From 500f83aab841b951c315c05f61c25d821947c4fd Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Mon, 7 Oct 2024 17:13:17 +0200
Subject: [PATCH] HAPROXY: OCSP management is now conditional.

---
 defaults/main.yml                        |  3 +-
 tasks/haproxy-ssl.yml                    | 40 ++++++++++++++++++------
 templates/haproxy-letsencrypt-acme.sh.j2 | 11 ++++++-
 3 files changed, 43 insertions(+), 11 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 7fd48d6..4bb3658 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -43,8 +43,9 @@ haproxy_admin_socket_dir: /run/haproxy
 haproxy_admin_socket_file: admin.sock
 haproxy_admin_socket: '{{ haproxy_admin_socket_dir }}/{{ haproxy_admin_socket_file }}'
 
-haproxy_letsencrypt_managed: True
+haproxy_letsencrypt_managed: true
 haproxy_cert_dir: '{{ pki_dir }}/haproxy'
+haproxy_ssl_ocsp_enabled: false
 
 haproxy_install_additional_pkgs: False
 haproxy_additional_pkgs:
diff --git a/tasks/haproxy-ssl.yml b/tasks/haproxy-ssl.yml
index 76c563e..a90bbb6 100644
--- a/tasks/haproxy-ssl.yml
+++ b/tasks/haproxy-ssl.yml
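Review bot: Defaulting `haproxy_ssl_ocsp_enabled` to `false` silently changes existing deployments: on the next run the role takes the new `when: not haproxy_ssl_ocsp_enabled` branch in tasks/haproxy-ssl.yml and removes the daily OCSP refresh that was previously unconditional, so a haproxy that was stapling will presumably keep serving its last fetched response until that expires. Consider defaulting to `true` for backward compatibility, or at least documenting the switch above the new key, e.g. `# true installs hapos-upd plus a daily cron job refreshing the stapled OCSP response; false removes that cron job (the refresh used to be unconditional).` While normalising booleans here, `haproxy_install_additional_pkgs: False` two lines below still uses the capitalised form the commit replaces for `haproxy_letsencrypt_managed`.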
@@ -1,17 +1,39 @@
 ---
 
-- block:
-  - name: Install the socat binary needed to talk to the haproxy socket
-    apt: name=socat state=latest update_cache=yes cache_valid_time=3600
+- name: haproxy-ssl | Manage OCSP
+  tags: ['haproxy', 'letsencrypt', 'ssl', 'ssl_ocsp']
+  when: haproxy_ssl_ocsp_enabled
+  block:
+    - name: haproxy-ssl | Install the socat binary needed to talk to the haproxy socket
+      ansible.builtin.apt:
+        name: socat
+        state: present
+        cache_valid_time: 3600
 
-  - name: Install a script that refreshes the OCSP configuration and reloads haproxy if needed
-    get_url: url='https://raw.githubusercontent.com/pierky/haproxy-ocsp-stapling-updater/master/hapos-upd' dest=/usr/local/bin/hapos-upd owner=root group=root mode=0755
+    - name: haproxy-ssl | Install a script that refreshes the OCSP configuration and reloads haproxy if needed
+      ansible.builtin.get_url:
+        url: 'https://raw.githubusercontent.com/pierky/haproxy-ocsp-stapling-updater/master/hapos-upd'
+        dest: /usr/local/bin/hapos-upd
+        owner: root
+        group: root
+        mode: "0755"
 
-  - name: Install a cron job that refreshes the OCSP configuration
-    cron:
+    - name: haproxy-ssl | Install a cron job that refreshes the OCSP configuration
+      ansible.builtin.cron:
         name: "Refresh the haproxy OCSP information"
         user: root
+        cron_file: haproxy_ocsp
         special_time: daily
+        state: present
         job: "/usr/local/bin/hapos-upd {% if haproxy_docker_container %}-S{% endif %} --cert {{ haproxy_cert_dir }}/haproxy.pem -v {{ letsencrypt_acme_certs_dir }}/fullchain -s {% if not haproxy_docker_container %}{{ haproxy_admin_socket }}{% else %}{{ haproxy_docker_socket_dir }}/{{ haproxy_admin_socket_file }}{% endif %} -v - >/var/log/hapos-upd.log 2>&1{% if haproxy_docker_container %} ; docker kill --signal USR2 $(docker container ls --filter name=haproxy_haproxy --quiet){% endif %}"
-  tags: [ 'haproxy', 'letsencrypt', 'ssl', 'ssl_ocsp' ]
-
+- name: haproxy-ssl | Disable the OCSP handling
+  tags: ['haproxy', 'letsencrypt', 'ssl', 'ssl_ocsp']
+  when: not haproxy_ssl_ocsp_enabled
+  block:
+    - name: haproxy-ssl | Remove the cron job that refreshes the OCSP configuration
+      ansible.builtin.cron:
+        name: "Refresh the haproxy OCSP information"
+        user: root
+        cron_file: haproxy_ocsp
+        special_time: daily
+        state: absent
diff --git a/templates/haproxy-letsencrypt-acme.sh.j2 b/templates/haproxy-letsencrypt-acme.sh.j2
index 412a24a..b647ded 100644
--- a/templates/haproxy-letsencrypt-acme.sh.j2
+++ b/templates/haproxy-letsencrypt-acme.sh.j2
@@ -23,8 +23,17 @@ fi
 
 haproxy_socket={% if not haproxy_docker_container %}{{ haproxy_admin_socket }}{% else %}{{ haproxy_docker_socket_dir }}/{{ haproxy_admin_socket_file }}{% endif %}
 
+echo "Check if the certificate must be replaced" >> $LE_LOG_DIR/haproxy.log
+cat ${LE_CERTS_DIR}/{fullchain,privkey} > ${HAPROXY_CERTFILE}.new
+cmp ${HAPROXY_CERTFILE}.new ${HAPROXY_CERTFILE} 2>/dev/null
+if [ $? -eq 0 ] ; then
+  echo "The certificate is up to date" >> $LE_LOG_DIR/haproxy.log
+  rm -f ${HAPROXY_CERTFILE}.new
+  exit 0
+fi
+
 echo "Building the new certificate file" >> $LE_LOG_DIR/haproxy.log
-cat ${LE_CERTS_DIR}/{fullchain,privkey} > ${HAPROXY_CERTFILE}
+/bin/mv -f ${HAPROXY_CERTFILE}.new ${HAPROXY_CERTFILE}
 chmod 440 ${HAPROXY_CERTFILE}
 chgrp haproxy ${HAPROXY_CERTFILE}
 
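Review bot: The new `cron_file: haproxy_ocsp` moves the job into its own cron file, but the removal task only targets that file: hosts provisioned by the previous version carry the entry in root's per-user crontab (the removed task had no `cron_file`), which neither the enable nor the disable path touches, so upgraded hosts will likely end up with the refresh duplicated or, when disabled, still running. A cleanup task using the same `name: "Refresh the haproxy OCSP information"`, `user: root` and `state: absent` but no `cron_file` would retire the legacy entry. The disable block also leaves `/usr/local/bin/hapos-upd` and socat in place, which may be intended but deserves a comment. Separately, the `get_url` task still pulls the script from an unpinned `master` URL and installs it `0755` for root's daily cron without a `checksum:`; pinning the URL to a commit and adding `checksum: "sha256:<PLACEHOLDER_DIGEST>"` would make the download verifiable.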
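Review bot: `cat ... > ${HAPROXY_CERTFILE}.new` writes the private key into a file created under the shell's default umask, and that file is either unlinked or renamed over `${HAPROXY_CERTFILE}` before the `chmod 440` / `chgrp haproxy` lines run, so the key is briefly readable by whatever the umask allows and the live file momentarily carries the `.new` file's creation mode. Create it restrictively and fix ownership before the rename, e.g. `( umask 077; cat ${LE_CERTS_DIR}/{fullchain,privkey} > ${HAPROXY_CERTFILE}.new )` followed by `chmod 440 ${HAPROXY_CERTFILE}.new; chgrp haproxy ${HAPROXY_CERTFILE}.new` ahead of `/bin/mv -f`, which also makes the swap atomic with the final permissions. A failed `cat` (missing fullchain or privkey) still leaves a `.new` file that `cmp` reports as different, so it would be moved over the working certificate; checking `cat`'s exit status, or relying on `set -e` if the script's header sets it, avoids that. The script's preamble and the rest of the file are outside the hunk.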