library/roles/letsencrypt-client: Various fixes to the scripts.

library/roles/haproxy: callback that manages the certificates renewal from letsencrypt. Fixes https://support.d4science.org/issues/3258
This commit is contained in:
Andrea Dell'Amico 2016-04-13 19:52:10 +02:00
parent fd5a10b0e8
commit 5fc3c9964d
9 changed files with 100 additions and 47 deletions

View File

@ -11,3 +11,5 @@ haproxy_default_port: 80
haproxy_terminate_tls: False haproxy_terminate_tls: False
haproxy_ssl_port: 443 haproxy_ssl_port: 443
haproxy_admin_port: 8880 haproxy_admin_port: 8880
haproxy_letsencrypt_managed: False

View File

@ -0,0 +1,27 @@
#!/bin/bash
LE_SERVICES_SCRIPT_DIR=/usr/local/lib/letsencrypt
LE_CERTS_DIR=/etc/letsencrypt/live/$HOSTNAME
LE_LOG_DIR=/var/log/letsencrypt
HAPROXY_CERTDIR=/etc/pki/certs
HAPROXY_CERTFILE=$HAPROXY_CERTDIR/haproxy.pem
DATE=$( date )
echo "$DATE" >> $LE_LOG_DIR/haproxy.log
if [ -f /etc/default/letsencrypt ] ; then
. /etc/default/letsencrypt
else
echo "No letsencrypt default file" >> $LE_LOG_DIR/haproxy.log
fi
echo "Building the new certificate file" >> $LE_LOG_DIR/haproxy.log
cat ${LE_CERTS_DIR}/{fullchain.pem,privkey.pem} > ${HAPROXY_CERTFILE}
chmod 440 ${HAPROXY_CERTFILE}
chgrp haproxy ${HAPROXY_CERTFILE}
echo "Reload the haproxy service" >> $LE_LOG_DIR/haproxy.log
service haproxy reload >/dev/null 2>&1
echo "Done." >> $LE_LOG_DIR/haproxy.log
exit 0

View File

@ -0,0 +1,6 @@
---
- name: Install a script that fix the letsencrypt certificate for haproxy and then reload the service
copy: src=haproxy-letsencrypt.sh dest={{ letsencrypt_services_scripts_dir }}/haproxy owner=root group=root mode=0550
when: haproxy_letsencrypt_managed
tags: [ 'haproxy', 'letsencrypt' ]

View File

@ -0,0 +1,47 @@
---
- name: Get the haproxy repo key
apt_key: url=http://haproxy.debian.net/bernat.debian.org.gpg state=present
when: haproxy_latest_release
register: haproxy_repo
tags: haproxy
- name: Define the haproxy repository
apt_repository: repo='{{ haproxy_latest_repo }}' state=present update_cache=yes
when: haproxy_latest_release
register: haproxy_repo
tags: haproxy
- name: Install the haproxy package
apt: name=haproxy state=present default_release={{ ansible_lsb.codename }}-backports
when: not haproxy_latest_release
tags: haproxy
- name: Install the haproxy package
apt: name=haproxy state=latest default_release={{ ansible_lsb.codename }}-backports-{{ haproxy_version }}
when:
- haproxy_latest_release
- is_debian
tags: haproxy
- name: Install the haproxy package
apt: name=haproxy state=latest
when:
- haproxy_latest_release
- is_ubuntu
tags: haproxy
- name: Ensure that haproxy is enabled and started
service: name=haproxy state=restarted enabled=yes
when: haproxy_enabled
ignore_errors: True
tags: haproxy
- name: Haproxy puts a new rsyslog directive. Restart rsyslog to activate it. Reload is not sufficient
service: name=rsyslog state=restarted
when: haproxy_enabled
tags: haproxy
- name: Ensure that haproxy is stopped and disabled if needed
service: name=haproxy state=stopped enabled=no
when: not haproxy_enabled
tags: haproxy

View File

@ -1,47 +1,4 @@
--- ---
- name: Get the haproxy repo key - include: haproxy-service.yml
apt_key: url=http://haproxy.debian.net/bernat.debian.org.gpg state=present - include: haproxy-letsencrypt.yml
when: haproxy_latest_release when: haproxy_letsencrypt_managed
register: haproxy_repo
tags: haproxy
- name: Define the haproxy repository
apt_repository: repo='{{ haproxy_latest_repo }}' state=present update_cache=yes
when: haproxy_latest_release
register: haproxy_repo
tags: haproxy
- name: Install the haproxy package
apt: name=haproxy state=present default_release={{ ansible_lsb.codename }}-backports
when: not haproxy_latest_release
tags: haproxy
- name: Install the haproxy package
apt: name=haproxy state=latest default_release={{ ansible_lsb.codename }}-backports-{{ haproxy_version }}
when:
- haproxy_latest_release
- is_debian
tags: haproxy
- name: Install the haproxy package
apt: name=haproxy state=latest
when:
- haproxy_latest_release
- is_ubuntu
tags: haproxy
- name: Ensure that haproxy is enabled and started
service: name=haproxy state=restarted enabled=yes
when: haproxy_enabled
ignore_errors: True
tags: haproxy
- name: Haproxy puts a new rsyslog directive. Reload rsyslog to activate it
service: name=rsyslog state=reloaded
when: haproxy_enabled
tags: haproxy
- name: Ensure that haproxy is stopped and disabled if needed
service: name=haproxy state=stopped enabled=no
when: not haproxy_enabled
tags: haproxy

View File

@ -30,3 +30,4 @@ letsencrypt_text_interface: True
letsencrypt_domains: '{{ ansible_fqdn }} example.com example.org' letsencrypt_domains: '{{ ansible_fqdn }} example.com example.org'
letsencrypt_renew_by_default: True letsencrypt_renew_by_default: True
letsencrypt_standalone_port: 9999 letsencrypt_standalone_port: 9999

View File

@ -33,6 +33,11 @@
when: letsencrypt_install when: letsencrypt_install
tags: letsencrypt tags: letsencrypt
- name: Install a default file that shell scripts can include
template: src=letsencrypt-default.j2 dest=/etc/default/letsencrypt owner=root group=root mode=0644
when: letsencrypt_install
tags: letsencrypt
- name: Install the command that asks for the certificates and their renewal - name: Install the command that asks for the certificates and their renewal
template: src=letsencrypt-cert-request.sh.j2 dest=/usr/local/sbin/letsencrypt-cert-request owner=root group=root mode=0550 template: src=letsencrypt-cert-request.sh.j2 dest=/usr/local/sbin/letsencrypt-cert-request owner=root group=root mode=0550
when: letsencrypt_install when: letsencrypt_install

View File

@ -37,7 +37,7 @@ RETVAL=$?
for f in $( /bin/ls -1 $LE_SERVICES_SCRIPT_DIR ) ; do for f in $( /bin/ls -1 $LE_SERVICES_SCRIPT_DIR ) ; do
if [ -x $LE_SERVICES_SCRIPT_DIR/$f ] ; then if [ -x $LE_SERVICES_SCRIPT_DIR/$f ] ; then
echo "Running $LE_SERVICES_SCRIPT_DIR/$f" >> $LOG_DIR/letsencrypt_request.log echo "Running $LE_SERVICES_SCRIPT_DIR/$f" >> $LOG_DIR/letsencrypt_request.log
$f >> $LOG_DIR/letsencrypt_request.log 2>&1 $LE_SERVICES_SCRIPT_DIR/$f >> $LOG_DIR/letsencrypt_request.log 2>&1
fi fi
done done

View File

@ -0,0 +1,8 @@
RSA_KEY_SIZE={{ letsencrypt_rsa_key_size }}
LE_EMAIL={{ letsencrypt_email }}
LE_AUTHENTICATOR={{ letsencrypt_authenticator }}
LE_STANDALONE_SUPPORTED_CHALLENGES={{ letsencrypt_standalone_supp_challenges }}
LE_SERVICES_SCRIPT_DIR={{ letsencrypt_services_scripts_dir }}
LE_COMMAND={{ letsencrypt_auto }}
LE_CERTS_DIR={{ letsencrypt_certs_dir }}
LE_LOG_DIR={{ letsencrypt_logdir }}