19 files changed, 80 insertions, 144 deletions
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
index dc0b5bf..114388e 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
@@ -1,32 +1,32 @@
 ##
 ## SSL settings
 ##
 
 # SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
 ssl = required
 
 # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
 # dropping root privileges, so keep the key file unreadable by anyone but
 # root. Included doc/mkcert.sh can be used to easily generate self-signed
 # certificate, just make sure to update the domains in dovecot-openssl.cnf
-ssl_cert = </etc/dovecot/ssl/imap.fripost.org.pem
+ssl_cert = </etc/dovecot/ssl/imap.fripost.org.chained.pem
 ssl_key = </etc/dovecot/ssl/imap.fripost.org.key
 
 # If key file is password protected, give the password here. Alternatively
 # give it when starting dovecot with -p parameter. Since this file is often
 # world-readable, you may want to place this setting instead to a different
 # root owned 0600 file by using ssl_key_password = <path.
 #ssl_key_password =
 
 # PEM encoded trusted certificate authority. Set this only if you intend to use
 # ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
 # followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
 #ssl_ca = 
 
 # Require that CRL check succeeds for client certificates.
 #ssl_require_crl = yes
 
 # Directory and/or file for trusted SSL CA certificates. These are used only
 # when Dovecot needs to act as an SSL client (e.g. imapc backend). The
 # directory is usually /etc/ssl/certs in Debian-based systems and the file is
 # /etc/pki/tls/cert.pem in RedHat-based systems.
diff --git a/roles/IMAP/tasks/imap.yml b/roles/IMAP/tasks/imap.yml
index ec1aaac..c9686c9 100644
--- a/roles/IMAP/tasks/imap.yml
+++ b/roles/IMAP/tasks/imap.yml
@@ -59,104 +59,91 @@
         owner=root group=root
         mode=0644
   with_items:
     - all
     - flagged
     - recent
     - unseen
 
 - name: Create directory /home/mail/spamspool
   file: path=/home/mail/spamspool
         state=directory
         owner=vmail group=vmail
         mode=0700
 
 - name: Create directory /etc/dovecot/ssl
   file: path=/etc/dovecot/ssl
         state=directory
         owner=root group=root
         mode=0755
 
-- name: Generate a private key and a X.509 certificate for Dovecot
-  command: genkeypair.sh x509
-                         --pubkey=/etc/dovecot/ssl/imap.fripost.org.pem
-                         --privkey=/etc/dovecot/ssl/imap.fripost.org.key
-                         --ou=IMAP --cn=imap.fripost.org
-                         -t rsa -b 4096 -h sha512
-  register: r1
-  changed_when: r1.rc == 0
-  failed_when: r1.rc > 1
-  notify:
-    - Restart Dovecot
-  tags:
-    - genkey
 
 - name: Fetch Dovecot's X.509 certificate
   # Ensure we don't fetch private data
   sudo: False
   fetch: src=/etc/dovecot/ssl/imap.fripost.org.pem
          dest=certs/public/
          fail_on_missing=yes
          flat=yes
   tags:
     - genkey
 
 - name: Configure Dovecot
   copy: src=etc/dovecot/{{ item }}
         dest=/etc/dovecot/{{ item }}
         owner=root group=root
         mode=0644
-  register: r2
+  register: r1
   with_items:
     - conf.d/10-auth.conf
     - conf.d/10-logging.conf
     - conf.d/10-mail.conf
     - conf.d/10-master.conf
     - conf.d/10-ssl.conf
     - conf.d/15-mailboxes.conf
     - conf.d/20-imap.conf
     - conf.d/20-lmtp.conf
     - conf.d/90-plugin.conf
     - conf.d/90-sieve.conf
     - conf.d/auth-ldap.conf.ext
     - dovecot-ldap.conf.ext
     - dovecot-ldap-userdb.conf.ext
   notify:
     - Restart Dovecot
 
 - name: Tell Dovecot we have a remote IMAP proxy
   # XXX: we should have an automatic lookup here
   lineinfile: dest=/etc/dovecot/dovecot.conf
               regexp='^(\s*#)?\s*login_trusted_networks\s*='
               line='login_trusted_networks = 171.25.193.76/32'
               state=present
               create=yes
               owner=root group=root
               mode=0644
-  register: r3
+  register: r2
   when: "'IMAP' in group_names and 'webmail' not in group_names"
   notify:
     - Restart Dovecot
 
 - name: Start Dovecot
   service: name=dovecot state=started
-  when: not (r1.changed or r2.changed or r3.changed)
+  when: not (r1.changed or r2.changed)
 
 - meta: flush_handlers
 
 
 - name: Install 'dovecot_stats_' Munin wildcard plugin
   file: src=/usr/local/share/munin/plugins/dovecot_stats_
         dest=/etc/munin/plugins/dovecot_stats_fripost.org
         owner=root group=root
         state=link force=yes
   tags:
     - munin
     - munin-node
   notify:
     - Restart munin-node
 
 - name: Install 'dovecot_logins' and 'dovecot_who' Munin plugin
   file: src=/usr/local/share/munin/plugins/{{ item }}
         dest=/etc/munin/plugins/{{ item }}
         owner=root group=root
         state=link force=yes
diff --git a/roles/MSA/templates/etc/postfix/main.cf.j2 b/roles/MSA/templates/etc/postfix/main.cf.j2
index efcebef..caba881 100644
--- a/roles/MSA/templates/etc/postfix/main.cf.j2
+++ b/roles/MSA/templates/etc/postfix/main.cf.j2
@@ -58,42 +58,42 @@ smtp_data_done_timeout           = 1200s
 
 # Anonymize the (authenticated) sender; pass the mail to the antivirus
 header_checks  = pcre:$config_directory/anonymize_sender.pcre
 #content_filter = amavisfeed:unix:public/amavisfeed-antivirus
 
 
 # TLS
 {% if 'out' in group_names %}
 smtp_tls_security_level         = none
 smtp_bind_address               = 127.0.0.1
 {% else %}
 smtp_tls_security_level         = encrypt
 smtp_tls_cert_file              = /etc/postfix/ssl/{{ ansible_fqdn }}.pem
 smtp_tls_key_file               = /etc/postfix/ssl/{{ ansible_fqdn }}.key
 smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
 smtp_tls_policy_maps            = cdb:/etc/postfix/tls_policy
 smtp_tls_fingerprint_digest     = sha256
 {% endif %}
 
 smtpd_tls_security_level        = encrypt
-smtpd_tls_cert_file             = /etc/postfix/ssl/smtp.fripost.org.pem
-smtpd_tls_key_file              = /etc/postfix/ssl/private/smtp.fripost.org.key
+smtpd_tls_cert_file             = /etc/postfix/ssl/smtp.fripost.org.chained.pem
+smtpd_tls_key_file              = /etc/postfix/ssl/smtp.fripost.org.key
 smtpd_tls_dh1024_param_file     = /etc/ssl/private/dhparams.pem
 smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache
 smtpd_tls_received_header       = yes
 smtpd_tls_ask_ccert             = yes
 
 # SASL
 smtpd_sasl_auth_enable          = yes
 smtpd_sasl_authenticated_header = no
 smtpd_sasl_local_domain         =
 smtpd_sasl_exceptions_networks  = $mynetworks
 smtpd_sasl_security_options     = noanonymous, noplaintext
 smtpd_sasl_tls_security_options = noanonymous
 broken_sasl_auth_clients        = yes
 smtpd_sasl_type                 = dovecot
 smtpd_sasl_path                 = unix:private/dovecot-auth
 
 
 strict_rfc821_envelopes = yes
 smtpd_delay_reject      = yes
 disable_vrfy_command    = yes
diff --git a/roles/MX/tasks/main.yml b/roles/MX/tasks/main.yml
index da6923b..1b820e3 100644
--- a/roles/MX/tasks/main.yml
+++ b/roles/MX/tasks/main.yml
@@ -65,41 +65,41 @@
            owner=root group=root
            mode=0644
   notify:
     - Reload Postfix
 
 - name: Copy reserved-alias.pl
   copy: src=usr/local/bin/reserved-alias.pl
         dest=/usr/local/bin/reserved-alias.pl
         owner=root group=root
         mode=0755
 
 - meta: flush_handlers
 
 - name: Start Postfix
   service: name=postfix state=started
 
 - name: Fetch Postfix's X.509 certificate
   # Ensure we don't fetch private data
   sudo: False
   # `/usr/sbin/postmulti -i mx -x /usr/sbin/postconf -xh smtpd_tls_cert_file`
-  fetch: src=/etc/ssl/certs/ssl-cert-snakeoil.pem
+  fetch: src=/etc/postfix/ssl/mx.fripost.org.pem
          dest=certs/public/mx{{ mxno | default('') }}.fripost.org.pem
          fail_on_missing=yes
          flat=yes
   tags:
     - genkey
 
 
 - name: Install 'postfix_mailqueue_' Munin wildcard plugin
   file: src=/usr/local/share/munin/plugins/postfix_mailqueue_
         dest=/etc/munin/plugins/postfix_mailqueue_postfix-{{ postfix_instance[inst].name }}
         owner=root group=root
         state=link force=yes
   tags:
     - munin
     - munin-node
   notify:
     - Restart munin-node
 
 - name: Install 'postfix_stats_' Munin wildcard plugin
   file: src=/usr/local/share/munin/plugins/postfix_stats_
diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2
index b9f7c09..0259538 100644
--- a/roles/MX/templates/etc/postfix/main.cf.j2
+++ b/roles/MX/templates/etc/postfix/main.cf.j2
@@ -76,42 +76,42 @@ smtp_send_xforward_command                 = yes
 smtp_destination_recipient_limit           = 1000
 reserved-alias_destination_recipient_limit = 1
 # Tolerate occasional high latency
 smtp_data_done_timeout           = 1200s
 
 
 {% if 'out' in group_names %}
 smtp_tls_security_level         = none
 smtp_bind_address               = 127.0.0.1
 {% else %}
 smtp_tls_security_level         = encrypt
 smtp_tls_cert_file              = /etc/postfix/ssl/{{ ansible_fqdn }}.pem
 smtp_tls_key_file               = /etc/postfix/ssl/{{ ansible_fqdn }}.key
 smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
 smtp_tls_policy_maps            = cdb:/etc/postfix/tls_policy
 smtp_tls_fingerprint_digest     = sha256
 {% endif %}
 
 smtpd_tls_security_level        = may
 smtpd_tls_exclude_ciphers       = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
-smtpd_tls_cert_file             = /etc/ssl/certs/ssl-cert-snakeoil.pem
-smtpd_tls_key_file              = /etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_tls_cert_file             = /etc/postfix/ssl/mx.fripost.org.chained.pem
+smtpd_tls_key_file              = /etc/postfix/ssl/mx.fripost.org.key
 smtpd_tls_dh1024_param_file     = /etc/ssl/private/dhparams.pem
 smtpd_tls_CApath                = /etc/ssl/certs/
 smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache
 smtpd_tls_received_header       = yes
 smtpd_tls_ask_ccert             = yes
 
 
 # http://en.linuxreviews.org/HOWTO_Stop_spam_using_Postfix
 # http://www.howtoforge.com/block_spam_at_mta_level_postfix
 
 strict_rfc821_envelopes = yes
 smtpd_delay_reject      = yes
 disable_vrfy_command    = yes
 
 # UCE control
 invalid_hostname_reject_code        = 554
 multi_recipient_bounce_reject_code  = 554
 non_fqdn_reject_code                = 554
 relay_domains_reject_code           = 554
 unknown_address_reject_code         = 554
diff --git a/roles/common-web/files/etc/nginx/sites-available/default b/roles/common-web/files/etc/nginx/sites-available/default
new file mode 100644
index 0000000..6df1615
--- /dev/null
+++ b/roles/common-web/files/etc/nginx/sites-available/default
@@ -0,0 +1,11 @@
+server {
+    listen      80 default_server;
+    listen [::]:80 default_server;
+
+    access_log /var/log/nginx/access.log;
+    error_log /var/log/nginx/error.log info;
+
+    # serve ACME challenges on all virtual hosts
+    # /!\ need to be served individually for each explicit virtual host as well!
+    include snippets/acme-challenge.conf;
+}
diff --git a/roles/common-web/files/etc/nginx/snippets/acme-challenge.conf b/roles/common-web/files/etc/nginx/snippets/acme-challenge.conf
new file mode 100644
index 0000000..b2a856a
--- /dev/null
+++ b/roles/common-web/files/etc/nginx/snippets/acme-challenge.conf
@@ -0,0 +1,4 @@
+location /.well-known/acme-challenge/ {
+    alias /var/www/acme-challenge/;
+    default_type application/jose+json;
+}
diff --git a/roles/common-web/tasks/main.yml b/roles/common-web/tasks/main.yml
index c44e3a5..fb6bb2d 100644
--- a/roles/common-web/tasks/main.yml
+++ b/roles/common-web/tasks/main.yml
@@ -1,41 +1,42 @@
 - name: Install Nginx
   apt: pkg=nginx
 
 - name: Limit Nginx logging
   lineinfile: "dest=/etc/logrotate.d/nginx create=yes
                regexp='^\\s*rotate\\s'
                line='\trotate 1'"
   tags:
     - logrotate
 
-- name: Copy fastcgi parameters and SSL configuration snippets
+- name: Copy fastcgi parameters, acme-challenge and SSL configuration snippets
   copy: src=etc/nginx/snippets/{{ item }}
         dest=/etc/nginx/snippets/{{ item }}
         owner=root group=root
         mode=0644
   register: r1
   with_items:
     - fastcgi.conf
     - fastcgi-php.conf
     - fastcgi-php-ssl.conf
     - ssl.conf
+    - acme-challenge.conf
   notify:
     - Restart Nginx
 
 - name: Copy /etc/nginx/sites-available/default
   copy: src=etc/nginx/sites-available/default
         dest=/etc/nginx/sites-available/default
         owner=root group=root
         mode=0644
   register: r2
   notify:
     - Restart Nginx
 
 - name: Create /etc/nginx/sites-enabled/default
   file: src=../sites-available/default
         dest=/etc/nginx/sites-enabled/default
         owner=root group=root
         state=link force=yes
   register: r3
   notify:
     - Restart Nginx
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
index a852c4d..07047c7 100644
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -35,20 +35,23 @@
 - name: Restart Postfix
   service: name=postfix state=restarted
 
 - name: Reload Postfix
   service: name=postfix state=reloaded
 
 - name: Restart stunnel
   service: name=stunnel4 pattern=/usr/bin/stunnel4 state=restarted
 
 - name: Restart bacula-fd
   service: name=bacula-fd state=restarted
 
 - name: Update certificate
   command: update-ca-certificates
 
 - name: Restart munin-node
   service: name=munin-node state=restarted
 
 - name: Restart freshclam
   service: name=clamav-freshclam state=restarted
+
+- name: Install LetsEncrypt's ACME client
+  apt: deb=/tmp/letsencrypt-tiny_0.1-1_all.deb
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 470a6b2..955493a 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -28,40 +28,43 @@
   command: gendhparam.sh /etc/ssl/private/dhparams.pem creates=/etc/ssl/private/dhparams.pem
   tags: genkey
 - include: logging.yml      tags=logging
 - include: ntp.yml          tags=ntp
 - include: mail.yml         tags=mail,postfix
 - include: bacula.yml       tags=bacula-fd,bacula
 - include: munin-node.yml   tags=munin-node,munin
 
 - name: Install common packages
   apt: pkg={{ item }}
   with_items:
     - ca-certificates
     - etckeeper
     - ethtool
     - git
     - htop
     - molly-guard
     - rsync
     - screen
     - telnet-ssl
+    # for letencrypt
+    - liblwp-protocol-https-perl
+    - socat
 
 # XXX: this is a workaround the CAcert root CAs not being present in
 # Jessie.  In stretch, we would merely install the 'ca-cacert' package.
 - name: Create directory /usr/local/share/ca-certificates/CAcert
   file: path=/usr/local/share/ca-certificates/CAcert
         state=directory
         owner=root group=root
         mode=0755
   tags:
     - certs
 
 - name: Copy CAcert root CAs
   copy: src=certs/CAcert/{{ item }}
         dest=/usr/local/share/ca-certificates/CAcert/{{ item }}
         owner=root group=root
         mode=0644
   with_items:
     - root.crt
     - class3.crt
   tags:
diff --git a/roles/git/files/etc/nginx/sites-available/git b/roles/git/files/etc/nginx/sites-available/git
index 67776de..afb5fca 100644
--- a/roles/git/files/etc/nginx/sites-available/git
+++ b/roles/git/files/etc/nginx/sites-available/git
@@ -1,74 +1,45 @@
 server {
     listen      80;
     listen [::]:80;
 
     server_name  git.fripost.org;
 
+    include snippets/acme-challenge.conf;
+
     access_log /var/log/nginx/git.access.log;
     error_log  /var/log/nginx/git.error.log info;
 
-    location ^~ /static/ {
-        alias /usr/share/cgit/;
-        expires 30d;
-    }
-
-    # Bypass the CGI to return static files stored on disk. Try first repo with
-    # a trailing '.git', then without.
-    location ~* "^/((?U)[^/]+)(?:\.git)?/objects/(?:[0-9a-f]{2}/[0-9a-f]{38}|pack/pack-[0-9a-f]{40}\.(?:pack|idx))$" {
-        root /var/lib/gitolite/repositories;
-        try_files /$1.git/objects/$2 /$1/objects/$2 =404;
-        expires 30d;
-        gzip off;
-        # TODO honor git-daemon-export-ok
-    }
-
-    # disallow push over HTTP/HTTPS
-    location ~* "^/[^/]+/git-receive-pack$" { return 403; }
-
-    location ~* "^/[^/]+/(?:HEAD|info/refs|objects/info/[^/]+|git-upload-pack)$" {
-        gzip off;
-        include uwsgi_params;
-        uwsgi_modifier1 9;
-        uwsgi_param GIT_PROJECT_ROOT /var/lib/gitolite/repositories;
-        uwsgi_pass unix:/run/uwsgi/app/git-http-backend/socket;
-    }
-
-
-    # send all other URLs to cgit
     location / {
-        gzip off;
-        include uwsgi_params;
-        uwsgi_modifier1 9;
-        uwsgi_pass unix:/run/uwsgi/app/cgit/socket;
+        return 301 https://$host$request_uri;
     }
 }
 
 
 server {
     listen      443;
     listen [::]:443;
 
     server_name  git.fripost.org;
 
     include snippets/ssl.conf;
-    ssl_certificate     /etc/nginx/ssl/git.fripost.org.pem;
+    ssl_certificate     /etc/nginx/ssl/git.fripost.org.chained.pem;
     ssl_certificate_key /etc/nginx/ssl/git.fripost.org.key;
 
     access_log /var/log/nginx/git.access.log;
     error_log  /var/log/nginx/git.error.log info;
 
     location ^~ /static/ {
         alias /usr/share/cgit/;
         expires 30d;
     }
 
     # Bypass the CGI to return static files stored on disk. Try first repo with
     # a trailing '.git', then without.
     location ~* "^/((?U)[^/]+)(?:\.git)?/objects/(?:[0-9a-f]{2}/[0-9a-f]{38}|pack/pack-[0-9a-f]{40}\.(?:pack|idx))$" {
         root /var/lib/gitolite/repositories;
         try_files /$1.git/objects/$2 /$1/objects/$2 =404;
         expires 30d;
         gzip off;
         # TODO honor git-daemon-export-ok
     }
 
diff --git a/roles/git/tasks/cgit.yml b/roles/git/tasks/cgit.yml
index 27e0554..7237aa9 100644
--- a/roles/git/tasks/cgit.yml
+++ b/roles/git/tasks/cgit.yml
@@ -55,67 +55,53 @@
     - cgit
     - git-http-backend
   notify:
     - Restart uWSGI
 
 - name: Start uWSGI
   service: name=nginx state=started
   when: not (r1.changed or r2.changed or r3.changed or r4.changed or r5.changed)
 
 - meta: flush_handlers
 
 - name: Add 'cgit' & 'www-data' to the group 'gitolite'
   user: name={{ item }} groups=gitolite append=yes
   with_items:
     # for the cgit interface
     - cgit
     # for pulls over HTTP/HTTPS
     - www-data
 
 
-- name: Generate a private key and a X.509 certificate for Nginx
-  command: genkeypair.sh x509
-                         --pubkey=/etc/nginx/ssl/git.fripost.org.pem
-                         --privkey=/etc/nginx/ssl/git.fripost.org.key
-                         --ou=WWW --cn=git.fripost.org --dns=git.fripost.org
-                         -t rsa -b 4096 -h sha512
-  register: r1
-  changed_when: r1.rc == 0
-  failed_when: r1.rc > 1
-  notify:
-    - Restart Nginx
-  tags:
-    - genkey
-
 - name: Copy /etc/nginx/sites-available/git
   copy: src=etc/nginx/sites-available/git
         dest=/etc/nginx/sites-available/git
         owner=root group=root
         mode=0644
-  register: r2
+  register: r1
   notify:
     - Restart Nginx
 
 - name: Create /etc/nginx/sites-enabled/git
   file: src=../sites-available/git
         dest=/etc/nginx/sites-enabled/git
         owner=root group=root
         state=link force=yes
-  register: r3
+  register: r2
   notify:
     - Restart Nginx
 
 - name: Start Nginx
   service: name=nginx state=started
-  when: not (r1.changed or r2.changed or r3.changed)
+  when: not (r1.changed or r2.changed)
 
 - meta: flush_handlers
 
 - name: Fetch Nginx's X.509 certificate
   # Ensure we don't fetch private data
   sudo: False
   fetch: src=/etc/nginx/ssl/git.fripost.org.pem
          dest=certs/public/
          fail_on_missing=yes
          flat=yes
   tags:
     - genkey
diff --git a/roles/lists/files/etc/nginx/sites-available/sympa b/roles/lists/files/etc/nginx/sites-available/sympa
index ea0424f..5e469fa 100644
--- a/roles/lists/files/etc/nginx/sites-available/sympa
+++ b/roles/lists/files/etc/nginx/sites-available/sympa
@@ -1,44 +1,48 @@
 server {
     listen      80;
     listen [::]:80;
 
     server_name lists.fripost.org;
 
+    include snippets/acme-challenge.conf;
+
     access_log /var/log/nginx/lists.access.log;
     error_log  /var/log/nginx/lists.error.log info;
 
-    return 302 https://$host$request_uri;
+    location / {
+        return 301 https://$host$request_uri;
+    }
 }
 
 
 server {
     listen      443;
     listen [::]:443;
 
     server_name  lists.fripost.org;
 
     access_log /var/log/nginx/lists.access.log;
     error_log  /var/log/nginx/lists.error.log info;
 
     include snippets/ssl.conf;
-    ssl_certificate     /etc/nginx/ssl/lists.fripost.org.pem;
+    ssl_certificate     /etc/nginx/ssl/lists.fripost.org.chained.pem;
     ssl_certificate_key /etc/nginx/ssl/lists.fripost.org.key;
 
     location = / {
         return 302 /sympa$args;
     }
 
     location ^~ /static-sympa/ {
         alias /var/lib/sympa/static_content/;
         expires 30d;
     }
 
     location ^~ /sympa {
         fastcgi_split_path_info ^(/sympa)(.*)$;
         include snippets/fastcgi.conf;
 
         fastcgi_pass unix:/run/wwsympa.socket;
         gzip off;
     }
 
     location ~* ^/([^/]+)/?$ {
diff --git a/roles/lists/tasks/nginx.yml b/roles/lists/tasks/nginx.yml
index 4501d39..21e769a 100644
--- a/roles/lists/tasks/nginx.yml
+++ b/roles/lists/tasks/nginx.yml
@@ -1,50 +1,36 @@
 - name: Install Nginx
   apt: pkg=nginx
 
-- name: Generate a private key and a X.509 certificate for Nginx
-  command: genkeypair.sh x509
-                         --pubkey=/etc/nginx/ssl/lists.fripost.org.pem
-                         --privkey=/etc/nginx/ssl/lists.fripost.org.key
-                         --ou=WWW --cn=lists.fripost.org --dns=lists.fripost.org
-                         -t rsa -b 4096 -h sha512
-  register: r1
-  changed_when: r1.rc == 0
-  failed_when: r1.rc > 1
-  notify:
-    - Restart Nginx
-  tags:
-    - genkey
-
 - name: Copy /etc/nginx/sites-available/sympa
   copy: src=etc/nginx/sites-available/sympa
         dest=/etc/nginx/sites-available/sympa
         owner=root group=root
         mode=0644
-  register: r2
+  register: r1
   notify:
     - Restart Nginx
 
 - name: Create /etc/nginx/sites-enabled/sympa
   file: src=../sites-available/sympa
         dest=/etc/nginx/sites-enabled/sympa
         owner=root group=root
         state=link
-  register: r3
+  register: r2
   notify:
     - Restart Nginx
 
 - name: Start nginx
   service: name=nginx state=started
-  when: not (r1.changed or r2.changed or r3.changed)
+  when: not (r1.changed or r2.changed)
 
 - meta: flush_handlers
 
 - name: Fetch Nginx's X.509 certificate
   # Ensure we don't fetch private data
   sudo: False
   fetch: src=/etc/nginx/ssl/lists.fripost.org.pem
          dest=certs/public/
          fail_on_missing=yes
          flat=yes
   tags:
     - genkey
diff --git a/roles/webmail/files/etc/nginx/sites-available/roundcube b/roles/webmail/files/etc/nginx/sites-available/roundcube
index 1297834..df10be9 100644
--- a/roles/webmail/files/etc/nginx/sites-available/roundcube
+++ b/roles/webmail/files/etc/nginx/sites-available/roundcube
@@ -1,39 +1,46 @@
 server {
 
     listen      80;
     listen [::]:80;
 
-    server_name  mail.fripost.org;
+    server_name    mail.fripost.org;
+    server_name webmail.fripost.org;
+
+    include snippets/acme-challenge.conf;
 
     access_log  /var/log/nginx/roundcube.access.log;
     error_log   /var/log/nginx/roundcube.error.log info;
 
-    return 301 https://$host$request_uri;
+    location / {
+        return 301 https://$host$request_uri;
+    }
 }
 
 
 server {
     listen      443;
     listen [::]:443;
 
-    server_name  mail.fripost.org;
+    server_name    mail.fripost.org;
+    server_name webmail.fripost.org;
+
     root         /var/lib/roundcube;
 
     include snippets/ssl.conf;
     ssl_certificate     /etc/nginx/ssl/mail.fripost.org.chained.pem;
     ssl_certificate_key /etc/nginx/ssl/mail.fripost.org.key;
 
     location = /favicon.ico {
         root          /usr/share/roundcube/skins/default/images;
         log_not_found off;
         access_log    off;
         expires       max;
     }
 
     location = /robots.txt {
         allow         all;
         log_not_found off;
         access_log    off;
     }
 
     # Deny all attempts to access hidden files, or files under hidden
diff --git a/roles/webmail/tasks/roundcube.yml b/roles/webmail/tasks/roundcube.yml
index ed6a3b4..3eaf766 100644
--- a/roles/webmail/tasks/roundcube.yml
+++ b/roles/webmail/tasks/roundcube.yml
@@ -86,67 +86,53 @@
               owner=root group=root
               mode=0644
   with_items:
     - classic
     - larry
 
 - name: Configure Roundcube plugins
   copy: src=etc/roundcube/plugins/{{ item }}/config.inc.php
         dest=/etc/roundcube/plugins/{{ item }}/config.inc.php
         owner=root group=root
         mode=0644
   with_items:
     - additional_message_headers
     - jqueryui
     - managesieve
     - password
 
 - name: Start php5-fpm
   service: name=php5-fpm state=started
 
-- name: Generate a private key and a X.509 certificate for Nginx
-  command: genkeypair.sh x509
-                         --pubkey=/etc/nginx/ssl/mail.fripost.org.pem
-                         --privkey=/etc/nginx/ssl/mail.fripost.org.key
-                         --ou=WWW --cn=mail.fripost.org --dns=mail.fripost.org
-                         -t rsa -b 4096 -h sha512
-  register: r1
-  changed_when: r1.rc == 0
-  failed_when: r1.rc > 1
-  notify:
-    - Restart Nginx
-  tags:
-    - genkey
-
 - name: Copy /etc/nginx/sites-available/roundcube
   copy: src=etc/nginx/sites-available/roundcube
         dest=/etc/nginx/sites-available/roundcube
         owner=root group=root
         mode=0644
-  register: r2
+  register: r1
   notify:
     - Restart Nginx
 
 - name: Create /etc/nginx/sites-enabled/roundcube
   file: src=../sites-available/roundcube
         dest=/etc/nginx/sites-enabled/roundcube
         owner=root group=root
         state=link force=yes
-  register: r3
+  register: r2
   notify:
     - Restart Nginx
 
 - name: Start Nginx
   service: name=nginx state=started
-  when: not (r1.changed or r2.changed or r3.changed)
+  when: not (r1.changed or r2.changed)
 
 - meta: flush_handlers
 
 - name: Fetch Nginx's X.509 certificate
   # Ensure we don't fetch private data
   sudo: False
   fetch: src=/etc/nginx/ssl/mail.fripost.org.pem
          dest=certs/public/
          fail_on_missing=yes
          flat=yes
   tags:
     - genkey
diff --git a/roles/wiki/files/etc/nginx/sites-available/website b/roles/wiki/files/etc/nginx/sites-available/website
index 3e32158..2519286 100644
--- a/roles/wiki/files/etc/nginx/sites-available/website
+++ b/roles/wiki/files/etc/nginx/sites-available/website
@@ -1,46 +1,51 @@
 server {
     listen      80;
     listen [::]:80;
 
     server_name     fripost.org;
     server_name www.fripost.org;
 
-    access_log /var/log/nginx/access.log;
-    error_log  /var/log/nginx/error.log info;
+    include snippets/acme-challenge.conf;
 
-    return 301 https://fripost.org$request_uri;
+    access_log /var/log/nginx/www.access.log;
+    error_log  /var/log/nginx/www.error.log info;
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
 }
 
 
 server {
     listen      443;
     listen [::]:443;
 
-    server_name fripost.org;
+    server_name     fripost.org;
+    server_name www.fripost.org;
 
     include snippets/ssl.conf;
     ssl_certificate     /etc/nginx/ssl/www.fripost.org.chained.pem;
     ssl_certificate_key /etc/nginx/ssl/www.fripost.org.key;
 
-    access_log /var/log/nginx/access.log;
-    error_log  /var/log/nginx/error.log info;
+    access_log /var/log/nginx/www.access.log;
+    error_log  /var/log/nginx/www.error.log info;
 
     location / {
         try_files $uri $uri/ =404;
         index index.html;
         root /var/lib/ikiwiki/public_html/fripost-wiki/website;
     }
     location /static/ {
         alias /var/lib/ikiwiki/public_html/fripost-wiki/static/;
         expires 30d;
     }
     location /material/ {
         alias /var/www/fripost.org/material/;
         expires 30d;
     }
     location /minutes/ {
         alias /var/www/fripost.org/minutes/;
         expires 30d;
     }
     location /.well-known/autoconfig/ {
         alias /var/www/fripost.org/autoconfig/;
diff --git a/roles/wiki/files/etc/nginx/sites-available/wiki b/roles/wiki/files/etc/nginx/sites-available/wiki
index 3777b87..2855e07 100644
--- a/roles/wiki/files/etc/nginx/sites-available/wiki
+++ b/roles/wiki/files/etc/nginx/sites-available/wiki
@@ -1,38 +1,34 @@
 server {
     listen      80;
     listen [::]:80;
 
     server_name wiki.fripost.org;
 
+    include snippets/acme-challenge.conf;
+
     access_log /var/log/nginx/wiki.access.log;
     error_log  /var/log/nginx/wiki.error.log info;
 
     location / {
         location ~ ^/website(/.*)?$ { return 302 $scheme://fripost.org$1; }
-        try_files $uri $uri/ =404;
-        index index.html;
-        root /var/lib/ikiwiki/public_html/fripost-wiki;
-    }
-
-    location = /ikiwiki.cgi {
-        return 302 https://$host$request_uri;
+        return 301 https://$host$request_uri;
     }
 }
 
 
 server {
     listen      443;
     listen [::]:443;
 
     server_name wiki.fripost.org;
 
     include snippets/ssl.conf;
     ssl_certificate     /etc/nginx/ssl/www.fripost.org.chained.pem;
     ssl_certificate_key /etc/nginx/ssl/www.fripost.org.key;
 
     access_log /var/log/nginx/wiki.access.log;
     error_log  /var/log/nginx/wiki.error.log info;
 
     location / {
         location ~ ^/website(/.*)?$ { return 302 $scheme://fripost.org$1; }
         try_files $uri $uri/ =404;
diff --git a/roles/wiki/tasks/main.yml b/roles/wiki/tasks/main.yml
index 22a5831..763f99a 100644
--- a/roles/wiki/tasks/main.yml
+++ b/roles/wiki/tasks/main.yml
@@ -48,85 +48,71 @@
 #   ## Add ikiwiki's key to gitolite
 #   sudo ln -s /var/lib/ikiwiki/wiki.fripost.org /var/lib/gitolite/repositories/fripost-wiki.git/hooks/post-update
 #   $ /usr/bin/sudo -u ikiwiki git clone ssh://gitolite@localhost/fripost-wiki.git
 
 - name: Configure ikiwiki
   copy: src=var/lib/ikiwiki/fripost-wiki.setup
         dest=/var/lib/ikiwiki/fripost-wiki.setup
         owner=root group=root
         mode=0644
   notify:
     - Refresh ikiwiki
 
 - name: Add fripost-wiki to /etc/ikiwiki/wikilist
   lineinfile: dest=/etc/ikiwiki/wikilist
               "line=ikiwiki /var/lib/ikiwiki/fripost-wiki.setup"
               owner=root group=root
               mode=0644
 
 - meta: flush_handlers
 
-- name: Generate a private key and a X.509 certificate for Nginx
-  command: genkeypair.sh x509
-                         --pubkey=/etc/nginx/ssl/fripost.org.pem
-                         --privkey=/etc/nginx/ssl/fripost.org.key
-                         --ou=WWW --cn=fripost.org --dns=fripost.org --dns=wiki.fripost.org
-                         -t rsa -b 4096 -h sha512
-  register: r1
-  changed_when: r1.rc == 0
-  failed_when: r1.rc > 1
-  notify:
-    - Restart Nginx
-  tags:
-    - genkey
-
 - name: Copy /etc/nginx/sites-available/{wiki,website}
   copy: src=etc/nginx/sites-available/{{ item }}
         dest=/etc/nginx/sites-available/{{ item }}
         owner=root group=root
         mode=0644
-  register: r2
+  register: r1
   with_items:
     - website
     - wiki
   notify:
     - Restart Nginx
 
 - name: Create /etc/nginx/sites-enabled/{wiki,website}
   file: src=../sites-available/{{ item }}
         dest=/etc/nginx/sites-enabled/{{ item }}
         owner=root group=root
         state=link force=yes
-  register: r3
+  register: r2
   with_items:
     - website
     - wiki
   notify:
     - Restart Nginx
 
 - name: Start Nginx
   service: name=nginx state=started
-  when: not (r1.changed or r2.changed or r3.changed)
+  when: not (r1.changed or r2.changed)
 
 - meta: flush_handlers
 
 - name: Fetch Nginx's X.509 certificate
   # Ensure we don't fetch private data
   sudo: False
-  fetch: src=/etc/nginx/ssl/fripost.org.pem
-         dest=certs/public/
+  fetch: src=/etc/nginx/ssl/www.fripost.org.pem
+         dest=certs/public/fripost.org.pem
          fail_on_missing=yes
          flat=yes
   tags:
     - genkey
 
 - name: Create directory /var/www/fripost.org/autoconfig/mail
   file: path=/var/www/fripost.org/autoconfig/mail
         state=directory
         owner=root group=root
         mode=0755
 
 - name: Copy /var/www/fripost.org/autoconfig/mail/config-v1.1.xml
   copy: src=var/www/fripost.org/autoconfig/mail/config-v1.1.xml
         dest=/var/www/fripost.org/autoconfig/mail/config-v1.1.xml
         owner=root group=root
         mode=0644