Serialise initial issuing of LetsEncrypt certificates

Currently the role will run against all target hosts, and it is possible that the calling playbook runs with a serial: setting to control how many hosts are targeted simultaneously. However, this is not sufficient to guarantee that each potential haproxy server requests a LetsEncrypt certificate sequentially. It is only possible for the loadbalancer to direct the challenge from the ACME server to one certbot instance at a time, so this patch enforces serialisation of the initial certificate generation regardless of the number of target hosts and setting of serial: outside this role.

Change-Id: If8ae64bc01510d3570fa4c554463bd6121b21f86
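A minimal play, added here as an illustration and not taken from the haproxy role this commit patches, showing the interaction the commit message describes: a play-level `serial:` only controls how many hosts are in each batch, while a task-level `throttle: 1` is what guarantees the certificate request runs on one host at a time. The group name `haproxy`, the certbot arguments, the contact address, the timeout value and the `creates:` path are assumptions made for the example, not values from the role.

```yaml
# Added example, not code from the role under review.
# Ansible 2.9 or newer is required for the task-level `throttle` keyword.
- name: Issue initial ACME certificates one host at a time
  hosts: haproxy            # assumed inventory group
  serial: 2                 # two hosts per batch; both run ordinary tasks concurrently
  gather_facts: false
  tasks:
    - name: Ordinary task, may run on both hosts of the batch at once
      command: /bin/true
      changed_when: false

    - name: Request the first certificate, strictly one host at a time
      # throttle is evaluated per task, so this serialises the request even
      # when the calling play uses serial: 2 (or no serial at all).
      throttle: 1
      # `timeout` bounds a certbot run whose http-01 challenge never reaches
      # this host, so a stuck request cannot block every later host.
      shell: >
        timeout 300
        certbot certonly --standalone -n --agree-tos
        -m admin@example.com
        -d {{ inventory_hostname }}
      args:
        # assumed path; skips hosts that already hold a certificate so the
        # serialised step only costs time on first issuance
        creates: "/etc/letsencrypt/live/{{ inventory_hostname }}/fullchain.pem"
```

With `serial: 2` but without `throttle: 1`, both hosts of a batch would start certbot simultaneously and the load balancer could only forward the ACME challenge to one of them; the other would time out and fail. The worst-case play duration with `throttle: 1` is the number of hosts multiplied by the timeout, which is the cost of the serialisation.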
This commit is contained in:
parent 7dea60f263
commit 34f153b139
@ -62,6 +62,7 @@
when: haproxy_ssl_letsencrypt_install_method == 'distro'
- name: Create first time ssl cert with certbot
throttle: 1
shell: >
{% if haproxy_ssl_letsencrypt_certbot_challenge == 'http-01' %}
timeout {{ haproxy_ssl_letsencrypt_pre_hook_timeout }}
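Review bot: `throttle: 1` is applied to the whole "Create first time ssl cert with certbot" task unconditionally, while the `timeout` wrapper in the same task is guarded by `{% if haproxy_ssl_letsencrypt_certbot_challenge == 'http-01' %}`; the reason given in the commit message (the load balancer can only direct the ACME challenge to one certbot instance at a time) appears to apply to the http-01 path, so either record in the commit message or a task comment why dns-01 issuance is serialised as well, or scope the throttle to the http-01 case. Separately, `throttle` is a task keyword introduced in Ansible 2.9, so confirm the role's minimum supported Ansible version covers it and note the requirement in the role docs or the commit message.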