From ddb7ddc71b6ae03951c63726ba9eabc30211e7a3 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Tue, 28 May 2019 01:10:42 +0300
Subject: [PATCH] use fullchain certificates for nginx

---
 roles/nginx/server/templates/nginx.conf.j2 | 3 +--
 roles/nginx/site/tasks/main.yml | 16 ++--------------
 roles/nginx/site/templates/site.conf.j2 | 3 +--
 3 files changed, 4 insertions(+), 18 deletions(-)

diff --git a/roles/nginx/server/templates/nginx.conf.j2 b/roles/nginx/server/templates/nginx.conf.j2
index f594ede..227f25b 100644
--- a/roles/nginx/server/templates/nginx.conf.j2
+++ b/roles/nginx/server/templates/nginx.conf.j2
@@ -28,8 +28,7 @@ http {
 listen [::]:443 ssl;
 server_name {{ inventory_hostname }};
- ssl_certificate {{ tls_certs }}/{{ inventory_hostname }}.crt;
- ssl_trusted_certificate {{ tls_certs }}/ca.crt;
+ ssl_certificate {{ tls_certs }}/{{ inventory_hostname }}-fullchain.crt;
 ssl_certificate_key {{ tls_private }}/{{ inventory_hostname }}.key;
 ssl_client_certificate {{ tls_certs }}/ca.crt;
diff --git a/roles/nginx/site/tasks/main.yml b/roles/nginx/site/tasks/main.yml
index 9b4fd02..ecea36d 100644
--- a/roles/nginx/site/tasks/main.yml
+++ b/roles/nginx/site/tasks/main.yml
@@ -29,26 +29,14 @@
 - "/srv/ca/private/{{ inventory_hostname }}.key"
 notify: restart nginx
-- name: "copy site certificate chain for {{ site }}"
- copy:
- src: "{{ item }}"
- dest: "{{ tls_certs }}/{{ site }}-chain.crt"
- mode: 0644
- owner: root
- group: "{{ ansible_wheel }}"
- with_first_found:
- - "/srv/letsencrypt/live/{{ site }}/chain.pem"
- - "/srv/ca/certs/ca.crt"
- notify: restart nginx
-
 - name: "copy site certificate for {{ site }}"
 copy:
 src: "{{ item }}"
- dest: "{{ tls_certs }}/{{ site }}.crt"
+ dest: "{{ tls_certs }}/{{ site }}-fullchain.crt"
 mode: 0644
 owner: root
 group: "{{ ansible_wheel }}"
 with_first_found:
- - "/srv/letsencrypt/live/{{ site }}/cert.pem"
+ - "/srv/letsencrypt/live/{{ site }}/fullchain.pem"
 - "/srv/ca/certs/{{ inventory_hostname }}.crt"
 notify: restart nginx
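Review bot: Dropping `ssl_trusted_certificate {{ tls_certs }}/ca.crt;` in nginx.conf.j2 (and the matching `-chain.crt` line in site.conf.j2) also removes the trust anchor nginx uses to validate stapled OCSP responses; if `ssl_stapling_verify on;` is set anywhere outside this hunk, nginx will log that it cannot verify the responder and stapling quietly degrades. The full-chain file that replaces it is what `ssl_certificate` needs for clients but is not consulted for stapling verification, so keeping `ssl_trusted_certificate` pointing at the CA or chain file costs nothing. Separately, the template now reads `{{ inventory_hostname }}-fullchain.crt`, yet the diffstat lists no change under the server role's tasks, so unless that role already installs a `-fullchain.crt` file the restart notified by this change fails on a missing certificate; worth confirming before merging.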
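Review bot: The fallback source `/srv/ca/certs/{{ inventory_hostname }}.crt` is a bare leaf certificate, yet it is now installed under the `-fullchain.crt` name while the task that used to ship `ca.crt` alongside it is deleted, so hosts served from the internal CA present no intermediate at all. That is only correct if the internal CA is a single self-signed root (which should not be sent anyway); if an intermediate exists, the fallback needs a concatenated leaf-plus-intermediate file instead. The rename also leaves the previously deployed `{{ tls_certs }}/{{ site }}.crt` and `{{ tls_certs }}/{{ site }}-chain.crt` on managed hosts; a `file:` task with `state: absent` for both would stop stale material from being picked up by hand-edited configs.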
diff --git a/roles/nginx/site/templates/site.conf.j2 b/roles/nginx/site/templates/site.conf.j2
index 2c4f003..7c1c24a 100644
--- a/roles/nginx/site/templates/site.conf.j2
+++ b/roles/nginx/site/templates/site.conf.j2
@@ -4,8 +4,7 @@ server {
 listen [::]:443 ssl;
 server_name {{ site }};
- ssl_certificate {{ tls_certs }}/{{ site }}.crt;
- ssl_trusted_certificate {{ tls_certs }}/{{ site }}-chain.crt;
+ ssl_certificate {{ tls_certs }}/{{ site }}-fullchain.crt;
 ssl_certificate_key {{ tls_private }}/{{ site }}.key;
 {% if redirect is defined %}