
fix all problems during renewal of certificates

Laurent Hory 9 years ago
parent
commit
c642a38bba

+ 15 - 2
roles/certbot/tasks/main.yml

@@ -1,11 +1,24 @@
+- name: renewal certificat www.hory.me
+  command: "/root/certbot-auto certonly -n --webroot -w /var/www/renewal -d www.hory.me -d hory.me --rsa-key-size 4096 --text"
+
+
 - include: renewal.yml subdomain={{item}}
   with_items:
-    - www.hory.me
-    - wiki.hory.me
+    - owncloud.hory.me
     - monitor.hory.me
     - postfixadmin.hory.me
     - sound.hory.me
     - git.hory.me
+    - plante.hory.me
+    - wiki.hory.me
     - demo.hory.me
 
+- name: disable temporary sites
+  command: "a2dissite *"
+  args:
+    chdir: "/etc/apache2/sites-enabled"
 
+- name: remove temporary config
+  file:
+    path: /etc/apache2/sites-available/renewal.conf
+    state: absent
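Review bot: The cleanup at the end removes only renewal.conf, while the disable-apache role in this same commit pushes and enables a second file, renewal-ssl.conf, so that vhost — which references the live www.hory.me key and certificate paths — is left behind in sites-available after every run. Loop the `file` task over both: `path: "/etc/apache2/sites-available/{{item}}"` with `with_items: [renewal.conf, renewal-ssl.conf]`. Separately, the `command` module does not go through a shell, so the `*` in `a2dissite *` reaches a2dissite literally; unless a2dissite itself treats `*` as a wildcard (worth confirming on the target), this task disables nothing, and the same form appears in roles/disable-apache/tasks/main.yml. The double blank line after the first task is a style nit.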

+ 25 - 8
roles/certbot/tasks/renewal.yml

@@ -1,14 +1,31 @@
-- name: update conf
-  lineinfile:
-    dest: /etc/apache2/sites-available
-    regexp: "ServerName:"
-    line: "ServerName: {{domain}}"
+- name: update conf {{subdomain}}
+  replace:
+    dest: /etc/apache2/sites-available/renewal.conf
+    regexp: "www.hory.me"
+    replace: "{{subdomain}}"
 
-- name: reload conf
+- name: update ssl conf {{subdomain}}
+  replace:
+    dest: /etc/apache2/sites-available/renewal-ssl.conf
+    regexp: "www.hory.me"
+    replace: "{{subdomain}}"
+
+- name: reload conf {{subdomain}}
   service:
     name: apache2
     state: reloaded
 
-- name: renewal certificat
-  command: "/root/certbot-auto certonly --renew-by-default -a webroot-path /var/www/site -d {{domain}} --rsa-key-size 4096 --text"
+- name: renewal certificat {{subdomain}}
+  command: "/root/certbot-auto certonly -n --webroot -w /var/www/renewal -d {{subdomain}} --rsa-key-size 4096 --text"
+
+- name: revert conf {{subdomain}}
+  replace:
+    dest: /etc/apache2/sites-available/renewal.conf
+    regexp: "{{subdomain}}"
+    replace: "www.hory.me"
 
+- name: revert ssl conf {{subdomain}}
+  replace:
+    dest: /etc/apache2/sites-available/renewal-ssl.conf
+    regexp: "{{subdomain}}"
+    replace: "www.hory.me"
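Review bot: The `update ssl conf` replace rewrites every occurrence of `www.hory.me` in renewal-ssl.conf, which in the template added by this commit includes the four `SSLCertificate*` paths under /etc/letsencrypt/live/www.hory.me/ and not just `ServerName`; for a subdomain that has no certificate yet (owncloud.hory.me and plante.hory.me are new in the loop) the reload presumably points Apache at files that do not exist and the play fails before the revert tasks run. Anchoring the pattern to the directive, e.g. `regexp: "^(\\s*ServerName\\s+)www\\.hory\\.me$"` with `replace: "\\1{{subdomain}}"`, limits the substitution to the hostname. The revert tasks also only run when the certbot command succeeds, so a failed renewal leaves both conf files rewritten for the last subdomain; the revert belongs in an `always:` section of a `block:` (Ansible 2.0+) or needs equivalent error handling. The dots in `regexp: "www.hory.me"` are unescaped regex metacharacters — harmless here, but `www\\.hory\\.me` states the intent.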

+ 0 - 1
roles/disable-apache/handlers/main.yml

@@ -3,4 +3,3 @@
     name: apache2
     state: reloaded
 
-  command: "service apache2 reload"

+ 16 - 0
roles/disable-apache/tasks/main.yml

@@ -2,5 +2,21 @@
   command: "a2dissite *"
   args:
     chdir: "/etc/apache2/sites-enabled"
+
+- name: push temporary config file
+  template:
+    src: renewal
+    dest: /etc/apache2/sites-available/renewal.conf
+
+- name: push temporary config ssl file
+  template:
+    src: renewal-ssl
+    dest: /etc/apache2/sites-available/renewal-ssl.conf
+
+- name: enable renewal site
+  command: "a2ensite renewal renewal-ssl"
   notify:
     - reload apache
+
+- name: test
+  command: "echo test"
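Review bot: The `test` task at the end (`- name: test` / `command: "echo test"`) is leftover debugging that reports changed on every run and does nothing for the role; drop it. The two `template` tasks carry no `notify`, which only works because `a2ensite renewal renewal-ssl` always reports changed and fires the reload handler; if the a2ensite task is later made idempotent with `args: creates: /etc/apache2/sites-enabled/renewal.conf`, the templates need their own `notify: [reload apache]` so an edited template still triggers a reload. That symlink name assumes Apache 2.4's `.conf` suffix — confirm against the target.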

+ 24 - 0
roles/disable-apache/templates/renewal

@@ -0,0 +1,24 @@
+<VirtualHost *:80>
+				ServerName www.hory.me
+
+				DocumentRoot /var/www/renewal
+				<Directory />
+								Options FollowSymLinks
+								AllowOverride None
+				</Directory>
+				<Directory /var/www/renewal>
+								Options Indexes FollowSymLinks MultiViews
+								AllowOverride None
+								Order allow,deny
+								allow from all
+				</Directory>
+
+
+				ErrorLog ${APACHE_LOG_DIR}/renewal-error.log
+
+				# Possible values include: debug, info, notice, warn, error, crit,
+				# alert, emerg.
+				LogLevel warn
+
+				CustomLog ${APACHE_LOG_DIR}/renewal-access.log combined
+</VirtualHost>
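Review bot: `Options Indexes FollowSymLinks MultiViews` on /var/www/renewal enables directory listing on the ACME challenge webroot, so anything left under it (including `.well-known/acme-challenge/`) is browsable; the challenge does not need listing, so `Options FollowSymLinks` is enough. `Order allow,deny` / `allow from all` is the Apache 2.2 access syntax and only works on 2.4 through mod_access_compat; if the host runs 2.4, replace those two lines with `Require all granted`. The `<Directory />` stanza sets no access rule of its own and relies on whatever the global apache2.conf grants for `/` — a one-line comment saying so would save the next reader a lookup.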

+ 23 - 0
roles/disable-apache/templates/renewal-ssl

@@ -0,0 +1,23 @@
+<VirtualHost *:443>
+
+				<IfModule mod_headers.c>
+								Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
+								Header always set X-Frame-Options DENY
+								Header always set X-Content-Type-Options nosniff
+				</IfModule>
+
+				DocumentRoot /var/www/renewal
+				ServerName www.hory.me
+
+				SSLEngine on
+				SSLProtocol All -SSLv2 -SSLv3 -TLSv1
+				SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA
+				SSLHonorCipherOrder On
+				SSLCompression off
+
+				SSLCertificateFile /etc/letsencrypt/live/www.hory.me/fullchain.pem
+				SSLCertificateKeyFile /etc/letsencrypt/live/www.hory.me/privkey.pem
+				SSLCertificateChainFile /etc/letsencrypt/live/www.hory.me/chain.pem
+				SSLCACertificateFile /etc/letsencrypt/live/www.hory.me/cert.pem
+
+</VirtualHost>
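Review bot: `SSLCACertificateFile` names the CA bundle used to verify client certificates, but here it points at the server's own leaf `cert.pem`; no client verification is configured in this vhost, so the line is at best a no-op and at worst misleading, and `SSLCertificateChainFile` is redundant when `SSLCertificateFile` already serves `fullchain.pem` (the directive is deprecated from Apache 2.4.8). Drop both lines and keep `SSLCertificateFile` plus `SSLCertificateKeyFile`. This vhost also emits `Strict-Transport-Security` with `includeSubdomains; preload` from a temporary renewal site whose `ServerName` is rewritten per subdomain by the certbot role; if any of those subdomains is not meant to be HTTPS-only, the header should be left to the permanent vhosts rather than sent here.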

+ 1 - 7
roles/enable-apache/tasks/main.yml

@@ -1,7 +1,6 @@
 - name: reload all sites
-  command: "a2ensite {{site}}"
+  command: "a2ensite {{item}}"
   with_items:
-    - courses
     - git
     - git-ssl
     - monitoring
@@ -18,8 +17,3 @@
     - wiki-ssl
     - www.hory.me
     - www.hory.me-ssl
-
-- name: reload apache
-  service:
-    name: apache2
-    state: reloaded
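Review bot: With the explicit `reload apache` task removed at the end of this file, nothing visible in the two hunks reloads Apache after `a2ensite {{item}}`; lines 7–16 fall outside the hunks, so if the `reload all sites` task has no `notify: [reload apache]` there, the re-enabled sites stay inactive until something else reloads the service — worth confirming the handler exists under roles/enable-apache/handlers. The loop also runs `a2ensite` once per site with no `creates:` visible, so each iteration reports changed on every run; either pass the whole list in one call (a2ensite accepts several names) or add `args: creates: "/etc/apache2/sites-enabled/{{item}}.conf"` (Apache 2.4 symlink naming — confirm on the target).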