README.md: Update copyright year

We are now using the well-known webroot.

README.md

@@ -25,7 +25,7 @@ Once you've satisfied the the above assumptions, you can execute:
 - Switch from `cron-apt` to [`unattended-upgrades`](https://wiki.debian.org/UnattendedUpgrades)
 
 ## License
-Copyright (C) 2014–2020 Alan Orth
+Copyright (C) 2014–2021 Alan Orth
 
 The contents of this repository are free software: you can redistribute
 it and/or modify it under the terms of the GNU General Public License

roles/nginx/defaults/main.yml

@@ -20,15 +20,18 @@ nginx_ssl_protocols: 'TLSv1.2 TLSv1.3'
 # See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
 nginx_ssl_stapling_resolver: '1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]'
 
-# install certbot + dependencies?
+# install acme.sh?
 # True unless you're in development and using "localhost" + snakeoil certs
 use_letsencrypt: True
 
 # Directory root for Let's Encrypt certs
-letsencrypt_root: /etc/letsencrypt/live
+letsencrypt_root: /etc/ssl
 
-# Location of Let's Encrypt's certbot script
+# Location where to save initial acme.sh script. After installation the script
-letsencrypt_certbot_dest: /opt/certbot-auto
+# will automatically create its home in the /root/.acme.sh directory (including
+# a copy of the script itself).
+letsencrypt_acme_script: /root/acme.sh
+letsencrypt_acme_home: /root/.acme.sh
 
 # stable is 1.18.x
 # mainline is 1.19.x

roles/nginx/files/start-nginx.sh

@@ -1,3 +0,0 @@
-#!/usr/bin/env bash
-
-/bin/systemctl start nginx

roles/nginx/files/stop-nginx.sh

@@ -1,3 +0,0 @@
-#!/usr/bin/env bash
-
-/bin/systemctl stop nginx

roles/nginx/tasks/letsencrypt.yml

@@ -1,135 +1,57 @@
 ---
 
+# Use acme.sh instead of certbot because they only support installation via
+# snap now.
 - block:
+  - name: Remove certbot
+    apt:
+      name: certbot
+      state: absent
+
+  - name: Remove old certbot post and pre hooks for nginx
+    file:
+      dest: "{{ item }}"
+      state: absent
+    with_items:
+      - /etc/letsencrypt/renewal-hooks/pre/stop-nginx.sh
+      - /etc/letsencrypt/renewal-hooks/post/start-nginx.sh
+
+  - name: Download acme.sh
+    get_url:
+      url: https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh
+      dest: "{{ letsencrypt_acme_script }}"
+
+  - name: Prepare Let's Encrypt well-known directory
+    file:
+      state: directory
+      path: /var/lib/letsencrypt/.well-known
+      owner: root
+      group: nginx
+      mode: g+s
+
   - name: Copy systemd service to renew Let's Encrypt certs
-    template: src=renew-letsencrypt.service.j2 dest=/etc/systemd/system/renew-letsencrypt.service mode=0644 owner=root group=root
+    template:
+      src: renew-letsencrypt.service.j2
+      dest: /etc/systemd/system/renew-letsencrypt.service
+      mode: 0644
+      owner: root
+      group: root
 
   - name: Copy systemd timer to renew Let's Encrypt certs
-    copy: src=renew-letsencrypt.timer dest=/etc/systemd/system/renew-letsencrypt.timer mode=0644 owner=root group=root
+    copy:
+      src: renew-letsencrypt.timer
+      dest: /etc/systemd/system/renew-letsencrypt.timer
+      mode: 0644
+      owner: root
+      group: root
 
-  # always issues daemon-reload just in case the server/timer changed
+  # always issues daemon-reload just in case the service/timer changed
   - name: Start and enable systemd timer to renew Let's Encrypt certs
-    systemd: name=renew-letsencrypt.timer state=started enabled=yes daemon_reload=yes
+    systemd:
-
+      name: renew-letsencrypt.timer
-  - name: Download certbot
+      state: started
-    get_url: dest={{ letsencrypt_certbot_dest }} url=https://dl.eff.org/certbot-auto mode=700
+      enabled: yes
-
+      daemon_reload: yes
-  # Dependencies certbot checks for on its first run. I set them in a fact so that
-  # I can pass the list directly to the apt module to install in one transaction.
-  - name: Set certbot dependencies (Debian 10)
-    when: ansible_distribution == 'Debian' and ansible_distribution_major_version is version('10', '==')
-    set_fact:
-      certbot_dependencies:
-        - augeas-lenses
-        - binutils
-        - binutils-common
-        - binutils-x86-64-linux-gnu
-        - cpp
-        - cpp-8
-        - gcc
-        - gcc-8
-        - libasan5
-        - libatomic1
-        - libaugeas0
-        - libbinutils
-        - libc-dev-bin
-        - libc6-dev
-        - libcc1-0
-        - libexpat1-dev
-        - libffi-dev
-        - libgcc-8-dev
-        - libgomp1
-        - libisl19
-        - libitm1
-        - liblsan0
-        - libmpc3
-        - libmpfr6
-        - libmpx2
-        - libpython-dev
-        - libpython2-dev
-        - libpython2.7
-        - libpython2.7-dev
-        - libquadmath0
-        - libssl-dev
-        - libtsan0
-        - libubsan1
-        - linux-libc-dev
-        - python-dev
-        - python-pip-whl
-        - python-pkg-resources
-        - python-virtualenv
-        - python2-dev
-        - python2.7-dev
-        - python3-distutils
-        - python3-lib2to3
-        - python3-virtualenv
-        - virtualenv
-
-  # Dependencies certbot checks for on its first run. I set them in a fact so that
-  # I can pass the list directly to the apt module to install in one transaction.
-  - name: Set certbot dependencies (Ubuntu 18.04)
-    when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('18.04', '==')
-    set_fact:
-      certbot_dependencies:
-        - augeas-lenses
-        - binutils
-        - binutils-common
-        - binutils-x86-64-linux-gnu
-        - cpp
-        - cpp-7
-        - gcc
-        - gcc-7
-        - gcc-7-base
-        - libasan4
-        - libatomic1
-        - libaugeas0
-        - libbinutils
-        - libc-dev-bin
-        - libc6-dev
-        - libcc1-0
-        - libcilkrts5
-        - libexpat1-dev
-        - libffi-dev
-        - libgcc-7-dev
-        - libgomp1
-        - libisl19
-        - libitm1
-        - liblsan0
-        - libmpc3
-        - libmpx2
-        - libpython-dev
-        - libpython2.7
-        - libpython2.7-dev
-        - libquadmath0
-        - libssl-dev
-        - libtsan0
-        - libubsan0
-        - linux-libc-dev
-        - python-dev
-        - python-pip-whl
-        - python-pkg-resources
-        - python-virtualenv
-        - python2.7-dev
-        - python3-virtualenv
-        - virtualenv
-
-  - name: Install certbot dependencies
-    apt: name={{ certbot_dependencies }} state=present update_cache=yes
-
-  when: ansible_distribution != 'Ubuntu' and ansible_distribution_major_version is version('20.04', '!=')
-  tags: letsencrypt
-
-# On Ubuntu 20.04 it is no longer recommended/supported to use the standalone
-# certbot-auto so I guess we need to use the one from the repositories.
-- block:
-  - name: Install certbot (Ubuntu 20.04)
-    apt: name=certbot state=present update_cache=yes
-
-  - name: Copy certbot post and pre hooks for nginx
-    copy: src={{ item.src }} dest={{ item.dest }} owner=root group=root mode=0755
-    with_items:
-      - { src: 'stop-nginx.sh', dest: '/etc/letsencrypt/renewal-hooks/pre/stop-nginx.sh' }
-      - { src: 'start-nginx.sh', dest: '/etc/letsencrypt/renewal-hooks/post/start-nginx.sh' }
 
   when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')
   tags: letsencrypt

roles/nginx/tasks/main.yml

@@ -71,7 +71,7 @@
 
 - name: Configure Let's Encrypt
   include_tasks: letsencrypt.yml
-  when: use_letsencrypt is defined and use_letsencrypt
+  #when: use_letsencrypt is defined and use_letsencrypt
   tags: letsencrypt
 
 # vim: set ts=2 sw=2:

roles/nginx/templates/https.j2

@@ -16,8 +16,8 @@
 
     # concatenated key + cert
     # See: http://nginx.org/en/docs/http/configuring_https_servers.html
-    ssl_certificate {{ letsencrypt_root }}/{{ domain_name }}/fullchain.pem;
+    ssl_certificate {{ letsencrypt_root }}/certs/{{ domain_name }}.fullchain.pem;
-    ssl_certificate_key {{ letsencrypt_root }}/{{ domain_name }}/privkey.pem;
+    ssl_certificate_key {{ letsencrypt_root }}/private/{{ domain_name }}.key.pem;
 
     {% endif %}
 

roles/nginx/templates/renew-letsencrypt.service.j2

@@ -1,7 +1,9 @@
 [Unit]
 Description=Renew Let's Encrypt certificates
-ConditionFileIsExecutable={{ letsencrypt_certbot_dest }}
+ConditionFileIsExecutable={{ letsencrypt_acme_home }}/acme.sh
 
 [Service]
 Type=oneshot
-ExecStart={{ letsencrypt_certbot_dest }} renew --standalone --pre-hook "/bin/systemctl stop nginx" --post-hook "/bin/systemctl start nginx"
+ExecStart={{ letsencrypt_acme_home }}/acme.sh --cron --home {{ letsencrypt_acme_home }} --reloadcmd "/bin/systemctl reload nginx"
+
+SuccessExitStatus=0 2

roles/nginx/templates/vhost.conf.j2

@@ -14,6 +14,8 @@ server {
     listen [::]:80;
     server_name {{ domain_name }} {{ domain_aliases }};
 
+    {% include 'well-known.j2' %}
+
     # redirect http -> https
     location / {
         # ? in rewrite makes sure nginx doesn't append query string again

roles/nginx/templates/well-known.j2

@@ -0,0 +1,6 @@
+location ^~ /.well-known/acme-challenge/ {
+  allow all;
+  root /var/lib/letsencrypt/;
+  default_type "text/plain";
+  try_files $uri =404;
+}