From f476e49e64c4068d924f7e261cfeab009d4920bc Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Sat, 11 Nov 2017 10:38:38 +0200
Subject: [PATCH] Make SSL renewal time configurable and nginx-proxy reload time adequate

The matrix-nginx-proxy was reloaded on the 3rd day of the month (`15 4 3 * *`), which makes no sense - it's too infrequently. It's in line with the renewal time now (+5 minutes).
---
 roles/matrix-server/defaults/main.yml | 7 +++++--
 .../templates/cron.d/matrix-ssl-certificate-renewal.j2 | 2 +-
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml
index da4e71d09..827d146a1 100644
--- a/roles/matrix-server/defaults/main.yml
+++ b/roles/matrix-server/defaults/main.yml
@@ -73,6 +73,9 @@ matrix_riot_web_enabled: true
 # and take care of proxying by yourself.
 matrix_nginx_proxy_enabled: true
 
+# Specifies when to attempt to retrieve new SSL certificates from Let's Encrypt.
+matrix_ssl_renew_cron_time_definition: "15 4 */5 * *"
+
 # Specifies when to reload the matrix-nginx-proxy service so that
-# a new SSL certificate could go into effect (UTC time).
-matrix_nginx_proxy_reload_cron_time_definition: "15 4 3 * *"
\ No newline at end of file
+# a new SSL certificate could go into effect.
+matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *"
\ No newline at end of file
diff --git a/roles/matrix-server/templates/cron.d/matrix-ssl-certificate-renewal.j2 b/roles/matrix-server/templates/cron.d/matrix-ssl-certificate-renewal.j2
index 999e7c859..42b7a71a0 100644
--- a/roles/matrix-server/templates/cron.d/matrix-ssl-certificate-renewal.j2
+++ b/roles/matrix-server/templates/cron.d/matrix-ssl-certificate-renewal.j2
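Review bot: The new defaults leave the ordering dependency between `matrix_ssl_renew_cron_time_definition` and `matrix_nginx_proxy_reload_cron_time_definition` undocumented — the reload only picks up a fresh certificate if the renewal run that starts at 04:15 has finished by 04:20, and an operator who overrides one variable without the other silently gets a reload that runs before (or days apart from) the renewal. I would state this above the reload variable: `# Must fire after matrix_ssl_renew_cron_time_definition has had time to finish (default: 5 minutes later); if you change one, change the other.` The removed comment said "(UTC time)" and the replacement drops it without saying what timezone applies; cron.d entries are generally interpreted in the host's local timezone, so unless the playbook pins the host to UTC it is worth noting that explicitly, e.g. `# Interpreted in the server's local timezone.` A more robust design would trigger the reload from the renewal job itself rather than rely on two independently scheduled entries, but that is a larger change than this commit attempts.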
@@ -21,4 +21,4 @@ MAILTO="{{ matrix_ssl_support_email }}"
 # When a custom proxy server (not matrix-nginx-proxy provided by this playbook),
 # you'd need to make sure you alias these files correctly or SSL renewal would not work.
-15 4 */5 * * root /usr/bin/docker run --rm --net=host -v {{ matrix_ssl_certs_path }}:/certs -v {{ matrix_ssl_certs_path }}/run:/var/run/acme -e ACME_EMAIL={{ matrix_ssl_support_email }} willwill/acme-docker acmetool --batch reconcile # --xlog.severity=debug
+{{ matrix_ssl_renew_cron_time_definition }} root /usr/bin/docker run --rm --net=host -v {{ matrix_ssl_certs_path }}:/certs -v {{ matrix_ssl_certs_path }}/run:/var/run/acme -e ACME_EMAIL={{ matrix_ssl_support_email }} willwill/acme-docker acmetool --batch reconcile # --xlog.severity=debug
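Review bot: `{{ matrix_ssl_renew_cron_time_definition }}` is interpolated unvalidated into a root-owned cron.d entry, so a value with the wrong number of fields, or one containing a newline, either breaks the crontab (renewal silently stops) or appends an extra root cron line, neither of which the playbook would report. Since this commit makes the schedule user-supplied, an `assert` task in the role that checks the value matches five whitespace-separated cron fields (e.g. `'^\S+( \S+){4}$'`) and contains no newline, run before the template task, would turn a typo into a deploy-time failure. I would also add a comment above the entry saying it must run before the matrix-nginx-proxy reload entry, since nothing in this file ties the two together.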