d4science-ghn-cluster/group_vars/infra_gateway_dev/infra-gateway-dev.yml: List the hostnames that will be added to the certificate request.

library/roles/letsencrypt-client: Some fixes.

letsencrypt-client/defaults/main.yml

@@ -10,7 +10,7 @@ letsencrypt_prerequisites:
 letsencrypt_auto: '{{ letsencrypt_dest_dir }}/letsencrypt/letsencrypt-auto'
 letsencrypt_install_path: /root/.local/share/letsencrypt
 letsencrypt_config_dir: /etc/letsencrypt
-letsencrypt_certs_dir: '{{ letsencrypt_config_dir }}/{{ ansible_fqdn }}/live'
+letsencrypt_certs_dir: '{{ letsencrypt_config_dir }}/live/{{ ansible_fqdn }}'
 # In seconds. Default 7 days
 letsencrypt_renew_before: 604800
 letsencrypt_logdir: /var/log/letsencrypt
@@ -27,6 +27,6 @@ letsencrypt_verbose: False
 letsencrypt_text_interface: True
 # The first on the list gives the name to the certs live directory.
 # If it is not the machine FQDN, change the letsencrypt_cert_dir definition.
-letsencrypt_domains: '{{ ansible_fqdn }},example.com,example.org'
+letsencrypt_domains: '{{ ansible_fqdn }} example.com example.org'
 letsencrypt_renew_by_default: True
 letsencrypt_standalone_port: 9999

letsencrypt-client/templates/cli.ini.j2

@@ -3,9 +3,8 @@ email = {{ letsencrypt_email }}
 authenticator = {{ letsencrypt_authenticator }}
 standalone-supported-challenges = {{ letsencrypt_standalone_supp_challenges }}
 agree-tos = {{ letsencrypt_agree_tos }}
+{% if letsencrypt_verbose %}
 verbose = {{ letsencrypt_verbose }}
+{% endif %}
 text = {{ letsencrypt_text_interface }}
-domains = {{ letsencrypt_domains }}
 renew-by-default = {{ letsencrypt_renew_by_default }}
-
-

letsencrypt-client/templates/letsencrypt-cert-request.sh.j2

@@ -6,6 +6,9 @@ LE_CERT_DIR={{ letsencrypt_certs_dir }}
 LE_SERVICES_SCRIPT_DIR={{ letsencrypt_services_scripts_dir }}
 LOG_DIR={{ letsencrypt_logdir }}
 VALIDITY_RETVAL=0
+DOMAINS="{{ letsencrypt_domains }}"
+CERT_DOMAINS_LIST=
+ACTION=certonly
 RETVAL=0
 
 # Check if the cert file exists. If not, it is a certificate request and not a renewal.
@@ -15,17 +18,25 @@ if [ -f $LE_CERT_DIR/cert.pem ] ; then
     if [ $VALIDITY_RETVAL -eq 0 ] ; then
         echo "The certificate is still valid" >> $LOG_DIR/letsencrypt_request.log
         exit 0
+    else
+        ACTION=renew
     fi
 fi
 
+if [ "$ACTION" === "certonly" ] ; then
+    for dom in $DOMAINS ; do
+        CERT_DOMAINS_LIST+=" -d $dom"
+    done
+fi
+
 # Ask for a new certificate. First request or renewal are the same. We only support the standalone method right now
-$LETSENCRYPT_BIN certonly --http-01-port {{ letsencrypt_standalone_port }} --config /etc/letsencrypt/cli.ini >> $LOG_DIR/letsencrypt_request.log 2>&1
+$LETSENCRYPT_BIN $ACTION $CERT_DOMAINS_LIST --http-01-port {{ letsencrypt_standalone_port }} --config /etc/letsencrypt/cli.ini >> $LOG_DIR/letsencrypt_request.log 2>&1
 RETVAL=$?
 
 # Run the reconfiguration scripts to make the involved services load the new certificate
 for f in $( /bin/ls -1 $LE_SERVICES_SCRIPT_DIR ) ; do
-    if [ -x $f ] ; then
+    if [ -x $LE_SERVICES_SCRIPT_DIR/$f ] ; then
-        echo "Running $f" >> $LOG_DIR/letsencrypt_request.log
+        echo "Running $LE_SERVICES_SCRIPT_DIR/$f" >> $LOG_DIR/letsencrypt_request.log
         $f >> $LOG_DIR/letsencrypt_request.log 2>&1
     fi
 done