Fix venv installation of Letsencrypt certbot

certbot-auto wants to install dependencies which are possibly
not fulfilled by the repo-server - so bypass installation here.
Use the venv bin later for the renew script.
Minor errors are also fixed.

Change-Id: I4087bbcb4fe6182cb090a5b6b85bea36768b4f4f
This commit is contained in:
Frank Kloeker 2019-02-02 01:14:18 +01:00
parent 4fb2059a3b
commit b9cb133bb0
3 changed files with 13 additions and 3 deletions


@ -75,6 +75,7 @@ haproxy_ssl_bind_options: "force-tlsv12"
haproxy_ssl_letsencrypt_enable: false
haproxy_ssl_letsencrypt_email: "example@example.com"
haproxy_ssl_letsencrypt_download_url: "https://dl.eff.org/certbot-auto"
haproxy_ssl_letsencrypt_venv: "/opt/eff.org/certbot/venv"
haproxy_ssl_letsencrypt_config_path: "/etc/letsencrypt/live"
haproxy_ssl_letsencrypt_install_path: "/opt/letsencrypt"
haproxy_ssl_letsencrypt_cron_minute: "0"
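Review bot: The new default `haproxy_ssl_letsencrypt_venv: "/opt/eff.org/certbot/venv"` is never handed to the installer — the `Install certbot` task in the other file of this commit only sets `PIP_INDEX_URL` and `--install-only` — so it has to silently match whatever path certbot-auto picks for itself, and anyone overriding the variable presumably ends up with an install task whose `creates:` guard never fires and a renew script pointing at a binary that does not exist. A comment above the key would make that coupling explicit, e.g. `# Must equal the venv path certbot-auto creates on its own; it is read by the creates: guard and the renew script, not passed to the installer`. A pre-flight `stat` of `{{ haproxy_ssl_letsencrypt_venv }}/bin/certbot` before the renew cron is installed would turn a mismatch into a failed play instead of a silently expiring certificate.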


@ -35,6 +35,14 @@
path: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ external_lb_vip_address }}"
register: lcdatadir
- name: Install certbot
shell: >
PIP_INDEX_URL="https://pypi.org/simple/"
{{ haproxy_ssl_letsencrypt_install_path }}/{{ haproxy_ssl_letsencrypt_download_url | basename }}
--install-only
args:
creates: "{{ haproxy_ssl_letsencrypt_venv }}"
- name: Stop haproxy for certbot activity
service:
name: "haproxy"
@ -51,11 +59,12 @@
--rsa-key-size 4096
--email {{ haproxy_ssl_letsencrypt_email }}
--domains {{ external_lb_vip_address }}
creates: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ external_lb_vip_address }}/fullchain.pem"
args:
creates: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ external_lb_vip_address }}-0001/fullchain.pem"
- name: Create new pem file for haproxy
assemble:
src: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ external_lb_vip_address }}"
src: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ external_lb_vip_address }}-0001"
dest: "/etc/ssl/private/haproxy.pem"
regexp: '(privkey|fullchain).pem$'
notify:
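Review bot: The literal `-0001` suffix hard-coded in the new `creates: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ external_lb_vip_address }}-0001/fullchain.pem"` and in the assemble `src:` looks like an artefact of a host where a lineage for that name already existed; on a clean host certbot presumably writes the lineage to `<domain>/` — the same directory the `stat` task above registers as `lcdatadir` — in which case the guard is never satisfied, the certbot task reruns on every play and `assemble` fails on a missing source, so please confirm against a fresh run. If the suffix really is expected, derive the lineage directory from the stat result or a variable rather than a literal, and add a comment above the task saying why `-0001` is the expected name. Separately, `PIP_INDEX_URL="https://pypi.org/simple/"` in the `Install certbot` task deliberately routes certbot's dependencies around the repo-server, which means this host now needs egress to pypi.org and those packages no longer come from the curated mirror; a comment stating that trade-off, e.g. `# Dependencies come from public PyPI rather than the repo-server because certbot-auto needs packages the mirror may not carry`, would help whoever audits the host's outbound rules later.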


@ -1,7 +1,7 @@
#!/bin/bash
# renew cert if required and copy to haproxy destination
certbot renew \
{{ haproxy_ssl_letsencrypt_venv }}/bin/certbot renew \
--standalone \
--pre-hook "systemctl stop haproxy" \