fix: issue a single certificate per site

Author: fauno

ansible/roles/distributed_press/tasks/main.yml

@@ -206,7 +206,11 @@
     name: nginx
 
 - name: "Register certbot certificate"
-  shell: "certbot --nginx --non-interactive -d {{distributed_press_domain}} {{ distributed_press_served_sites | map('regex_replace', '^', '-d ') | join(' ') }} {% if (social_inbox_enabled) %} -d {{ social_inbox_domain }} {% endif %}--expand --agree-tos --no-eff-email --email {{distributed_press_letsencrypt_email}}"
+  shell: "certbot --nginx --non-interactive -d {{distributed_press_domain}} {% if (social_inbox_enabled) %} -d {{ social_inbox_domain }} {% endif %}--expand --agree-tos --no-eff-email --email {{distributed_press_letsencrypt_email}}"
+
+- name: "Register certbot certificate for each site"
+  shell: "certbot --nginx --non-interactive -d {{item}} --expand --agree-tos --no-eff-email --email {{distributed_press_letsencrypt_email}}"
+  loop: "{{distributed_press_served_sites}}"
 
 - name: "Copy over default site config"
   template:

ansible/roles/distributed_press/templates/nginx-static.j2

@@ -36,8 +36,8 @@ server {
 
   listen [::]:443 ssl; # managed by Certbot
   listen 443 ssl; # managed by Certbot
-  ssl_certificate /etc/letsencrypt/live/{{distributed_press_cert_name}}/fullchain.pem; # managed by Certbot
-  ssl_certificate_key /etc/letsencrypt/live/{{distributed_press_cert_name}}/privkey.pem; # managed by Certbot
+  ssl_certificate /etc/letsencrypt/live/{{item}}/fullchain.pem; # managed by Certbot
+  ssl_certificate_key /etc/letsencrypt/live/{{item}}/privkey.pem; # managed by Certbot
   include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
   ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
 }