Home Explore Help
Sign In
kotoyuuko
/
ansible-proxy-chain
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

fix: correct certbot renewal hooks directory path

Use /etc/letsencrypt/renewal-hooks/post/ instead of the
nonexistent /etc/letsencrypt/renewal-hooks-post/ for the
trojan-go renewal deploy hook

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
kotoyuuko 3 weeks ago
parent
b671cbfcbf
commit
a6b57dc3c2
7 changed files with 59 additions and 2 deletions
Split View Show Diff Stats
  1. 2 0
      openspec/changes/archive/2026-04-22-fix-certbot-renewal-hooks-directory/.openspec.yaml
  2. 14 0
      openspec/changes/archive/2026-04-22-fix-certbot-renewal-hooks-directory/design.md
  3. 19 0
      openspec/changes/archive/2026-04-22-fix-certbot-renewal-hooks-directory/proposal.md
  4. 15 0
      openspec/changes/archive/2026-04-22-fix-certbot-renewal-hooks-directory/specs/trojan-landing/spec.md
  5. 7 0
      openspec/changes/archive/2026-04-22-fix-certbot-renewal-hooks-directory/tasks.md
  6. 1 1
      openspec/specs/trojan-landing/spec.md
  7. 1 1
      roles/trojan/tasks/main.yml

+ 2 - 0
openspec/changes/archive/2026-04-22-fix-certbot-renewal-hooks-directory/.openspec.yaml
View File 

@@ -0,0 +1,2 @@
 
+schema: spec-driven
 
+created: 2026-04-22

+ 14 - 0
openspec/changes/archive/2026-04-22-fix-certbot-renewal-hooks-directory/design.md
View File 

@@ -0,0 +1,14 @@
 
+## Context
 
+
 
+The previous `fix-trojan-go-startup-failure` change renamed the renewal hook path from `/etc/letsencrypt/renewal-hooks/post/restart-trojan.sh` to `/etc/letsencrypt/renewal-hooks-post/trojan-go.sh`. The latter directory does not exist — certbot uses `/etc/letsencrypt/renewal-hooks/post/`.
 
+
 
+## Goals / Non-Goals
 
+
 
+**Goals:**
 
+- Use the correct certbot renewal hooks directory so the task succeeds
 
+
 
+## Decisions
 
+
 
+**Use the standard certbot path `/etc/letsencrypt/renewal-hooks/post/`**
 
+
 
+Certbot automatically scans this directory for post-renewal hooks. No need to create directories or configure anything else.

+ 19 - 0
openspec/changes/archive/2026-04-22-fix-certbot-renewal-hooks-directory/proposal.md
View File 

@@ -0,0 +1,19 @@
 
+## Why
 
+
 
+The certbot renewal hook task references `/etc/letsencrypt/renewal-hooks-post/`, which does not exist. The correct certbot renewal hooks directory is `/etc/letsencrypt/renewal-hooks/post/`. This typo causes the playbook to fail when deploying the renewal hook.
 
+
 
+## What Changes
 
+
 
+- Fix the certbot renewal hook destination path from `/etc/letsencrypt/renewal-hooks-post/trojan-go.sh` to `/etc/letsencrypt/renewal-hooks/post/trojan-go.sh`
 
+
 
+## Capabilities
 
+
 
+### New Capabilities
 
+<!-- none -->
 
+
 
+### Modified Capabilities
 
+<!-- none -->
 
+
 
+## Impact
 
+
 
+- `roles/trojan/tasks/main.yml` — single path fix in the renewal hook task

+ 15 - 0
openspec/changes/archive/2026-04-22-fix-certbot-renewal-hooks-directory/specs/trojan-landing/spec.md
View File 

@@ -0,0 +1,15 @@
 
+## MODIFIED Requirements
 
+
 
+### Requirement: TLS certificate is provisioned via Let's Encrypt
 
+The trojan role SHALL use certbot to obtain a TLS certificate for the landing server's domain, with automatic renewal. After provisioning or renewal, the certificate and key SHALL be copied to a trojan-owned directory (`/etc/trojan-go/tls/`) so the service user can read them. The certbot deploy-hook SHALL be placed in `/etc/letsencrypt/renewal-hooks/post/` for automatic execution.
 
+
 
+#### Scenario: Certificate provisioning
 
+- **WHEN** the trojan role runs with a configured domain name
 
+- **THEN** certbot obtains a TLS certificate for that domain
 
+- **THEN** the certificate and key are copied to `/etc/trojan-go/tls/` owned by the trojan user
 
+
 
+#### Scenario: Certificate auto-renewal
 
+- **WHEN** the certificate is within 30 days of expiry
 
+- **THEN** certbot renews it automatically via systemd timer or cron
 
+- **THEN** a deploy-hook in `/etc/letsencrypt/renewal-hooks/post/` copies the renewed certs to `/etc/trojan-go/tls/`
 
+- **THEN** the Trojan service is reloaded after renewal

+ 7 - 0
openspec/changes/archive/2026-04-22-fix-certbot-renewal-hooks-directory/tasks.md
View File 

@@ -0,0 +1,7 @@
 
+## 1. Fix renewal hook path
 
+
 
+- [x] 1.1 Change certbot renewal hook destination from `/etc/letsencrypt/renewal-hooks-post/` to `/etc/letsencrypt/renewal-hooks/post/` in `roles/trojan/tasks/main.yml`
 
+
 
+## 2. Verify
 
+
 
+- [x] 2.1 Run `ansible-playbook site.yml --syntax-check` to confirm playbook parses

+ 1 - 1
openspec/specs/trojan-landing/spec.md
View File 

@@ -40,7 +40,7 @@ The trojan role SHALL use certbot to obtain a TLS certificate for the landing se
 
 #### Scenario: Certificate auto-renewal
 
 - **WHEN** the certificate is within 30 days of expiry
 
 - **THEN** certbot renews it automatically via systemd timer or cron
 
-- **THEN** a deploy-hook copies the renewed certs to `/etc/trojan-go/tls/`
 
+- **THEN** a deploy-hook in `/etc/letsencrypt/renewal-hooks/post/` copies the renewed certs to `/etc/trojan-go/tls/`
 
 - **THEN** the Trojan service is reloaded after renewal
 
 
 ### Requirement: Trojan listens on port 443 with TLS

+ 1 - 1
roles/trojan/tasks/main.yml
View File 

@@ -92,7 +92,7 @@
 
 
 - name: Deploy certbot renewal hook for trojan
 
   ansible.builtin.copy:
 
-    dest: /etc/letsencrypt/renewal-hooks-post/trojan-go.sh
 
+    dest: /etc/letsencrypt/renewal-hooks/post/trojan-go.sh
 
     content: |
 
       #!/bin/bash
 
       mkdir -p /etc/trojan-go/tls