Serialise initial issuing of LetsEncrypt certificates

Currently the role will run against all target hosts, and it is
possible that the calling playbook runs with a serial: setting
to control how many hosts are targeted simultaneously.

However, this is not sufficient to guarantee that each potential
haproxy server requests a LetsEncrypt certificate sequentially.
It is only possible for the loadbalancer to direct the challenge
from the ACME server to one certbot instance at a time, so this
patch enforces serialisation of the initial certificate generation
regardless of the number of target hosts and setting of serial:
outside this role.

Change-Id: If8ae64bc01510d3570fa4c554463bd6121b21f86
Jonathan Rosser 2023-02-28 18:40:01 +00:00
parent 7dea60f263
commit 34f153b139
1 changed files with 1 additions and 0 deletions


@ -62,6 +62,7 @@
when: haproxy_ssl_letsencrypt_install_method == 'distro'
- name: Create first time ssl cert with certbot
throttle: 1
shell: >
{% if haproxy_ssl_letsencrypt_certbot_challenge == 'http-01' %}
timeout {{ haproxy_ssl_letsencrypt_pre_hook_timeout }}
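Review bot: `throttle: 1` on the "Create first time ssl cert with certbot" task serialises that task across the hosts of a single play, which is what the commit message asks for, but it does not guard against two separate playbook runs targeting the same load balancer at the same time, and `throttle` is only available from Ansible 2.9 onward, so the role's minimum supported Ansible version should be stated alongside this change. A one-line comment above `throttle: 1` explaining why serialisation is required (the load balancer can route the ACME http-01 challenge to only one certbot instance at a time) would also stop a future reader from removing it as an apparent performance improvement.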