Ensure there is no race between haproxy and certbot for initial cert

The certbot pre-hook is not used during initial setup of the cert,
only during renewal. This means that the same race condition exists
at initial configuration as renewal. This patch uses the same
approach as used in the renewal pre-hook and applies it during
initialisation of certbot. This fixes race condition related failures
during initial provisioning of haproxy+letsencrypt.

Change-Id: Ica5ed5de24e3eb2fb5a743bb877d113ed0bb8a43
Jonathan Rosser 2020-06-08 16:02:24 +01:00
parent 6b60e51005
commit 5fba658296
1 changed files with 4 additions and 1 deletions

@ -62,7 +62,10 @@
when: haproxy_ssl_letsencrypt_install_method == 'distro'
- name: Create first time ssl cert with certbot
command: >
shell: >
timeout {{ haproxy_ssl_letsencrypt_pre_hook_timeout }}
python3 -m http.server {{ haproxy_ssl_letsencrypt_certbot_backend_port }}
--bind {{ haproxy_ssl_letsencrypt_certbot_bind_address }} || true &&
{{ haproxy_ssl_letsencrypt_certbot_binary }} certonly
--standalone
--agree-tos
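
Review bot: the `|| true` at the end of the `--bind {{ haproxy_ssl_letsencrypt_certbot_bind_address }}` line discards every exit status of the `timeout ... python3 -m http.server` step, not only the 124 that `timeout` returns when it expires as intended. A failed bind (port already in use) or a missing `python3` is therefore ignored and certbot runs as if the step had succeeded. Consider accepting only the expected status, for example `|| [ $? -eq 124 ]`, so that any other failure stops the task. Separately, `python3 -m http.server` serves the current working directory for the whole timeout, and no directory is set in the lines shown; pointing it at an empty directory (`--directory`, or `chdir` on the task) would keep it from exposing whatever is in the directory the task happens to run from.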