files/certbot-renewal.service

@@ -0,0 +1,10 @@
+[Unit]
+Description=Runs certbot renew
+
+[Service]
+Type=oneshot
+RemainAfterExit=no
+ExecStart=/scripts/certbot-renewal.sh
+
+[Install]
+WantedBy=multi-user.target

files/certbot-renewal.sh

@@ -0,0 +1,60 @@
+#! /bin/bash
+#should probably add logic to only halt/reload once (and only if necessary)
+function halt() {
+    #stop services if necessary
+    if [ -d /var/lib/ipa/ ]
+        #stop httpd
+        systemctl stop httpd
+    fi
+}
+function reload() {
+    #reload/restart relevant services
+    if [ -d /etc/nginx/certs/ ]
+    then
+        systemctl reload nginx
+    fi
+    if [ -d /var/lib/ipa/ ]
+        #restart httpd
+        systemctl start httpd
+        /scripts/setup-le.sh
+        systemctl restart httpd
+        #load cert
+    fi
+
+}
+
+dom=`date +%d`
+today=`date +%Y%m%d`
+log=/var/log/certbot-renewal.log
+echo Renewal attempt for $today >> $log
+#rotate log file every month
+if [[ $dom = 1 ]];then mv $log $log.bak;fi
+for f in `ls /etc/letsencrypt/live/ --ignore "README"`
+do
+    echo Checking $f >> $log
+    #check if cert has already expired or will expire within the next two days and renew if applicable
+    expires=$(echo `openssl x509 -enddate -noout -in /etc/letsencrypt/live/$f/cert.pem` " - 2 day" | grep -Po "(?<=notAfter=).*" | date +%Y%m%d -f -)
+    if [[ $today > $expires ]]
+    then
+        echo Certificate for $f is expired, renewing >> $log
+        halt()
+        certbot renew --cert-name $f >> /var/log/certbot-renewal.log
+        reload()
+        continue
+    fi
+    #convert hostname into day of month between 0 and 28 to renew on specific day of month (reduce chance of running out of cert renewals)
+    hash=$(echo $f| md5sum)
+    num=$((0x${hash%% *}))
+    for d in {0..2}
+    do 
+        rdate=$(((${num#-}+$d)%28+1))
+        if [[ $dom -eq $rdate ]]
+        then
+            echo Date falls within renewal window for $f, attempting renewal >> $log
+            halt()
+            certbot renew --cert-name $f >> $log
+            reload()
+            break
+        fi
+    done
+done

files/certbot-renewal.timer

@@ -0,0 +1,12 @@
+[Unit]
+Description=Runs certbot-renewal once per day
+
+[Timer]
+# Time to wait after booting before we run first time
+OnBootSec=10min
+# Time between running each consecutive time
+OnUnitActiveSec=1d
+Unit=certbot-renewal.service
+
+[Install]
+WantedBy=multi-user.target

tasks/deploy_renewal.yml

@@ -0,0 +1,26 @@
+# deploy_renewal.yml
+---
+- name: deploy certbot renewal script
+  ansible.builtin.copy:
+    src: files/certbot-renewal.sh
+    dest: /scripts/certbot-renewal.sh
+    mode: '0754'
+
+- name: deploy certbot renewal service
+  ansible.builtin.copy:
+    src: files/certbot-renewal.service
+    dest: /usr/lib/systemd/system/certbot-renewal.service
+    mode: '0644'
+
+- name: deploy certbot renewal timer
+  ansible.builtin.copy:
+    src: files/certbot-renewal.timer
+    dest: /usr/lib/systemd/system/certbot-renewal.timer
+    mode: '0644'
+
+- name: ensure certbot renewal script is running
+  service:
+    name: certbot-renewal.timer
+    state: started
+    daemon_reload: true
+    enabled: yes

tasks/main.yml

@@ -9,3 +9,5 @@
 - include_tasks: generate_cert.yml
   loop: "{{ domains }}"
 
+# deploy renewal script, service and timer for host
+- include_tasks: deploy_renewal.yml