Try SSL renewal more frequently and reload later

It doesn't hurt to attempt renewal more frequently, as it only does
real work if it's actually necessary.

Reloading, we postpone some more, because certbot adds some random delay
(between 1 and 8 * 60 seconds) when renewing. We want to ensure
we reload at least 8 minutes later, which wasn't the case.

To make it even safer (in case future certbot versions use a longer
delay), we reload a whole hour later. We're in no rush to start using
the new certificates anyway, especially given that we attempt renewal
often.

Somewhat fixes #146 (GitHub Issue)
Slavi Pantaleev 2019-04-23 17:49:03 +03:00
parent 892abdc700
commit ec0f936227

@ -69,7 +69,7 @@
state: present state: present
hour: 4 hour: 4
minute: 15 minute: 15
day: "*/5" day: "*"
job: /usr/local/bin/matrix-ssl-lets-encrypt-certificates-renew job: /usr/local/bin/matrix-ssl-lets-encrypt-certificates-renew
- name: Ensure periodic reloading of matrix-nginx-proxy is configured for SSL renewal (matrix-nginx-proxy-reload) - name: Ensure periodic reloading of matrix-nginx-proxy is configured for SSL renewal (matrix-nginx-proxy-reload)
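Review bot: the new day: "*" on the renew task carries no comment explaining why a daily run is safe, so a later reader may take a daily certificate job for a mistake and restore "*/5". Suggest a short YAML comment above the task saying that the renew script only does real work when renewal is actually necessary, and that the reload task further down is timed relative to this job's hour: 4 / minute: 15.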
@ -78,9 +78,9 @@
cron_file: matrix-ssl-lets-encrypt cron_file: matrix-ssl-lets-encrypt
name: matrix-nginx-proxy-reload name: matrix-nginx-proxy-reload
state: present state: present
hour: 4 hour: 5
minute: 20 minute: 20
day: "*/5" day: "*"
job: /bin/systemctl reload matrix-nginx-proxy.service job: /bin/systemctl reload matrix-nginx-proxy.service
when: matrix_nginx_proxy_enabled when: matrix_nginx_proxy_enabled
when: "matrix_ssl_retrieval_method == 'lets-encrypt'" when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
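Review bot: the new hour: 5 / minute: 20 on the reload task is tied to the 04:15 renew job only by two hard-coded times in separate tasks, so a later edit to either one can shrink the gap below certbot's random delay again without anything failing visibly. Suggest a comment on this task stating that the reload must trail the renew job by more than that delay (the commit message gives 8 * 60 seconds as the current maximum), or deriving both schedules from one shared variable. With day: "*" the reload also runs every day whether or not a certificate changed, and a reload that does fire too early is only corrected by the next day's run; both are worth stating in that comment.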