Adapt the haproxy role so that it supports both letsencrypt acmetool and acme.sh

haproxy/tasks/haproxy-letsencrypt-acme-sh.yml

@@ -0,0 +1,18 @@
+---
+- block:
+  - name: Create the acme hooks directory if it does not yet exist
+    file: dest={{ letsencrypt_acme_sh_services_scripts_dir }} state=directory owner=root group=root
+
+  - name: Install a script that fix the letsencrypt certificate for haproxy and then reload the service
+    template: src=haproxy-letsencrypt-acme.sh.j2 dest={{ letsencrypt_acme_sh_services_scripts_dir }}/haproxy owner=root group=root mode=4555
+
+  - name: When we are going to install letsencrypt certificates, create a preliminary path and a self signed cert. Now handle the haproxy special case
+    shell: mkdir {{ pki_dir }}/haproxy ; cat {{ letsencrypt_acme_user_home | default(omit) }}/live/{{ ansible_fqdn }}/privkey {{ letsencrypt_acme_user_home | default(omit) }}/live/{{ ansible_fqdn }}/cert > {{ pki_dir }}/haproxy/haproxy.pem
+    args:
+      creates: '{{ pki_dir }}/haproxy/haproxy.pem'
+    tags: [ 'pki', 'ssl', 'letsencrypt', 'haproxy', 'letsencrypt_acme_sh' ]
+
+  when:
+    - haproxy_letsencrypt_managed
+    - letsencrypt_acme_sh_install
+  tags: [ 'haproxy', 'letsencrypt', 'letsencrypt_acme_sh' ]

haproxy/tasks/haproxy-letsencrypt-acmetool.yml

@@ -1,15 +1,18 @@
 ---
-- name: Create the acme hooks directory if it does not yet exist
+- block:
-  file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root
+  - name: Create the acme hooks directory if it does not yet exist
+    file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root
+
+  - name: Install a script that fix the letsencrypt certificate for haproxy and then reload the service
+    template: src=haproxy-letsencrypt-acme.sh.j2 dest={{ letsencrypt_acme_services_scripts_dir }}/haproxy owner=root group=root mode=4555
+
+  - name: When we are going to install letsencrypt certificates, create a preliminary path and a self signed cert. Now handle the haproxy special case
+    shell: mkdir {{ pki_dir }}/haproxy ; cat {{ letsencrypt_acme_user_home | default(omit) }}/live/{{ ansible_fqdn }}/privkey {{ letsencrypt_acme_user_home | default(omit) }}/live/{{ ansible_fqdn }}/cert > {{ pki_dir }}/haproxy/haproxy.pem
+    args:
+      creates: '{{ pki_dir }}/haproxy/haproxy.pem'
+    tags: [ 'pki', 'ssl', 'letsencrypt', 'haproxy' ]
+
   when:
     - haproxy_letsencrypt_managed
     - letsencrypt_acme_install
   tags: [ 'haproxy', 'letsencrypt' ]
-
-- name: Install a script that fix the letsencrypt certificate for haproxy and then reload the service
-  template: src=haproxy-letsencrypt-acme.sh.j2 dest={{ letsencrypt_acme_services_scripts_dir }}/haproxy owner=root group=root mode=4555
-  when:
-    - haproxy_letsencrypt_managed
-    - letsencrypt_acme_install
-  tags: [ 'haproxy', 'letsencrypt' ]
-

haproxy/tasks/haproxy-letsencrypt.yml

@@ -1,7 +0,0 @@
----
-- name: Install a script that fix the letsencrypt certificate for haproxy and then reload the service
-  copy: src=haproxy-letsencrypt.sh dest={{ letsencrypt_services_scripts_dir }}/haproxy owner=root group=root mode=0550
-  when:
-    - haproxy_letsencrypt_managed
-    - letsencrypt_install
-  tags: [ 'haproxy', 'letsencrypt' ]

haproxy/tasks/main.yml

@@ -1,13 +1,13 @@
 ---
 - import_tasks: haproxy-service.yml
-- import_tasks: haproxy-letsencrypt.yml
+- import_tasks: haproxy-letsencrypt-acme-sh.yml
   when:
     - haproxy_letsencrypt_managed
-    - letsencrypt_install is defined
+    - letsencrypt_acme_sh_install is defined and letsencrypt_acme_sh_install
 - import_tasks: haproxy-letsencrypt-acmetool.yml
   when:
     - haproxy_letsencrypt_managed
-    - letsencrypt_acme_install is defined
+    - letsencrypt_acme_install is defined and letsencrypt_acme_install
 - import_tasks: haproxy-ssl.yml
   when:
     - haproxy_letsencrypt_managed
@@ -18,7 +18,7 @@
     - nagios_enabled
 
 - name: Ensure that haproxy is enabled and started
-  service: name=haproxy state=started enabled=yes
+  service: name=haproxy state=restarted enabled=yes
   when: haproxy_enabled
   ignore_errors: True
   tags: haproxy

haproxy/templates/haproxy-letsencrypt-acme.sh.j2

@@ -12,8 +12,14 @@ DATE=$( date )
 [ ! -d $LE_LOG_DIR ] && mkdir $LE_LOG_DIR
 echo "$DATE" >> $LE_LOG_DIR/haproxy.log
 
-if [ -f /etc/default/letsencrypt ] ; then
+{% if letsencrypt_acme_install %}
-    . /etc/default/letsencrypt
+LE_ENV_FILE=/etc/default/letsencrypt
+{% endif %}
+{% if letsencrypt_acme_sh_install %}
+LE_ENV_FILE=/etc/default/acme_sh_request_env
+{% endif %}
+if [ -f "$LE_ENV_FILE" ] ; then
+    . "$LE_ENV_FILE"
 else
     echo "No letsencrypt default file" >> $LE_LOG_DIR/haproxy.log
 fi
@@ -33,7 +39,7 @@ fi
 # Run the OCSP stapling script
 if [ -x /usr/local/bin/hapos-upd ] ; then
     echo "Run the OCSP stapling updater script" >> $LE_LOG_DIR/haproxy.log
-    /usr/local/bin/hapos-upd --cert {{ haproxy_cert_dir }}/haproxy.pem -v {{ letsencrypt_acme_certs_dir }}/fullchain -s {{ haproxy_admin_socket }} -v - >> $LE_LOG_DIR/haproxy.log 2>&1
+    /usr/local/bin/hapos-upd --cert {{ haproxy_cert_dir }}/haproxy.pem -v ${LE_CERTS_DIR}/fullchain -s {{ haproxy_admin_socket }} -v - >> $LE_LOG_DIR/haproxy.log 2>&1
 else
     echo "No OCPS stapling updater script" >> $LE_LOG_DIR/haproxy.log
 fi