Try SSL renewal more frequently and reload later

It doesn't hurt to attempt renewal more frequently, as it only does real work if it's actually necessary. Reloading, we postpone some more, because certbot adds some random delay (between 1 and 8 * 60 seconds) when renewing. We want to ensure we reload at least 8 minutes later, which wasn't the case. To make it even safer (in case future certbot versions use a longer delay), we reload a whole hour later. We're in no rush to start using the new certificates anyway, especially given that we attempt renewal often. Somewhat fixes #146 (Github Issue)
5 years ago · ec0f936227
parent 892abdc700
commit ec0f936227
1 changed files with 3 additions and 3 deletions
--- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml
+++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml
@ -69,7 +69,7 @@
      state: present
      hour: 4
      minute: 15
-      day: "*/5"
+      day: "*"
      job: /usr/local/bin/matrix-ssl-lets-encrypt-certificates-renew

  - name: Ensure periodic reloading of matrix-nginx-proxy is configured for SSL renewal (matrix-nginx-proxy-reload)
@ -78,9 +78,9 @@
      cron_file: matrix-ssl-lets-encrypt
      name: matrix-nginx-proxy-reload
      state: present
-      hour: 4
+      hour: 5
      minute: 20
-      day: "*/5"
+      day: "*"
      job: /bin/systemctl reload matrix-nginx-proxy.service
    when: matrix_nginx_proxy_enabled
  when: "matrix_ssl_retrieval_method == 'lets-encrypt'"