Adapt the haproxy role so that it supports both letsencrypt acmetool and acme.sh

2018-08-20 19:18:27 +02:00 · 2018-08-20 19:18:27 +02:00 · 708f8027ef
parent c35ab07597
commit 708f8027ef
5 changed files with 44 additions and 24 deletions
--- a/haproxy/tasks/haproxy-letsencrypt-acme-sh.yml
+++ b/haproxy/tasks/haproxy-letsencrypt-acme-sh.yml
@ -0,0 +1,18 @@
+---
+- block:
+  - name: Create the acme hooks directory if it does not yet exist
+    file: dest={{ letsencrypt_acme_sh_services_scripts_dir }} state=directory owner=root group=root
+
+  - name: Install a script that fix the letsencrypt certificate for haproxy and then reload the service
+    template: src=haproxy-letsencrypt-acme.sh.j2 dest={{ letsencrypt_acme_sh_services_scripts_dir }}/haproxy owner=root group=root mode=4555
+
+  - name: When we are going to install letsencrypt certificates, create a preliminary path and a self signed cert. Now handle the haproxy special case
+    shell: mkdir {{ pki_dir }}/haproxy ; cat {{ letsencrypt_acme_user_home | default(omit) }}/live/{{ ansible_fqdn }}/privkey {{ letsencrypt_acme_user_home | default(omit) }}/live/{{ ansible_fqdn }}/cert > {{ pki_dir }}/haproxy/haproxy.pem
+    args:
+      creates: '{{ pki_dir }}/haproxy/haproxy.pem'
+    tags: [ 'pki', 'ssl', 'letsencrypt', 'haproxy', 'letsencrypt_acme_sh' ]
+
+  when:
+    - haproxy_letsencrypt_managed
+    - letsencrypt_acme_sh_install
+  tags: [ 'haproxy', 'letsencrypt', 'letsencrypt_acme_sh' ]
--- a/haproxy/tasks/haproxy-letsencrypt-acmetool.yml
+++ b/haproxy/tasks/haproxy-letsencrypt-acmetool.yml
@ -1,15 +1,18 @@
 ---
- name: Create the acme hooks directory if it does not yet exist
-  file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root
+- block:
+  - name: Create the acme hooks directory if it does not yet exist
+    file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root
+
+  - name: Install a script that fix the letsencrypt certificate for haproxy and then reload the service
+    template: src=haproxy-letsencrypt-acme.sh.j2 dest={{ letsencrypt_acme_services_scripts_dir }}/haproxy owner=root group=root mode=4555
+
+  - name: When we are going to install letsencrypt certificates, create a preliminary path and a self signed cert. Now handle the haproxy special case
+    shell: mkdir {{ pki_dir }}/haproxy ; cat {{ letsencrypt_acme_user_home | default(omit) }}/live/{{ ansible_fqdn }}/privkey {{ letsencrypt_acme_user_home | default(omit) }}/live/{{ ansible_fqdn }}/cert > {{ pki_dir }}/haproxy/haproxy.pem
+    args:
+      creates: '{{ pki_dir }}/haproxy/haproxy.pem'
+    tags: [ 'pki', 'ssl', 'letsencrypt', 'haproxy' ]
+
  when:
    - haproxy_letsencrypt_managed
    - letsencrypt_acme_install
  tags: [ 'haproxy', 'letsencrypt' ]
-
- name: Install a script that fix the letsencrypt certificate for haproxy and then reload the service
-  template: src=haproxy-letsencrypt-acme.sh.j2 dest={{ letsencrypt_acme_services_scripts_dir }}/haproxy owner=root group=root mode=4555
-  when:
-    - haproxy_letsencrypt_managed
-    - letsencrypt_acme_install
-  tags: [ 'haproxy', 'letsencrypt' ]
-
--- a/haproxy/tasks/haproxy-letsencrypt.yml
+++ b/haproxy/tasks/haproxy-letsencrypt.yml
@ -1,7 +0,0 @@
---
- name: Install a script that fix the letsencrypt certificate for haproxy and then reload the service
-  copy: src=haproxy-letsencrypt.sh dest={{ letsencrypt_services_scripts_dir }}/haproxy owner=root group=root mode=0550
-  when:
-    - haproxy_letsencrypt_managed
-    - letsencrypt_install
-  tags: [ 'haproxy', 'letsencrypt' ]
--- a/haproxy/tasks/main.yml
+++ b/haproxy/tasks/main.yml
@ -1,13 +1,13 @@
 ---
 - import_tasks: haproxy-service.yml
- import_tasks: haproxy-letsencrypt.yml
+- import_tasks: haproxy-letsencrypt-acme-sh.yml
  when:
    - haproxy_letsencrypt_managed
-    - letsencrypt_install is defined
+    - letsencrypt_acme_sh_install is defined and letsencrypt_acme_sh_install
 - import_tasks: haproxy-letsencrypt-acmetool.yml
  when:
    - haproxy_letsencrypt_managed
-    - letsencrypt_acme_install is defined
+    - letsencrypt_acme_install is defined and letsencrypt_acme_install
 - import_tasks: haproxy-ssl.yml
  when:
    - haproxy_letsencrypt_managed
@ -18,7 +18,7 @@
    - nagios_enabled

 - name: Ensure that haproxy is enabled and started
-  service: name=haproxy state=started enabled=yes
+  service: name=haproxy state=restarted enabled=yes
  when: haproxy_enabled
  ignore_errors: True
  tags: haproxy
--- a/haproxy/templates/haproxy-letsencrypt-acme.sh.j2
+++ b/haproxy/templates/haproxy-letsencrypt-acme.sh.j2
@ -12,8 +12,14 @@ DATE=$( date )
 [ ! -d $LE_LOG_DIR ] && mkdir $LE_LOG_DIR
 echo "$DATE" >> $LE_LOG_DIR/haproxy.log

-if [ -f /etc/default/letsencrypt ] ; then
-    . /etc/default/letsencrypt
+{% if letsencrypt_acme_install %}
+LE_ENV_FILE=/etc/default/letsencrypt
+{% endif %}
+{% if letsencrypt_acme_sh_install %}
+LE_ENV_FILE=/etc/default/acme_sh_request_env
+{% endif %}
+if [ -f "$LE_ENV_FILE" ] ; then
+    . "$LE_ENV_FILE"
 else
    echo "No letsencrypt default file" >> $LE_LOG_DIR/haproxy.log
 fi
@ -33,7 +39,7 @@ fi
 # Run the OCSP stapling script
 if [ -x /usr/local/bin/hapos-upd ] ; then
    echo "Run the OCSP stapling updater script" >> $LE_LOG_DIR/haproxy.log
-    /usr/local/bin/hapos-upd --cert {{ haproxy_cert_dir }}/haproxy.pem -v {{ letsencrypt_acme_certs_dir }}/fullchain -s {{ haproxy_admin_socket }} -v - >> $LE_LOG_DIR/haproxy.log 2>&1
+    /usr/local/bin/hapos-upd --cert {{ haproxy_cert_dir }}/haproxy.pem -v ${LE_CERTS_DIR}/fullchain -s {{ haproxy_admin_socket }} -v - >> $LE_LOG_DIR/haproxy.log 2>&1
 else
    echo "No OCPS stapling updater script" >> $LE_LOG_DIR/haproxy.log
 fi