Merge "Fix venv installation of Letsencrypt certbot"
commit
c06b4a09e9
|
@ -75,6 +75,7 @@ haproxy_ssl_bind_options: "force-tlsv12"
|
|||
haproxy_ssl_letsencrypt_enable: false
|
||||
haproxy_ssl_letsencrypt_email: "example@example.com"
|
||||
haproxy_ssl_letsencrypt_download_url: "https://dl.eff.org/certbot-auto"
|
||||
haproxy_ssl_letsencrypt_venv: "/opt/eff.org/certbot/venv"
|
||||
haproxy_ssl_letsencrypt_config_path: "/etc/letsencrypt/live"
|
||||
haproxy_ssl_letsencrypt_install_path: "/opt/letsencrypt"
|
||||
haproxy_ssl_letsencrypt_cron_minute: "0"
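Review bot: The new `haproxy_ssl_letsencrypt_venv` default has no comment, and in the tasks visible in this commit it is only read (by `creates:` on the install task and by the renew script), never passed to the installer. An operator who overrides it would presumably get an install task whose `creates:` path never appears and a renew script pointing at a missing binary. A comment above the variable would cover it, for example `# Path where certbot-auto creates its virtualenv; the role only reads it, so override it only if the installer is configured to match`.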
|
||||
|
|
|
@ -35,6 +35,14 @@
|
|||
path: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ external_lb_vip_address }}"
|
||||
register: lcdatadir
|
||||
|
||||
- name: Install certbot
|
||||
shell: >
|
||||
PIP_INDEX_URL="https://pypi.org/simple/"
|
||||
{{ haproxy_ssl_letsencrypt_install_path }}/{{ haproxy_ssl_letsencrypt_download_url | basename }}
|
||||
--install-only
|
||||
args:
|
||||
creates: "{{ haproxy_ssl_letsencrypt_venv }}"
|
||||
|
||||
- name: Stop haproxy for certbot activity
|
||||
service:
|
||||
name: "haproxy"
|
||||
|
@ -51,11 +59,12 @@
|
|||
--rsa-key-size 4096
|
||||
--email {{ haproxy_ssl_letsencrypt_email }}
|
||||
--domains {{ external_lb_vip_address }}
|
||||
creates: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ external_lb_vip_address }}/fullchain.pem"
|
||||
args:
|
||||
creates: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ external_lb_vip_address }}-0001/fullchain.pem"
|
||||
|
||||
- name: Create new pem file for haproxy
|
||||
assemble:
|
||||
src: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ external_lb_vip_address }}"
|
||||
src: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ external_lb_vip_address }}-0001"
|
||||
dest: "/etc/ssl/private/haproxy.pem"
|
||||
regexp: '(privkey|fullchain).pem$'
|
||||
notify:
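Review bot: The assemble task in the last hunk writes the private key into `/etc/ssl/private/haproxy.pem` without setting `owner`, `group` or `mode`, so the file's permissions are left to the umask of the Ansible run. Adding `owner: "root"`, `group: "root"` and `mode: "0600"` under `assemble:` would pin them, assuming haproxy reads the file as root at start-up. Separately, the `-0001` suffix, which appears to be the new side of the two `creates:`/`src:` pairs, matches only the directory certbot picks when the plain name is already taken. If no earlier task guarantees that, those paths will not exist on a fresh host and the certbot run will repeat on every play. The task's `notify:` list continues outside the hunk.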
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/bin/bash
|
||||
# renew cert if required and copy to haproxy destination
|
||||
|
||||
certbot renew \
|
||||
{{ haproxy_ssl_letsencrypt_venv }}/bin/certbot renew \
|
||||
--standalone \
|
||||
--pre-hook "systemctl stop haproxy" \
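Review bot: The new `certbot` path is interpolated unquoted into a script that presumably runs as root from cron, so a venv path containing whitespace would split the command word. Quoting it costs nothing: `"{{ haproxy_ssl_letsencrypt_venv }}/bin/certbot" renew \`. The renew command continues past the end of the hunk.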
|
||||
|
||||
|
|