Closed fredericmoulins closed 4 years ago
I will check this tomorrow, it is a big one ;-)
> it is a big one ;-)
Yes, it is :)
In the certificate role, the removed task set the ACL for www-data on all the certificate directories. It is not setting the default ACL, so it works on Stretch because the certificate files created by certbot are world readable. I don't know if nginx can read the certificates in Buster as they shouldn't be world readable anymore.
About the changes:
`www` and root domains are somewhat hard-coded. I hope I did not miss any.
I will launch the CI on this, let's see if it breaks anything. It worked on my side.
Set `www-data` access to the certificates using the `cert-perms` role in each playbook needing it.
Use `import_role` to call the `cert-perms` role.