From 8b3a2d84e9620f4943ab956ab14468cff457138b Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Tue, 17 Jul 2018 13:14:10 +0200
Subject: [PATCH 1/4] Force a update-cache after adding an apt gpg key.

---
 mongodb-org-3.2/tasks/mongodb.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/mongodb-org-3.2/tasks/mongodb.yml b/mongodb-org-3.2/tasks/mongodb.yml
index 35da6064..17466834 100644
--- a/mongodb-org-3.2/tasks/mongodb.yml
+++ b/mongodb-org-3.2/tasks/mongodb.yml
@@ -20,9 +20,14 @@
 - name: Install the mongodb apt key
   apt_key: keyserver="hkp://keyserver.ubuntu.com:80" id={{ mongodb_repo_key }} state=present
   when: mongodb_install_from_external_repo
+  register: apt_key_update_cache
+
+- name: Update the apt cache after adding a new key
+  apt: update_cache=yes
+  when: apt_key_update_cache is changed
 
 - name: Remove the old mongo apt repositories
-  apt_repository: repo="{{ item }}" state=absent
+  apt_repository: repo="{{ item }}" state=absent update_cache=yes
   with_items: '{{ mongodb_old_repositories }}'
   when: mongodb_upgrade_from_older_version
 

From 1bcc9182f034dab80f80116e0a85c7df8b0325c8 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Tue, 17 Jul 2018 17:20:53 +0200
Subject: [PATCH 2/4] letsencrypt cron job: use a random range for the hour and minute, and let the user customise the day of month too. See https://support.d4science.org/issues/12173

---
 letsencrypt-acmetool-client/defaults/main.yml | 4 +++-
 letsencrypt-acmetool-client/tasks/main.yml | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/letsencrypt-acmetool-client/defaults/main.yml b/letsencrypt-acmetool-client/defaults/main.yml
index b228dd27..4d00a205 100644
--- a/letsencrypt-acmetool-client/defaults/main.yml
+++ b/letsencrypt-acmetool-client/defaults/main.yml
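Review bot: The new `register`/`apt` pair makes the cache refresh depend on `apt_key` reporting a change, but the key is still fetched over plain HKP (`keyserver="hkp://keyserver.ubuntu.com:80"`), so the only check on what enters the trusted keyring is that the returned key matches `id`; that is only meaningful if `mongodb_repo_key` (defined outside this hunk) is the full 40-hex fingerprint rather than a short id, which I cannot confirm from here. I would record that expectation next to the task: `# mongodb_repo_key must be the full key fingerprint: the HKP fetch on port 80 is not authenticated`. Separately, `update_cache=yes` on the `state=absent` `apt_repository` call is the module's default, so that part of the change is a no-op and could be dropped to keep the diff to its intent.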
@@ -23,7 +23,6 @@ letsencrypt_acme_certs_dir: '{{ letsencrypt_acme_user_home }}/live/{{ letsencryp
 letsencrypt_acme_services_scripts_dir: /usr/lib/acme/hooks
 
 # responses parameters
-#letsencrypt_tos_url: 'https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf'
 letsencrypt_tos_url: 'https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
 letsencrypt_acme_agree_tos: true
 letsencrypt_acme_rsa_key_size: 4096
@@ -37,6 +36,9 @@ letsencrypt_key_id: 'some random string'
 # We 'listener' or 'proxy'. Use 'listener' if we need a certificate for a non web service or before the web service has been configured.
 # Need to set cap_net_bind_service=+ep for the acmetool binary so that it is able to bind port 80 in that case.
 letsencrypt_acme_authenticator: listener
+letsencrypt_acme_cron_day_of_month: '*'
+letsencrypt_acme_cron_hour: '{{ range(1, 4) | random }}'
+letsencrypt_acme_cron_minute: '{{ range(1, 60) | random }}'
 
 # desired parameters
 letsencrypt_acme_domains:
diff --git a/letsencrypt-acmetool-client/tasks/main.yml b/letsencrypt-acmetool-client/tasks/main.yml
index c429d206..147a8c89 100644
--- a/letsencrypt-acmetool-client/tasks/main.yml
+++ b/letsencrypt-acmetool-client/tasks/main.yml
@@ -130,7 +130,7 @@
 - name: Install a daily cron job to renew the certificates when needed
   become: True
   become_user: '{{ letsencrypt_acme_user }}'
-  cron: name="Letsencrypt certificate renewal" special_time=daily job="/usr/local/bin/cron-acme-cert-request > {{ letsencrypt_acme_log_dir }}/acme-cron.log 2>&1"
+  cron: name="Letsencrypt certificate renewal" day={{ letsencrypt_acme_cron_day_of_month }} hour={{ letsencrypt_acme_cron_hour }} minute={{ letsencrypt_acme_cron_minute }} job="/usr/local/bin/cron-acme-cert-request > {{ letsencrypt_acme_log_dir }}/acme-cron.log 2>&1"
   when: letsencrypt_acme_install
   tags: [ 'letsencrypt', 'letsencrypt_cron' ]
 

From 86b8d03a1772b59ab2b20cc3ff9410f90eb3545d Mon Sep 17 00:00:00 2001
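Review bot: `'{{ range(1, 4) | random }}'` and `'{{ range(1, 60) | random }}'` are evaluated afresh on every play run with no seed, so the `cron` task in this patch's tasks/main.yml hunk (`hour={{ letsencrypt_acme_cron_hour }} minute={{ letsencrypt_acme_cron_minute }}`) will rewrite the crontab with a different time and report `changed` each time the role runs. Seeding the filter per host keeps the slot stable across runs: `letsencrypt_acme_cron_hour: '{{ range(1, 4) | random(seed=inventory_hostname) }}'` and `letsencrypt_acme_cron_minute: '{{ range(0, 60) | random(seed=inventory_hostname) }}'`. Note also that `range` excludes its upper bound, so `range(1, 60)` never picks minute 0 and `range(1, 4)` yields only hours 1–3; the intended ranges should be spelled out in a comment above the three new variables, e.g. `# Renewal slot: hour and minute are chosen at random so hosts do not all hit the CA at once`.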
From: Andrea Dell'Amico
Date: Tue, 17 Jul 2018 17:23:10 +0200
Subject: [PATCH 3/4] Fix the minutes range.

---
 letsencrypt-acmetool-client/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/letsencrypt-acmetool-client/defaults/main.yml b/letsencrypt-acmetool-client/defaults/main.yml
index 4d00a205..cdf1c66f 100644
--- a/letsencrypt-acmetool-client/defaults/main.yml
+++ b/letsencrypt-acmetool-client/defaults/main.yml
@@ -38,7 +38,7 @@ letsencrypt_key_id: 'some random string'
 letsencrypt_acme_authenticator: listener
 letsencrypt_acme_cron_day_of_month: '*'
 letsencrypt_acme_cron_hour: '{{ range(1, 4) | random }}'
-letsencrypt_acme_cron_minute: '{{ range(1, 60) | random }}'
+letsencrypt_acme_cron_minute: '{{ range(0, 59) | random }}'
 
 # desired parameters
 letsencrypt_acme_domains:

From 5dedaab7c042fdaa100470ca0b5ba4328b04c6c3 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Tue, 17 Jul 2018 18:11:56 +0200
Subject: [PATCH 4/4] Remove the old letsencrypt cron script, now we randomise the time inside the cron job definition itself.

---
 letsencrypt-acmetool-client/tasks/main.yml | 10 +++++-----
 .../templates/cron-acme-cert-request.j2 | 12 ------------
 2 files changed, 5 insertions(+), 17 deletions(-)
 delete mode 100644 letsencrypt-acmetool-client/templates/cron-acme-cert-request.j2

diff --git a/letsencrypt-acmetool-client/tasks/main.yml b/letsencrypt-acmetool-client/tasks/main.yml
index 147a8c89..ceed6ed6 100644
--- a/letsencrypt-acmetool-client/tasks/main.yml
+++ b/letsencrypt-acmetool-client/tasks/main.yml
@@ -110,7 +110,7 @@
 - name: Install a script that requests the certificates and manage the self signed certificate
   template: src=acme-cert-request.sh.j2 dest=/usr/local/bin/acme-cert-request owner=root group=root mode=0755
   when: letsencrypt_acme_install
-  tags: letsencrypt
+  tags: [ 'letsencrypt', 'letsencrypt_cron' ]
 
 - name: Set certificates as to be revoked
   become: True
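Review bot: `range(0, 59)` still has an off-by-one, because Jinja's `range` excludes its upper bound: the new line can never choose minute 59, just as the removed `range(1, 60)` could never choose minute 0. The full 0–59 range is `letsencrypt_acme_cron_minute: '{{ range(0, 60) | random }}'`, and the unchanged `range(1, 4)` on the context line above it likewise only yields hours 1–3, which is worth either widening to `range(1, 5)` or documenting as intended. Since the value is unseeded, it also changes on every run; `random(seed=inventory_hostname)` would make the chosen minute stable per host.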
@@ -122,15 +122,15 @@
     - letsencrypt_certs_revoke_list is defined
   tags: letsencrypt
 
-- name: Install a script that will be used to renew the certificate when needed
-  template: src=cron-acme-cert-request.j2 dest=/usr/local/bin/cron-acme-cert-request mode=0755
+- name: Remove the old cron script
+  file: dest=/usr/local/bin/cron-acme-cert-request state=absent
   when: letsencrypt_acme_install
   tags: [ 'letsencrypt', 'letsencrypt_cron' ]
 
 - name: Install a daily cron job to renew the certificates when needed
   become: True
   become_user: '{{ letsencrypt_acme_user }}'
-  cron: name="Letsencrypt certificate renewal" day={{ letsencrypt_acme_cron_day_of_month }} hour={{ letsencrypt_acme_cron_hour }} minute={{ letsencrypt_acme_cron_minute }} job="/usr/local/bin/cron-acme-cert-request > {{ letsencrypt_acme_log_dir }}/acme-cron.log 2>&1"
+  cron: name="Letsencrypt certificate renewal" day={{ letsencrypt_acme_cron_day_of_month }} hour={{ letsencrypt_acme_cron_hour }} minute={{ letsencrypt_acme_cron_minute }} job="/usr/local/bin/acme-cert-request > {{ letsencrypt_acme_log_dir }}/acme-cron.log 2>&1"
   when: letsencrypt_acme_install
   tags: [ 'letsencrypt', 'letsencrypt_cron' ]
 
@@ -138,7 +138,7 @@
   become: True
   become_user: '{{ letsencrypt_acme_user }}'
   command: '/usr/local/bin/acme-cert-request'
-  when: ( letsencrypt_new_desired_file | changed )
+  when: letsencrypt_new_desired_file is changed
   ignore_errors: True
   tags: letsencrypt
 
diff --git a/letsencrypt-acmetool-client/templates/cron-acme-cert-request.j2 b/letsencrypt-acmetool-client/templates/cron-acme-cert-request.j2
deleted file mode 100644
index 7e3dd9e3..00000000
--- a/letsencrypt-acmetool-client/templates/cron-acme-cert-request.j2
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/bash
-
-CMD=/usr/local/bin/acme-cert-request
-
-SLEEP_SECONDS=$(echo $[($RANDOM %1200)])
-sleep ${SLEEP_SECONDS}
-
-/usr/local/bin/acme-cert-request
-RETVAL=$?
-
-exit $RETVAL
-
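Review bot: The `file: dest=/usr/local/bin/cron-acme-cert-request state=absent` task deletes the wrapper before the `cron` task further down repoints the job at `/usr/local/bin/acme-cert-request`, so a play that stops between the two leaves an installed crontab entry calling a script that no longer exists; placing the removal after the cron task closes that window. The removal is also a one-off migration that will keep running on every host on every play, so a short comment recording why it exists would let it be retired later, e.g. `# Transitional: the wrapper only added a random sleep, now replaced by the randomised cron minute`. The jitter that the deleted script provided per run (the `sleep` of up to 1199 s) now depends entirely on the `letsencrypt_acme_cron_hour`/`letsencrypt_acme_cron_minute` defaults, which as written are re-drawn on each play rather than fixed per host.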