certbot: commit hook must be executed at the end

CHANGELOG.md

@@ -46,6 +46,7 @@ The **patch** part changes incrementally at each release.
 * removed some deprecations for Ansible 2.7
 * apache: improve permissions in save_apache_status script
 * apt: hold packages only if package is installed
+* certbot: commit hook must be executed at the end
 * elasticsearch: listen on local interface only by default
 * evocheck: upstream version 19.11.2
 * evocheck: cron jobs execute in verbose

certbot/files/hooks/z-commit-etc.sh

@@ -18,7 +18,7 @@ main() {
 
       if [ "${changed_lines}" != "0" ]; then
           debug "Committing for ${RENEWED_DOMAINS}"
-          ${git_bin} add --all ${letsencrypt_dir}
+          ${git_bin} add --all
           message="[letsencrypt] certificates renewal (${RENEWED_DOMAINS})"
           ${git_bin} commit --message "${message}" --quiet
       else

certbot/tasks/main.yml

@@ -21,3 +21,17 @@
     mode: "0700"
     owner: root
     group: root
+
+- name: Move commit-etc.sh to z-commit-etc.sh if present
+  command: "mv /etc/letsencrypt/renewal-hooks/deploy/commit-etc.sh /etc/letsencrypt/renewal-hooks/deploy/z-commit-etc.sh"
+  args:
+    removes: /etc/letsencrypt/renewal-hooks/deploy/commit-etc.sh
+    creates: /etc/letsencrypt/renewal-hooks/deploy/z-commit-etc.sh
+
+- name: "certbot lock is ignored by Git"
+  lineinfile:
+    dest: /etc/.gitignore
+    line: letsencrypt/.certbot.lock
+    create: yes
+    owner: root
+    mode: "0600"