Switch to using acme.sh for ssl certificates

roles/mastodon-nginx/tasks/install.yml

@@ -2,11 +2,11 @@
 # This role sets up a Let's Encrypt certificate for the
 # Mastodon instance
 
-- name: Stop nginx for now
+- name: Make TLS certificate storage directory
-  service: name=nginx state=stopped
+  file: name=/etc/ssl/letsencrypt/ state=directory
-- name: Generate standalone Let's Encrypt TLS certificate for Mastodon instance
+- name: Install acme.sh
-  shell: letsencrypt certonly -n --agree-tos --standalone -d {{ LOCAL_DOMAIN }} -m "webmaster@{{ LOCAL_DOMAIN }}"
+  shell: wget -O -  https://get.acme.sh | sh
-- name: Restart nginx
+- name: Generate certificate using acme.sh
-  service: name=nginx state=started
+  shell: acme.sh --issue --nginx -d {{ LOCAL_DOMAIN }}
-- name: Generate webroot Let's Encrypt TLS certificate for Mastodon instance
+- name: Install certificate in storage directory
-  shell: letsencrypt certonly -n --webroot -d {{ LOCAL_DOMAIN }} -w /home/mastodon/live/public/ -m "webmaster@{{ LOCAL_DOMAIN }}"
+  shell: acme.sh --install-cert -d {{ LOCAL_DOMAIN }} --key-file /etc/ssl/letsencrypt/{{ LOCAL_DOMAIN }}.pem --fullchain-file /etc/ssl/letsencrypt/{{ LOCAL_DOMAIN }}.crt --reloadcmd "service nginx force-reload"

roles/mastodon-nginx/templates/mastodon-nginx.conf

@@ -23,8 +23,8 @@ server {
   ssl_prefer_server_ciphers on;
   ssl_session_cache shared:SSL:10m;
 
-  ssl_certificate     /etc/letsencrypt/live/{{ LOCAL_DOMAIN }}/fullchain.pem;
+  ssl_certificate     /etc/ssl/letsencrypt/{{ LOCAL_DOMAIN }}.crt;
-  ssl_certificate_key /etc/letsencrypt/live/{{ LOCAL_DOMAIN }}/privkey.pem;
+  ssl_certificate_key /etc/ssl/letsencrypt/{{ LOCAL_DOMAIN }}.pem;
 
   keepalive_timeout    70;
   sendfile             on;