r/postgresql-cert: ACME certificates using certbot
This role can be used to get a server certificate for PostgreSQL from an ACME CA using `certbot`. It fetches the initial certificate and copies it to the PostgreSQL configuration directory. It also sets up a post-renewal hook script that copies updated certificates and reloads the server.
30
roles/postgresql-cert/templates/deploy-hook.sh.j2
Normal file
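--- a/roles/postgresql-cert/templates/deploy-hook.sh.j2
+++ b/roles/postgresql-cert/templates/deploy-hook.sh.j2
@@ -0,0 +1,30 @@
+#!/bin/sh
+# vim: set sw=4 ts=4 sts=4 et :
+
+POSTGRESQL_DOMAIN="{{ postgresql_cert_domain }}"
+
+set -- ${FAILED_DOMAINS}
+for domain; do
+case ${domain} in
+${POSTGRESQL_DOMAIN})
+printf 'Certificate renewal failed for %s, not reloading server\n' \
+"${domain}" >&2
+exit 1
+;;
+esac
+done
+
+set -- ${RENEWED_DOMAINS}
+for domain; do
+case ${domain} in
+${POSTGRESQL_DOMAIN})
+install -o root -g root -m u=rw,go=r \
+/etc/letsencrypt/live/${POSTGRESQL_DOMAIN}/fullchain.pem \
+/etc/postgresql/server.cer
+install -o root -g postgres -m u=rw,g=r,o= \
+/etc/letsencrypt/live/${POSTGRESQL_DOMAIN}/privkey.pem \
+/etc/postgresql/server.key
+systemctl reload postgresql
+;;
+esac
+done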
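Review bot: Neither `install` call in the `RENEWED_DOMAINS` loop is checked, so if copying `fullchain.pem` or `privkey.pem` fails the script still runs `systemctl reload postgresql` and can exit 0, leaving a possibly mismatched `server.cer`/`server.key` pair with no error reported back to certbot. Adding `set -e` below the shebang, or ending each `install` with `|| exit 1`, would stop before the reload. Both `case` arms use `${POSTGRESQL_DOMAIN})` unquoted, so a value containing glob characters (a wildcard name, for instance) is matched as a pattern; `"${POSTGRESQL_DOMAIN}")` makes the comparison literal. The templated assignment would also be safer as `POSTGRESQL_DOMAIN={{ postgresql_cert_domain | quote }}`, since inside double quotes any `$` or backtick in the variable is expanded by the shell when the hook runs as root.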