Adapt the haproxy role so that it supports both letsencrypt acmetool and acme.sh

This commit is contained in:
Andrea Dell'Amico 2018-08-20 19:18:27 +02:00
parent c35ab07597
commit 708f8027ef
5 changed files with 44 additions and 24 deletions


@ -0,0 +1,18 @@
---
- block:
- name: Create the acme hooks directory if it does not yet exist
file: dest={{ letsencrypt_acme_sh_services_scripts_dir }} state=directory owner=root group=root
- name: Install a script that fix the letsencrypt certificate for haproxy and then reload the service
template: src=haproxy-letsencrypt-acme.sh.j2 dest={{ letsencrypt_acme_sh_services_scripts_dir }}/haproxy owner=root group=root mode=4555
- name: When we are going to install letsencrypt certificates, create a preliminary path and a self signed cert. Now handle the haproxy special case
shell: mkdir {{ pki_dir }}/haproxy ; cat {{ letsencrypt_acme_user_home | default(omit) }}/live/{{ ansible_fqdn }}/privkey {{ letsencrypt_acme_user_home | default(omit) }}/live/{{ ansible_fqdn }}/cert > {{ pki_dir }}/haproxy/haproxy.pem
args:
creates: '{{ pki_dir }}/haproxy/haproxy.pem'
tags: [ 'pki', 'ssl', 'letsencrypt', 'haproxy', 'letsencrypt_acme_sh' ]
when:
- haproxy_letsencrypt_managed
- letsencrypt_acme_sh_install
tags: [ 'haproxy', 'letsencrypt', 'letsencrypt_acme_sh' ]
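Review bot: The `haproxy.pem` written by the `shell` task holds the Let's Encrypt private key, but the `>` redirection creates it under the default umask (typically 0644, world-readable) and no later task tightens it. Prefix the command with `umask 077;` (and use `mkdir -m 0700`) or follow the task with `file: path={{ pki_dir }}/haproxy/haproxy.pem owner=root group=root mode=0600`, so the key is never readable by other local users even briefly. Note also that `letsencrypt_acme_user_home | default(omit)` inside a shell string renders Ansible's literal omit placeholder rather than an empty path, so an undefined variable yields an unusable path instead of a clear failure; `default('')` or the `mandatory` filter would be clearer. The hook script is installed with `mode=4555`; the setuid bit is ignored for interpreter scripts and the file this commit deletes used `mode=0550`, so this looks like an accidental carry-over.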


@ -1,15 +1,18 @@
---
- name: Create the acme hooks directory if it does not yet exist
file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root
- block:
- name: Create the acme hooks directory if it does not yet exist
file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root
- name: Install a script that fix the letsencrypt certificate for haproxy and then reload the service
template: src=haproxy-letsencrypt-acme.sh.j2 dest={{ letsencrypt_acme_services_scripts_dir }}/haproxy owner=root group=root mode=4555
- name: When we are going to install letsencrypt certificates, create a preliminary path and a self signed cert. Now handle the haproxy special case
shell: mkdir {{ pki_dir }}/haproxy ; cat {{ letsencrypt_acme_user_home | default(omit) }}/live/{{ ansible_fqdn }}/privkey {{ letsencrypt_acme_user_home | default(omit) }}/live/{{ ansible_fqdn }}/cert > {{ pki_dir }}/haproxy/haproxy.pem
args:
creates: '{{ pki_dir }}/haproxy/haproxy.pem'
tags: [ 'pki', 'ssl', 'letsencrypt', 'haproxy' ]
when:
- haproxy_letsencrypt_managed
- letsencrypt_acme_install
tags: [ 'haproxy', 'letsencrypt' ]
- name: Install a script that fix the letsencrypt certificate for haproxy and then reload the service
template: src=haproxy-letsencrypt-acme.sh.j2 dest={{ letsencrypt_acme_services_scripts_dir }}/haproxy owner=root group=root mode=4555
when:
- haproxy_letsencrypt_managed
- letsencrypt_acme_install
tags: [ 'haproxy', 'letsencrypt' ]
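Review bot: The `shell` task guarded by `creates:` can leave an empty `haproxy.pem` that then blocks every later run: the shell opens the redirection target before `cat` executes, so when `privkey` or `cert` does not exist yet the task fails, the zero-length file stays, and on the next play `creates:` skips the task while haproxy is started with an empty certificate. Write to a temporary name and move it into place only on success, e.g. `cat ... > {{ pki_dir }}/haproxy/haproxy.pem.tmp && mv {{ pki_dir }}/haproxy/haproxy.pem.tmp {{ pki_dir }}/haproxy/haproxy.pem`, and replace the `;` after `mkdir` with `&&` so a failed `mkdir` aborts as well. The template task uses `mode=4555`; setuid on a shell script is not honored by the kernel and the deleted `haproxy-letsencrypt.yml` used `mode=0550`, so `mode=0550` is the safer equivalent with the same effect. The block-level `when:` already requires `letsencrypt_acme_install`, so the per-task `when:` that survived from the old layout on the last lines of the hunk is now redundant and can be dropped.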


@ -1,7 +0,0 @@
---
- name: Install a script that fix the letsencrypt certificate for haproxy and then reload the service
copy: src=haproxy-letsencrypt.sh dest={{ letsencrypt_services_scripts_dir }}/haproxy owner=root group=root mode=0550
when:
- haproxy_letsencrypt_managed
- letsencrypt_install
tags: [ 'haproxy', 'letsencrypt' ]


@ -1,13 +1,13 @@
---
- import_tasks: haproxy-service.yml
- import_tasks: haproxy-letsencrypt.yml
- import_tasks: haproxy-letsencrypt-acme-sh.yml
when:
- haproxy_letsencrypt_managed
- letsencrypt_install is defined
- letsencrypt_acme_sh_install is defined and letsencrypt_acme_sh_install
- import_tasks: haproxy-letsencrypt-acmetool.yml
when:
- haproxy_letsencrypt_managed
- letsencrypt_acme_install is defined
- letsencrypt_acme_install is defined and letsencrypt_acme_install
- import_tasks: haproxy-ssl.yml
when:
- haproxy_letsencrypt_managed
@ -18,7 +18,7 @@
- nagios_enabled
- name: Ensure that haproxy is enabled and started
service: name=haproxy state=started enabled=yes
service: name=haproxy state=restarted enabled=yes
when: haproxy_enabled
ignore_errors: True
tags: haproxy
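Review bot: Changing the "Ensure that haproxy is enabled and started" task from `state=started` to `state=restarted` makes every run of the role restart haproxy unconditionally, dropping in-flight connections even when nothing changed, and the surrounding `ignore_errors: True` means a restart that fails on a bad configuration leaves haproxy down while the play still reports success. Keep `service: name=haproxy state=started enabled=yes` here and trigger the restart from the tasks that actually change the certificate or configuration via `notify`, or at minimum use `state=reloaded` so haproxy validates the new config before swapping processes. The restart looks unrelated to the acme.sh/acmetool split the commit describes; if it is intentional, a comment on the task explaining why would help the next maintainer. In the first hunk nothing prevents `letsencrypt_acme_sh_install` and `letsencrypt_acme_install` from both being true, which imports both hook task files; an `assert` that at most one is set would surface that misconfiguration early.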


@ -12,8 +12,14 @@ DATE=$( date )
[ ! -d $LE_LOG_DIR ] && mkdir $LE_LOG_DIR
echo "$DATE" >> $LE_LOG_DIR/haproxy.log
if [ -f /etc/default/letsencrypt ] ; then
. /etc/default/letsencrypt
{% if letsencrypt_acme_install %}
LE_ENV_FILE=/etc/default/letsencrypt
{% endif %}
{% if letsencrypt_acme_sh_install %}
LE_ENV_FILE=/etc/default/acme_sh_request_env
{% endif %}
if [ -f "$LE_ENV_FILE" ] ; then
. "$LE_ENV_FILE"
else
echo "No letsencrypt default file" >> $LE_LOG_DIR/haproxy.log
fi
@ -33,7 +39,7 @@ fi
# Run the OCSP stapling script
if [ -x /usr/local/bin/hapos-upd ] ; then
echo "Run the OCSP stapling updater script" >> $LE_LOG_DIR/haproxy.log
/usr/local/bin/hapos-upd --cert {{ haproxy_cert_dir }}/haproxy.pem -v {{ letsencrypt_acme_certs_dir }}/fullchain -s {{ haproxy_admin_socket }} -v - >> $LE_LOG_DIR/haproxy.log 2>&1
/usr/local/bin/hapos-upd --cert {{ haproxy_cert_dir }}/haproxy.pem -v ${LE_CERTS_DIR}/fullchain -s {{ haproxy_admin_socket }} -v - >> $LE_LOG_DIR/haproxy.log 2>&1
else
echo "No OCPS stapling updater script" >> $LE_LOG_DIR/haproxy.log
fi
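Review bot: When neither `LE_ENV_FILE` candidate exists the script only logs "No letsencrypt default file" and carries on, so `LE_CERTS_DIR` stays unset and the OCSP call in the second hunk runs `hapos-upd ... -v /fullchain` with a bogus path, whereas before this change the path was rendered from `letsencrypt_acme_certs_dir` at template time. Add `exit 1` after the log line in the `else` branch, and guard the variable where it is used with `: "${LE_CERTS_DIR:?LE_CERTS_DIR not set}"`. Because the two `{% if %}` blocks are independent, a host with both install flags true silently ends up with the acme.sh env file; `{% elif %}` would make the precedence explicit. Sourcing `$LE_ENV_FILE` executes it as root, so the tasks that write `/etc/default/acme_sh_request_env` should keep it root-owned and not group- or world-writable — that file is not visible here, so worth confirming. The enclosing script starts before this hunk.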