_key_dir: /etc/ssl/private
+tls_key_dir: /etc/letsencrypt/live
 
 # stable is 1.8.x
 # mainline is 1.9.x

roles/nginx/tasks/tls_vhosts.yml

@@ -6,15 +6,6 @@
   notify:
     - reload nginx
 
-# concatenated key + cert, can live in the same file
-# See: http://nginx.org/en/docs/http/configuring_https_servers.html
-- name: Copy TLS certs
-  copy: { dest: "{{ tls_key_dir }}/{{ item.nginx_domain_name }}.crt.pem", content: "{{ item.tls_cert }}", mode: 0700, owner: 'root', group: 'root' }
-  with_items: nginx_tls_vhosts
-  when: item.tls_cert is defined
-  notify:
-    - reload nginx
-
 - name: Generate self-signed TLS cert
   command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key -out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt
   notify:

roles/nginx/templates/https.j2

@@ -4,8 +4,8 @@
 
     # concatenated key + cert
     # See: http://nginx.org/en/docs/http/configuring_https_servers.html
-    ssl_certificate {{ tls_key_dir }}/{{ domain_name }}.crt.pem;
-    ssl_certificate_key {{ tls_key_dir }}/{{ domain_name }}.crt.pem;
+    ssl_certificate {{ tls_key_dir }}/{{ domain_name }}/fullchain.pem;
+    ssl_certificate_key {{ tls_key_dir }}/{{ domain_name }}/privkey.pem;
 
     ssl_session_timeout {{ nginx_ssl_session_timeout }};
     ssl_session_cache {{ nginx_ssl_session_cache }};