From 708f8027ef9a3efc6f09ae286321b183dd6f9419 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Mon, 20 Aug 2018 19:18:27 +0200
Subject: [PATCH] Adapt the haproxy role so that it supports both letsencrypt acmetool and acme.sh
---
 haproxy/tasks/haproxy-letsencrypt-acme-sh.yml | 18 +++++++++++++++
 .../tasks/haproxy-letsencrypt-acmetool.yml | 23 +++++++++++--------
 haproxy/tasks/haproxy-letsencrypt.yml | 7 ------
 haproxy/tasks/main.yml | 8 +++----
 .../templates/haproxy-letsencrypt-acme.sh.j2 | 12 +++++++---
 5 files changed, 44 insertions(+), 24 deletions(-)
 create mode 100644 haproxy/tasks/haproxy-letsencrypt-acme-sh.yml
 delete mode 100644 haproxy/tasks/haproxy-letsencrypt.yml
diff --git a/haproxy/tasks/haproxy-letsencrypt-acme-sh.yml b/haproxy/tasks/haproxy-letsencrypt-acme-sh.yml
new file mode 100644
index 00000000..2e2f8d73
--- /dev/null
+++ b/haproxy/tasks/haproxy-letsencrypt-acme-sh.yml
@@ -0,0 +1,18 @@
+---
+- block:
+ - name: Create the acme hooks directory if it does not yet exist
+ file: dest={{ letsencrypt_acme_sh_services_scripts_dir }} state=directory owner=root group=root
+
+ - name: Install a script that fix the letsencrypt certificate for haproxy and then reload the service
+ template: src=haproxy-letsencrypt-acme.sh.j2 dest={{ letsencrypt_acme_sh_services_scripts_dir }}/haproxy owner=root group=root mode=4555
+
+ - name: When we are going to install letsencrypt certificates, create a preliminary path and a self signed cert. Now handle the haproxy special case
+ shell: mkdir {{ pki_dir }}/haproxy ; cat {{ letsencrypt_acme_user_home | default(omit) }}/live/{{ ansible_fqdn }}/privkey {{ letsencrypt_acme_user_home | default(omit) }}/live/{{ ansible_fqdn }}/cert > {{ pki_dir }}/haproxy/haproxy.pem
+ args:
+ creates: '{{ pki_dir }}/haproxy/haproxy.pem'
+ tags: [ 'pki', 'ssl', 'letsencrypt', 'haproxy', 'letsencrypt_acme_sh' ]
+
+ when:
+ - haproxy_letsencrypt_managed
+ - letsencrypt_acme_sh_install
+ tags: [ 'haproxy', 'letsencrypt', 'letsencrypt_acme_sh' ]
diff --git a/haproxy/tasks/haproxy-letsencrypt-acmetool.yml b/haproxy/tasks/haproxy-letsencrypt-acmetool.yml
index 3b4ba713..8cadc2c7 100644
--- a/haproxy/tasks/haproxy-letsencrypt-acmetool.yml
+++ b/haproxy/tasks/haproxy-letsencrypt-acmetool.yml
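Review bot: The `shell` task writes the Let's Encrypt private key into `{{ pki_dir }}/haproxy/haproxy.pem` with whatever mode the shell's umask yields, so the combined key+cert is typically created world-readable; prefix the command with `umask 077;` (and use `mkdir -p`) or add a `file:` task that sets `mode=0600` on the result. The hook script is installed with `mode=4555`, which in Ansible's octal reading of a digit string requests the setuid bit on a root-owned script; the file this role previously shipped used `mode=0550`, which is what is meant here. `{{ letsencrypt_acme_user_home | default(omit) }}` embedded in a shell string does not omit anything — `omit` only works as a whole module argument, so an undefined variable renders Ansible's omit placeholder into the path; use a concrete default or let the task fail on the undefined variable. The acmetool hunk below has the same three issues.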
@@ -1,15 +1,18 @@
 ---
-- name: Create the acme hooks directory if it does not yet exist
- file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root
+- block:
+ - name: Create the acme hooks directory if it does not yet exist
+ file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root
+
+ - name: Install a script that fix the letsencrypt certificate for haproxy and then reload the service
+ template: src=haproxy-letsencrypt-acme.sh.j2 dest={{ letsencrypt_acme_services_scripts_dir }}/haproxy owner=root group=root mode=4555
+
+ - name: When we are going to install letsencrypt certificates, create a preliminary path and a self signed cert. Now handle the haproxy special case
+ shell: mkdir {{ pki_dir }}/haproxy ; cat {{ letsencrypt_acme_user_home | default(omit) }}/live/{{ ansible_fqdn }}/privkey {{ letsencrypt_acme_user_home | default(omit) }}/live/{{ ansible_fqdn }}/cert > {{ pki_dir }}/haproxy/haproxy.pem
+ args:
+ creates: '{{ pki_dir }}/haproxy/haproxy.pem'
+ tags: [ 'pki', 'ssl', 'letsencrypt', 'haproxy' ]
+
 when:
 - haproxy_letsencrypt_managed
 - letsencrypt_acme_install
 tags: [ 'haproxy', 'letsencrypt' ]
-
-- name: Install a script that fix the letsencrypt certificate for haproxy and then reload the service
- template: src=haproxy-letsencrypt-acme.sh.j2 dest={{ letsencrypt_acme_services_scripts_dir }}/haproxy owner=root group=root mode=4555
- when:
- - haproxy_letsencrypt_managed
- - letsencrypt_acme_install
- tags: [ 'haproxy', 'letsencrypt' ]
-
diff --git a/haproxy/tasks/haproxy-letsencrypt.yml b/haproxy/tasks/haproxy-letsencrypt.yml
deleted file mode 100644
index d95ac98b..00000000
--- a/haproxy/tasks/haproxy-letsencrypt.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-- name: Install a script that fix the letsencrypt certificate for haproxy and then reload the service
- copy: src=haproxy-letsencrypt.sh dest={{ letsencrypt_services_scripts_dir }}/haproxy owner=root group=root mode=0550
- when:
- - haproxy_letsencrypt_managed
- - letsencrypt_install
- tags: [ 'haproxy', 'letsencrypt' ]
diff --git a/haproxy/tasks/main.yml b/haproxy/tasks/main.yml
index a24b731e..2bbb6a10 100644
--- a/haproxy/tasks/main.yml
+++ b/haproxy/tasks/main.yml
@@ -1,13 +1,13 @@
 ---
 - import_tasks: haproxy-service.yml
-- import_tasks: haproxy-letsencrypt.yml
+- import_tasks: haproxy-letsencrypt-acme-sh.yml
 when:
 - haproxy_letsencrypt_managed
- - letsencrypt_install is defined
+ - letsencrypt_acme_sh_install is defined and letsencrypt_acme_sh_install
 - import_tasks: haproxy-letsencrypt-acmetool.yml
 when:
 - haproxy_letsencrypt_managed
- - letsencrypt_acme_install is defined
+ - letsencrypt_acme_install is defined and letsencrypt_acme_install
 - import_tasks: haproxy-ssl.yml
 when:
 - haproxy_letsencrypt_managed
@@ -18,7 +18,7 @@
 - nagios_enabled
 - name: Ensure that haproxy is enabled and started
- service: name=haproxy state=started enabled=yes
+ service: name=haproxy state=restarted enabled=yes
 when: haproxy_enabled
 ignore_errors: True
 tags: haproxy
diff --git a/haproxy/templates/haproxy-letsencrypt-acme.sh.j2 b/haproxy/templates/haproxy-letsencrypt-acme.sh.j2
index 0d274fab..7c01400f 100644
--- a/haproxy/templates/haproxy-letsencrypt-acme.sh.j2
+++ b/haproxy/templates/haproxy-letsencrypt-acme.sh.j2
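Review bot: Changing the last task of main.yml to `state=restarted` restarts haproxy on every run of the role, not only when its configuration or certificate changed, so each playbook execution drops in-flight connections on the load balancer; keep `service: name=haproxy state=started enabled=yes` here and move the restart into a handler that the config and certificate tasks `notify`. With `ignore_errors: True` on the same task, a restart that fails on a broken config is only logged while the play continues and the proxy stays down. The `import_tasks` hunk above is fine as written.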
@@ -12,8 +12,14 @@ DATE=$( date )
 [ ! -d $LE_LOG_DIR ] && mkdir $LE_LOG_DIR
 echo "$DATE" >> $LE_LOG_DIR/haproxy.log
-if [ -f /etc/default/letsencrypt ] ; then
- . /etc/default/letsencrypt
+{% if letsencrypt_acme_install %}
+LE_ENV_FILE=/etc/default/letsencrypt
+{% endif %}
+{% if letsencrypt_acme_sh_install %}
+LE_ENV_FILE=/etc/default/acme_sh_request_env
+{% endif %}
+if [ -f "$LE_ENV_FILE" ] ; then
+ . "$LE_ENV_FILE"
 else
 echo "No letsencrypt default file" >> $LE_LOG_DIR/haproxy.log
 fi
@@ -33,7 +39,7 @@ fi
 # Run the OCSP stapling script
 if [ -x /usr/local/bin/hapos-upd ] ; then
 echo "Run the OCSP stapling updater script" >> $LE_LOG_DIR/haproxy.log
- /usr/local/bin/hapos-upd --cert {{ haproxy_cert_dir }}/haproxy.pem -v {{ letsencrypt_acme_certs_dir }}/fullchain -s {{ haproxy_admin_socket }} -v - >> $LE_LOG_DIR/haproxy.log 2>&1
+ /usr/local/bin/hapos-upd --cert {{ haproxy_cert_dir }}/haproxy.pem -v ${LE_CERTS_DIR}/fullchain -s {{ haproxy_admin_socket }} -v - >> $LE_LOG_DIR/haproxy.log 2>&1
 else
 echo "No OCPS stapling updater script" >> $LE_LOG_DIR/haproxy.log
 fi
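Review bot: `LE_ENV_FILE` is assigned by two independent `{% if %}` blocks, so when both `letsencrypt_acme_install` and `letsencrypt_acme_sh_install` are true the acme.sh path silently wins, and when neither is true the variable is never set and the script falls through to the `else` branch with nothing but a log line. Make the choice explicit by turning the second block into `{% elif letsencrypt_acme_install %}` and dropping the first `{% endif %}`, or fail the render when both flags are set. Unless the role's defaults define both variables, rendering this template from the task file that only guarantees one of them will also raise an undefined-variable error, which `| default(false)` on each test would avoid.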
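Review bot: `${LE_CERTS_DIR}/fullchain` now depends on a variable that presumably comes from the sourced env file, but the env-file check earlier in the script only logs when the file is missing and carries on, so in that case hapos-upd is pointed at `/fullchain`. Guard the call on the variable as well, e.g. `if [ -x /usr/local/bin/hapos-upd ] && [ -n "$LE_CERTS_DIR" ] ; then`, or exit right after the "No letsencrypt default file" log line. The script's header and the lines between the two hunks are outside this view.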