thefinn93 / ansible-letsencrypt

An ansible role to generate TLS certificates and get them signed by Let's Encrypt

Renewal does not work

aleksandr-vin opened this issue

I have this role installed:

- src: git+https://github.com/thefinn93/ansible-letsencrypt
  version: 9d95251

And I try to spin it on:

$ uname -a
Linux ip-172-31-20-40 4.4.0-59-generic #80-Ubuntu SMP Fri Jan 6 17:47:47 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.1 LTS"

This play runs:

- role: ansible-letsencrypt
  tags: [ssl]
  letsencrypt_webroot_path: /tmp/letsencrypt
  letsencrypt_email: certmaster@my.site.co
  letsencrypt_cert_domains: [my.site.co]
  letsencrypt_renewal_command_args: '--renew-hook "systemctl restart nginx"'

and creates this renewal config:

$ cat /etc/letsencrypt/renewal/my.site.co.conf
[renewalparams]
hsts = False
authenticator = webroot
verb = certonly
noninteractive_mode = False
os_packages_only = False
uir = False
[[webroot_map]]
my.site.co = /tmp/letsencrypt

But when I try to run the renewal, it fails:

$ sudo /usr/local/share/letsencrypt/env/bin/letsencrypt renew --quiet --renew-hook "systemctl restart nginx"
renewal config file {'renewalparams': {'hsts': 'False', 'authenticator': 'webroot', 'verb': 'certonly', 'noninteractive_mode': 'False', 'os_packages_only': 'False', 'uir': 'False', 'webroot_map': {'my.site.co': '/tmp/letsencrypt'}}} is missing a required file reference
Renewal configuration file /etc/letsencrypt/renewal/my.site.co.conf is broken. Skipping.

No renewals were attempted.
No hooks were run.

Additionally, the following renewal configuration files were invalid:
  /etc/letsencrypt/renewal/my.site.co.conf (parsefail)
0 renew failure(s), 1 parse failure(s)

It appeared that if /etc/letsencrypt/live/my.site.co/fullchain.pem and /etc/letsencrypt/live/my.site.co/privkey.pem had been added by hand before letsencrypt was provisioned, then the "Attempt to get the certificate using the webroot authenticator" task was skipped and the first part of /etc/letsencrypt/renewal/my.site.co.conf was not created.
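As an added example (not part of this issue, the ansible-letsencrypt role, or certbot itself), here is a small Python check that reproduces the test behind the "missing a required file reference" message shown above: certbot's renewal-config loader requires the four top-level keys `cert`, `privkey`, `chain` and `fullchain` and otherwise reports the file as broken (parsefail). Running this against /etc/letsencrypt/renewal/*.conf after provisioning, but before the cron job, catches a file like the one in this report. The sample configs are constructed; the paths and the `version`/`archive_dir` values in the complete sample are assumptions.

```python
"""Check certbot renewal configs for the file references `renew` requires.

Added example; not the role's or certbot's own code.
"""
import re

# certbot refuses to renew when any of these top-level keys is absent
REQUIRED_FILE_KEYS = ("cert", "privkey", "chain", "fullchain")

# Constructed sample mirroring the broken file from the issue report.
BROKEN_CONF = """\
[renewalparams]
hsts = False
authenticator = webroot
verb = certonly
noninteractive_mode = False
os_packages_only = False
uir = False
[[webroot_map]]
my.site.co = /tmp/letsencrypt
"""

# Constructed sample of a complete file (version, archive_dir and the
# live/ paths are assumptions for illustration).
COMPLETE_CONF = """\
version = 0.9.3
archive_dir = /etc/letsencrypt/archive/my.site.co
cert = /etc/letsencrypt/live/my.site.co/cert.pem
privkey = /etc/letsencrypt/live/my.site.co/privkey.pem
chain = /etc/letsencrypt/live/my.site.co/chain.pem
fullchain = /etc/letsencrypt/live/my.site.co/fullchain.pem

[renewalparams]
authenticator = webroot
[[webroot_map]]
my.site.co = /tmp/letsencrypt
"""


def parse_renewal_conf(text):
    """Minimal parser for certbot's configobj-style renewal file.

    Returns (top_level, sections): top_level holds keys seen before any
    [section] header; sections maps e.g. 'renewalparams' to its keys, with
    nested [[x]] subsections attached to the enclosing [section].
    """
    top, sections = {}, {}
    current, parent = top, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        nested = re.match(r"^\[\[(.+?)\]\]$", line)
        if nested:
            if parent is None:
                raise ValueError("nested section without parent: " + line)
            current = parent.setdefault(nested.group(1), {})
            continue
        section = re.match(r"^\[(.+?)\]$", line)
        if section:
            parent = sections.setdefault(section.group(1), {})
            current = parent
            continue
        if "=" not in line:
            raise ValueError("unparseable line: " + line)
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return top, sections


def missing_file_refs(text):
    """Return the required top-level file keys that the config lacks."""
    top, _ = parse_renewal_conf(text)
    return [key for key in REQUIRED_FILE_KEYS if key not in top]


def check_renewal_conf(text):
    """Summarise a config the way `letsencrypt renew` would classify it."""
    missing = missing_file_refs(text)
    if missing:
        return "parsefail: missing required file reference(s): " + ", ".join(missing)
    return "ok"


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("complete", COMPLETE_CONF)):
        print(name, "->", check_renewal_conf(conf))
```

In the deployment described above, a file that passes this check but whose `cert`/`fullchain` paths point at hand-copied PEMs rather than certbot-managed symlinks into archive/ still will not renew cleanly; the fix is to let the role obtain the certificate itself rather than pre-seeding the live/ directory.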