From 17223bed9cac3a0af65e3ed471a3aa0740c2e001 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Tue, 29 Dec 2020 22:53:47 +0100
Subject: [PATCH] skip the service reload in the ocsp script. Reload the container in the cron job.
---
 tasks/haproxy-ssl.yml | 2 +-
 templates/haproxy-letsencrypt-acme.sh.j2 | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/tasks/haproxy-ssl.yml b/tasks/haproxy-ssl.yml
index a1c69eb..76c563e 100644
--- a/tasks/haproxy-ssl.yml
+++ b/tasks/haproxy-ssl.yml
@@ -11,7 +11,7 @@
 name: "Refresh the haproxy OCSP information"
 user: root
 special_time: daily
- job: "/usr/local/bin/hapos-upd --cert {{ haproxy_cert_dir }}/haproxy.pem -v {{ letsencrypt_acme_certs_dir }}/fullchain -s {% if not haproxy_docker_container %}{{ haproxy_admin_socket }}{% else %}{{ haproxy_docker_socket_dir }}/{{ haproxy_admin_socket_file }}{% endif %} -v - >/var/log/hapos-upd.log 2>&1"
+ job: "/usr/local/bin/hapos-upd {% if haproxy_docker_container %}-S{% endif %} --cert {{ haproxy_cert_dir }}/haproxy.pem -v {{ letsencrypt_acme_certs_dir }}/fullchain -s {% if not haproxy_docker_container %}{{ haproxy_admin_socket }}{% else %}{{ haproxy_docker_socket_dir }}/{{ haproxy_admin_socket_file }}{% endif %} -v - >/var/log/hapos-upd.log 2>&1{% if haproxy_docker_container %} ; docker kill --signal USR2 $(docker container ls --filter name=haproxy_haproxy --quiet){% endif %}"
 tags: [ 'haproxy', 'letsencrypt', 'ssl', 'ssl_ocsp' ]
diff --git a/templates/haproxy-letsencrypt-acme.sh.j2 b/templates/haproxy-letsencrypt-acme.sh.j2
index 79c206a..c54a657 100644
--- a/templates/haproxy-letsencrypt-acme.sh.j2
+++ b/templates/haproxy-letsencrypt-acme.sh.j2
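Review bot: In the docker branch of the new `job:` line the `docker kill` is chained with `;`, so the container is signalled even when hapos-upd failed and nothing was updated, and its output escapes the log because the `>/var/log/hapos-upd.log 2>&1` redirection covers only the hapos-upd command (an empty `$(docker container ls …)` result, for instance, makes `docker kill` print a usage error to cron mail). Tying the reload to a successful update and capturing its output keeps the log the single place to look: `… >/var/log/hapos-upd.log 2>&1{% if haproxy_docker_container %} && docker kill --signal USR2 $(docker container ls --filter name=haproxy_haproxy --quiet) >>/var/log/hapos-upd.log 2>&1{% endif %}`. `--filter name=haproxy_haproxy` is also a partial-name match, so every container whose name contains that string receives SIGUSR2; if other containers with that prefix can exist on the host, anchor the filter (Docker treats the value as a regular expression, e.g. `name=^/haproxy_haproxy$`) or pass the exact container name to `docker kill`. The enclosing cron task continues outside the hunk (the header counts 7 old lines, only 5 are visible here).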
@@ -35,11 +35,11 @@ chgrp haproxy ${HAPROXY_CERTFILE}
 if [ -x /usr/local/bin/hapos-upd ] ; then
 upd_retval=
 echo "Run the OCSP stapling updater script" >> $LE_LOG_DIR/haproxy.log
- /usr/local/bin/hapos-upd --cert {{ haproxy_cert_dir }}/haproxy.pem -v ${LE_CERTS_DIR}/fullchain -s $haproxy_socket -v - >> $LE_LOG_DIR/haproxy.log 2>&1
+ /usr/local/bin/hapos-upd {% if haproxy_docker_container %}-S{% endif %} --cert {{ haproxy_cert_dir }}/haproxy.pem -v ${LE_CERTS_DIR}/fullchain -s $haproxy_socket -v - >> $LE_LOG_DIR/haproxy.log 2>&1
 upd_retval=$?
 if [ $upd_retval -ne 0 ] ; then
 rm -f ${HAPROXY_CERTFILE}.issuer
- /usr/local/bin/hapos-upd --cert {{ haproxy_cert_dir }}/haproxy.pem -v ${LE_CERTS_DIR}/fullchain -s $haproxy_socket -v - >> $LE_LOG_DIR/haproxy.log 2>&1
+ /usr/local/bin/hapos-upd {% if haproxy_docker_container %}-S{% endif %} --cert {{ haproxy_cert_dir }}/haproxy.pem -v ${LE_CERTS_DIR}/fullchain -s $haproxy_socket -v - >> $LE_LOG_DIR/haproxy.log 2>&1
 fi
 else
 echo "No OCPS stapling updater script" >> $LE_LOG_DIR/haproxy.log
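Review bot: The retry on the second added line (after `rm -f ${HAPROXY_CERTFILE}.issuer`) never records its exit status, so when both attempts fail `upd_retval` still holds the first failure and `$LE_LOG_DIR/haproxy.log` gives no way to tell a recovered run from one whose staple was never refreshed; add `upd_retval=$?` after the retry and log it, e.g. `[ $upd_retval -ne 0 ] && echo "OCSP stapling update failed twice (exit $upd_retval)" >> $LE_LOG_DIR/haproxy.log`. Both new lines also expand `$haproxy_socket` and `$LE_LOG_DIR` unquoted; `-s "$haproxy_socket"` and `>> "$LE_LOG_DIR/haproxy.log"` cost nothing and rule out word splitting if either value ever carries whitespace. Since `-S` means hapos-upd no longer triggers any reload in the container case, and nothing in this hunk does either, a one-line comment above the first call would save the next reader a trip to the cron task: `# -S: skip hapos-upd's own service reload (no init system in the container); the daily OCSP cron job signals the container instead`. The outer `if [ -x /usr/local/bin/hapos-upd ]` block closes outside the hunk.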