diff --git a/tasks/haproxy_ssl_letsencrypt.yml b/tasks/haproxy_ssl_letsencrypt.yml
index 428f6a2..f08b1c0 100644
--- a/tasks/haproxy_ssl_letsencrypt.yml
+++ b/tasks/haproxy_ssl_letsencrypt.yml
@@ -55,6 +55,12 @@
 user: "root"
 state: present
 
+- name: Install certbot from distro package
+ package:
+ name: "{{ haproxy_distro_certbot_packages }}"
+ state: present
+ when: haproxy_ssl_letsencrypt_install_method == 'distro'
+
 - name: Stop haproxy for certbot activity
 service:
 name: "haproxy"
@@ -75,6 +81,13 @@
 args:
 creates: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ external_lb_vip_address }}/fullchain.pem"
 
+- name: Create certbot post renewal hook
+ template:
+ src: letsencrypt_renew_certbot_distro.j2
+ dest: /etc/letsencrypt/renewal-hooks/post/haproxy-renew
+ mode: 0755
+ when: haproxy_ssl_letsencrypt_install_method == 'distro'
+
 - name: Create new pem file for haproxy
 assemble:
 src: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ external_lb_vip_address }}"
diff --git a/templates/letsencrypt_renew_certbot_distro.j2 b/templates/letsencrypt_renew_certbot_distro.j2
new file mode 100644
index 0000000..3f896f1
--- /dev/null
+++ b/templates/letsencrypt_renew_certbot_distro.j2
@@ -0,0 +1,7 @@
+#!/bin/bash
+# renew cert if required and copy to haproxy destination
+
+cat /etc/letsencrypt/live/{{ external_lb_vip_address }}/{fullchain,privkey}.pem \
+ > /etc/ssl/private/haproxy.pem
+
+systemctl reload haproxy
diff --git a/vars/debian.yml b/vars/debian.yml
index c6eab52..74e233b 100644
--- a/vars/debian.yml
+++ b/vars/debian.yml
@@ -21,3 +21,6 @@ haproxy_distro_packages:
 - netcat # Used for the Ansible haproxy module
 - psmisc
 - vim-haproxy
+
+haproxy_distro_certbot_packages:
+ - certbot
diff --git a/vars/ubuntu.yml b/vars/ubuntu.yml
index c6eab52..74e233b 100644
--- a/vars/ubuntu.yml
+++ b/vars/ubuntu.yml
@@ -21,3 +21,6 @@ haproxy_distro_packages:
 - netcat # Used for the Ansible haproxy module
 - psmisc
 - vim-haproxy
+
+haproxy_distro_certbot_packages:
+ - certbot
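Review bot: The hook task in the second hunk of tasks/haproxy_ssl_letsencrypt.yml installs the script under `/etc/letsencrypt/renewal-hooks/post/`, which certbot runs after every `renew` attempt, including the routine timer runs that renew nothing, so the pem is rewritten and haproxy reloaded on each attempt; `/etc/letsencrypt/renewal-hooks/deploy/` runs only when a certificate was actually issued and is what this hook does, so I would change `dest: /etc/letsencrypt/renewal-hooks/deploy/haproxy-renew` and rename the task to match. Quote the mode as `mode: "0755"`, the form Ansible recommends so the octal value is not reinterpreted by the YAML loader. As far as I know certbot creates the renewal-hooks directories itself on first run, so if the issuance task above is ever skipped on a host this template task may fail on a missing parent directory; a `file` task with `state: directory` in front of it would make that robust. The initial issuance appears to rely on haproxy being stopped (the "Stop haproxy for certbot activity" task), so unattended renewals from the distro timer presumably need a pre/post hook that does the same or a challenge path routed through haproxy — worth a comment on this task stating which is expected.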
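Review bot: In templates/letsencrypt_renew_certbot_distro.j2, `cat … > /etc/ssl/private/haproxy.pem` creates the combined key-and-chain file with the process umask when it does not already exist, so on a host where the file is absent the private key can end up readable by every local user; add `umask 077` before the `cat` (the redirect keeps the existing mode when the file is already there, so this only affects first creation). The script also has no error handling, so if the lineage directory is missing the redirect truncates the pem and haproxy is still reloaded; `set -euo pipefail` after the shebang stops before the reload in that case. The header comment says "renew cert if required", but the script does not run certbot, certbot runs it after renewal, so `# certbot renewal hook: rebuild the haproxy pem from the live lineage and reload haproxy` describes it better.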