From 93bb1d549e9f51cf90fd2ea772aee5568ea12243 Mon Sep 17 00:00:00 2001 From: Ian Wienand Date: Wed, 22 May 2019 16:41:51 +1000 Subject: [PATCH] letsencrypt : use date call for serial number Per [1] ansible_date_time is NOT actually the date/time -- it is the time cached from the facts. It seems this can not be changed because, of course, things have started depending on this behaviour. This is particularly incorrect if you're using this as a serial number for DNS and it is not incrementing across runs, and thus bind is refusing to load the new entries in the acme.opendev.org zone during letsencrypt runs, and the TXT authentication fails. Use the suggested work-around in the issue which is an external call to date. [1] https://github.com/ansible/ansible/issues/22561 Change-Id: Ic3f12f52e8fbb87a7cd673c37c6c4280c56c2b0f --- .../roles/letsencrypt-install-txt-record/templates/zone.db.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/roles/letsencrypt-install-txt-record/templates/zone.db.j2 b/playbooks/roles/letsencrypt-install-txt-record/templates/zone.db.j2 index a888051fda..168e711636 100644 --- a/playbooks/roles/letsencrypt-install-txt-record/templates/zone.db.j2 +++ b/playbooks/roles/letsencrypt-install-txt-record/templates/zone.db.j2 @@ -2,7 +2,7 @@ $ORIGIN acme.opendev.org. $TTL 1m @ IN SOA adns1.opendev.org. hostmaster.opendev.org. ( - {{ ansible_date_time.epoch }} ; serial number unixtime + {{ lookup('pipe', 'date +%s') }} ; serial number unixtime 1h ; refresh (secondary checks for updates) 10m ; retry (secondary retries failed axfr) 10d ; expire (secondary ends serving old data)
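Review bot: the `lookup('pipe', 'date +%s')` on the SOA serial line runs on the Ansible controller, not on adns1.opendev.org, so the serial now reflects the controller's clock at template render time; two renders within the same second, or a controller whose clock is behind the serial already installed on the server, will still produce a serial that does not increase, and bind and the secondaries will keep serving the old zone just as before this change. Worth stating that assumption in the inline comment (e.g. `; serial number: controller unixtime at render`) so the next person debugging a stale TXT record knows which clock to check, and worth confirming that the zone is only re-rendered when the record set actually changes, so the serial is never expected to advance more than once per second.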