From 70b1b529769948ca5491a5166c5d1be43b69456a Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico <adellam@isti.cnr.it>
Date: Fri, 27 Oct 2017 12:49:50 +0200
Subject: [PATCH] haproxy: Run the OCSP stapling script after a certificate has
 been renewed. See https://support.d4science.org/issues/10008

---
 haproxy/tasks/haproxy-letsencrypt-acmetool.yml              | 2 +-
 haproxy/tasks/haproxy-ssl.yml                               | 2 +-
 .../haproxy-letsencrypt-acme.sh.j2}                         | 6 ++++++
 3 files changed, 8 insertions(+), 2 deletions(-)
 rename haproxy/{files/haproxy-letsencrypt-acme.sh => templates/haproxy-letsencrypt-acme.sh.j2} (75%)

diff --git a/haproxy/tasks/haproxy-letsencrypt-acmetool.yml b/haproxy/tasks/haproxy-letsencrypt-acmetool.yml
index 857fb3a..3b4ba71 100644
--- a/haproxy/tasks/haproxy-letsencrypt-acmetool.yml
+++ b/haproxy/tasks/haproxy-letsencrypt-acmetool.yml
@@ -7,7 +7,7 @@
   tags: [ 'haproxy', 'letsencrypt' ]
 
 - name: Install a script that fix the letsencrypt certificate for haproxy and then reload the service
-  copy: src=haproxy-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/haproxy owner=root group=root mode=4555
+  template: src=haproxy-letsencrypt-acme.sh.j2 dest={{ letsencrypt_acme_services_scripts_dir }}/haproxy owner=root group=root mode=4555
   when:
     - haproxy_letsencrypt_managed
     - letsencrypt_acme_install
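Review bot: The new `template:` line keeps `mode=4555` on what hunk 3 shows is a shell script; Linux ignores the setuid bit on interpreted scripts, so the bit grants nothing at runtime but leaves a setuid-root file for auditors to chase, and since the script is now rendered from a template with site variables inside it, a plain `mode=0755` is the honest permission. If the script is invoked as root by acmetool (not visible here — please confirm), nothing depends on the setuid bit. While touching this line, the inline `key=value` form could become block YAML (`template:` with `src:`, `dest:`, `owner:`, `group:`, `mode: "0755"`) to match the `cron:` task in haproxy-ssl.yml. The task's `when:` list may continue past the end of this hunk.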
diff --git a/haproxy/tasks/haproxy-ssl.yml b/haproxy/tasks/haproxy-ssl.yml
index 7750336..f873d46 100644
--- a/haproxy/tasks/haproxy-ssl.yml
+++ b/haproxy/tasks/haproxy-ssl.yml
@@ -8,7 +8,7 @@
 
     - name: Install a cron job that refreshes the OCSP configuration
       cron:
-        name: "Refresh haproxy OCSP information"
+        name: "Refresh the haproxy OCSP information"
         user: root
         special_time: daily
         job: "/usr/local/bin/hapos-upd --cert {{ haproxy_cert_dir }}/haproxy.pem -v {{ letsencrypt_acme_certs_dir }}/fullchain -s {{ haproxy_admin_socket }} >/var/log/hapos-upd.log 2>&1"
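Review bot: Renaming `name:` to "Refresh the haproxy OCSP information" changes the key the Ansible cron module uses to find the entry, so on hosts that already ran the old play the entry named "Refresh haproxy OCSP information" is left in root's crontab and the OCSP refresh runs twice a day (inferred from the module's name-based matching; worth checking on an already-deployed host). A follow-up task removing the old entry fixes that, e.g. `- name: Remove the old OCSP cron job` / `cron: name="Refresh haproxy OCSP information" user=root state=absent`, kept until all hosts have converged. The cron `job:` command on the last context line duplicates the hapos-upd invocation added to the script in this commit; a single variable holding the command would keep the two from drifting.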
diff --git a/haproxy/files/haproxy-letsencrypt-acme.sh b/haproxy/templates/haproxy-letsencrypt-acme.sh.j2
similarity index 75%
rename from haproxy/files/haproxy-letsencrypt-acme.sh
rename to haproxy/templates/haproxy-letsencrypt-acme.sh.j2
index 6746458..7628d4c 100644
--- a/haproxy/files/haproxy-letsencrypt-acme.sh
+++ b/haproxy/templates/haproxy-letsencrypt-acme.sh.j2
@@ -30,6 +30,12 @@ else
     service haproxy reload >> $LE_LOG_DIR/haproxy.log 2>&1
 fi
 
+# Run the OCSP stapling script
+if [ -x /usr/local/bin/hapos-upd ] ; then
+    echo "Run the OCSP stapling script" >> $LE_LOG_DIR/haproxy.log
+    /usr/local/bin/hapos-upd --cert {{ haproxy_cert_dir }}/haproxy.pem -v {{ letsencrypt_acme_certs_dir }}/fullchain -s {{ haproxy_admin_socket }} >> $LE_LOG_DIR/haproxy.log 2>&1
+fi
+
 echo "Done." >> $LE_LOG_DIR/haproxy.log
 
 exit 0
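Review bot: The added hapos-upd call discards its exit status: a failed OCSP refresh is followed by "Done." and `exit 0`, so haproxy keeps serving a stale staple after a renewal with nothing in the log flagging it. Wrapping the call in a test, `if ! /usr/local/bin/hapos-upd … >> $LE_LOG_DIR/haproxy.log 2>&1 ; then echo "OCSP stapling update failed" >> $LE_LOG_DIR/haproxy.log ; fi`, records the failure without changing the script's overall exit code, which earlier steps may rely on. The templated paths are unquoted in the shell command; `--cert "{{ haproxy_cert_dir }}/haproxy.pem"` (and likewise for the other two arguments) guards against word splitting if a variable ever contains whitespace. The `else` case (hapos-upd not installed) could also log one line so a missing binary is distinguishable from a successful run.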