diff --git a/manifests/certonly.pp b/manifests/certonly.pp
index 6e556ab3..b92be720 100644
--- a/manifests/certonly.pp
+++ b/manifests/certonly.pp
@@ -257,6 +257,10 @@
 }
 }
 
+# certbot uses --cert-name to generate the file path
+$live_path_certname = regsubst($cert_name, '^\*\.', '')
+$live_path = "${config_dir}/live/${live_path_certname}/cert.pem"
+
 $hook_args = ['pre', 'post', 'deploy'].map | String $type | {
 $commands = getvar("${type}_hook_commands")
 if (!empty($commands)) {
@@ -267,6 +271,20 @@
 commands => $commands,
 before => Exec["letsencrypt certonly ${title}"],
 }
+# if ensure is set to present, ensure that the hooks exist in the config file for the domain
+# this has to happen after the exec, because `certbot certonly` creates the initial config file
+# certbot won't update the config. But an update is required if new hooks are added afterwards
+#
+# we cannot add it to letsencrypt::hook because the defined resource runs before the Exec, not afterwards
+ini_setting { "${title}-${type}":
+ensure => $ensure,
+path => "${config_dir}/renewal/${live_path_certname}.conf",
+section => 'renewalparams',
+setting => "${type}_hook",
+value => $hook_file,
+require => Exec["letsencrypt certonly ${title}"],
+}
+
 
 "--${type}-hook \"${hook_file}\""
 } else {
@@ -274,10 +292,6 @@
 }
 }
 
-# certbot uses --cert-name to generate the file path
-$live_path_certname = regsubst($cert_name, '^\*\.', '')
-$live_path = "${config_dir}/live/${live_path_certname}/cert.pem"
-
 $_command = flatten(
 [
 $letsencrypt_command,
diff --git a/spec/defines/letsencrypt_certonly_spec.rb b/spec/defines/letsencrypt_certonly_spec.rb
index 8d1b5617..202290d3 100644
--- a/spec/defines/letsencrypt_certonly_spec.rb
+++ b/spec/defines/letsencrypt_certonly_spec.rb
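Review bot: The new `ini_setting` in the second hunk is declared only inside the `if (!empty($commands))` branch, so once a hook's commands are removed from Puppet the `${type}_hook` entry stays behind in `${config_dir}/renewal/${live_path_certname}.conf` and certbot keeps executing a script Puppet no longer manages at every renewal. The `} else {` branch visible at the end of the hunk is where a matching `ensure => absent` resource belongs; its body continues outside the hunk, so check it does not already handle this. The resource should not `require` the Exec, because the renewal conf may never have been created for a cert that was never requested; whether `ini_setting` with `ensure => absent` is a clean no-op on a missing file should be confirmed against the inifile module version this module pins. Separately, the comment says the setting is written "if ensure is set to present" while the resource passes `ensure => $ensure` through unchanged, so it understates what happens when `$ensure` is absent and could read `# keep the ${type}_hook entry in the renewal config in sync with $ensure`.
```puppet
    } else {
      # a hook that is no longer declared must also leave the renewal config,
      # otherwise certbot keeps running it on every renewal
      ini_setting { "${title}-${type}":
        ensure  => absent,
        path    => "${config_dir}/renewal/${live_path_certname}.conf",
        section => 'renewalparams',
        setting => "${type}_hook",
      }
      # … unchanged: existing else body (outside this hunk) …
```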
@@ -285,6 +285,7 @@ class { 'letsencrypt::plugin::dns_linode':
 it do
 is_expected.to compile.with_all_deps
 is_expected.to contain_letsencrypt__hook('foo.example.com-pre').with_hook_file('/etc/letsencrypt/renewal-hooks-puppet/foo.example.com-pre.sh')
+is_expected.to contain_ini_setting('foo.example.com-pre')
 end
 end
 
@@ -295,6 +296,7 @@ class { 'letsencrypt::plugin::dns_linode':
 it do
 is_expected.to compile.with_all_deps
 is_expected.to contain_letsencrypt__hook('*.example.com-pre').with_hook_file('/etc/letsencrypt/renewal-hooks-puppet/example.com-pre.sh')
+is_expected.to contain_ini_setting('*.example.com-pre')
 end
 end
 
@@ -305,6 +307,7 @@ class { 'letsencrypt::plugin::dns_linode':
 it do
 is_expected.to compile.with_all_deps
 is_expected.to contain_letsencrypt__hook('foo.example.com-post').with_hook_file('/etc/letsencrypt/renewal-hooks-puppet/foo.example.com-post.sh')
+is_expected.to contain_ini_setting('foo.example.com-post')
 end
 end
 
@@ -315,6 +318,7 @@ class { 'letsencrypt::plugin::dns_linode':
 it do
 is_expected.to compile.with_all_deps
 is_expected.to contain_letsencrypt__hook('foo.example.com-deploy').with_hook_file('/etc/letsencrypt/renewal-hooks-puppet/foo.example.com-deploy.sh')
+is_expected.to contain_ini_setting('foo.example.com-deploy')
 end
 end
 end
@@ -566,6 +570,9 @@ class { 'letsencrypt::plugin::dns_linode':
 it { is_expected.to contain_letsencrypt__hook('foo.example.com-pre') }
 it { is_expected.to contain_letsencrypt__hook('foo.example.com-post') }
 it { is_expected.to contain_letsencrypt__hook('foo.example.com-deploy') }
+it { is_expected.to contain_ini_setting('foo.example.com-pre') }
+it { is_expected.to contain_ini_setting('foo.example.com-post') }
+it { is_expected.to contain_ini_setting('foo.example.com-deploy') }
 it { is_expected.to have_letsencrypt__hook_resource_count(3) }
 end
 end
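Review bot: The new `contain_ini_setting` expectations in this hunk and in the four that follow only assert that the resource is declared, not the path, section or value that make it correct, so a regression in the wildcard stripping or in the `renewalparams` section name would still pass. The `*.example.com-pre` case in the second hunk is the one worth pinning, because the conf file name comes from the stripped cert name rather than the resource title: `is_expected.to contain_ini_setting('*.example.com-pre').with_path('/etc/letsencrypt/renewal/example.com.conf').with_section('renewalparams').with_setting('pre_hook')` (the path assumes `config_dir` is `/etc/letsencrypt` in these examples, as the `with_hook_file` paths suggest). The last hunk could likewise tie the ini value to the hook script with `.with_value('/etc/letsencrypt/renewal-hooks-puppet/foo.example.com-pre.sh')`. There is also no example covering a certificate declared without hook commands, which is where an accidentally declared or left-behind `ini_setting` would show up.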