codeenigma · gregharvey · Jul 18, 2025 · Jul 17, 2025 · Jul 18, 2025
diff --git a/roles/debian/nginx/templates/vhost_letsencrypt.j2 b/roles/debian/nginx/templates/vhost_letsencrypt.j2
@@ -7,6 +7,7 @@ server {
     listen 80;
     {% endif %}
     server_name {{ domain.server_name }};
+    root /tmp;
     error_log {{ domain.error_log }} {{ domain.error_log_level }};
     access_log {{ domain.access_log }} {{ domain.access_log_format | default('main') }};
     # Proxy for certbot (LetsEncrypt)

diff --git a/roles/debian/ssl/README.md b/roles/debian/ssl/README.md
@@ -22,7 +22,7 @@ location /.well-known/acme-challenge/ {
 }
 ```
 
-If you are using LetsEncrypt handling combined with our `nginx` role and you set `ssl.http_01_port` then it should take care of the proxying, for example:
+If you are using LetsEncrypt handling combined with our `nginx` role and you set `ssl.http_01_port` and `ssl.web_server` to `standalone` then it should take care of the proxying, for example:
 
 ```yaml
 nginx:
@@ -38,13 +38,30 @@ nginx:
         services: []
         web_server: standalone
         certbot_register_command: "certonly --standalone --agree-tos --preferred-challenges http -n"
-        certbot_renew_command: "certonly --standalone --agree-tos --force-renew"
+        on_calendar: "Mon *-*-* 04:00:00"
+        reload_command: reload
+        reload:
+          - nginx
+```
+webroot option
+```yaml
+nginx:
+  domains:
+    - # other domain variables here
+      ssl:
+        domains:
+          - "{{ _domain_name }}"
+        handling: letsencrypt
+        autorenew: true
+        email: administrator@example.com
+        services: []
+        web_server: webroot
+        certbot_register_command: "certonly --standalone --agree-tos --preferred-challenges http -n"
+        on_calendar: "Mon *-*-* 04:00:00"
         reload_command: reload
         reload:
           - nginx
 ```
-Variable "on_calendar" is no longer in use since we have 1 general cron to renew all domains
-
 "web_server" can be standalone and webroot, differnce is that webroot wont start webserver to validate SSL, while standalone requires port on which webserver will be running in order to validate cert so we need the "http_01_port" for standalone option
 
 As in the example above, you need to include *all* variables required by the `letsencrypt` SSL handler because defaults will not load from the `ssl` role in this context.

diff --git a/roles/debian/ssl/defaults/main.yml b/roles/debian/ssl/defaults/main.yml
@@ -33,12 +33,10 @@ ssl:
   http_01_port: 80 # you can set a non-standard port to listen on, but certbot still needs port 80 - see https://letsencrypt.org/docs/challenge-types/#http-01-challenge
   # For "letsencrypt" auto renewal
   autorenew: false # set to true to create a systemd timer to renew LE certs
-  certbot_renew_command: "certonly --agree-tos --force-renew" # root of the command used in the systemd timer
-  # See systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events
-  on_calendar: "Mon *-*-* 04:00:00"
+  on_calendar: "Mon *-*-* 04:00:00" # this is still needed to define when the cron will run, and it's needed in each ssl item not to break task
   web_server: standalone
   # values are standalone, webroot, nginx or apache - warning, nginx and apache will attempt to manipulate your vhosts!
-  # webroot unlike standalone, won't start webserver with certain port
+  # webroot unlike standalone, won't start webserver with certain port, so we can remove http_01_port
 
   # For "letsencrypt" handling, a list of service to stop while creating the certificate.
   # This is because we need port 80 to be free.