From da2572ddb144086034eba1989ae909763e95c680 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Sun, 20 Dec 2015 14:13:08 +0100
Subject: Use the Let's Encrypt CA for our public certs.

---
 roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf |  2 +-
 roles/IMAP/tasks/imap.yml                       | 19 +++----------------
 2 files changed, 4 insertions(+), 17 deletions(-)

(limited to 'roles/IMAP')

diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
index dc0b5bf..114388e 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
@@ -9,7 +9,7 @@ ssl = required
 # dropping root privileges, so keep the key file unreadable by anyone but
 # root. Included doc/mkcert.sh can be used to easily generate self-signed
 # certificate, just make sure to update the domains in dovecot-openssl.cnf
-ssl_cert = </etc/dovecot/ssl/imap.fripost.org.pem
+ssl_cert = </etc/dovecot/ssl/imap.fripost.org.chained.pem
 ssl_key = </etc/dovecot/ssl/imap.fripost.org.key
 
 # If key file is password protected, give the password here. Alternatively
diff --git a/roles/IMAP/tasks/imap.yml b/roles/IMAP/tasks/imap.yml
index ec1aaac..c9686c9 100644
--- a/roles/IMAP/tasks/imap.yml
+++ b/roles/IMAP/tasks/imap.yml
@@ -76,19 +76,6 @@
         owner=root group=root
         mode=0755
 
-- name: Generate a private key and a X.509 certificate for Dovecot
-  command: genkeypair.sh x509
-                         --pubkey=/etc/dovecot/ssl/imap.fripost.org.pem
-                         --privkey=/etc/dovecot/ssl/imap.fripost.org.key
-                         --ou=IMAP --cn=imap.fripost.org
-                         -t rsa -b 4096 -h sha512
-  register: r1
-  changed_when: r1.rc == 0
-  failed_when: r1.rc > 1
-  notify:
-    - Restart Dovecot
-  tags:
-    - genkey
 
 - name: Fetch Dovecot's X.509 certificate
   # Ensure we don't fetch private data
@@ -105,7 +92,7 @@
         dest=/etc/dovecot/{{ item }}
         owner=root group=root
         mode=0644
-  register: r2
+  register: r1
   with_items:
     - conf.d/10-auth.conf
     - conf.d/10-logging.conf
@@ -132,14 +119,14 @@
               create=yes
               owner=root group=root
               mode=0644
-  register: r3
+  register: r2
   when: "'IMAP' in group_names and 'webmail' not in group_names"
   notify:
     - Restart Dovecot
 
 - name: Start Dovecot
   service: name=dovecot state=started
-  when: not (r1.changed or r2.changed or r3.changed)
+  when: not (r1.changed or r2.changed)
 
 - meta: flush_handlers
 
-- 
cgit v1.2.3