Certbot instead of acme-tiny?

Some details I just sent to a dev group I’m part of, which I think may help others, so I’ll reproduce them here:

I just had a Trellis site go down because its Let’s Encrypt cert didn’t renew. Angry customer. It turns out the LE client they use (acme-tiny, https://github.com/diafygi/acme-tiny) fails if the LE licence agreement PDF URL changes, which it did, and the cron job Trellis sets up for LE doesn’t actually email you any error output, so I had no idea. On top of that, acme-tiny doesn’t support sending an email address along with a cert issue request, so LE itself doesn’t email me if the cert is nearing expiration.

Steps I took:

  1. Patch acme-tiny (see my branch at https://github.com/tremby/acme-tiny/tree/add-contact-option which is based on someone else’s PR https://github.com/diafygi/acme-tiny/pull/153 which rightly hasn’t been accepted yet because it has a syntax error) to allow an email address to be set

  2. Configure the letsencrypt ansible role to use this version, which involves setting acme_tiny_repo and acme_tiny_commit to point to my commit in roles/letsencrypt/defaults/main.yml

  3. Configure it to send to my email address, which means adding a letsencrypt_contact key with my email address to the same file roles/letsencrypt/defaults/main.yml, and then patching roles/letsencrypt/templates/renew-certs.py to add --contact {{ letsencrypt_contact }} to the list of options passed to acme-tiny

  4. Patch roles/letsencrypt/tasks/main.yml to add a new task that sets the mail destination for the cron job. The new task looks like this:

        - name: Add email destination to key generation cronjob
          cronvar:
            name: MAILTO
            value: "{{ letsencrypt_contact }}"  # the address defined in step 3
            cron_file: letsencrypt-certificate-renewal

  5. Delete the current certs and rerun the letsencrypt role by following the instructions here: https://discourse.roots.io/t/update-lets-encrypt-certificates/7982/2
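The root cause above is a renewal job that fails without anyone hearing about it. Setting MAILTO on the cron entry is one fix; another, which works whether or not the host has working cron mail, is to wrap the renewal command so its exit status and output are captured and reported. The following is an added example (not part of the original post, nor of Trellis or acme-tiny). It assumes the wrapper is given the same command line the Trellis cron job already runs, and that a local SMTP listener on localhost is available for delivery; the sender and recipient addresses are placeholders.

```python
"""Wrap a certificate-renewal command so that a failure is never silent.

Added example; not part of the original post or of Trellis/acme-tiny.
Assumptions: the wrapper is invoked as
    renew_wrapper.py <renewal command and its arguments>
and a local MTA accepts mail on localhost:25 (adjust notify() otherwise).
"""
import smtplib
import subprocess
import sys
from email.message import EmailMessage

SENDER = "cron@localhost"           # placeholder sender address
RECIPIENT = "admin@example.invalid"  # placeholder recipient address


def run_renewal(cmd, timeout=300):
    """Run the renewal command and return (succeeded, combined_output).

    stdout and stderr are merged so that a traceback from the client (for
    example the parse failure when the terms-of-service URL changes) is kept
    alongside any normal progress output.
    """
    if not cmd:
        return False, "no renewal command given\n"
    try:
        proc = subprocess.run(
            cmd, capture_output=True, text=True, timeout=timeout, check=False
        )
    except FileNotFoundError as exc:
        return False, f"could not start renewal command: {exc}\n"
    except subprocess.TimeoutExpired:
        return False, f"renewal command timed out after {timeout}s\n"
    return proc.returncode == 0, proc.stdout + proc.stderr


def build_report(cmd, output):
    """Compose the failure notice as an EmailMessage (built, not yet sent)."""
    msg = EmailMessage()
    msg["Subject"] = "certificate renewal FAILED"
    msg["From"] = SENDER
    msg["To"] = RECIPIENT
    msg.set_content(
        "The certificate renewal job exited with an error.\n\n"
        f"Command: {' '.join(cmd)}\n\nOutput:\n{output}"
    )
    return msg


def notify(msg, host="localhost"):
    """Hand the report to the local MTA (assumed to listen on localhost)."""
    with smtplib.SMTP(host) as smtp:
        smtp.send_message(msg)


def main(argv):
    ok, output = run_renewal(argv)
    if ok:
        return 0
    # Print as well, so the failure also lands in cron's own mail/log if any.
    sys.stderr.write(output)
    try:
        notify(build_report(argv, output))
    except OSError as exc:
        sys.stderr.write(f"could not send failure notice: {exc}\n")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Installed as the cron command (with the real renewal command appended), the job still returns a non-zero exit status on failure, so any existing cron mail or monitoring keeps working, and the failure output reaches a mailbox even when cron itself has no MAILTO configured. An independent check of the certificate's remaining validity, run from a different host, would catch the remaining case where the wrapper itself never runs.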
