Fix haproxy Let's Encrypt SSL path

With the release of the PKI role we broke the Let's Encrypt option: the
directories where certificates are located changed, and those changes were
not reflected in the Let's Encrypt tasks and hooks. At the same time we
should not generate a self-signed certificate when the Let's Encrypt path is used.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/811742
Closes-Bug: #1938961
Change-Id: I1a6701b171782528373bc1d0a39e70e6d1ef20ab
(cherry picked from commit 1195355b43)
Dmitriy Rabotyagov 2021-09-30 17:47:49 +03:00 committed by Andrew Bonney
parent 4a04a03bf0
commit 00441b7108
3 changed files with 14 additions and 8 deletions


@ -75,14 +75,14 @@
--text
--rsa-key-size 4096
--email {{ haproxy_ssl_letsencrypt_email }}
--domains {{ external_lb_vip_address }}
--domains {{ haproxy_bind_external_lb_vip_address }}
{% if haproxy_ssl_letsencrypt_certbot_challenge == 'http-01' %}
--http-01-port {{ haproxy_ssl_letsencrypt_certbot_backend_port }}
--http-01-address {{ haproxy_ssl_letsencrypt_certbot_bind_address }}
{% endif %}
{{ haproxy_ssl_letsencrypt_setup_extra_params }}
args:
creates: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ external_lb_vip_address }}/fullchain.pem"
creates: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ haproxy_bind_external_lb_vip_address }}/fullchain.pem"
- name: Create certbot pre hook
template:
@ -102,8 +102,10 @@
- name: Create new pem file for haproxy
assemble:
src: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ external_lb_vip_address }}"
dest: "/etc/ssl/private/haproxy.pem"
src: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ haproxy_bind_external_lb_vip_address }}"
dest: "{{ haproxy_ssl_cert_path ~ '/haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ item ~ '.pem' }}"
regexp: '(privkey|fullchain).pem$'
with_items:
- "{{ [ haproxy_bind_external_lb_vip_address ] + extra_lb_tls_vip_addresses }}"
notify:
- Reload haproxy
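Review bot: The `assemble` task under `Create new pem file for haproxy` concatenates `privkey.pem` into `dest` but sets no `mode`/`owner`, so the combined key+cert file is created with the module's default permissions and is only protected if the `haproxy_ssl_cert_path` directory happens to be root-only, which is not visible here; add `mode: "0600"` (plus `owner: root` and `group: root`) next to `dest`. Separately, `src` always points at the `{{ haproxy_bind_external_lb_vip_address }}` live directory while `with_items` also iterates over `extra_lb_tls_vip_addresses`, so every extra VIP receives a copy of the certificate issued for the primary VIP, which is also the only name passed via `--domains` in the first hunk. If the extra VIPs are meant to serve TLS under their own names clients will see a certificate name mismatch; either add them to `--domains` and use `item` in `src`, or add a comment stating that the single primary-VIP certificate is deliberately reused for all VIPs.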


@ -5,7 +5,9 @@
--standalone \
--pre-hook "systemctl stop haproxy" \
cat /etc/letsencrypt/live/{{ external_lb_vip_address }}/{fullchain,privkey}.pem \
> /etc/ssl/private/haproxy.pem
{% for vip in [ haproxy_bind_external_lb_vip_address ] + extra_lb_tls_vip_addresses %}
cat /etc/letsencrypt/live/{{ haproxy_bind_external_lb_vip_address }}/{fullchain,privkey}.pem \
> {{ haproxy_ssl_cert_path ~ '/haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ vip ~ '.pem' }}
{% endfor %}
systemctl reload haproxy
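Review bot: Inside the new `for vip in ...` loop the source path still reads `/etc/letsencrypt/live/{{ haproxy_bind_external_lb_vip_address }}/...`, so `vip` only affects the destination file name and every VIP's pem receives the primary VIP's certificate; if that is intended, a comment such as `# all VIPs share the certificate issued for the primary VIP` would stop the next reader from assuming `vip` was meant there, otherwise use `{{ vip }}` and issue a certificate per VIP. The live directory is also hard-coded to `/etc/letsencrypt/live` here while the Ansible task uses `{{ haproxy_ssl_letsencrypt_config_path }}`, so a non-default config path will make this hook read from the wrong location. Because the redirected `cat` writes the private key with the shell's default umask, add `umask 077` immediately before the `for` line so the combined pem is not created world-readable. The start of this script (shebang and any `set` options) lies outside the hunk.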


@ -1,7 +1,9 @@
#!/bin/bash
# renew cert if required and copy to haproxy destination
cat /etc/letsencrypt/live/{{ external_lb_vip_address }}/{fullchain,privkey}.pem \
> /etc/ssl/private/haproxy.pem
{% for vip in [ haproxy_bind_external_lb_vip_address ] + extra_lb_tls_vip_addresses %}
cat /etc/letsencrypt/live/{{ haproxy_bind_external_lb_vip_address }}/{fullchain,privkey}.pem \
> {{ haproxy_ssl_cert_path ~ '/haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ vip ~ '.pem' }}
{% endfor %}
systemctl reload haproxy
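Review bot: If a `cat` in the loop fails (for example the `live` directory for `{{ haproxy_bind_external_lb_vip_address }}` is missing), the `>` redirection has already truncated the target pem and `systemctl reload haproxy` still runs, so haproxy reloads with an empty certificate file; add `set -euo pipefail` after `#!/bin/bash`, or write to a temporary file and `mv` it into place only after both `cat`s succeed. The loop variable `vip` appears only in the destination path while the source is always the primary VIP's directory under a hard-coded `/etc/letsencrypt/live` rather than `{{ haproxy_ssl_letsencrypt_config_path }}` as used by the Ansible task; if reusing one certificate for all VIPs is intentional, say so in the header comment. The new file also contains `privkey.pem` and inherits the shell's umask, so `umask 077` near the top of the script is advisable unless `haproxy_ssl_cert_path` is itself root-only, which cannot be seen from this hunk.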